The Patch Gap Exposes Your Technology

I received an e-mail this morning from my network drive, a Western Digital MyCloud.  While it comes with all sorts of bells and whistles to synchronize to the cloud, or to be accessible over the internet, I’ve limited its availability to internal users.  But the e-mail (from the device, not the company) warned me that there was a firmware update, a feature I’d turned on but hadn’t actually benefitted from before.

The WD MyCloud patch fixed a Samba file system/sharing bug that had been identified in May 2017.  If I had been one of those people who exposed their WD drive to the world, I would have been pretty annoyed that it had taken Western Digital 6 months to issue a patch.

Time Lapse

If everything I’ve just typed is gobbledygook, you’re not alone.  A lot of this stuff is under the hood.  I know about Samba only because I have to turn it on when I’m using a Linux machine on my Windows network.  You may be using it without realizing it.  You may also be using a Windows operating system that, because it auto-updates, has already patched the bug.

It made me think about the gap that can occur between when a bug is announced and a patch is issued.  Western Digital took 6 months.

Apple rushed a patch for its Mac OS Sierra users.  It looks like the problem was public on November 13, and they have now issued a patch this morning.  Like Linux, Apple comes with a default root account.  This is the administrator account on the computer and is often/usually not the one the person on the computer will use.  Windows users may have accounts that act as administrators (although you don’t have to:  here’s how I created root accounts on all of our PCs, to make sure that no-one had administrator rights by default).

Unfortunately, because (a) the root account is automatically created but (b) it is not necessarily the user’s account, it apparently had no password.  Why would you create and save a password for an account you didn’t know existed?

Stay Up to Date

Unfortunately, there’s no good way to stay on top of that time lapse.  One of my favorite sites is US CERT, which has helpful pages like this one – describing how to fix this Apple root problem by yourself, without software – but it’s not always possible to stay on top of new exploits AND whether or not they impact you.  Even had I thought to check whether my Western Digital drive had the Samba flaw, I couldn’t have manually fixed it.

Where you can, you should be:

  • allowing your software to automatically update and add patches, both your operating system and the apps you run on it
  • limiting access from the Internet to resources inside your office and home (including TVs, baby monitors, voice-activated resources, network devices and game consoles, &c.)
  • thinking about who has physical and virtual access to your devices, and taking steps to make sure you keep them within your control

In some cases, the exploit will never be patched.  In that case, you’ll need to physically replace the technology or accept the risk that someone can use the exploit.  But you can still be proactive by thinking about who accesses your technology and how.