M-F 8:00AM TO 5:30PM CST
Better coverage. Better price.
Don't Risk IT
19-Year-Old Windows Bug and WinShock Are a Lesson in IT Liability

19-Year-Old Windows Bug and WinShock Are a Lesson in IT Liability

As Microsoft patched WinShock and other vulnerabilities, IT professionals saw an example of liabilities and security flaws that clients can sued them over. Learn more.

Tuesday, December 2, 2014/Categories: consultant-liability

Last week, Microsoft issued its usual monthly patches, but there were two interesting vulnerabilities making data security news. Let's look at each bug and see the ripple effects they can have for an IT professional's cyber liability.

The two bugs were...

  • CVE-2014-6332. CNET reports that this security flaw in Microsoft Windows and Office went unnoticed for 19 years before finally being patched this month. How bad was the flaw? Really bad. The vulnerability scores 9.3 out of 10 on the Common Vulnerability Scoring System and allows hackers to take control of user devices and steal data from servers.
  • CVE-2014-6321. This bug has earned the nickname "WinShock" (not to be confused with the harmless windsock) because, like ShellShock, it allows hackers to perform remote code executions on vulnerable servers.

These bugs are patched (MS14-066), so they're no longer an issue, right? Well, sort of. As IT consultants know, small businesses sometimes use dangerously out-of-date technology and don't realize they need to update software. There's always the problem of businesses running outdated and vulnerable IT.

But there was an additional problem with this patch. The patch didn't work completely and caused some servers to slow down and prevent Schannel connections. These vulnerabilities have been fixed, but the patch has created its own set of headaches for many system admins.

Why Fast Updates Are Important: Hacks Follow Patches

On November 11, 2014, Microsoft published a patch for the two vulnerabilities discussed above (and a number of other security flaws). Six days later, a security research firm posted a video demonstrating a proof-of-concept hack showing how cyber criminals could execute a WinShock attack.

While it likely took months to find and fix the bug, it only took days for a video showing the hack in action to be posted online.

This quick turnaround – going from patch release to hack – is common. Microsoft usually releases its patches on the second Tuesday of the month. This day has earned the nickname "Patch Tuesday," while snarky InfoSec people have begun calling the following day "Exploit Wednesday."

Problems with Patches? More Headaches for Windows Servers

A funny thing happened after Microsoft released its latest update – the patch caused all sorts of unexpected conflicts, including interrupting TLS connections and causing servers to hang.

IT consultants can be liable for these slowdowns after updates. If you install a patch that stalls your client's servers or causes the business to lose productivity, you can be sued. How do you protect your IT business from lawsuits?

Insurance for system admins protects you from the cost of these lawsuits by paying for your legal fees, court costs, and the damages you owe a client for lost business and other damages. This coverage – Errors and Omissions Insurance – is so common it's often required in the contracts you sign with clients.

If you need insurance quotes in order to start your own IT consulting firm or sign a contract with a client, submit an online insurance application with TechInsurance's web app.

The Small Business
Insurance Leader
800.688.1984 | 8 am - 5:30 pm CST | M-F
Customer Rating 4.9 out of 5
Read Customer Reviews


The Small Business Insurance Leader