COI Report – Part III, Page 86 of 425

252. A patch that was effective in preventing the vulnerability from being exploited (and thus in preventing the installation of the tool) was available since late. Leong Seng has explained that software security patches are applied on SingHealth- and IHiS-issued endpoints based on a specified posting cycle, except for critical patches addressing serious vulnerabilities, which would be applied as soon as possible. The patch was scheduled to be rolled out as part of IHiS’ regular patching cycle, but the patch had not been applied to Outlook on Workstation A as at 1 December 2017.

253. Counsel for IHiS has submitted that IHiS’ conduct in respect of the patching cycle for Outlook was “reasonable”, and that it was “entirely fortuitous” for the attacker to have executed the hacking tool within the period between the release of the patch and its application. Once again, the reasonableness of IHiS’ conduct in this respect is not in issue. What the Committee is concerned with, and has found, is that the hacking tool was installed on Workstation A by exploiting a vulnerability on Outlook, that a patch was available since late but was not applied at the time the hacking tool was installed on 1 December 2017, and that the patch was scheduled to be rolled out as part of the regular patching cycle. The Committee’s recommendations on improving software upgrade policies are found in section 47 (pg 381) below.