Tenable’s comments on this month’s Patch Tuesday

Tenable Satnam Narang

This month’s Patch Tuesday includes fixes for 112 CVEs, 17 of which are rated critical. This is a return to form for Microsoft: last month’s release of 87 CVEs had ended the company’s streak of patching more than 100 CVEs per month. Please find below a comment from Satnam Narang, Staff Research Engineer, Tenable.

“One of the most notable fixes in this month’s release is for CVE-2020-17087, an elevation of privilege vulnerability in the Windows Kernel that was exploited in the wild as part of a vulnerability chain with CVE-2020-15999, a buffer overflow vulnerability in the FreeType 2 library used by Google Chrome.

“The elevation of privilege vulnerability was used to escape Google Chrome’s sandbox in order to elevate privileges on the exploited system. This is the second vulnerability chain involving a Google Chrome vulnerability and a Windows vulnerability that was exploited in the last year. Chaining vulnerabilities is an important tactic for threat actors.

“While both CVE-2020-15999 and CVE-2020-17087 were exploited in the wild as zero-days, the Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory with the FBI last month that highlighted threat actors chaining unpatched vulnerabilities to gain initial access into a target environment and elevate privileges. Even though Google and Microsoft have now patched these flaws, it is imperative for organisations to ensure they’ve applied these patches before threat actors begin to leverage them more broadly.”

Microsoft also rolled out a new format for its Patch Tuesday releases which removes much of the vulnerability detail that organisations rely on to determine the severity of each flaw. Bob Huber, Chief Security Officer at Tenable, comments on the limitations of this format.

“Microsoft’s decision to remove CVE description information from its Patch Tuesday release is a bad move, plain and simple. By relying on CVSSv3 ratings alone, Microsoft is eliminating a ton of valuable vulnerability data that can help inform organisations of the business risk a particular flaw poses to them.

“With this new format, end users are completely blind to how a particular CVE impacts them. What’s more, this makes it nearly impossible to determine the urgency of a given patch. It’s difficult to understand the benefits to end-users.

“However, it’s not too difficult to see how this new format benefits bad actors. They’ll reverse engineer the patches and, by Microsoft not being explicit about vulnerability details, the advantage goes to attackers, not defenders. Without the proper context for these CVEs, it becomes increasingly difficult for defenders to prioritise their remediation efforts.

“While I appreciate that they are adopting the industry-standard format in CVSSv3, Microsoft also must consider that many folks who review Patch Tuesday releases aren’t security practitioners. They are the IT counterparts responsible for actually applying the updates, who often aren’t able to (and shouldn’t have to) decipher raw CVSS data.

“Context is king and it’s extremely disappointing to see Microsoft remove that from this equation.”
