2020: The Vulnerability Fujiwhara Effect – Oracle and Microsoft Collide
January 8, 2020 • RBS
Whether you are working in IT or not, you’re probably familiar with Microsoft’s monthly Patch Tuesday. Introduced in 2003, this is the day on which the software giant releases updates and patches for its software products. As we discussed in September 2018, we have seen more and more vendors piggyback on this approach and release their own patches on the same day. Now, with 2020 barely underway, we kick off the year with an almost unprecedented schedule of substantial releases of new patches to fix known vulnerabilities.
When two hurricanes collide, the phenomenon is called the Fujiwhara effect. The vulnerability intelligence world is about to experience just such an event, on steroids, as the release dates for several major vendors, including Oracle and Microsoft, collide. This event, which last occurred in 2014, will happen three times this year. What makes this event unprecedented is that organizations face an impending collision between six vendors. Organizations, and their vulnerability intelligence teams, are in for a rough year.
As usual, next Tuesday, January 14th, 2020, several prominent vendors will disclose a long list of vulnerabilities that organizations will have to assess. What makes this coming Patch Tuesday even more significant is the impending collision: in addition to the expected Microsoft patches, Oracle will be releasing its quarterly Critical Patch Update on the same day. These two vendors join several others that co-opted “Patch Tuesday” years ago, including Adobe.
2020 Vulnerability Fujiwhara Effect Dates
- January 14th, 2020
- April 14th, 2020
- July 14th, 2020
On the surface this may seem like a positive thing, and it is certainly an improvement on uncoordinated disclosures (still referred to as “irresponsible disclosure” by many vendors and described as a situation that “hurts customers”). But as more vendors have gravitated towards releasing on Patch Tuesday, organizations are now subjected to the routine updates of six vendors on the same day, with the possibility of an additional seven. This is in stark contrast to a normal day of vulnerability disclosures.
“The amount of vulnerability work that is going to be dropped in the laps of already overloaded IT and cyber security teams is going to be massive.”
– Jake Kouns, Co-founder and Chief Information Security Officer, RBS
Last month on Microsoft Patch Tuesday, our VulnDB research team analyzed and published 188 new vulnerabilities in a single day. With Oracle now planning to release on the same day, we expect vulnerability teams will have to aggregate and review a massive list (perhaps doubled) of what will most likely be critical database and product vulnerabilities.
“Even in a best-case scenario, with a well-staffed team, this will take weeks. Most large organizations won’t be able to handle it at all.”
– Brian Martin, Vice President of Vulnerability Intelligence, RBS
There is a clear and substantial risk to organizations that lack the vulnerability intelligence and processes needed to handle the large volume of vulnerabilities being disclosed.
If you are using any of the following vendors, we suggest that you prepare for the impending storms:
- Schneider Electric
** Updated: 01/13/2020 **
It looks like the Microsoft portion of The Fujiwhara Effect is going to be quite severe. Early on Monday, January 13th, 2020, Will Dormann from CERT/CC tweeted the following ominous message:
Later in the day KrebsOnSecurity posted an article that provided more specific details including information from a source that seemed to validate the severity:
Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw prior to Jan. 14, the first Patch Tuesday of 2020.
** Updated: 01/14/2020 **
More details about this Microsoft Patch Tuesday have emerged, and with them CVE-2020-0601 has been disclosed.
Reported by the National Security Agency (NSA), CVE-2020-0601 is essentially a mistake in the computer code for Microsoft’s Windows 10 operating system.
This vulnerability potentially enables a hacker to forge digital signatures and install spyware or ransomware on computers by disguising them as legitimate programs.
According to the Washington Post, Anne Neuberger, the director of the NSA’s Cybersecurity Directorate is expected to announce Tuesday the discovery of the flaw and their warning to Microsoft.
The impending Vulnerability Fujiwhara Effect is already formidable and as we have said before, organizations are being subjected to the updates of five other vendors on the same day, with the possibility of an additional seven.
At Risk Based Security, we have seen these vulnerability storms building for many years now and are prepared for our customers. We have taken the necessary steps to ensure that VulnDB continues to be the most comprehensive source of detailed and timely vulnerability intelligence.
There’s never been a better time to see the power of VulnDB, and how it would help your organization handle this perfect storm of vulnerabilities that are coming.