Patch Tuesday: The Fujiwhara Storm Is Over for Now, But It’ll Be Back Soon
January 22, 2020 • RBS
As we recently warned, Tuesday, January 14th started the year with a cornucopia of vulnerability disclosures from Microsoft, Oracle, Adobe, Intel, Siemens, SAP, VMware, Schneider Electric, Apache, Symantec, and Lenovo. All on the same day!
2:00 AM EST: The Eye of the Storm
SAP and Siemens started very early by releasing 10 and 18 new or updated security advisories, respectively. After that warm-up, Adobe graciously released two security advisories covering nine vulnerabilities in their Adobe Illustrator and Adobe Experience Manager products. Out of character, Adobe released their advisories a few hours earlier than normal and did not release any advisories for Flash Player or Acrobat Reader. Microsoft followed with a relatively light release of “only” 49 security advisories.
Other major vendors also published advisories, which has become the norm on “Microsoft Tuesday” or “Patch Tuesday”, as it is more appropriately referred to these days. These releases were all on the smaller side. Many other vendors, who are also known to release on Patch Tuesday, opted out completely.
In total, the major vendor disclosures covered 80 newly reported vulnerabilities. While fairly low for a Patch Tuesday, it still adds up to a very busy day for system administrators and security teams. Normally, this would be the end of Patch Tuesday, but the disclosures had only just begun.
4:30 PM EST: Landfall
A few hours after the release of the Microsoft security advisories, Oracle dropped their quarterly Critical Patch Update (CPU) of 333 vulnerabilities across 93 products, with 205 of them being new disclosures. In total, our VulnDB team published 325 new vulnerability reports to our customers on January 14th and updated an additional 312 entries. Considering that the average number of newly published vulnerabilities in a day is around 61, it was clearly a busy day.
“Here at Risk Based Security, our teams of VulnDB analysts and researchers in the USA and EU closely monitored these disclosures and jumped on them as soon as they came out. They worked for about 22 hours straight to properly analyze and process them.
This ensured that our customers got the vulnerability intelligence in a standardised and easily digestible format with clear descriptions, solutions, and metadata.
This provides a great advantage and starting point for making better decisions about the risk to their organisations and proper prioritisation. It also saves a significant amount of time and resources that should have otherwise been spent on collecting and analysing these disclosures prior to focusing on remediation.”
Carsten Eiram, Chief Research Officer at Risk Based Security
Many larger organizations are sure to be using products from most, if not all, of the vendors that disclosed vulnerabilities on Patch Tuesday. There is no way around the fact that it’s quite a challenge for an organization to deal with so many vendor disclosures in an efficient and properly prioritised manner. The number of man hours required by IT security teams to collect, analyze, triage, and then address that many vulnerabilities is significant.
The Aftermath: Notable Vulnerabilities
While CVE-2020-0601 (VulnDB 221392), a vulnerability in the Windows CryptoAPI that allows spoofing ECC certificates, got the most attention, it’s still important to note that many of the other vulnerabilities disclosed that day should also receive timely attention and not just be thrown in the backlog.
On top of the disclosures during Patch Tuesday, Microsoft released a security advisory on January 17th covering a 0-day vulnerability in the Internet Explorer scripting engine (CVE-2020-0674) that allows arbitrary code execution. This is being actively exploited and currently has no fixes available.
More Storms Expected This Year
The bad news is that while the storm is over for now, it’ll be back in three (and also six) months, when the Microsoft and Oracle disclosures collide yet again with a lot of other vendors’ disclosures on top.
The good news is that there are solutions that can help you weather the storm, like our VulnDB vulnerability intelligence solution, whereas basic patch and vulnerability management solutions come up short. VulnDB helps you prepare, prioritize, and process the vulnerability reports in the most efficient manner. Please don’t hesitate to reach out for a demo, so you can be properly equipped to deal not only with the upcoming storms but also with the daily vulnerability reports that may impact your organization.