2020 Vulnerability Fujiwhara: The Writing on the Wall
September 21, 2020 • RBS
You can read the full article in our 2020 Mid Year Vulnerability QuickView Report.
In January, Risk Based Security published a blog warning about the upcoming “Vulnerability Fujiwhara”, a term we adopted for the colliding of Oracle and Microsoft patches on the same day. These Vulnerability Fujiwhara would be a completely different beast compared to usual “Patch Tuesday” events, which had already become the conglomeration of as many as a dozen vendors all releasing patches at once. But with the inclusion of Oracle, who typically releases over 400 patches in a single day, these Fujiwhara storms would undoubtedly become a significant event in the lives of IT staff.
These Fujiwhara events are typically rare, but 2020 saw three of them: January 14, April 14, and July 14. The last two observed pre-2020 Fujiwhara events occurred in 2015 and the next two will be seen in 2025 – beginning on January 14! That illustrates just how infrequent these events are and why they stand out as a point of stress and additional risk for organizations. It is also important to note that 2015’s single Fujiwhara event saw a total of 277 disclosed vulnerabilities from all reports that day, less than half of what we saw from the April Fujiwhara this year.
That big increase is precisely the reason Risk Based Security sounded the alarm on these three days. During April’s Fujiwhara event we saw 506 new vulnerabilities reported, 79% of which came from seven vendors. Compared to other Patch Tuesdays this year, the highest reported “only” 273 new vulnerabilities on June 9th. These Fujiwhara incidents, even though there are just three this year, are the writing on-the-wall so to speak. In the coming years, these increased totals will steadily become the norm.
Even if companies have been forced to become acclimated to already large coordinated patch days, how many vulnerability disclosures can they handle before it simply is too much? What is absurd about where we find ourselves is that the vendors creating the vulnerable software that put its paying customers at risk are also the ones creating the circumstance that adds additional risk. Perhaps “business as usual” needs to be re-examined.
Fujiwhara By The Numbers
While Patch Tuesday originated with Microsoft, Adobe began releasing on the same day around 2012. In more recent years, additional vendors have begun to join the fray and reliably release on those days as well. They include SAP, Siemens, and Schneider Electric. To make the day more “convenient”, other vendors such as Apple, Mozilla, Intel, Cisco, and others sometimes participate in the festivities. As we saw with the latest Fujiwhara (July 14), Apple ended up releasing 27 new vulnerabilities, and Cisco 32, turning that event into a 48 hour, non-stop stream of triage for organizations. Although July’s event falls outside of the mid year, here is what all three Fujiwhara incidents look like by the numbers:
As you can see, just two days accounted for 818 vulnerabilities, or 7.3% of the entire mid year’s disclosures so far. However, if we include July’s Fujiwhara event (which falls after the mid-year reporting period in this report), three days will have been responsible for 10.5% of all 2020 vulnerabilities – 13% if you factor in the following day for each. In the middle of a global pandemic with many teams working with reduced staff, that is an incredible number of issues that must go through the triage process.
Tuesday is Now 48 Hours Long
Around the inception of Patch Tuesday, we saw Microsoft and Adobe normally release a substantial number of vulnerabilities in the span of a few hours – a habit that they have kept since. Our research team knew that it would take a few hours to process the information and then we would move on with the rest of the day. However, over time, as more vendors began to adopt the Patch Tuesday movement, that window of expected disclosures has increased dramatically.
Whenever Oracle is involved, we know that we are in for a long day as they tend to release at the end of business hours (EST). Once SAP joined the fray, it further extended our hours considerably as they typically release in the early hours of the morning US time. With just these two vendors alone, our dedicated and fully staffed team is often looking at an 18 – 20 hour day. Does this experience sound familiar? If your organization is performing its own vulnerability research it should be all too familiar. When additional vendors are part of the mix, the sheer volume can cause us to perform triage and prioritize which entries we process first. The increased volume makes it easy for us to envision a full 24 hour cycle doing nothing but Patch Tuesday vulnerabilities.
In some cases, we may all need to block out a portion of Wednesday as well. A day after July 14th’s Fujiwhara incident, we ran into the situation where Cisco and Apple released a total of 59 vulnerabilities between them. That meant that between Tuesday and Wednesday we saw a grand total of 623 new vulnerabilities, creating a 48-hour cycle of disclosures.
Unfortunately for all of us, the writing is on the wall. This is likely something we can expect to occur more frequently in the future, even without the Vulnerability Fujiwhara effect. We have to ask, “Who benefits from this all-at-once disclosure of vulnerabilities?” Certainly not the paying customers. Due to the workload this places on IT departments, an unintended beneficiary may well be the bad actors waiting in the wings to exploit the newly released vulnerabilities. Are the software vendors looking to hide their releases in the crowd? If so, we’ll do our best not to let that happen.
About the QuickView Report and VulnDB
The quarterly Vulnerability QuickView report is a service of VulnDB, which is the world’s most comprehensive, detailed and timely source of vulnerability intelligence and third-party library monitoring.
It provides actionable intelligence about the latest in security vulnerabilities through an easy-to-use SaaS portal, RESTful APIs, and e-mail alerting. Leveraging VulnDB is simpler than ever with our connectors to Splunk, RSA Archer, ServiceNow, GitHub, Polarity, Brinqa, Device42, Recorded Future, and more.