Experts React To Microsoft’s New Patch Tuesday Format: “A Bad Move” And “Disappointing”

In response to Microsoft’s new format for Patch Tuesday releases, which removes much of the critical vulnerability detail that companies rely on to determine the severity of each flaw, cybersecurity experts have made the following comments.

Expert Comments

November 12, 2020
Satnam Narang
Senior Research Engineer
Tenable
This month’s Patch Tuesday includes fixes for 112 CVEs, 17 of which are rated critical. This is a return to form for Microsoft, as the company ended a streak of patching over 100 CVEs last month when they patched 87 CVEs. One of the most notable fixes in this month’s release is for CVE-2020-17087, an elevation of privilege vulnerability in the Windows Kernel that was exploited in the wild as part of a vulnerability chain with CVE-2020-15999, a buffer overflow vulnerability in the FreeType 2 library used by Google Chrome. The elevation of privilege vulnerability was used to escape Google Chrome’s sandbox in order to elevate privileges on the exploited system. This is the second vulnerability chain involving a Google Chrome vulnerability and a Windows vulnerability that was exploited in the last year. Chaining vulnerabilities is an important tactic for threat actors. While both CVE-2020-15999 and CVE-2020-17087 were exploited in the wild as zero-days, the Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory with the FBI last month that highlighted threat actors chaining unpatched vulnerabilities to gain initial access into a target environment and elevate privileges. Even though Google and Microsoft have now patched these flaws, it is imperative for organisations to ensure they’ve applied these patches before threat actors begin to leverage them more broadly.
November 13, 2020
Robert Huber
Chief Security Officer
Tenable
Microsoft’s decision to remove CVE description information from its Patch Tuesday release is a bad move, plain and simple. By relying on CVSSv3 ratings alone, Microsoft is eliminating a ton of valuable vulnerability data that can help inform organisations of the business risk a particular flaw poses to them.