Experts Reacted Microsoft’s New Patch Tuesday Format: “A Bad Move” And “Disappointing”

By ISBuzz Team
Writer, Information Security Buzz | Nov 12, 2020 05:05 am PST

In response to Microsoft’s new format for Patch Tuesday releases, which removes much of the critical vulnerability detail that companies rely on to determine the severity of each flaw, cybersecurity experts have made the following comments.

2 Expert Comments
Robert Huber, Chief Security Officer
InfoSec Expert
November 13, 2020 11:12 am

Microsoft’s decision to remove CVE description information from its Patch Tuesday release is a bad move, plain and simple. By relying on CVSSv3 ratings alone, Microsoft is eliminating a ton of valuable vulnerability data that can help inform organisations of the business risk a particular flaw poses to them.

Satnam Narang, Senior Research Engineer
InfoSec Expert
November 12, 2020 1:25 pm

This month’s Patch Tuesday includes fixes for 112 CVEs, 17 of which are rated critical. This is a return to form for Microsoft, as the company ended a streak of patching over 100 CVEs last month when they patched 87 CVEs.

One of the most notable fixes in this month’s release is for CVE-2020-17087, an elevation of privilege vulnerability in the Windows Kernel that was exploited in the wild as part of a vulnerability chain with CVE-2020-15999, a buffer overflow vulnerability in the FreeType 2 library used by Google Chrome. The elevation of privilege vulnerability was used to escape Google Chrome’s sandbox in order to elevate privileges on the exploited system. This is the second vulnerability chain involving a Google Chrome vulnerability and a Windows vulnerability that was exploited in the last year.

Chaining vulnerabilities is an important tactic for threat actors. While both CVE-2020-15999 and CVE-2020-17087 were exploited in the wild as zero-days, the Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory with the FBI last month that highlighted threat actors chaining unpatched vulnerabilities to gain initial access into a target environment and elevate privileges. Even though Google and Microsoft have now patched these flaws, it is imperative for organisations to ensure they’ve applied these patches before threat actors begin to leverage them more broadly.

