Final Patch Tuesday dogged by concerns over Microsoft vulnerability response


The last ever Patch Tuesday – at least in its current form – is overshadowed by persistent concerns about how Microsoft deals with vulnerability disclosure

By Alex Scroxton

Published: 15 Jun 2022 13:10

Microsoft dropped the last ever Patch Tuesday update – at least in its current form – yesterday evening, but security researchers are voicing growing concerns that the Microsoft Security Response Centre (MSRC) is repeatedly dropping the ball when it comes to handling disclosures appropriately.

Yesterday, Computer Weekly and others reported on the experience of Tzah Pahima, an Orca Security researcher, who waited nearly six months – and broke two separate patches – before Microsoft sealed a critical vulnerability in Azure Synapse Analytics.

At the same time, our sister title SearchSecurity.com revealed researchers at Tenable were similarly dissatisfied with Microsoft’s response to the disclosure of two vulnerabilities – coincidentally also in Azure Synapse. They accused Microsoft of lacking transparency in its reporting process.

Via emailed comments, Tenable senior research engineer Claire Tills told Computer Weekly: “On the subject of Microsoft’s troubling pattern of dismissing legitimate security concerns, Tenable researcher Jimi Sebree discovered and disclosed two vulnerabilities in Microsoft’s Azure Synapse Analytics, one of which has been patched and one which has not. Neither of these vulnerabilities were assigned CVE numbers or documented in Microsoft’s security update guide for June.”

Sebree wrote of a “major communications disconnect” between MSRC and the team responsible for Azure Synapse.

The researchers’ concerns take on an added sense of urgency given Microsoft’s well-documented response to CVE-2022-30190, the zero-day known as Follina, which was uncovered in late May.

According to the anonymous hacker who uncovered it, a member of the Shadow Chaser threat hunting collective who goes by the handle Crazyman, MSRC dismissed Follina, a zero-click vulnerability in Microsoft Office that enables an attacker to execute PowerShell commands without user interaction, closed Crazyman’s ticket, and said it was “not a security-related issue”. Being a zero-day, this proved to be demonstrably not the case in short order.

Computer Weekly reached out to Microsoft with questions about its disclosure procedures but had not received a response at the time of publication.

Final fling fixes Follina folly

Fortunately for Follina fearers, the vulnerability was indeed fixed in the last Patch Tuesday update, one of 61 unique vulnerabilities, and the only zero-day to have come under active exploitation. However, according to Todd Schell of Ivanti, it may have been a somewhat rushed addition to the list.

“This vulnerability has been under attack for several months. This vulnerability fix must have been a late addition this month, because although it shows up in the vulnerabilities list of the Security Guide, it was not shown in the breakdown of CVEs for each patch,” said Schell.

Among the other more impactful vulnerabilities addressed in Patch Tuesday’s swansong is CVE-2022-30137, a remote code execution (RCE) vulnerability in Windows Network File System, which carries a sky-high CVSS score of 9.8 but may be considered more difficult to exploit because an attacker typically needs to already have network access to take advantage of it.

Also worthy of note are CVE-2022-30157 and CVE-2022-30158, both RCE vulnerabilities in Microsoft SharePoint Server, which again require an attacker to have established initial access to exploit.

Perhaps more likely to be exploited is CVE-2022-30147, a privilege escalation vulnerability in Windows Installer affecting both desktop and server environments, which could prove useful to attackers seeking admin privileges to – for example – exfiltrate data prior to deploying ransomware.


Security teams may also want to prioritise CVE-2022-30163, an RCE vulnerability in Windows Hyper-V. Kev Breen of Immersive Labs commented: “A remote code execution vulnerability in Hyper-V sounds scary when you consider that, if exploited, an attacker could move from a guest virtual machine to the host, accessing all running virtual machines.

“However, Microsoft has marked this vulnerability as less likely to be exploited. This is probably because the complexity is high and requires an attacker to win a race condition. What that condition is, is not disclosed. This one will be of high value to attackers if a method of easily exploiting it is discovered.”

Meanwhile, Allan Liska of Recorded Future reflected on nearly two decades of Patch Tuesday history. He said: “The first Patch Tuesday was released 14 October 2003. Patch Tuesday was originally designed as a way for Microsoft to release all of their patches at the same time, and Tuesday was chosen because it gave system administrators time to review and test the patches, then get them installed before the weekend.

“The first Patch Tuesday had five vulnerabilities labelled critical by Microsoft, including MS03-046, a remote code execution vulnerability in Microsoft Exchange.

“The more things change, the more they stay the same. For almost 20 years, Patch Tuesday has been a staple for system administrators, IT staff, home users and analysts, but it has also long outlived its usefulness,” he said.

“Microsoft is increasingly reliant on out-of-cycle patch releases because the bad guys are getting better at weaponising vulnerabilities and exploiting those vulnerable systems faster. Abandoning Patch Tuesday will, hopefully, allow Microsoft to respond to new vulnerabilities faster and get patches pushed out sooner,” added Liska.

Autopatch repair, Autopatch replace

From here on out, as previously reported, Patch Tuesday will be replaced by a new automated service, Windows Autopatch, available for Windows Enterprise E3 licences and covering Windows 10, 11 and Windows 365.

This service, which will keep Windows and Office software on enrolled endpoints up to date at no additional cost, was developed in response to the growing complexity of IT environments, which has massively increased the number and scope of vulnerabilities security teams have to deal with, and makes the second Tuesday of the month somewhat fraught.

Microsoft believes that by automating patch management, it can provide a more timely response to changes. Furthermore, thanks to a dedicated feature called Rings, which will “cascade” updates down through a core set of the user’s test devices for testing and validation (including the possibility of rolling the update back should things go pear-shaped), security teams can supposedly be more confident about introducing new patches without causing problems.