Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Vulnerability Management

4/14/2020
06:25 PM
100%
0%

Patch-a-Palooza: More Than 560 Flaws Fixed in a Single Day

Software vendors keep pushing patches to the same Tuesday once a month, or once a quarter, and the result can be overwhelming. Six enterprise software makers issued patches for 567 issues in April.

Information technology groups have their work cut out for them this month. 

On April 14, six makers of popular enterprise software — Microsoft, Oracle, SAP, Intel, Adobe, and VMware — issued patches for at least 567 software vulnerabilities. Oracle's Critical Patch Update for the month, which rolls up fixes into a single massive patch for each product, accounted for more than 70% of the patch load, addressing 405 new security vulnerabilities, according to the company. An analysis of Microsoft's April security bulletin found that the company closed 113 security vulnerabilities, while SAP, Intel, Adobe, and VMware accounted for another 49 issues.

Overall, the crowding of software fixes has turned the second Tuesday of the month — a day on which Microsoft has traditionally released patches for many years — into a deluge of work for IT groups, says Jake Kouns, CEO and co-founder of Risk Based Security, a vulnerability information and management firm.

"Patch Tuesday is all about making software updates more organized so that companies can assign resources because they know when [the patches] come out," he says. "With more and more companies piggybacking on that, it becomes a challenge. How many patches can you handle in one day?"

The massive patch load comes as companies continue to adjust to the vast majority of their employees working from home, a fact that means patching could cause significant headaches, especially if companies have not prepared a capability to efficiently push patches to workers' machines. 

"Given the shift to remote work for many organizations in combination with the current patch load from Oracle's update earlier this week and what looks like a backlog of patching, this looks like a busy month for many security teams," says Jonathan Cran, head of research at vulnerability management firm Kenna Security.

Oracle issued Critical Patch Updates (CPUs) for 26 different products, including issuing fixes for 74 vulnerabilities in its E-Business Suite and 56 vulnerabilities in its Fusion Middleware.  

Microsoft closed 113 security holes in Windows, Microsoft Office, the Internet Explorer and Edge browsers, and other apps and tools. Nineteen of the vulnerabilities were rated Critical, 96 Important, five Moderate, and two Low, with nine issues rated differently, depending on the platform. One flaw, CVE 2020-0796, is a remote code execution vulnerability and is currently being used in active attacks, according to Kenna Security.

SAP patched 33 flaws, five of which were given a Common Vulnerability Scoring System rating of 9 or higher. Finally, Intel closed 9 issues in different firmware and software components, Adobe shuttered five security weaknesses, and VMware fixed two issues.

For companies that have moved to remote patch management, the workload should be manageable. Yet many companies were taken by surprise by the need to move employees to remote working, and the sheer number of fixes that need to be deployed this month could cause problems, says AJ Singh, co-founder and vice president of product at NinjaRMM, a remote monitoring and management service. 

"It is definitely a bigger hassle," he says. "And if there is a bad patch that causes issues, companies may have to put boots on the ground to actually fix the devices."

Even without the need to work during a pandemic, the move of many companies to release patches on the same day as Microsoft's original Patch Tuesday may be hurting customers more than helping them. 

Overall, the number of vulnerabilities released annually has more than doubled in the past three years. While that has largely been driven by the fact that more vulnerability reports are issued for a wider variety of products, the number of vulnerabilities released on peak days has also increased, according to Risk Based Security, which calls this perfect storm a Fujiwhara Event.

"I think it does make it more difficult," says Risk Based Security's Kouns. "Most companies — those that are dealing with remote patching before — won't have a problem. But for companies who when you ask, 'why did you adopt cloud?' and they answer, 'because of COVID' — they are going to have problems."

Related Content

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

 

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/4/2020
Abandoned Apps May Pose Security Risk to Mobile Devices
Robert Lemos, Contributing Writer,  5/29/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13768
PUBLISHED: 2020-06-04
In MiniShare before 1.4.2, there is a stack-based buffer overflow via an HTTP PUT request, which allows an attacker to achieve arbitrary code execution, a similar issue to CVE-2018-19861, CVE-2018-19862, and CVE-2019-17601. NOTE: this product is discontinued.
CVE-2020-13849
PUBLISHED: 2020-06-04
The MQTT protocol 3.1.1 requires a server to set a timeout value of 1.5 times the Keep-Alive value specified by a client, which allows remote attackers to cause a denial of service (loss of the ability to establish new connections), as demonstrated by SlowITe.
CVE-2020-13848
PUBLISHED: 2020-06-04
Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote attackers to cause a denial of service (crash) via a crafted SSDP message due to a NULL pointer dereference in the functions FindServiceControlURLPath and FindServiceEventURLPath in genlib/service_table/service_table.c.
CVE-2020-11682
PUBLISHED: 2020-06-04
Castel NextGen DVR v1.0.0 is vulnerable to CSRF in all state-changing request. A __RequestVerificationToken is set by the web interface, and included in requests sent by web interface. However, this token is not verified by the application: the token can be removed from all requests and the request ...
CVE-2020-12847
PUBLISHED: 2020-06-04
Pydio Cells 2.0.4 web application offers an administrative console named “Cells Console� that is available to users with an administrator role. This console provides an administrator user with the possibility of changing several settings, including the applicat...