BreachExchange mailing list archives
2020: The Vulnerability Fujiwhara Effect – Oracle and Microsoft Collide
From: Destry Winant <destry () riskbasedsecurity com>
Date: Thu, 9 Jan 2020 09:04:23 -0600
https://www.riskbasedsecurity.com/2020/01/08/2020-the-vulnerability-fujiwhara-effect-oracle-and-microsoft-collide/

Whether you are working in IT or not, you’re probably familiar with Microsoft’s Monthly Patch Tuesday. Introduced in 2003, this is when the software giant releases updates and patches for its software products. As we discussed in September 2018, we have seen more and more vendors piggybacking on this approach and releasing their own patches on the same day.

Now, with 2020 barely underway, we kick off the year with an almost-unprecedented schedule of substantial releases of new patches to fix known vulnerabilities. When two hurricanes collide, the phenomenon is called the Fujiwhara effect. The vulnerability intelligence world is about to experience just such an event, on steroids, as the release dates for several major vendors, including Oracle and Microsoft, collide. This event, which last occurred in 2014, will happen three times this year. What makes this event unprecedented is that organizations face an impending collision between six vendors. Organizations, and their vulnerability intelligence teams, are in for a rough year.

As per the norm, next Tuesday, January 14th, 2020, several prominent vendors will be disclosing a long list of vulnerabilities that organizations will have to assess. But what is making this coming Patch Tuesday even more significant is the impending collision. In addition to the expected Microsoft patches, Oracle will be releasing their quarterly Critical Patch Updates as well. These two vendors are in addition to several others that co-opted “Patch Tuesday” years ago, including Adobe.

2020 Vulnerability Fujiwhara Effect Dates
- January 14th, 2020
- April 14th, 2020
- July 14th, 2020

On the surface this may seem like a positive thing, and is certainly an improvement on uncoordinated disclosures (still referred to as “irresponsible disclosure” by many vendors and described as a situation that “hurts customers”).

But as more vendors have gravitated towards releasing on Patch Tuesday, organizations are now being subjected to the routine updates of six vendors on the same day, with the possibility of an additional seven. This is in stark contrast to the normal day of vulnerability disclosures.

“The amount of vulnerability work that is going to be dropped in the laps of already overloaded IT and cyber security teams is going to be massive.”
Jake Kouns, Co-founder and Chief Information Security Officer, RBS

Last month on Microsoft Patch Tuesday, our VulnDB research team analyzed and published 188 new vulnerabilities in a single day. With Oracle now planning to release on the same day, we expect vulnerability teams will have to aggregate and review a massive list (perhaps doubled) of what will most likely be critical database and product vulnerabilities.

“Even in a best-case scenario, with a well-staffed team, this will take weeks. Most large organizations won’t be able to handle it at all.”
Brian Martin, Vice President of Vulnerability Intelligence, RBS

It can’t be ignored that there is a clear and substantial risk to organizations that do not have the necessary vulnerability intelligence and processes in place to enable the handling of the large volume of vulnerabilities being disclosed. If you are using any of the following vendors, we suggest that you prepare for the impending storms:

CONFIRMED
- Microsoft
- Oracle
- Adobe
- SAP
- Siemens
- Schneider Electric

POTENTIAL
- Google
- Apple
- Mozilla
- Intel
- Cisco
- F5
- Juniper

At Risk Based Security, we have seen these vulnerability storms building for many years now and are prepared for our customers. We have taken the necessary steps to ensure that VulnDB continues to be the most comprehensive source of detailed and timely vulnerability intelligence.
There’s never been a better time to see the power of VulnDB, and how it would help your organization handle this perfect storm of vulnerabilities that are coming, starting January 14th.