{"id":36759,"date":"2022-06-15T08:10:00","date_gmt":"2022-06-15T08:10:00","guid":{"rendered":"https:\/\/cloudnewshub.com\/archives\/36759"},"modified":"2022-06-15T08:10:00","modified_gmt":"2022-06-15T08:10:00","slug":"patch-tuesday-dogged-by-concerns-over-microsoft-vulnerability-response","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=36759","title":{"rendered":"Patch Tuesday dogged by concerns over Microsoft vulnerability response"},"content":{"rendered":"<div><img decoding=\"async\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2022\/06\/patch-tuesday-dogged-by-concerns-over-microsoft-vulnerability-response.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p>Microsoft dropped the last Patch Tuesday update in its current form yesterday evening, but security researchers are voicing growing concerns that the Microsoft Security Response Centre (MSRC) is repeatedly dropping the ball when it comes to handling disclosures appropriately.<\/p>\n<p>Yesterday, Computer Weekly and others reported on the experience of Tzah Pahima, an Orca Security researcher, who waited nearly six months \u2013 and broke two separate patches \u2013 before Microsoft sealed <a href=\"https:\/\/www.computerweekly.com\/news\/252521500\/MS-Azure-Synapse-vulnerability-fixed-after-six-month-slog\">a critical vulnerability in Azure Synapse Analytics<\/a>.<\/p>\n<p>At the same time, our sister title SearchSecurity.com revealed researchers at Tenable were similarly dissatisfied with <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/news\/252521454\/Tenable-slams-Microsoft-over-Azure-vulnerabilities\">Microsoft\u2019s response to the disclosure of two vulnerabilities<\/a> \u2013 coincidentally also in Azure Synapse. 
They accused Microsoft of lacking transparency in its reporting process.<\/p>\n<p>Via emailed comments, Tenable senior research engineer Claire Tills told Computer Weekly: \u201cOn the subject of Microsoft\u2019s troubling pattern of dismissing legitimate security concerns, Tenable researcher Jimi Sebree discovered and disclosed two vulnerabilities in Microsoft\u2019s Azure Synapse Analytics, one of which has been patched and one which has not. Neither of these vulnerabilities were assigned CVE numbers or documented in Microsoft\u2019s security update guide for June.\u201d<\/p>\n<p>Sebree wrote of a \u201cmajor communications disconnect\u201d between MSRC and the team responsible for Azure Synapse.<\/p>\n<p>The researchers\u2019 concerns take on an added sense of urgency given Microsoft\u2019s well-documented response to CVE-2022-30190, the zero-day known as Follina, <a href=\"https:\/\/www.computerweekly.com\/news\/252520855\/Researchers-discover-zero-day-Microsoft-vulnerability-in-Office\">which was uncovered in late May<\/a>.<\/p>\n<p>According to the anonymous hacker who uncovered it, a member of the Shadow Chaser threat hunting collective <a href=\"https:\/\/twitter.com\/CrazymanArmy\/status\/1531117401181671430?s=20&amp;t=7xvbwh1HXx2sgPh_ms7IzA\">who goes by the handle Crazyman<\/a>, MSRC dismissed Follina, a zero-click vulnerability in Microsoft Office that enables an attacker to execute PowerShell commands without user interaction, closed Crazyman\u2019s ticket, and said it was \u201cnot a security-related issue\u201d. Being a zero-day, this proved to be <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/news\/252520865\/Microsoft-zero-day-exploited-in-the-wild-workarounds-released\">demonstrably not the case<\/a> in short order.<\/p>\n<p>In a statement, Microsoft said:&nbsp;\u201cWe are deeply committed to protecting our customers and we believe security is a team sport. 
We appreciate our partnerships with the security community, which enables our work to protect customers. The release of a security update is a balance between quality and timeliness, and we consider the need to minimise customer disruptions while improving protection.\u201d&nbsp;<\/p>\n<section class=\"section main-article-chapter\" data-menu-title=\"Follina folly fixed\">\n<h3 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"><\/i>Follina folly fixed<\/h3>\n<p>Fortunately for Follina fearers, the vulnerability was indeed fixed in the Patch Tuesday update, one of 61 unique vulnerabilities, and the only zero-day to have come under active exploitation. However, according to Todd Schell of Ivanti, it may have been a somewhat rushed addition to the list.<\/p>\n<p>\u201cThis vulnerability has been under attack for several months. This vulnerability fix must have been a late addition this month, because although it shows up in <a href=\"https:\/\/msrc.microsoft.com\/update-guide\">the vulnerabilities list of the Security Guide<\/a>, it was not shown in the breakdown of CVEs for each patch,\u201d said Schell.<\/p>\n<p>Among the other more impactful vulnerabilities addressed in Patch Tuesday\u2019s swansong is CVE-2022-30137, a remote code execution (RCE) vulnerability in Windows Network File System, which carries a sky-high CVSS score of 9.8, but may be considered more difficult to exploit because an attacker typically needs to already have network access to take advantage of it.<\/p>\n<p>Also worthy of note are CVE-2022-30157 and CVE-2022-30158, both RCE vulnerabilities in Microsoft SharePoint Server, which again require an attacker to have established initial access to exploit.<\/p>\n<p><span>Perhaps more likely to be exploited is CVE-2022-30147, a privilege escalation vulnerability in Windows Installer affecting both desktop and server environments, 
which could prove useful to attackers seeking admin privileges to \u2013 for example \u2013 exfiltrate data prior to deploying ransomware.<\/span><\/p>\n<blockquote class=\"main-article-pullquote\">\n<p><figure> \u201cA remote code execution vulnerability in Hyper-V sounds scary when you consider that, if exploited, an attacker could move from a guest virtual machine to the host, accessing all running virtual machines. However, Microsoft has marked this vulnerability as less likely to be exploited\u201d <\/figure><figcaption> <strong>Kev Breen, Immersive Labs<\/strong> <\/figcaption><i class=\"icon\" data-icon=\"z\"><\/i> <\/p>\n<\/blockquote>\n<p>Security teams may also want to prioritise CVE-2022-30163, an RCE vulnerability in Windows Hyper-V. Kev Breen of <a href=\"https:\/\/www.immersivelabs.com\/\">Immersive Labs<\/a> commented: \u201cA remote code execution vulnerability in Hyper-V sounds scary when you consider that, if exploited, an attacker could move from a guest virtual machine to the host, accessing all running virtual machines.<\/p>\n<p>\u201cHowever, Microsoft has marked this vulnerability as less likely to be exploited. This is probably because the complexity is high and requires an attacker to win a race condition. What that condition is, is not disclosed. This one will be of high value to attackers if a method of easily exploiting it is discovered.\u201d<\/p>\n<p><span>Meanwhile, Allan Liska of <a href=\"https:\/\/www.recordedfuture.com\/\">Recorded Future<\/a> reflected on nearly two decades of Patch Tuesday history. He said: \u201c<\/span>The first Patch Tuesday was released 14 October 2003. 
Patch Tuesday was originally designed as a way for Microsoft to release all of their patches at the same time and Tuesday was chosen because it gave system administrators time to review and test the patches then get them installed before the weekend.&nbsp;&nbsp;<\/p>\n<p>\u201cThe first Patch Tuesday had <a href=\"https:\/\/www.zdnet.com\/article\/microsoft-releases-monthly-security-fixes\/\">five vulnerabilities labelled critical<\/a> by Microsoft, including <a href=\"https:\/\/docs.microsoft.com\/en-us\/security-updates\/securitybulletins\/2003\/ms03-046\">MS03-046<\/a>, a remote code execution vulnerability in Microsoft Exchange.<\/p>\n<p>\u201cThe more things change, the more they stay the same. For almost 20 years, Patch Tuesday has been a staple for system administrators, IT staff, home users and analysts, but it has also long outlived its usefulness,\u201d he said.<\/p>\n<p>\u201cMicrosoft is increasingly reliant on out-of-cycle patch releases because the bad guys are getting better at weaponising vulnerabilities and exploiting those vulnerable systems faster. Abandoning Patch Tuesday will, hopefully, allow Microsoft to respond to new vulnerabilities faster and get patches pushed out sooner,\u201d added Liska.<\/p>\n<\/section>\n<section class=\"section main-article-chapter\" data-menu-title=\"Autopatch repair, Autopatch replace\">\n<h3 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"><\/i>Autopatch repair, Autopatch replace<\/h3>\n<p><span>From here on out, <a href=\"https:\/\/www.computerweekly.com\/news\/252515909\/Microsoft-patches-two-zero-days-10-critical-bugs\">as previously reported<\/a>, Patch Tuesday will be augmented by a new automated service, Windows Autopatch, available for <\/span>Windows Enterprise E3 licences and covering Windows 10, 11 and Windows 365. This is currently in public preview and will be offered as an opt-in. 
For other users, there is no change to how they receive updates.<\/p>\n<p>This service, which will keep Windows and Office software on enrolled endpoints up to date at no additional cost, was developed in response to the growing complexity of IT environments, which has massively increased the number and scope of vulnerabilities security teams have to deal with, and makes the second Tuesday of the month somewhat fraught.<\/p>\n<p>Microsoft believes that by automating patch management, it can provide a more timely response to changes. Furthermore, thanks to a dedicated feature called Rings, which will \u201ccascade\u201d updates down through a core set of the user\u2019s test devices for testing and validation (including the possibility of rolling the update back should things go pear-shaped), security teams can supposedly be more confident about introducing new patches without causing problems.<\/p>\n<p><em>This article was updated on 21 June to include a statement from Microsoft and to correct a factual error.<\/em><\/p>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft dropped the last Patch Tuesday update in its current form yesterday evening, but security researchers are voicing growing concerns that the Microsoft Security Response Centre (MSRC) is repeatedly dropping the ball when it comes to handling disclosures appropriately. 
Yesterday, Computer Weekly and others reported on the experience of Tzah Pahima, an Orca Security researcher, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":36760,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[533],"tags":[],"class_list":["post-36759","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-it"],"_links":{"self":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/36759","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=36759"}],"version-history":[{"count":0,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/36759\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/media\/36760"}],"wp:attachment":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=36759"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=36759"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=36759"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}