[BreachExchange] A Familiar Storm Approaches: April 14th’s Vulnerability Fujiwhara Event

[Destry Winant]

https://www.riskbasedsecurity.com/2020/04/08/a-familiar-storm-approaches-april-14ths-vulnerability-fujiwhara-event/

 Back in January, we first warned organizations about the
Vulnerability Fujiwhara Effect that will hit three times this year.
These major security events, in which Microsoft, Oracle and other
multiple large vendors disclose vulnerabilities in popular products on
the same day, pose a particular challenge for Vulnerability Management
teams who are left analyzing and prioritizing hundreds of disclosures
before remediation can even begin. We have already seen the impacts of
the first storm that occurred on January 14th.

The next Fujiwhara will hit organizations on April 14th, 2020.

What We Observed From The First Storm

Microsoft’s monthly Patch Tuesday has proven to be a very busy day for
IT teams, as many vendors have adopted the same routine. The first
such event of the year, on January 14th, saw the following vendors
participate in Patch Tuesday:

- Microsoft
- Oracle
- Adobe
- SAP
- Siemens
- Schneider Electric
- Symantec
- Apache
- VMWare
- Intel
- F5

Starting at 2:00 AM EST, our VulnDB team began the long day which
consisted of analyzing and publishing new vulnerability reports to our
customers, and updating an additional 300+ entries. Among the
disclosed vulnerabilities were a number of high-profile ones such as
the Microsoft pre-auth RCE vulnerability and the 0-day vulnerability
in the IE scripting engine, however there were many others that
deserved the same scrutiny.

Here is a visual breakdown based on CVSS severity of all the
vulnerabilities pushed out during the first storm:

A High of 500+, With Lows Around 300

Even with companies such as Google announcing that they would pause
upcoming Chrome and Chrome OS release, they stated that they would
continue to prioritize any updates related to security. This is for
good reason as the discovery and disclosure of vulnerabilities doesn’t
pause for the Coronavirus pandemic, of course. The upcoming storm next
week will be hitting organizations hard on April 14th despite the
ongoing business disruption faced by organizations and their security
teams.

In our recent Vulnerability Management In the Time of a Pandemic we
touched on the topic, noting that for each of the remaining two
Vulnerability Fujiwhara events of the year, organizations could expect
to see, on the high end, 500 or more vulnerabilities disclosed. That
is a significant increase when compared to the average number of newly
published vulnerabilities in a day, which typically is around 60. Even
for large organizations, processing these new “Patch Tuesday”
disclosures can take weeks, and that’s with a well-funded and
coordinated team. The hours required for IT security teams to collect,
analyze, triage, and then address the coming vulnerabilities will be
considerable.

2020: A COMPLICATED SITUATION

If there wasn’t enough going on already, organizations must somehow
manage the coming Vulnerability Fujiwhara Effect despite the current
business disruption and pressure on security budgets. If Risk
Management teams do not have the resources they need to manage the
staggering volume of vulnerabilities that are coming, analysis and
remediation will inevitably be slower, putting organizations at risk.

Organizations may also face increased exposure to data breaches at
this time as research has shown that cybercrime increases during a
recession. So far, we have seen over 700 organizations face lawsuits
after suffering a data breach, and we believe that the number is
drastically under-reported. While some security regulations have been
relaxed due to the ongoing pandemic, organizations need to ensure that
their security teams can perform necessary patching and remediation to
keep systems secure to avoid any potential legal fallout.

Equip Your Teams With The Intelligence That They Need

At times like these, Better Data Matters® and is even more important.
Organizations will greatly benefit from a comprehensive source of
vulnerability intelligence, so that their security teams can spend
less time on vulnerability assessment, and more time on vulnerability
management.

If you do not have the proper intelligence and processes in place,
don’t hesitate to reach out. Ensure that you are properly equipped to
not only deal with the upcoming storm on April and July 14th, but also
the daily vulnerability reports that may impact your organization. If
we can help you with that, get in touch.

For a focused look into the state of vulnerability intelligence, as
well as further information on how to prepare for this upcoming Patch
Tuesday including insights on 2020, please view our webinar which is
available on demand.