[BreachExchange] Businesses brace for second 'Fujiwhara effect' of 2020 as Patch Tuesday looms

Destry Winant destry at riskbasedsecurity.com
Mon Apr 13 10:26:34 EDT 2020


Software giants will release fixes for hundreds of bugs in unison for
the second time this year, at a time when IT teams are already under
pressure from mass adoption of remote working and surging cyber crime.

The forthcoming Patch Tuesday, on 14 April, will see fixes for as many
as 500 vulnerabilities released by the likes of Microsoft and Oracle, an
overlap of vendor release schedules dubbed the ‘Fujiwhara effect’. Such
an event is ordinarily rare: the last one before 2020 occurred in 2014.

This year has been no stranger to such overlapping releases, with
Tuesday representing the second ‘Fujiwhara effect’ of 2020, according
to Risk Based Security, which expects a third to hit on 14 July.

Such a concentration of bug fixes poses a challenge for security teams,
who must analyse and prioritise hundreds of disclosures before
remediation can even begin.

Forecasts put the number of fixes released this Tuesday at 300 to more
than 500, well above the normal rate of roughly 60 vulnerabilities
disclosed per day.

“Even for large organizations, processing these new ‘Patch Tuesday’
disclosures can take weeks, and that’s with a well-funded and
coordinated team,” said Risk Based Security. “The hours required for
IT security teams to collect, analyze, triage, and then address the
coming vulnerabilities will be considerable.

“If there wasn’t enough going on already, organizations must somehow
manage the coming Vulnerability Fujiwhara Effect despite the current
business disruption and pressure on security budgets.”

The term is borrowed from meteorology, where the Fujiwhara effect
describes two tropical cyclones that pass close enough to orbit one
another and, in some cases, merge.

The last cyber security ‘Fujiwhara effect’, on 14 January, saw more
than ten major software vendors release patches on the same day,
including Adobe, SAP, Schneider Electric, VMware and Intel as well as
Oracle and Microsoft.

The release of so many patches at once, numbering more than 300, saw
IT and security teams across the world scramble to implement updates
to their business-critical systems.

Among these fixes was Microsoft's patch for an "extraordinarily serious"
cryptographic flaw in the crypt32.dll Windows component, the library
that handles certificate validation and cryptographic messaging for
Windows; organisations such as the US military were given advance
access to the fix.

Three months on, organisations face arguably greater challenges than
ever in the economy and the labour market, while cyber security threats
have increased significantly over the last few weeks.

The UK’s National Cyber Security Centre (NCSC) this week issued a joint
advisory with US cyber security authorities warning businesses of a
surge in cyber criminal activity, most of it attempting to exploit the
coronavirus pandemic.
