[BreachExchange] To Spread or Not to Spread, That Is the Question

Mon Feb 17 10:26:22 EST 2020

https://www.riskbasedsecurity.com/2020/02/13/to-spread-or-not-to-spread-that-is-the-question/

THE VULNERABILITY FUJIWHARA EFFECT

We recently wrote two posts about the Fujuwhara storm of vendor
disclosures, when the schedules of Microsoft, Oracle and a number of
other vendors all collided. This became a very busy day for IT teams,
and it is happening again in April and July 2020.

A (Disclosure) Sea of Troubles

Even before the recent Microsoft and Oracle disclosure collision, it
has long been the norm for vendors to piggy-back on Patch Tuesday
(originally known as Microsoft Tuesday). Back in October 2003,
Microsoft formalized their release schedule to be on the 2nd Tuesday
of each month. In 2012, Adobe changed their release schedule to
coincide with Microsoft’s release dates. Since then, various vendors
including SAP, Siemens, Schneider Electric, Intel, and Lenovo have
jumped on the bandwagon.

Over the years we’ve had discussions about this with some of these
vendors. Their main argument is that customers requested this, and
that it is in their customers’ best interest that many major vendors
release on the same day. This allows customers to plan ahead and
address everything at once.

Is it really in your best interest, though? Are customers requesting
this? And perhaps, most importantly, is it even possible to address so
many patches all at once?

“There is an advantage in having vendors disclose at known intervals,
but it is becoming a significant problem that so many vendors
piggy-back on the same day. When major vendor disclosures are
scheduled in a way that doesn’t prevent them from clashing, it becomes
even worse for customers who would prefer to focus on select vendor
disclosures like Microsoft and Adobe.”

Carsten Eiram, Chief Research Officer, Risk Based Security

Organizations without a highly mature vulnerability management
program, which includes a vulnerability intelligence solution, have no
efficient way to deal with this short of just starting from one end
and working their way through. This could easily take weeks and may
result in critical vulnerabilities not being addressed in a timely
manner. In the meantime, other critical vulnerabilities coming in
after Patch Tuesday may be outright missed or end up in the backlog
for an undefined amount of time.

Most of our customers we’ve discussed this with have expressed
unhappiness regarding the decision of so many vendors to cram Patch
Tuesday with their releases. Instead, they’d prefer to focus only on
the Microsoft and Adobe disclosures. Though they do appreciate the
predictability of knowing when to expect vendor disclosures, the
consensus is that vendor disclosures should be properly spread out.

Those Who Would Bear the Whips Disclosures and Scorns of Time

We’re very curious about your views. We’ve created a poll that asks:
“Do you prefer that the disclosures all happen on the same day versus
being spread out?” The poll is available on Facebook and Twitter, and
we would greatly appreciate your input.

Risk Based Security at RiskBased

The vulnerability #Fujiwhara effect, when major vendors disclose and
patch on the same day, is expected to hit three times this year.
#Poll: Should #vulnerability disclosures be spread out, or happen on
the same day?

If you’re not yet our customer, and would value access to a
vulnerability intelligence solution that is superior to the basic
vulnerability management products out there, please don’t hesitate to
contact us for a demo and trial account.