[BreachExchange] 2020: The Vulnerability Fujiwhara Effect – Oracle and Microsoft Collide

Destry Winant destry at riskbasedsecurity.com
Thu Jan 9 10:04:23 EST 2020


https://www.riskbasedsecurity.com/2020/01/08/2020-the-vulnerability-fujiwhara-effect-oracle-and-microsoft-collide/

Whether you work in IT or not, you are probably familiar with
Microsoft's monthly Patch Tuesday. Introduced in 2003, it falls on
the second Tuesday of each month, when the software giant releases
updates and patches for its software products. As we discussed in
September 2018, more and more vendors have been piggybacking on this
approach and releasing their own patches on the same day. Now, with
2020 barely underway, we kick off the year with an almost
unprecedented schedule of substantial releases of new patches to fix
known vulnerabilities.

When two hurricanes collide, the phenomenon is called the Fujiwhara
effect. The vulnerability intelligence world is about to experience
just such an event, on steroids, as the release dates of several
major vendors, including Oracle and Microsoft, collide. A
Microsoft/Oracle collision last occurred in 2015 and will happen
three times this year. What makes 2020 unprecedented is that
organizations face a collision between six vendors at once.
Organizations, and their vulnerability intelligence teams, are in for
a rough year.

As usual, next Tuesday, January 14th, 2020, several prominent vendors
will disclose a long list of vulnerabilities that organizations will
have to assess. What makes this Patch Tuesday even more significant
is the impending collision: in addition to the expected Microsoft
patches, Oracle will release its quarterly Critical Patch Update on
the same day. These two vendors join several others that co-opted
"Patch Tuesday" years ago, including Adobe.

2020 Vulnerability Fujiwhara Effect Dates

- January 14th, 2020
- April 14th, 2020
- July 14th, 2020
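
The three dates above follow from two release rules: Microsoft ships on the second Tuesday of the month, and Oracle ships its Critical Patch Update on the Tuesday closest to the 17th of January, April, July and October. The script below is an added illustration, not part of the RBS post; it encodes both rules and lists the collision dates for any year, so a vulnerability team can see the whole planning horizon rather than a single year. The Oracle rule is taken from Oracle's published CPU schedule, which the post does not spell out, and is labelled as an assumption in the code.

```python
import calendar
from datetime import date, timedelta

QUARTERLY_CPU_MONTHS = (1, 4, 7, 10)  # Oracle Critical Patch Update months


def second_tuesday(year: int, month: int) -> date:
    """Microsoft Patch Tuesday: the second Tuesday of the month."""
    first = date(year, month, 1)
    # Days from the 1st to the first Tuesday (weekday(): Monday=0 ... Tuesday=1).
    to_first_tuesday = (calendar.TUESDAY - first.weekday()) % 7
    return first + timedelta(days=to_first_tuesday + 7)


def oracle_cpu_tuesday(year: int, month: int) -> date:
    """Oracle CPU day: the Tuesday closest to the 17th of Jan/Apr/Jul/Oct.

    Assumption of this example: this is Oracle's published CPU schedule,
    not something stated in the post itself.
    """
    if month not in QUARTERLY_CPU_MONTHS:
        raise ValueError("Oracle CPUs are released in January, April, July and October")
    anchor = date(year, month, 17)
    back = (anchor.weekday() - calendar.TUESDAY) % 7     # days back to the previous Tuesday
    forward = (calendar.TUESDAY - anchor.weekday()) % 7  # days ahead to the next Tuesday
    # back + forward is 7 (odd) unless the 17th is itself a Tuesday, so there are no ties.
    if back <= forward:
        return anchor - timedelta(days=back)
    return anchor + timedelta(days=forward)


def collisions(year: int) -> list[date]:
    """Dates in `year` on which Microsoft and Oracle release on the same Tuesday."""
    hits = []
    for month in QUARTERLY_CPU_MONTHS:
        ms_day = second_tuesday(year, month)
        if ms_day == oracle_cpu_tuesday(year, month):
            hits.append(ms_day)
    return hits


def collision_years(start: int, end: int) -> dict[int, list[date]]:
    """Map each year in [start, end] that has at least one collision to its dates."""
    return {y: collisions(y) for y in range(start, end + 1) if collisions(y)}


if __name__ == "__main__":
    for day in collisions(2020):
        print(day.isoformat())
```

Running it for 2020 prints 2020-01-14, 2020-04-14 and 2020-07-14, and nothing for October, where Microsoft lands on the 13th and Oracle on the 20th. The two rules only meet when the second Tuesday is the 14th, which happens exactly when the month begins on a Wednesday; `collision_years` makes that pattern visible across a range of years for capacity planning.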

On the surface this may seem like a positive thing, and it is
certainly an improvement on uncoordinated disclosures (still referred
to as "irresponsible disclosure" by many vendors and described as a
situation that "hurts customers"). But as more vendors have
gravitated towards releasing on Patch Tuesday, organizations are now
subjected to the routine updates of six vendors on the same day, with
the possibility of an additional seven. This is in stark contrast to
a normal day of vulnerability disclosures.

“The amount of vulnerability work that is going to be dropped in the
laps of already overloaded IT and cyber security teams is going to be
massive.”

Jake Kouns, Co-founder and Chief Information Security Officer, RBS

Last month on Microsoft Patch Tuesday, our VulnDB research team
analyzed and published 188 new vulnerabilities in a single day. With
Oracle now releasing on the same day, we expect vulnerability teams
will have to aggregate and review a massive list, perhaps double that
size, of what will most likely be critical database and product
vulnerabilities.

“Even in a best-case scenario, with a well-staffed team, this will
take weeks. Most large organizations won’t be able to handle it at
all.”

Brian Martin, Vice President of Vulnerability Intelligence, RBS

Organizations that lack the vulnerability intelligence and processes
needed to handle this volume of disclosures face a clear and
substantial risk that cannot be ignored.

If you are using any of the following vendors, we suggest that you
prepare for the impending storms:

CONFIRMED

- Microsoft
- Oracle
- Adobe
- SAP
- Siemens
- Schneider Electric

POTENTIAL

- Google
- Apple
- Mozilla
- Intel
- Cisco
- F5
- Juniper

At Risk Based Security, we have seen these vulnerability storms
building for many years now and are prepared for our customers. We
have taken the necessary steps to ensure that VulnDB continues to be
the most comprehensive source of detailed and timely vulnerability
intelligence.

There’s never been a better time to see the power of VulnDB, and how
it would help your organization handle this perfect storm of
vulnerabilities that are coming, starting January 14th.
