[BreachExchange] 2020 Vulnerability Fujiwhara: The Writing on the Wall

[Destry Winant]

https://www.riskbasedsecurity.com/2020/09/21/2020-vulnerability-fujiwhara-the-writing-on-the-wall/

In January, Risk Based Security published a blog warning about the upcoming
“Vulnerability Fujiwhara”, a term we adopted for the colliding of Oracle
and Microsoft patches on the same day. These Vulnerability Fujiwhara would
be a completely different beast compared to usual “Patch Tuesday” events,
which had already become the conglomeration of as many as a dozen vendors
all releasing patches at once. But with the inclusion of Oracle, who
typically releases over 400 patches in a single day, these Fujiwhara storms
would undoubtedly become a significant event in the lives of IT staff.

These Fujiwhara events are typically rare, but 2020 saw three of them:
January 14, April 14, and July 14. The last two observed pre-2020 Fujiwhara
events occurred in 2015 and the next two will be seen in 2025 – beginning
on January 14! That illustrates just how infrequent these events are and
why they stand out as a point of stress and additional risk for
organizations. It is also important to note that 2015’s single Fujiwhara
event saw a total of 277 disclosed vulnerabilities from all reports that
day, less than half of what we saw from the April Fujiwhara this year.

That big increase is precisely the reason Risk Based Security sounded the
alarm on these three days. During April’s Fujiwhara event we saw 506 new
vulnerabilities reported, 79% of which came from seven vendors. Compared to
other Patch Tuesdays this year, the highest reported “only” 273 new
vulnerabilities on June 9th. These Fujiwhara incidents, even though there
are just three this year, are the writing on-the-wall so to speak. In the
coming years, these increased totals will steadily become the norm.

Even if companies have been forced to become acclimated to already large
coordinated patch days, how many vulnerability disclosures can they handle
before it simply is too much? What is absurd about where we find ourselves
is that the vendors creating the vulnerable software that put its paying
customers at risk are also the ones creating the circumstance that adds
additional risk. Perhaps “business as usual” needs to be re-examined.

Fujiwhara By The Numbers

While Patch Tuesday originated with Microsoft, Adobe began releasing on the
same day around 2012. In more recent years, additional vendors have begun
to join the fray and reliably release on those days as well. They include
SAP, Siemens, and Schneider Electric. To make the day more “convenient”,
other vendors such as Apple, Mozilla, Intel, Cisco, and others sometimes
participate in the festivities. As we saw with the latest Fujiwhara (July
14), Apple ended up releasing 27 new vulnerabilities, and Cisco 32, turning
that event into a 48 hour, non-stop stream of triage for organizations.
Although July’s event falls outside of the mid year, here is what all three
Fujiwhara incidents look like by the numbers:

As you can see, just two days accounted for 818 vulnerabilities, or 7.3% of
the entire mid year’s disclosures so far. However, if we include July’s
Fujiwhara event (which falls after the mid-year reporting period in this
report), three days will have been responsible for 10.5% of all 2020
vulnerabilities – 13% if you factor in the following day for each. In the
middle of a global pandemic with many teams working with reduced staff,
that is an incredible number of issues that must go through the triage
process.

Tuesday is Now 48 Hours Long

Around the inception of Patch Tuesday, we saw Microsoft and Adobe normally
release a substantial number of vulnerabilities in the span of a few hours
– a habit that they have kept since. Our research team knew that it would
take a few hours to process the information and then we would move on with
the rest of the day. However, over time, as more vendors began to adopt the
Patch Tuesday movement, that window of expected disclosures has increased
dramatically.

Whenever Oracle is involved, we know that we are in for a long day as they
tend to release at the end of business hours (EST). Once SAP joined the
fray, it further extended our hours considerably as they typically release
in the early hours of the morning US time. With just these two vendors
alone, our dedicated and fully staffed team is often looking at an 18 – 20
hour day. Does this experience sound familiar? If your organization is
performing its own vulnerability research it should be all too familiar.
When additional vendors are part of the mix, the sheer volume can cause us
to perform triage and prioritize which entries we process first. The
increased volume makes it easy for us to envision a full 24 hour cycle
doing nothing but Patch Tuesday vulnerabilities.

In some cases, we may all need to block out a portion of Wednesday as well.
A day after July 14th’s Fujiwhara incident, we ran into the situation where
Cisco and Apple released a total of 59 vulnerabilities between them. That
meant that between Tuesday and Wednesday we saw a grand total of 623 new
vulnerabilities, creating a 48-hour cycle of disclosures.

Unfortunately for all of us, the writing is on the wall. This is likely
something we can expect to occur more frequently in the future, even
without the Vulnerability Fujiwhara effect. We have to ask, “Who benefits
from this all-at-once disclosure of vulnerabilities?” Certainly not the
paying customers. Due to the workload this places on IT departments, an
unintended beneficiary may well be the bad actors waiting in the wings to
exploit the newly released vulnerabilities. Are the software vendors
looking to hide their releases in the crowd? If so, we’ll do our best not
to let that happen.

About the QuickView Report and VulnDB

The quarterly Vulnerability QuickView report is a service of VulnDB, which
is the world’s most comprehensive, detailed and timely source of
vulnerability intelligence and third-party library monitoring.

It provides actionable intelligence about the latest in security
vulnerabilities through an easy-to-use SaaS portal, RESTful APIs, and
e-mail alerting. Leveraging VulnDB is simpler than ever with our connectors
to Splunk, RSA Archer, ServiceNow, GitHub, Polarity, Brinqa, Device42,
Recorded Future, and more.

Request a Demo <https://www.riskbasedsecurity.com/contact/>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20200922/1f614025/attachment.html>