Patch Tuesday falls on Valentine’s Day this year but will it be a special date? While there have been ongoing cyber-attacks of all kinds, it has been relatively quiet on the release of new patches from Microsoft. Expect that trend to continue next week though we may have some updates from Google and Mozilla to fill out the day.
An old vulnerability in VMware ESXi being targeted by new ransomware has been the hot topic this month. VMware released a patch back in February 2021 that addressed CVE-2021-21974, a heap-overflow vulnerability which can allow remote code execution.
This vulnerability exists in the Open Service Location Protocol (OpenSLP) service and, as an additional mitigation following the 2021 disclosure, VMware began shipping ESXi with this service disabled by default to provide out-of-the-box protection. VMware's published workaround for hosts that cannot be patched immediately is the same: stop the SLP service and block its firewall ruleset. The most recent exploitation of this vulnerability was reported in early February and is referred to as the ESXiArgs attack. Ransomware has surfaced which uses this vulnerability to gain access to the ESXi hypervisor, then encrypts many of the file types associated with the hosted virtual machines, such as virtual disk and configuration files.
The US Cybersecurity and Infrastructure Security Agency (CISA) has released a recovery script which may help to recover some of the affected virtual machines, but they warned to review the README file carefully before running the tool. The fact that an older vulnerability like this is still open and being exploited shows many organizations are slow to fix and update potentially critical infrastructure systems. This can be due to unawareness of the issue, the 'don't touch it if it isn't broke' mentality, the need to stay on a specific version for business operations compatibility, or perhaps even the procrastination I mentioned last month, but in all cases it puts the company at risk of interruption at the least and exploitation at worst.
We all must prioritize the updates we deploy each month in some manner. For many, the Common Vulnerability Scoring System (CVSS) from FIRST has been the driving force in that process. One of the major objectives behind the calculation of the actual CVSS number is to ensure standardization so all CVEs are scored consistently and can be accurately compared.
The higher the CVSS score for a vulnerability and its associated patch, the more critical it is to deploy in most environments. I was quite surprised to see the results of an analysis of CVSS scores in a recent article, which showed a discrepancy for nearly 20% of scored CVEs (about 25,000). This was based on a comparison of the scores reported in the NIST National Vulnerability Database (NVD) and those reported directly by the vendors themselves.
On the surface, it appears there is some discretion in the metric values (attack vector, privileges required, and so on) that are chosen to compute the overall CVSS number, so two analysts can arrive at different scores for the same flaw. One important point to keep in mind is that vendors have historically assigned their own severity terminology, such as critical, important, etc. Using vendor severity as a prioritization mechanism may work well when comparing all patches from a given vendor, but it does not always provide an accurate comparison of patches between vendors.
In fact, many use different terminology entirely. Likewise, vendor severity does not always track the CVSS score: many zero-day vulnerabilities are rated 'Important' by Microsoft yet carry high CVSS numbers. Regardless of the methodology used to prioritize the available updates, and especially if you see a conflict in results such as differing CVSS numbers, you should always consider the risk in terms of YOUR environment. You know your systems best, and when in doubt you should patch those which are most critical.
It's been a quiet month for releases since last Patch Tuesday. Microsoft released an out-of-band non-security update for .NET Framework and .NET Core to address display issues with XPS document files. These releases will not install via Windows Update but can be obtained through the Microsoft Update Catalog. We'll need to see if they become part of the general patch release next week.
February 2023 Patch Tuesday forecast
- Microsoft delivered on my prediction to address a large number of CVEs last month for the Windows 7 and Server 2008 ESU closeout. Even Windows 11 and Windows 10 had 66 and 64 CVEs addressed respectively. I suspect there will be fewer CVEs addressed this month as they have caught up a bit, so expect a light set of updates for all the server and desktop operating systems.
- Adobe released their large quarterly update for Acrobat and Reader last Patch Tuesday, so only expect a minor update this month.
- Apple released another set of updates for Ventura, Monterey, Big Sur, iOS, and Safari in late January. I don't expect any updates for next week.
- Google released Chrome 111 into all their beta channels this week, so get ready for formal release next week.
- Mozilla will most likely have new security updates for Firefox, Firefox ESR, and Thunderbird next week or soon thereafter.
The anticipated updates for next week look very manageable, so you should have some time to spend at the end of the day with someone you love! Enjoy!