March 2023 Patch Tuesday forecast: It’s not about luck
Every month I touch on a few hot topics related to security around patching and some important updates to look out for on the upcoming Patch Tuesday. Diligence to this ongoing patch process, and not luck, is critical to protecting systems and avoiding a security breach.
Patching priority
Ransomware continues to be a major threat, and a recent report provides some interesting supporting statistics. There was a 19% year-over-year increase in 2022 in the number of vulnerabilities associated with ransomware attacks which means that attackers are continuing to investigate and exploit the latest found vulnerabilities.
I mentioned last month there were some discrepancies in the CVSS reported numbers by vendors and the NIST National Vulnerability Database (NVD). This recent report revealed that 57 of the vulnerabilities in active ransomware carry low to medium CVSS numbers but can still cause major issues when exploited.
Basing your patching priority solely on the highest CVSS numbers is a good starting point, but you also need to consider threat intelligence showing which are being exploited and how. But probably the most important finding from an IT perspective, and not unexpected, is that 76% of the vulnerabilities still being exploited are from 2020 and earlier, with some going back to 2012.
Most of these vulnerabilities have patches available, which means that if software vendors have updated their products appropriately and we have implemented the patches properly, our current known attack surface should be reasonably small against active ransomware. Granted, ransomware is just one type of attack we are up against. Still, again, diligence in the patch process on time continues to be the foundation of computer and network security.
Microsoft activity
Microsoft has been active this month in releasing a few announcements, some interesting preview releases, and out-of-band updates. Since the release of Windows 11 22H2, the first major update for Windows 11, they’ve been working on a bug associated with system provisioning. Per Microsoft, “Provisioning packages are .PPKG files which are used to help configure new devices for use on business or school networks.”
There have been a few interim attempts to fix this issue, but in a preview released this month it appears to be resolved. We can expect this fix to be included in next week’s updates. Microsoft also released a preview of their ‘Moment 2’ cumulative update recently which includes feature updates to the Windows Taskbar, desktop links to iOS for Apple phones, a new tabbed Windows Notepad and much more. This will be included in the March update for Windows 11 so be prepared.
And as a reminder, the ‘Moment’ updates are Microsoft’s new approach to providing smaller features outside of the annual update. The Windows 11 Moment 1 update came in October last year. And finally on a lesser note, Microsoft released the out-of-band update KB 5019178 for security vulnerabilities in some Intel processors for Windows 11. This is a distribution of microcode updates that Intel released under INTEL-SA-0615 as a stale data update.
March 2023 Patch Tuesday forecast
- The February release was small in terms of CVEs addressed as predicted with only 33 in Windows 11 and Server 2012, and 36 in Windows 10. I expect this trend to continue in March for the operating systems as the focus has been on the performance bug fixes and the Moment release as I mentioned previously. Don’t expect any .NET framework or SQL updates for a while.
- There hasn’t been an update for Adobe Acrobat or Reader since the major update in January, so we could see a minor update this month.
- Apple Big Sur, Ventura, and Safari were updated in mid-February so don’t expect another one next week, but be on the lookout for a possible Monterey update.
- Google released Chrome 112 Desktop into all their beta channels for Windows, Linux and macOS this week, so there could be a formal release next week.
- Mozilla seems to be synching up with Patch Tuesday of late so expect updates for Firefox, Firefox ESR, and Thunderbird next week.
It looks to be a fairly light Patch Tuesday from a security perspective for next week. Deploy all your updates in a timely fashion and you should be able to relax on Friday and enjoy St Patrick’s Day with a beverage of your choice knowing you are not counting on luck for system security!