Patch Tuesday dogged by concerns over Microsoft vulnerability response

The last Patch Tuesday in its current form is overshadowed by persistent concerns about how Microsoft deals with vulnerability disclosure

Microsoft dropped the last Patch Tuesday update in its current form yesterday evening, but security researchers are voicing growing concerns that the Microsoft Security Response Centre (MSRC) is repeatedly dropping the ball when it comes to handling disclosures appropriately.

Yesterday, Computer Weekly and others reported on the experience of Tzah Pahima, an Orca Security researcher, who waited nearly six months – and broke two separate patches – before Microsoft sealed a critical vulnerability in Azure Synapse Analytics.

At the same time, our sister title SearchSecurity.com revealed researchers at Tenable were similarly dissatisfied with Microsoft’s response to the disclosure of two vulnerabilities – coincidentally also in Azure Synapse. They accused Microsoft of lacking transparency in its reporting process.

Via emailed comments, Tenable senior research engineer Claire Tills told Computer Weekly: “On the subject of Microsoft’s troubling pattern of dismissing legitimate security concerns, Tenable researcher Jimi Sebree discovered and disclosed two vulnerabilities in Microsoft’s Azure Synapse Analytics, one of which has been patched and one which has not. Neither of these vulnerabilities was assigned a CVE number or documented in Microsoft’s security update guide for June.”

Sebree wrote of a “major communications disconnect” between MSRC and the team responsible for Azure Synapse.

The researchers’ concerns take on an added sense of urgency given Microsoft’s well-documented response to CVE-2022-30190, the zero-day known as Follina, which was uncovered in late May.

According to the anonymous hacker who uncovered it, a member of the Shadow Chaser threat hunting collective who goes by the handle Crazyman, MSRC dismissed Follina, closed Crazyman’s ticket, and said it was “not a security-related issue”. Follina is a flaw in the Microsoft Support Diagnostic Tool (MSDT) that is reached through the ms-msdt: URL protocol handler from a crafted Office document; it lets an attacker run PowerShell commands in the context of the user who opened the document, and in some delivery paths without the user even opening the file. Being a zero-day that was already under active exploitation, the issue was shown to be very much security-related in short order.

In a statement, Microsoft said: “We are deeply committed to protecting our customers and we believe security is a team sport. We appreciate our partnerships with the security community, which enables our work to protect customers. The release of a security update is a balance between quality and timeliness, and we consider the need to minimise customer disruptions while improving protection.” 

Follina folly fixed

Fortunately for Follina fearers, the vulnerability was indeed fixed in the Patch Tuesday update, one of 61 unique vulnerabilities, and the only one of them known to have come under active exploitation. However, according to Todd Schell of Ivanti, it may have been a somewhat rushed addition to the list.

“This vulnerability has been under attack for several months. This vulnerability fix must have been a late addition this month, because although it shows up in the vulnerabilities list of the Security Guide, it was not shown in the breakdown of CVEs for each patch,” said Schell.
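As an added example, not code from this article or from Microsoft, the following PowerShell check is one a Windows administrator could run on a host after applying the June update to see where it stands on Follina: whether the ms-msdt: protocol handler that the exploit chain relies on is still registered, and which hotfixes have been recorded since Patch Tuesday. Microsoft’s published interim workaround before the fix was to delete the HKEY_CLASSES_ROOT\ms-msdt key, which is what the first check looks for; the default Patch Tuesday date and the requirement for an elevated session are assumptions.

```powershell
# Added example: post-Patch-Tuesday triage of Follina (CVE-2022-30190) exposure on one host.
# Not code from the Computer Weekly article or from Microsoft. Assumes an elevated
# PowerShell 5.1+ session on the Windows host being checked; the -PatchTuesday default
# is an assumption and can be overridden.
param(
    [datetime]$PatchTuesday = [datetime]'2022-06-14'
)

# 1. Is the ms-msdt: URL protocol handler still registered?
#    Microsoft's interim workaround was to delete HKEY_CLASSES_ROOT\ms-msdt (after exporting
#    it). The June fix changed MSDT itself rather than removing the handler, so a registered
#    handler on a patched host is expected and is not by itself a finding.
$handlerKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
if (Test-Path -Path $handlerKey) {
    $command = (Get-ItemProperty -Path "$handlerKey\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    Write-Output "ms-msdt: handler registered; it launches: $command"
} else {
    Write-Output 'ms-msdt: handler not registered (workaround applied)'
}

# 2. Which updates were recorded on or after Patch Tuesday?
#    Get-HotFix only lists updates that register as QFEs, so an empty result means
#    "cross-check the Security Update Guide or WSUS", not "unpatched".
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -ge $PatchTuesday } |
    Sort-Object InstalledOn
if ($recent) {
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    Write-Output "No hotfix recorded since $($PatchTuesday.ToString('yyyy-MM-dd'))"
}
```

Run it as `.\Check-Follina.ps1` or with `-PatchTuesday '2022-06-14'`; the handler check tells you whether the registry workaround is still in place (and should be reverted once the host is patched), while the hotfix list is only a first indicator that the June update has landed.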

Among the other more impactful vulnerabilities addressed in Patch Tuesday’s swansong is CVE-2022-30136, a remote code execution (RCE) vulnerability in Windows Network File System (NFS) that carries a sky-high CVSS score of 9.8. It needs neither authentication nor user interaction, but the attacker must be able to reach the NFS service over the network, so on servers that are not internet-exposed it is of most use to someone who has already gained a foothold inside the network.

Also worthy of note are CVE-2022-30157 and CVE-2022-30158, both RCE vulnerabilities in Microsoft SharePoint Server, which again require an attacker to already hold authenticated access to the SharePoint site in order to exploit them.

Perhaps more likely to be exploited is CVE-2022-30147, an elevation of privilege vulnerability in Windows Installer affecting both desktop and server environments. An attacker who already has code execution as a standard user could use it to gain elevated privileges, for example to exfiltrate data prior to deploying ransomware.

Security teams may also want to prioritise CVE-2022-30163, an RCE vulnerability in Windows Hyper-V. Kev Breen of Immersive Labs commented: “A remote code execution vulnerability in Hyper-V sounds scary when you consider that, if exploited, an attacker could move from a guest virtual machine to the host, accessing all running virtual machines.

“However, Microsoft has marked this vulnerability as less likely to be exploited. This is probably because the complexity is high and requires an attacker to win a race condition. What that condition is, is not disclosed. This one will be of high value to attackers if a method of easily exploiting it is discovered.”

Meanwhile, Allan Liska of Recorded Future reflected on nearly two decades of Patch Tuesday history. He said: “The first Patch Tuesday was released 14 October 2003. Patch Tuesday was originally designed as a way for Microsoft to release all of their patches at the same time and Tuesday was chosen because it gave system administrators time to review and test the patches then get them installed before the weekend.

“The first Patch Tuesday had five vulnerabilities labelled critical by Microsoft, including MS03-046, a remote code execution vulnerability in Microsoft Exchange.

“The more things change, the more they stay the same. For almost 20 years, Patch Tuesday has been a staple for system administrators, IT staff, home users and analysts, but it has also long outlived its usefulness,” he said.

“Microsoft is increasingly reliant on out-of-cycle patch releases because the bad guys are getting better at weaponising vulnerabilities and exploiting those vulnerable systems faster. Abandoning Patch Tuesday will, hopefully, allow Microsoft to respond to new vulnerabilities faster and get patches pushed out sooner,” added Liska.

Autopatch repair, Autopatch replace

From here on out, as previously reported, Patch Tuesday will be augmented by a new automated service, Windows Autopatch, available for Windows Enterprise E3 licences and covering Windows 10, 11 and Windows 365. This is currently in public preview and will be offered as an opt-in. For other users, there is no change to how they receive updates.

This service, which will keep Windows and Office software on enrolled endpoints up to date at no additional cost, was developed in response to the growing complexity of IT environments. That complexity has greatly increased the number and range of vulnerabilities security teams have to deal with, and makes the second Tuesday of the month somewhat fraught.

Microsoft believes that by automating patch management, it can respond to changes in a more timely way. Furthermore, thanks to a dedicated feature called Rings, which rolls each update out progressively, starting with a small test ring of the customer’s own devices for validation before it reaches the broader estate (with the option to pause the rollout or roll the update back should things go pear-shaped), security teams can supposedly be more confident about introducing new patches without causing problems.

This article was updated on 21 June to include a statement from Microsoft and to correct a factual error.
