Microsoft dropped the last ever Patch Tuesday update – at least in its current form – yesterday evening, but security researchers are voicing growing concerns that the Microsoft Security Response Centre (MSRC) is repeatedly dropping the ball when it comes to handling disclosures appropriately.
Yesterday, Computer Weekly and others reported on the experience of Tzah Pahima, an Orca Security researcher, who waited nearly six months – and broke two separate patches – before Microsoft sealed a critical vulnerability in Azure Synapse Analytics.
At the same time, our sister title SearchSecurity.com revealed researchers at Tenable were similarly dissatisfied with Microsoft’s response to the disclosure of two vulnerabilities – coincidentally also in Azure Synapse. They accused Microsoft of lacking transparency in its reporting process.
Via emailed comments, Tenable senior research engineer Claire Tills told Computer Weekly: “On the subject of Microsoft’s troubling pattern of dismissing legitimate security concerns, Tenable researcher Jimi Sebree discovered and disclosed two vulnerabilities in Microsoft’s Azure Synapse Analytics, one of which has been patched and one which has not. Neither of these vulnerabilities were assigned CVE numbers or documented in Microsoft’s security update guide for June.”
Sebree wrote of a “major communications disconnect” between MSRC and the team responsible for Azure Synapse.
The researchers’ concerns take on an added sense of urgency given Microsoft’s well-documented response to CVE-2022-30190, the zero-day known as Follina, which was uncovered in late May.
According to the anonymous hacker who uncovered it, a member of the Shadow Chaser threat hunting collective who goes by the handle Crazyman, MSRC dismissed Follina, a zero-click vulnerability in Microsoft Office that enables an attacker to execute PowerShell commands without user interaction, closed Crazyman’s ticket, and said it was “not a security-related issue”. Being a zero-day, this proved to be demonstrably not the case in short order.
Computer Weekly reached out to Microsoft with questions about its disclosure procedures but had not received a response at the time of publication.
Final fling fixes Follina folly
Fortunately for Follina fearers, the vulnerability was indeed fixed in the last Patch Tuesday update, one of 61 unique vulnerabilities, and the only zero-day to have come under active exploitation. However, according to Todd Schell of Ivanti, it may have been a somewhat rushed addition to the list.
“This vulnerability has been under attack for several months. This vulnerability fix must have been a late addition this month, because although it shows up in the vulnerabilities list of the Security Guide, it was not shown in the breakdown of CVEs for each patch,” said Schell.
Among the other more impactful vulnerabilities addressed in Patch Tuesday’s swansong is CVE-2022-30137, a remote code execution (RCE) vulnerability in Windows Network File System. It carries a sky-high CVSS score of 9.8, but may be considered more difficult to exploit because an attacker typically needs to already have network access to take advantage of it.
Also worthy of note are CVE-2022-30157 and CVE-2022-30158, both RCE vulnerabilities in Microsoft SharePoint Server, which again require an attacker to have established initial access to exploit.
Perhaps more likely to be exploited is CVE-2022-30147, a privilege escalation vulnerability in Windows Installer affecting both desktop and server environments, which could prove useful to attackers seeking admin privileges to – for example – exfiltrate data prior to deploying ransomware.
Security teams may also want to prioritise CVE-2022-30163, an RCE vulnerability in Windows Hyper-V. Kev Breen of Immersive Labs commented: “A remote code execution vulnerability in Hyper-V sounds scary when you consider that, if exploited, an attacker could move from a guest virtual machine to the host, accessing all running virtual machines.
“However, Microsoft has marked this vulnerability as less likely to be exploited. This is probably because the complexity is high and requires an attacker to win a race condition. What that condition is, is not disclosed. This one will be of high value to attackers if a method of easily exploiting it is discovered.”
Meanwhile, Allan Liska of Recorded Future reflected on nearly two decades of Patch Tuesday history. He said: “The first Patch Tuesday was released 14 October 2003. Patch Tuesday was originally designed as a way for Microsoft to release all of their patches at the same time and Tuesday was chosen because it gave system administrators time to review and test the patches then get them installed before the weekend.
“The first Patch Tuesday had five vulnerabilities labelled critical by Microsoft, including MS03-046, a remote code execution vulnerability in Microsoft Exchange.
“The more things change, the more they stay the same. For almost 20 years, Patch Tuesday has been a staple for system administrators, IT staff, home users and analysts, but it has also long outlived its usefulness,” he said.
“Microsoft is increasingly reliant on out-of-cycle patch releases because the bad guys are getting better at weaponising vulnerabilities and exploiting those vulnerable systems faster. Abandoning Patch Tuesday will, hopefully, allow Microsoft to respond to new vulnerabilities faster and get patches pushed out sooner,” added Liska.
Autopatch repair, Autopatch replace
From here on out, as previously reported, Patch Tuesday will be replaced by a new automated service, Windows Autopatch, available for Windows Enterprise E3 licences and covering Windows 10, 11 and Windows 365.
This service, which will keep Windows and Office software on enrolled endpoints up to date at no additional cost, was developed in response to the growing complexity of IT environments, which has massively increased the number and scope of vulnerabilities security teams have to deal with, and makes the second Tuesday of the month somewhat fraught.
Microsoft believes that by automating patch management, it can provide a more timely response to changes. Furthermore, thanks to a dedicated feature called Rings, which will “cascade” updates down through a core set of the user’s test devices for testing and validation (including the possibility of rolling the update back should things go pear-shaped), security teams can supposedly be more confident about introducing new patches without causing problems.