Microsoft's Patch Tuesday falls on the second Tuesday of every month. It is the day dedicated to the distribution of security updates for Windows and all the other software from the Redmond company.
The concept of Patch Tuesday was introduced by Microsoft in 2003, and this year marks 20 years since the launch of the historic initiative. CrowdStrike points out that while the way the program works has remained constant (apart from the release of some emergency Out-of-Band fixes), the world of IT has changed radically from October 2023 to today.
To support remote working, companies have had to adapt quickly to the changes imposed by the digital transition, migrating wholly or in part to the cloud. As a result, with the growing number of endpoints, connected devices, applications and cloud resources to manage, the areas in which vulnerability remediation matters have grown exponentially.
The problem of Microsoft security vulnerabilities 20 years later
The ubiquity of Microsoft products and the growing volume of vulnerabilities affecting them have caused a profound expansion of the attack surface. This should not be surprising, CrowdStrike explains, given the popularity of Microsoft's operating system and software.
Since the start of the Patch Tuesday program, Microsoft has released more than 10,900 patches, most of them in the last few years alone. Since 2016, Microsoft has patched 124 unique zero-day vulnerabilities, over 1,200 unique vulnerabilities classified as “critical” and over 5,300 classified as “important”. More than 630 exploits exist for critical and important vulnerabilities. In 2023 alone, Microsoft released patches for over 800 vulnerabilities. The graph we publish below is eloquent.
These numbers may seem high, but in reality they hide the true extent of the problem. Since 2016, if the more than 1,200 unique critical vulnerabilities for which Microsoft has released patches are counted once for each product they impacted (many affect several products of the company led by Satya Nadella), the total number of critical vulnerabilities would rise to more than 21,000.
While most Microsoft patches address issues affecting multiple products with a single installation, there are always exceptional cases, and the process for addressing them specifically may vary.
Patch Tuesday has become a burden for IT administrators and businesses, according to CrowdStrike
Cyber criminals today are faster and smarter than ever, while the volume of vulnerabilities and the testing and patching process tend to slow down inexorably the teams responsible for the security of corporate networks and devices.
While it is true that the patches Microsoft releases month after month must be applied, their installation can be a source of problems for IT administrators and for the workflows of any enterprise. Patching, we observe, requires a system reboot (apart from a few limited exceptions); furthermore, every month technicians have to check which security updates should be given priority and which can instead be postponed. Not to mention the compatibility, stability and reliability issues that sometimes arise.
“Patch Tuesday is no longer a beacon of hope in the patch chaos. Indeed, it has become the symbol of the nightmare that companies and professionals have to face every month, in the race to define patch priorities, understand the downstream impact and intervene, to act before an attacker is able to exploit these weaknesses”, observes CrowdStrike, which hopes for a paradigm shift. “While Patch Tuesday itself isn’t the problem, it has become symbolic of a larger problem affecting the entire industry. Until companies like Microsoft start to design safer products and to reduce the patch burden, enterprises will need to understand the risks they face and take proactive measures to identify and classify the issues that can cause the most damage”.
Attackers often return to security vulnerabilities that have already been patched in the past
Confirming CrowdStrike’s thesis, which calls for a campaign to improve software security from the inside, even before a vulnerability emerges, the company explains that attackers are increasingly returning to vulnerabilities that have already been addressed by corrective updates in the past. This means the patch did not do its job, because it only partially solved the problem.
CrowdStrike’s 2023 Global Threat Report found that attackers are retrieving and modifying earlier exploit code to attack vulnerable software products again, possibly bypassing the protection provided by official patches.
The company gives a concrete example: the attack techniques used against Microsoft Exchange in the 2021 ProxyLogon and ProxyShell campaigns are being exploited again. The ProxyNotShell attack in late 2022 clearly highlighted this.
What is the solution to the “jungle of patches” released every month by Microsoft
Microsoft is progressively embracing Rust code to strengthen critical areas of the operating system and its other products, recognizing that memory safety is essential. Suffice it to say that 70% of the problems Microsoft technicians discover every year on the software side have to do with this very topic.
In the meantime, however, companies still need to equip themselves with endpoint protection solutions that offer solid patch management, EDR functionality, threat hunting and threat intelligence for immediate response to any incident.
Using a reliable patch management system in your infrastructure lets you focus only on the updates that are critical to your configuration, avoiding wasted time and resources by deploying and applying updates automatically. This matters all the more because the average time companies take to apply patches appears to be too long to counter cyber criminals and their ability to exploit vulnerabilities.
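The monthly triage the article describes (deciding which Patch Tuesday updates get priority, which can be postponed, and which will force a reboot) can be made repeatable with a small scoring rule. The script below is an added example written for this page; it is not code from the article, from CrowdStrike or from Microsoft. The update records, the product inventory and the CVE identifiers (of the form CVE-0000-000N) are constructed placeholders, and the weights given to severity, CVSS score and known exploitation are illustrative assumptions that a team would tune to its own risk appetite.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Update:
    """One Patch Tuesday entry as an admin would see it in a release summary."""
    cve: str              # constructed placeholder, not a real CVE id
    product: str          # product the fix applies to
    severity: str         # Microsoft rating: Critical / Important / Moderate / Low
    cvss: float           # CVSS base score
    exploited: bool       # exploitation observed in the wild
    public_exploit: bool  # exploit code publicly available
    requires_reboot: bool

# Illustrative weights (assumption): vendor severity is the baseline, CVSS adds
# granularity, and evidence of exploitation dominates everything else.
SEVERITY_WEIGHT = {"Critical": 40, "Important": 25, "Moderate": 10, "Low": 5}
APPLY_NOW_THRESHOLD = 80

def score(u: Update) -> int:
    s = SEVERITY_WEIGHT.get(u.severity, 0) + int(u.cvss * 3)
    if u.exploited:
        s += 50          # already being used against real targets
    elif u.public_exploit:
        s += 25          # attackers can reuse existing exploit code
    return s

def build_plan(updates, deployed_products, threshold=APPLY_NOW_THRESHOLD):
    """Filter to the products actually deployed, rank by score and split the
    month's work into an 'apply now' tier and a 'schedule' tier."""
    applicable = [u for u in updates if u.product in deployed_products]
    ranked = sorted(applicable, key=lambda u: (-score(u), u.cve))
    apply_now = [u for u in ranked if score(u) >= threshold]
    schedule = [u for u in ranked if score(u) < threshold]
    # Products that will need a maintenance window this cycle
    reboot_required = sorted({u.product for u in apply_now if u.requires_reboot})
    return {"apply_now": apply_now, "schedule": schedule,
            "reboot_required": reboot_required}

# Constructed sample month (placeholder ids and invented attributes)
SAMPLE_UPDATES = [
    Update("CVE-0000-0001", "Windows Server 2022", "Critical", 9.8, True, True, True),
    Update("CVE-0000-0002", "Microsoft Exchange Server", "Important", 8.8, False, True, False),
    Update("CVE-0000-0003", "Windows 11", "Important", 7.8, False, False, True),
    Update("CVE-0000-0004", "Microsoft SharePoint Server", "Critical", 9.8, False, False, True),
    Update("CVE-0000-0005", "Microsoft Exchange Server", "Critical", 9.1, True, False, False),
]
# Constructed inventory: SharePoint is not deployed, so its update is dropped.
DEPLOYED = {"Windows Server 2022", "Windows 11", "Microsoft Exchange Server"}

if __name__ == "__main__":
    plan = build_plan(SAMPLE_UPDATES, DEPLOYED)
    for tier in ("apply_now", "schedule"):
        print(tier.upper())
        for u in plan[tier]:
            print(f"  {u.cve:14} {u.product:28} score={score(u):3} "
                  f"reboot={'yes' if u.requires_reboot else 'no'}")
    print("Reboot windows needed for:", ", ".join(plan["reboot_required"]))
```

The filtering step is the part that saves the most time in practice: an update for a product that is not in the inventory never reaches the ranking, which is exactly the "focus only on updates critical to your configuration" the article recommends. Feeding the function real inventory data and the vendor's exploitation flags turns the monthly check into a reviewable, repeatable decision rather than a judgement made under time pressure.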
Opening image credit: iStock.com/champpixs