The answer to the question “Why does software continue to have so many vulnerabilities?” is complex, because the software itself is so complex.
Many articles have covered the contributing factors, to name but a few: the lack of tools for testing for vulnerabilities, the security knowledge and experience of the developers themselves, the endless variations of interactions between operating systems and applications, and the complexity of the network environments into which the software is deployed.
Ongoing research continues to find more vulnerabilities and, occasionally, some insight into how to remove them before they reach the wild. Still, it is a race to stay ahead of the relentless threat.
Zero Day Initiative
The Zero Day Initiative (ZDI) is one research program that contributes to the early discovery of vulnerabilities and shares its findings with vendors for a quick response. Researchers are incentivized through a bug bounty, and confidentiality is strictly maintained until the vendor has provided a fix.
The ZDI hosted its Pwn2Own Vancouver 2023 contest in late March, with some always exciting results. The most successfully penetrated targets were Windows 11, Ubuntu Desktop, and Oracle VirtualBox.
Prizes were also awarded for exploitation of Apple macOS, Adobe Reader, Microsoft SharePoint, VMware Workstation, and even a Tesla in the automotive category. Per the ZDI blog: “Contestants disclosed 27 unique zero-days and won a combined $1,035,000 (and a car)!” The good news is that these issues will soon have fixes on the way.
Attacks in the wild
Unfortunately, attacks also continued in the wild this month without the benefit of coordinated disclosure and immediate fixes. 3CX reported a security issue with its Electron app running on Windows and macOS; the issue appears to be the result of a supply chain attack. Making matters more complex, Kaspersky discovered second-stage backdoor malware that takes advantage of the 10-year-old vulnerability CVE-2013-3900.
This vulnerability was fixed, but the patch was only rated “recommended” by Microsoft. This brings to mind my blog in January, where I commented on procrastinating at your own risk. Yes, this 10-year-old patch was originally released as “recommended” because, back then, it could break customizations customers may have made to the digital signing of updates; but a lot of time has passed, and administrators should have replaced those customizations by now to address this issue. This update should be mandatory to prevent the recent exploitation.
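The fix for CVE-2013-3900 is opt-in, so a patched system is not protected until the stricter Authenticode signature check is switched on. As an added example that is not part of the original post, the following PowerShell script audits whether that setting is present on a Windows host and, when run elevated with -Enforce, enables it. The registry path and the value name and type come from Microsoft's advisory for CVE-2013-3900, not from this post; the -Enforce switch and the report format are this example's own.

```powershell
# Added example: audit (and optionally enable) the opt-in hardening for CVE-2013-3900.
# Registry location, value name and REG_SZ type are taken from Microsoft's advisory
# for CVE-2013-3900, not from the blog post above. Run from an elevated prompt to
# make changes; without -Enforce the script only reports.
param(
    [switch]$Enforce
)

$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    # 32-bit registry view on 64-bit Windows; both must be set for full coverage
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
)

foreach ($path in $paths) {
    $current = (Get-ItemProperty -Path $path -Name EnableCertPaddingCheck -ErrorAction SilentlyContinue).EnableCertPaddingCheck

    if ("$current" -eq '1') {
        Write-Output "[OK]      $path : EnableCertPaddingCheck = $current"
        continue
    }

    Write-Output "[MISSING] $path : EnableCertPaddingCheck = '$current' (stricter signature check not enforced)"

    if ($Enforce) {
        if (-not (Test-Path $path)) {
            New-Item -Path $path -Force | Out-Null
        }
        # Microsoft documents the value as REG_SZ with the string "1"
        New-ItemProperty -Path $path -Name EnableCertPaddingCheck -PropertyType String -Value '1' -Force | Out-Null
        Write-Output "[SET]     $path : EnableCertPaddingCheck = 1"
    }
}
```

Run it without arguments first across a test group, since, as the post notes, enforcing the check can cause signed files that rely on extra data in the signature to be reported as unsigned; once those have been re-signed, roll out with -Enforce through your configuration management tooling.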
Microsoft announced they are shifting the non-security, preview updates to the fourth week of the month. Per Microsoft, that’s “two weeks after your latest monthly security update and about two weeks before you’ll see these features become part of the next mandatory cumulative update,” which is the optimal time for testing. Microsoft Windows 10 20H2 for Education and Enterprise reaches end-of-support in May, so plan accordingly.
April 2023 Patch Tuesday forecast
- Microsoft has stepped up the security fixes in its operating systems, so we should see that trend continue. Likewise, we’ve seen more updates to the Office suite, so plan for your on-premises and click-to-run versions to have major updates.
- Adobe Acrobat and Reader should have a major quarterly update next week.
- March 27th was a big day for Apple, with the release of Big Sur 11.7.5, Monterey 12.6.4, Ventura 13.3, and Safari 16.4 for Big Sur and Monterey. Don’t expect any further updates this month, but deploy those releases as soon as possible.
- Google released beta updates for Chrome OS and Chrome for Desktop, so there could be a formal release for them next week.
- Mozilla continued to release on Patch Tuesday in March, so expect updates for Firefox, Firefox ESR, and Thunderbird next week.
Discovering and fixing vulnerabilities prior to exploitation is a never-ending race. Though we are often pulled along as unwilling participants, it is critical that we maintain the pace and update our systems as the patches are released, to stay one step ahead of the competition.