Aug 24 — IT administrators and security professionals who apply security patches report that determining the impact of the patches is becoming increasingly difficult. Worsening the problem is the fact that it is patch quality seems to be declining. Experts report seeing re-patches for bugs that weren’t fixed correctly the first time.
Vulnerability management problems
CVSS is an industry standard that’s intended to assist professionals in assessing the severity of security vulnerabilities. On the scoring scale, 10 represents the most sever and 1 the least severe. A vulnerability with a score of 10 means that it must be addressed as quickly as possible. However, a CVSS score may be low overall, yet the vulnerability may affect your industry or architecture in a way that makes the bug more dangerous than average. Conversely, a bug with a high severity score may affect the majority of groups in a severe way, but may affect other industries or architecture quite minimally.
For example, in August, Microsoft rolled out security updates to fix the Windows Network File System remote code execution vulnerability. The CVSS score was 9.8. This indicated a severe concern, putting security experts on high alert. However, the bug only impacts Server 2022 and then only if the NFS 4.0 role service has been installed.
Since Microsoft’s removal of bug information from its security bulletins, determining whether certain vulnerabilities apply to a given organization’s situation has become more of a challenge. Some security managers now review social media posts and attacker-controlled domains in order to further their understanding about the need for and implications of certain security updates.
Roughly 10-20% of vulnerabilities are under review by software providers or vendors and are being repatched. An organization that believes itself protected from the SharePoint remote execution bug may not actually be protected, given that it wasn’t resolved properly the first time around, and that hackers are aware of how to bypass a recently applied patch. An organization may not realize that it should follow mitigation guidance rather than relying on patching.
To get the latest information about vulnerabilities and risk, look to information provided by government agencies and industry-specific groups.
In addition, consider using vulnerability scanners, which automatically look for exploitable weaknesses within applications, IT infrastructure and endpoints. Vulnerability scans are commonly a regulatory compliance requirement and generally help minimize cyber security risk. Learn more about vulnerability scanning tools and processes here.