determined - Fotolia
Security Update Guide brings growing pains to Patch Tuesday
Microsoft fundamentally changes how IT pros will consume Patch Tuesday releases with the Security Update Guide and brings fixes for an actively exploited Word zero-day.
With Microsoft's April 2017 Patch Tuesday release, the company has officially ditched its familiar security bulletin format in favor of the new Security Update Guide, but there have been some growing pains with the changes.
The biggest change is the switch from bulletin updates, which grouped fixes by product, to the Security Update Guide, which focuses more on the Common Vulnerabilities and Exposures (CVE) being targeted in a specific patch.
Amol Sarwate, director of vulnerability labs at Qualys Inc., said the "new Security Update Guide offers same amount and granularity of information per vulnerability and offers better search capabilities."
"The new setup is geared more toward automation and supports APIs to download information into a structured format," Sarwate told SearchSecurity. "In my opinion, to understand, prioritize and get a holistic view of the monthly updates, organizations now need to create their own scripts or computer programs that perform information crunching."
However, analysts are finding it more difficult to parse the data because of the need to develop new tools while the new Security Update Guide breaks old tools.
Tyler Reguly, manager of Tripwire's vulnerability and exposure research team (VERT), said that the change made it impossible to maintain its alert format.
"When Microsoft launched their security bulletins and introduced the concept of Patch Tuesday, they unknowingly set the gold standard in vendor-customer security communication. Other vendors still struggle to duplicate what Microsoft accomplished years ago," Reguly wrote in a blog post. "The portal, in its current iteration, is not an adequate replacement for security bulletins, but we can hope that Microsoft is taking feedback, listening to security professionals and customers, and working to improve the system to create a solution that far exceeds the previous offering."
Greg Wiseman, senior security researcher at Rapid7, said the Security Update Guide is currently "a bit of a mixed bag, with several improved aspects but also some new pain points," but remained optimistic that the flexibility of the new system is the right way forward.
"The guide lacks a summary listing all the CVEs on a single page, so there's a lot more clicking involved while navigating it. A glitch that will hopefully be fixed soon is the inconsistent way they reference CVEs in the Security Update table, which makes the new search capability less effective," Wiseman told SearchSecurity. "On the other hand, with the new focus on CVEs, Microsoft is providing more detailed information about individual vulnerabilities. The main benefit of the guide for enterprises is the ability to filter and sort by product and severity, which was lacking in the older static bulletin pages. This makes it easier to prioritize critical fixes and ignore products that aren't relevant to the organization."
Critical Patch Tuesday releases
Once experts got used to the Security Update Guide they were able to pinpoint a few high-priority zero-day vulnerabilities and critical fixes in the April Patch Tuesday, which contained 45 total vulnerability patches.
Topping the list was a patch for a Microsoft Word zero-day vulnerability (CVE-2017-0199) which was disclosed over the weekend and found being actively exploited in phishing schemes. The issue affects all supported versions of Microsoft Office and is especially dangerous because it could allow an attacker to take full control of a system without making the victim enable macros, as most Word exploits would.
Microsoft also patched a zero-day vulnerability in Internet Explorer (CVE-2017-0210), which is an elevation of privilege flaw in that it "could allow an attacker to access information from one domain and inject it into another domain," according to Microsoft.
The Microsoft Edge browser received a patch (CVE-2017-0203) for a security bypass flaw that has been publicly disclosed, but Microsoft said is "unlikely" to be exploited, as well as three critical vulnerabilities (CVE-2017-0093, CVE-2017-0200, CVE-2017-0205) which could allow attackers to take complete control of the target system.
Experts noted organizations may want to keep an eye on the Hyper-V patches listed in the new Security Update Guide, even though Microsoft didn't specifically call them out in the April Patch Tuesday release notes.
Microsoft released patches for three remote code execution vulnerabilities found in Hyper-V: CVE-2017-0162, CVE-2017-0163 and CVE-2017-0180.
"As IT departments continues to virtualize more and more systems, the number of hypervisors in the enterprise will continue to increase," Reguly wrote on the topic. "A number of Hyper-V vulnerabilities are patched including a pair of Guest OS escapes that could allow authenticated users on a Hyper-V Guest to execute code on the Hyper-V Host."
According to Reguly, another point of confusion in the new Security Update Guide "were two other documents published that look like CVEs but aren't."
"These documents were published [as] document IDs in the details column using the format YYYY-####, this leads to a misunderstanding as the assumption is made that it is the same a CVE (CVE-YYYY-####)," Reguly wrote.
The first such post was 2017-2605, which was a critical "Defense-in-Depth Update for Microsoft Office." Experts pointed this out because a defense-in-depth update usually doesn't carry a critical rating from Microsoft. The fix was aimed at mitigating "limited targeted attacks that could leverage an unpatched vulnerability in the EPS filter" by turning off the EPS filter in Office by default.
The second non-CVE document was 2017-3447, which was the listing for all of the Adobe Flash patches for the month.
Catch up on March 2017 Patch Tuesday news.
Learn why experts have questioned Microsoft's zero-day response.
Find out when you should switch from Hyper-V replication to Storage Replica.