20 years of Patch Tuesday: a look back at the growth and impact of Microsoft’s vulnerability problem


Two decades ago, Microsoft inaugurated Patch Tuesday with the aim of “reducing the burden on IT administrators by introducing an element of predictability and greater management”. The goal was to bring structure to what had largely been an ad hoc process. By consolidating the majority of security updates and patches into a planned release cycle, IT departments and system administrators could better plan and allocate resources to handle the disruption that follows the release of a patch. Today, Patch Tuesday remains relevant: Microsoft releases security updates on the second Tuesday of every month.
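The “second Tuesday” rule is simple to state but easy to get wrong at month boundaries (a month that starts on a Tuesday, a date in the first week that still belongs to the previous cycle). The following Python is an added example, not code from the original article: it computes the Patch Tuesday schedule for a year and the number of days elapsed since the most recent release for a given date, which is the baseline against which the remediation times quoted later in the article are measured. Function names are the example’s own.

```python
"""Patch Tuesday date arithmetic (added example, not from the article)."""
from datetime import date, timedelta
import calendar


def patch_tuesday(year: int, month: int) -> date:
    """Return the second Tuesday of the given month.

    Python's weekday() is Monday=0 ... Sunday=6, and calendar.TUESDAY == 1.
    (TUESDAY - weekday) % 7 is the offset from the 1st to the first Tuesday;
    it is 0 when the month itself starts on a Tuesday, so adding 7 gives the
    second Tuesday in every case.
    """
    first = date(year, month, 1)
    offset_to_first_tuesday = (calendar.TUESDAY - first.weekday()) % 7
    return first + timedelta(days=offset_to_first_tuesday + 7)


def patch_tuesdays(year: int) -> list[date]:
    """Full Patch Tuesday schedule for a calendar year."""
    return [patch_tuesday(year, month) for month in range(1, 13)]


def last_patch_tuesday(as_of: date) -> date:
    """Most recent Patch Tuesday on or before `as_of`.

    Early in a month the current month's release has not happened yet, so
    the previous month's date is the one that applies; handle the January
    wrap-around explicitly.
    """
    this_month = patch_tuesday(as_of.year, as_of.month)
    if this_month <= as_of:
        return this_month
    if as_of.month == 1:
        return patch_tuesday(as_of.year - 1, 12)
    return patch_tuesday(as_of.year, as_of.month - 1)


def days_since_patch_tuesday(as_of: date) -> int:
    """Days elapsed since the most recent release, i.e. the minimum age of
    an unapplied fix on that date."""
    return (as_of - last_patch_tuesday(as_of)).days


if __name__ == "__main__":
    # Constructed usage: print the 2024 schedule and a sample patch age.
    for release in patch_tuesdays(2024):
        print(release.isoformat())
    print("days since last release on 2024-01-05:",
          days_since_patch_tuesday(date(2024, 1, 5)))
```

The first Patch Tuesday, 14 October 2003, falls out of the same formula, which is a convenient sanity check when adapting the logic to another language or a scheduler.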

However, while the schedule has remained constant, apart from one-off emergency fixes, much has changed since October 2003. Companies have rapidly adopted the cloud and dismantled traditional security perimeters to support remote work, leading to a significant increase in the number of endpoints, connected devices, applications and cloud environments to manage. The result is a far larger attack surface in which vulnerabilities can appear.

The Microsoft product ecosystem has also grown considerably, spanning a range of technologies, software, applications and cloud computing offerings. That growth has brought an increase in the number of vulnerabilities across all of these technologies and a corresponding increase in threats to enterprise security. Yet the responsibility for managing this surge in vulnerabilities, and the cyberattacks that target them, is frequently shifted from the vendor to the customer.

This explains why, for many security and IT teams, Patch Tuesday is no longer the welcome relief it once was in a contentious patching landscape. Instead, it has become a symbol of the ordeal that awaits them every month, as these teams struggle to prioritize patches, assess their impact before deployment, and act before an adversary can exploit the vulnerabilities and compromise their security.

Two decades later, Microsoft’s vulnerabilities have multiplied

The ubiquity of Microsoft products and the number of vulnerabilities in them have created a massive attack surface. This is hardly surprising given the popularity of Microsoft Windows, which market-share studies consistently find to be the most widely used desktop and tablet operating system in the world.

Adversaries are constantly looking for weak points in environments that can lead to compromise. As the growth of Patch Tuesday over the years shows, Microsoft’s vulnerabilities provide a large breeding ground for attacks.

Since Patch Tuesday was introduced, Microsoft has issued more than 10,900 patches, the majority of them in recent years. Since 2016 alone, Microsoft has fixed 124 unique zero-day vulnerabilities and more than 1,200 vulnerabilities rated critical, while more than 5,300 were rated important in severity. Across those critical and important vulnerabilities, more than 630 distinct exploitation vectors have been identified. In 2023 alone, Microsoft has already released fixes covering more than 800 vulnerabilities.

All of this data is available on the CVE Details website.

These counts are large, but they actually understate the scale of the problem. If we take the more than 1,200 unique critical vulnerabilities that Microsoft has patched since 2016 and count each one once for every Microsoft product it affects, the total number of critical vulnerabilities to remediate rises to more than 21,000. There are always exceptions, and the specific remediation process varies from product to product, but that per-product figure is closer to what an administrator actually has to deploy.

The proliferation of Microsoft vulnerabilities has more than offset the efficiency gained from a more predictable patching process. For many IT and security teams, Patch Tuesday has become a real burden, forcing them to redouble their efforts to identify which fixes to prioritize: those that expose them most, those likely to disrupt IT operations significantly, and those that could make or break the business. And frequently, while the team is still working out its priorities, new vulnerabilities emerge.

The consequences are considerable in terms of time, cost, resources and risk. According to the Infosec Institute, the average time to patch a vulnerability ranges from 60 to 150 days, and some security and IT teams take “at least 38 days to release a patch.” That pace of remediation does not match the speed of the modern adversary and its ability to exploit vulnerabilities.

If a vulnerability is not fixed quickly enough and a breach occurs, the victim is often held responsible for failing to follow security practices and apply patches. What goes unsaid is that the sheer scale of Microsoft’s flaws has once again shifted the problem onto the customer, and that problem keeps growing as adversaries continue to exploit those flaws for malicious purposes.

Microsoft vulnerabilities: the attack ground of the modern adversary

In effect, vulnerabilities in Microsoft products have become the attack surface of the modern adversary. It is no surprise, then, that adversaries are weaponizing this growing problem.

According to a study published by the Cybersecurity and Infrastructure Security Agency (CISA), four of the top twelve routinely exploited vulnerabilities are found in Microsoft products. The agency also notes that Microsoft tops the list of vendors whose vulnerabilities are exploited in ransomware attacks: more than 40% of vulnerabilities exploited to deploy ransomware are attributable to Microsoft products.

Adversaries still exploit known vulnerabilities, but they have also entered a new era, that of “vulnerability rediscovery”. According to the CrowdStrike 2023 Global Threat Report, adversaries are modifying or reapplying the same technique to target other products with a similar vulnerability, or to bypass earlier patches.

As an example of this activity, the report notes that “proxy mechanisms exploited to compromise Microsoft Exchange during ProxyLogon and ProxyShell campaigns in 2021 were targeted again in Q4 2022, this time using an authenticated variant called ProxyNotShell (CVE-2022-41040 and CVE-2022-41082). ProxyNotShell’s mitigations were later circumvented when ransomware-affiliated actors used another exploit vector exploiting CVE-2022-41080 to achieve the same objectives.”

The high volume of vulnerabilities, and the testing and remediation each one requires, slow down teams trying to protect their organization from attack.

Patch Tuesday was supposed to give security and IT leaders an edge over the adversary, but the volume of Microsoft vulnerabilities in recent years has had the opposite effect. Patching systems, changing settings and similar actions affect business tools and data flows, and all of these changes can have a significant impact on productivity. Set against that is the risk of leaving systems unpatched, at a time when the rate at which adversaries exploit vulnerabilities keeps increasing.

While Patch Tuesday is not a problem in itself, it has become emblematic of the broader vulnerability problem affecting the industry. Until companies like Microsoft build more secure products and ease the burden of patching, organizations must understand the risks they face and take proactive steps to uncover and prioritize the vulnerabilities that can cause the most damage.

When it comes to protection, the question is worth asking: who do you trust? Can a vendor that sells security be trusted when it is also responsible for such a high volume of critical vulnerabilities?
