Patch Tuesday turns 20: Growth and impact of Microsoft’s vulnerability problem

Twenty years ago Microsoft introduced the concept of Patch Tuesday to “reduce the burden on IT administrators by providing greater levels of predictability and manageability.” The goal of Patch Tuesday was to bring structure to a largely ad hoc process.

By consolidating most security updates and required patches into a planned release cycle, IT departments and system administrators were able to better plan and allocate resources to eliminate the chaos that followed a patch release. Patch Tuesday still exists today. Microsoft continues to release security updates on the second Tuesday of every month.

But while the schedule has remained constant – with exceptions for occasional emergency fixes – the world has changed since October 2003. To support remote work, companies embraced the digital age by quickly moving to the cloud and removing traditional security boundaries. The number of endpoints, connected devices, applications and cloud systems that need to be managed has skyrocketed, increasing the attack surface for vulnerabilities.

The Microsoft product ecosystem has also expanded dramatically to include a range of technologies, software, applications, cloud offerings and more. This has led to a greater number of vulnerabilities spanning the entire technology space and an expansion of enterprise risk. The burden of dealing with this massive increase in vulnerabilities – and the cyberattacks that target them – is all too often shifted from the provider to the customer.

Because of this, for many security and IT teams, Patch Tuesday is no longer a glimmer of hope in the chaos of patching. It has become emblematic of the nightmare they face every month as they struggle to prioritize patches, understand the downstream impact, and act before an attacker can exploit the vulnerabilities that put them at risk.

20 years later: Microsoft’s vulnerability problem has grown

The ubiquity of Microsoft products and the number of Microsoft vulnerabilities have created a massive attack surface. This shouldn’t be surprising given the popularity of Microsoft’s operating system and office software. According to a study, Microsoft Windows is the world’s most widely used operating system across desktop, tablet and console devices.

Attackers are constantly looking for vulnerabilities in potential victims’ environments. And as we’ve seen with the growth of Patch Tuesday over the years, Microsoft vulnerabilities provide a wide target for attackers.

Since Patch Tuesday began, Microsoft has released more than 10,900 patches, most of them in the last few years alone. Since 2016, Microsoft has patched 124 zero-day vulnerabilities, more than 1,200 critical vulnerabilities, and more than 5,300 important vulnerabilities. There are more than 630 exploits for critical and important vulnerabilities. In 2023 alone, Microsoft has already published patches for more than 800 security vulnerabilities.

This data can be found at CVE Details.

These numbers may seem high, but they still understate the extent of the problem. The 1,200+ critical vulnerabilities Microsoft has patched since 2016 are counted once per CVE; if the same vulnerabilities are counted once for every Microsoft product they affect, the number of critical vulnerability instances rises to roughly 21,000+. Most Microsoft patches cover multiple affected products with a single installation, but there are always exceptions, and the specific patching process can vary from product to product.

The massive growth of the Microsoft vulnerability problem has more than offset the efficiency gains from improving the patching process. For many security and IT teams, Patch Tuesday has become a greater burden. You need to try to figure out which vulnerabilities are a priority, which pose the greatest threat, which impact the IT department, and which could put the business at risk. It often seems that just as the team is figuring out which vulnerabilities should be prioritized, another batch of vulnerabilities pops up.

This has huge implications in terms of time, cost, resources and risk. According to the Infosec Institute, it takes on average between 60 and 150 days for a security vulnerability to be closed. Some security and IT teams require “at least 38 days to create a patch.” The pace of patch deployment cannot keep up with the speed of modern attackers and their ability to exploit vulnerabilities.
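The three points above (per-product instance counts that dwarf the raw CVE count, the monthly triage problem, and time-to-patch measured against a remediation window) are easier to reason about with a small triage helper. The following Python is an added example, not code from the CrowdStrike post; every CVE id, product name, severity and date in it is constructed sample data, and the ranking rule (exploited in the wild first, then severity, CVSS and breadth of affected products) is one reasonable ordering, not a Microsoft or CrowdStrike methodology.

```python
"""Patch Tuesday triage helpers (added example; all data below is constructed)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Advisory:
    cve: str
    severity: str                       # "Critical" | "Important" | "Moderate" | "Low"
    cvss: float
    products: List[str]                 # every product the advisory applies to
    exploited: bool = False             # flagged as exploited in the wild (e.g. on a KEV list)
    published: Optional[date] = None    # advisory release date
    patched: Optional[date] = None      # date the fix was fully deployed in our estate


# Constructed sample batch. CVE ids of the form CVE-0000-000N are placeholders.
SAMPLE_BATCH: List[Advisory] = [
    Advisory("CVE-0000-0001", "Critical", 9.8,
             ["Windows Server 2019", "Windows 10", "Windows 11"],
             exploited=True, published=date(2023, 9, 12), patched=date(2023, 9, 20)),
    Advisory("CVE-0000-0002", "Critical", 8.8,
             ["Exchange Server 2016", "Exchange Server 2019"],
             published=date(2023, 9, 12), patched=date(2023, 12, 1)),
    Advisory("CVE-0000-0003", "Important", 7.8, ["Windows 10"],
             exploited=True, published=date(2023, 9, 12), patched=date(2023, 10, 2)),
    Advisory("CVE-0000-0004", "Important", 6.5, ["Office 2019", "Microsoft 365 Apps"],
             published=date(2023, 9, 12)),                       # still open
    Advisory("CVE-0000-0005", "Moderate", 4.3, ["Edge"],
             published=date(2023, 9, 12), patched=date(2023, 9, 14)),
]

SEVERITY_RANK = {"Critical": 3, "Important": 2, "Moderate": 1, "Low": 0}


def count_instances(batch: List[Advisory], severity: str) -> Tuple[int, int]:
    """Return (unique CVEs, CVE-product instances) for one severity band.

    The second number is the "extrapolated" figure the article describes: each
    affected product is a separate patch instance that has to be tracked and
    verified, even when one installer covers several of them.
    """
    selected = [a for a in batch if a.severity == severity]
    return len(selected), sum(len(a.products) for a in selected)


def triage_order(batch: List[Advisory]) -> List[str]:
    """Rank a month's batch: exploited first, then severity, CVSS, then breadth."""
    key = lambda a: (a.exploited, SEVERITY_RANK.get(a.severity, -1), a.cvss, len(a.products))
    return [a.cve for a in sorted(batch, key=key, reverse=True)]


def days_to_patch(a: Advisory) -> Optional[int]:
    """Days from advisory publication to full deployment; None while still open."""
    if a.published is None or a.patched is None:
        return None
    return (a.patched - a.published).days


def mean_days_to_patch(batch: List[Advisory]) -> float:
    """Average remediation time over the advisories that have been closed."""
    closed = [d for d in (days_to_patch(a) for a in batch) if d is not None]
    return sum(closed) / len(closed) if closed else 0.0


def sla_report(batch: List[Advisory], as_of: date, window_days: int = 30) -> Dict[str, str]:
    """Classify each advisory against a remediation window measured from publication.

    'within'  : closed inside the window
    'overdue' : closed late, or still open and already older than the window
    'open'    : still open but inside the window
    """
    report: Dict[str, str] = {}
    for a in batch:
        if a.published is None:
            report[a.cve] = "open"
            continue
        elapsed = days_to_patch(a)
        if elapsed is not None:
            report[a.cve] = "within" if elapsed <= window_days else "overdue"
        else:
            age = (as_of - a.published).days
            report[a.cve] = "overdue" if age > window_days else "open"
    return report


if __name__ == "__main__":
    print("critical (unique, instances):", count_instances(SAMPLE_BATCH, "Critical"))
    print("triage order:", triage_order(SAMPLE_BATCH))
    print("mean days to patch:", mean_days_to_patch(SAMPLE_BATCH))
    print("SLA status:", sla_report(SAMPLE_BATCH, as_of=date(2023, 11, 1)))
```

The gap between the two numbers returned by `count_instances` is the same effect the article describes at enterprise scale: the CVE count is the headline, but the per-product instance count is what the patching team actually has to close out and verify. `sla_report` deliberately treats an unpatched advisory that has aged past the window as overdue rather than "open", so that long-running items do not disappear from the report simply because no patch date has been recorded yet.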

When a vulnerability is not patched quickly enough and a security breach occurs, the victim is often blamed for not following security practices and not installing patches. This ignores the fact that the sheer scale of Microsoft’s vulnerabilities has shifted the burden back to the customer – a burden that only grows as attackers weaponize the vulnerabilities.

Microsoft Vulnerabilities: The Attack Surface of the Modern Attacker

Vulnerabilities in Microsoft products have become a de facto attack surface for modern attackers. It should come as no surprise that attackers are weaponizing this growing problem.

According to an advisory released by the Cybersecurity and Infrastructure Security Agency (CISA), four of the 12 most commonly exploited vulnerabilities are in Microsoft products. CISA also found that Microsoft tops the list of exploited CVEs used in ransomware attacks: more than 40% of the vulnerabilities exploited to spread ransomware are related to Microsoft products.

Not only are attackers exploiting existing vulnerabilities, but they are also ushering in a new era of “vulnerability rediscovery.” The CrowdStrike 2023 Global Threat Report found that attackers modify or reapply the same vulnerability to attack other, similarly vulnerable products, and that they bypass previous patches.

As an example of this activity, the report highlights: “…the proxy mechanisms exploited to compromise Microsoft Exchange during the ProxyLogon and ProxyShell campaigns in 2021 were attacked again in the fourth quarter of 2022, this time using an authenticated variant called ProxyNotShell (CVE-2022-41040 and CVE-2022-41082). ProxyNotShell mitigation measures were subsequently bypassed when ransomware-affiliated actors used an alternative exploit vector that abused CVE-2022-41080 to achieve the same goals.”

Modern attackers are faster, smarter and more ruthless than ever before, while the volume of vulnerabilities and the process of testing and patching can slow down teams trying to protect their organizations from attacks.

Patch Tuesday was intended to give security and IT teams an advantage over attackers, but the sheer volume of Microsoft vulnerabilities in recent years has had the opposite effect. Patching systems, changing configurations, and similar actions impact organizations’ tools and workflows. These changes can have a significant impact on productivity. Added to this is the risk that arises if patches are not installed. The speed at which attackers exploit vulnerabilities continues to increase.

While Patch Tuesday itself isn’t the problem, it has become emblematic of the broader problem of security vulnerabilities plaguing the industry. Until companies like Microsoft start building more secure products out of the box and reducing the burden of patching, companies must understand the risks they face and take proactive steps to discover and prioritize the vulnerabilities that pose the greatest risk before they can cause damage.

When it comes to protection, it’s worth asking: Who can you trust? Can you trust the vendor that sells security when they are also responsible for such a large number of critical vulnerabilities?

Source: CrowdStrike Blog