Security
Headlines
HeadlinesLatestCVEs

Headline

Security Update Guide: Let's keep the conversation going

Hi Folks, We want to continue to highlight changes we’ve made to our Security Update Guide. We have received a lot of feedback, much of which has been very positive. We acknowledge there have been some stability problems and we are actively working through reports of older browsers not being able to run the new application.

msrc-blog
#vulnerability#microsoft#perl

Hi Folks,

We want to continue to highlight changes we’ve made to our Security Update Guide. We have received a lot of feedback, much of which has been very positive. We acknowledge there have been some stability problems and we are actively working through reports of older browsers not being able to run the new application. We really appreciate your feedback as we review these issues.

We’ve heard frustrations over the removal of the previous Executive Summary section and we particularly appreciate specific examples of CVEs which needed more details in order to properly perform risk analysis on the more complex vulnerabilities. This change reflects our intentional efforts to add more information to the Frequently Asked Questions (FAQs) for certain types of CVEs over the last several years, for example:

  • For Information Disclosure vulnerabilities, we incorporate “What type of information might be disclosed?”
  • Office Desktop application vulnerabilities include possible Preview Pane attack vectors
  • If a Group Policy _needs to be adjusted, the FAQ reflects that.

These FAQ content examples are a result of your direct feedback. Some are generated systemically for certain common types of vulnerabilities, while others are manually created for particularly unusual CVEs. We feel this strikes a good balance between providing our customers useful and actionable information while not describing the vulnerability in such detail that helps our adversaries build an exploit.

In the Security Update Guide updated design, we focus on features which provide the ability to tailor the information for a specific user’s function. We now offer three different views:

  • All: A general view that shows All available information
  • Deployments : The best view for people who are responsible for deploy ing updates into their environment.
  • Vulnerabilities : This view focuses on the vulnerabilities and relevant information associated with each.

Looking more closely, each of the tabs allows you to choose which columns are displayed, and can be exported as a spreadsheet.

The “ All ” tab has access to all of the different data items and you can further filter by changing column options with the Edit Columns pane. So, for example, if you want to see the CVEs sorted by the highest CVSS base score first, you can choose to add Base Score to the grid and sort by that column.

The second tab is designed with the Deployment team in mind, where CVE information is less important. The Edit Column on this tab allows you to get a unique list of packages for the month by unselecting the Product and Platform columns. This list can be exported to Excel to setup a deployment schedule.

The Vulnerabilities tab puts focus on the CVEs, front and center. Here, the Edit Column include options like links to FAQs, Articles, mitigations and workarounds.

We realized that many Executive Summaries reused content which has become stale and aren’t particularly actionable, feedback indicates they aren’t often read. In every Update Tuesday, there are specific vulnerabilities which are tricky and need more information which Executive Summaries contain. That’s why we replaced the Executive Summaries with the more comprehensive CVSS scores, alongside the launch of the more flexible Security Update Guide. As the Security Update Guide now includes scoring for all CVEs, sort entries by highest severity then drill down into the provided articles for more information.

For example, let’s take three complex CVEs from November 2020:

  • The FAQ for CVE-2020-17040 describes the attack vector and configurations for this vulnerability
  • CVE-2020-17049raised a bunch of questions post release. We decided that an executive summary might help in this case so we added one. We also added to the list of questions in the FAQ.
  • CVE-2020-17051 has an FAQ that lists the Frequently Asked Questions that we’ve received.

These changes create a platform that meet different needs across a wide range of users. Please continue to share your constructive feedback to help us make it even better!

_Lisa Olson, Senior Security Program Manager, _Microsoft Security Response Center

Related news

Red Hat Security Advisory 2024-0252-03

Red Hat Security Advisory 2024-0252-03 - An update for krb5 is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include bypass and cross site request forgery vulnerabilities.

Gentoo Linux Security Advisory 202309-06

Gentoo Linux Security Advisory 202309-6 - Multiple vulnerabilities have been discovered in Samba, the worst of which could result in root remote code execution. Versions greater than or equal to 4.18.4 are affected.

Red Hat Security Advisory 2023-3742-02

Red Hat Security Advisory 2023-3742-02 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. Issues addressed include bypass, denial of service, and remote SQL injection vulnerabilities.

RHSA-2023:3742: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.13.0 security and bug fix update

Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4.13.0 on Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-16250: A flaw was found in Vault and Vault Enterprise (“Vault”). In the affected versions of Vault, with the AWS Auth Method configured and under certain circumstances, the values relied upon by Vault to validate AWS IAM ident...

RHSA-2023:2570: Red Hat Security Advisory: krb5 security, bug fix, and enhancement update

An update for krb5 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-17049: It was found that the Kerberos Key Distribution Center (KDC) delegation feature, Service for User (S4U), did not sufficiently protect the tickets it's providing from tempering. A malicious, authenticated service principal allowed to delegate could use this flaw to impersonate a non-forwardable user.

msrc-blog: Latest News

Mitigating NTLM Relay Attacks by Default