What you need to know about changes to Microsoft's Security Update Guide

The Security Update Guide now aligns more closely with the CVSS, but sometimes lacks information needed to properly respond to a vulnerability report.

skull and crossbones in binary code

Microsoft recently changed how it presents and explains its security vulnerabilities in its products. The new security guide aligns itself with security and industry standards by describing the vulnerabilities with the Common Vulnerability Scoring System (CVSS), which presents a vulnerability’s key characteristics and assigns a numerical score to its severity. The intent of that score is to help organizations better assess a vulnerability’s risk and respond appropriately. Microsoft scores every vulnerability (except for those that it automatically patches, such as with Microsoft Edge) and displays the details that make up that score in a new version of its Security Update Guide.

What's in the new Security Update Guide

Each vulnerability bulletin in the Security Update Guide starts by explaining base score metrics. This section explains the initial attack vector. It indicates the attack source: local, adjacent network, physical, or network. Local means that the attacker must either have physical access to the vulnerable system or a local account. Adjacent network means that the attacker has access to attack in a manner close to the network (Bluetooth or ARP spoofing). Physical attacks need actual hands-on connection before they can be successful. Network attacks are often the most impactful vulnerabilities and are remotely exploitable.

bradley cvss1 CSO

Security Update Guide, top half

Next, it discusses the attack complexity. High means that the attack would be very difficult to complete. Medium means that some circumstances would make the attack hard to complete, but not impossible. Low means that the attack is easy to accomplish. The next sections discuss the needed privileges required and the amount of user interaction mandated by the attack sequence. Then the impact to components other than the named component is tracked. Finally, in the base score, the impact to the confidentiality, integrity and availability is tracked.

bradley cvss2 CSO

Security Update Guide, bottom half

The next section tracks the temporal score metrics. These include exploit code maturity, which discusses whether the exploit is reliable; remediation level, which indicates if a full fix is available; and whether the vulnerability report is reliable. In the Microsoft bulletin, the next section is about how easily exploitable this vulnerability is. Microsoft details whether the vulnerability is already being exploited.

What's missing from the new Security Update Guide

Unfortunately missing from the current security bulletins is a detailed explanation of what sort of attack the vulnerability could enable. For example, the  CVE-2021-1674 vulnerability impacts all versions of Microsoft Windows back to Windows 7 and is described as “Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability”. It is described as a network-level attack vector and easy to exploit.

As Dustin Childs put it in the Zerodayinititative blog, “This patch is a bit of a mystery. It carries a relatively high CVSS score (8.8), but without an executive summary, we can only guess what security feature in RDP Core is being bypassed. Short of reversing the patches, we don’t even know how this is different than CVE-2021-1669 - Windows Remote Desktop Security Feature Bypass Vulnerability. What we do know is that RDP has been a popular target in recent memory, and these bugs should be taken seriously. Without any solid information to act on, defenders should assume the worst-case scenario and restrict access to RDP wherever possible. “

However, potential side effects or testing protocols often delay installing updates. So how do you determine the exact threat vector and exploitation of a bug to properly protect a firm from such attacks?

For some vulnerabilities you can review resources such as Trend Micro’s Zero day Initiative that provides a liaison between researchers and vendors to ensure that security vulnerabilities are tracked down and security researchers are rewarded for their investigations. Their monthly blog posts gives information and guidance to vulnerabilities to allow administrators to better understand the source of the security vulnerability to then better defend networks from attack.

For others, you may need to use various websites to obtain information from the researcher to better understand the vulnerabilities. One such website that you can use to better understand security vulnerabilities is AttackerKB. This crowdsourcing site allows researchers and investigators to share information about a vulnerability. It also allows you to determine which vulnerabilities are most at risk for your environment and act accordingly.

Researchers often work for companies that use security research for marketing. Search on a vulnerability’s CVE number to look for websites and press releases from vendors that explain the vulnerability. Another resource, albeit a bit less precise, is social media. You can search Twitter for the CVE number to see if others are discussing a particular vulnerability.

Our sample vulnerability, CVE-2021-1674, unfortunately is not well disclosed. Social media locations repeat what we already know. When we compare the social media resources available as compared to another vulnerability impacting Exchange Server (CVE-2020-17132), there is a vast difference in the amount of information available. CVE-2020-17132 has much more social media locations such as AttackerKB that details out the risks and threats that this vulnerability exposes a firm to.

Another source of security bulletin information is the Japanese version of the Microsoft security bulletin blog page. While the pages are in Japanese, modern browsers can easily translate the language to English. The Japanese blog is often more informative than its English counterpart.

Microsoft is requesting feedback on the new security update site. Take the time to review the new Security Update Guide and give your feedback. You can either email them or fill out a form with your comments. I think that they need a better executive summary for each bulletin. Being able to understand a security bulletin for your environment helps you to better protect your network while you wait to test the updates and deploy them. Often you can develop Snort rules or other firewall protections to ensure that your systems are protected while you are waiting for the testing to be completed.

While Microsoft has released a great deal of valuable information on its SolarWinds investigation, I feel that they have taken a step back from their duty to inform and educate us on security with the new security updates. A good network isn’t secure merely because we’ve installed an update; we’re secure because we understand how the attack occurs so that we can monitor and prioritize our defense. I’m hoping that Microsoft returns to having more information in its security bulletins. Until then we will have to rely more on social media, public relations posts, and blogs for our security protection information.

Copyright © 2021 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)