Patch Tuesday May is upon us and Microsoft has issued a number of updates as expected. Adobe has also released updates for Adobe Acrobat and Reader.
Starting with Microsoft, a total of 111 unique common vulnerabilities and exploits (CVEs) are resolved in today’s release, 16 of which are rated as Critical. There are no publicly disclosed or exploited vulnerabilities this month! Along with the normal lineup of operating system, browser, Office and SharePoint updates, Microsoft has also released updates for .NET Framework, .NET Core, Visual Studio, Power BI, Windows Defender and Microsoft Dynamics.
Most of the Critical vulnerabilities are resolved by the OS and browser updates, but there are four critical vulnerabilities in SharePoint and one in Visual Studio. If you look at the Exploitability Assessment, a number of Important CVEs are concerning. Ten of this month’s 111 CVEs carried exploit ratings of 1 meaning exploitation is more likely for this vulnerability. What is interesting and often overlooked is seven of the ten CVEs at higher risk of exploit are only rated as Important. It is not uncommon to look to the Critical vulnerabilities as the most concerning, but many of the vulnerabilities that end up being exploited are actually the ones rated as Important. If your prioritization stops at vendor severity or even CVSS scores above a certain level, you may want to reassess your metrics. Look to other risk metrics such as Publicly Disclosed, Exploited (obviously), and Exploitability Assessment (Microsoft specific) to expand your prioritization process.
For those of you who are on a Microsoft ESU for extended coverage for Windows 7, Server 2008, or Server 2008 R2 there is a pre-requisite this month. You have to deploy the new SSUs before you can deploy this month’s updates.
Adobe’s Acrobat and Reader updates resolve 24 unique CVEs, 12 of which are rated as Critical. No Publicly Disclosed or Exploited vulnerabilities in Adobe’s release either. The Adobe Flash Player update is non-security related this month.
Priorities this month:
- Windows OS
- Office and more importantly SharePoint
- Adobe Acrobat and Reader
- Re-assess your prioritization criteria. Are you capturing the right risk metrics to prioritize effectively?