Why does software continue to have so many vulnerabilities? The answer is complicated, because the software itself is very complicated.

Many articles have been written covering the contributing factors: the lack of tools for testing for vulnerabilities, the security knowledge and experience of developers themselves, the infinite variations in interactions between operating systems and applications, and the complexity of the network environments in which software is deployed. Here are some of those factors in this month's news.

Ongoing research uncovers more vulnerabilities and sometimes provides insight into how to remove them before they can be exploited. Still, it is a race to stay ahead of a relentless threat.

Zero Day Initiative

The Zero Day Initiative (ZDI) is a research program that contributes to the early detection of vulnerabilities and shares its findings with vendors for faster remediation. Researchers are motivated by bug bounties, and findings are kept strictly confidential until the vendor provides a fix.

ZDI hosted Pwn2Own Vancouver 2023 in late March, with the usual exciting results. The targets compromised most often were Windows 11, Ubuntu Desktop, and Oracle VirtualBox.

Awards were also given for exploiting Apple macOS, Adobe Reader, Microsoft SharePoint, VMware Workstation, and even a Tesla in the automotive category. According to the ZDI blog, entrants unveiled 27 unique zero-days and won a combined $1,035,000 (plus a car)! Fortunately, these issues will be fixed soon.

Attacks in the wild

Unfortunately, attacks continued this month without the benefit of coordinated disclosure or immediate remediation. 3CX reported a security issue with its Electron desktop apps running on Windows and macOS. This security issue appears to be the result of a supply chain attack. Complicating matters further, Kaspersky discovered a second-stage backdoor in the malware that exploits the decade-old vulnerability CVE-2013-3900.

Although this vulnerability was fixed, the patch only carried a Microsoft rating of Recommended. This reminds me of my January blog, where I commented that you procrastinate at your own risk. Yes, this decade-old patch was originally released as Recommended. At the time, it would break any customizations a customer might have made in digitally signing updates. A considerable amount of time has passed since then, however, and administrators have had to replace those customizations to address this issue. Treat this update as mandatory to prevent the recent exploits.
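Because the fix for CVE-2013-3900 is opt-in, a patched system can still be unprotected. The following PowerShell script is an added example (not from the original post or from Microsoft) that audits whether the hardening is enabled in both registry views and, with -Enable, turns it on. The registry paths and value name are assumed from Microsoft's published guidance for CVE-2013-3900, not from this page, so verify them against the current advisory before use.

```powershell
# Added example: audit (and optionally enable) the opt-in certificate padding check
# that closes CVE-2013-3900 in WinVerifyTrust. Run from an elevated PowerShell session.
# Paths and value name are assumed from Microsoft's CVE-2013-3900 guidance; verify them.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Enable)

$ConfigPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'   # 32-bit view on 64-bit Windows
)
$ValueName = 'EnableCertPaddingCheck'

function Get-CertPaddingCheckState {
    # Returns one record per hive: the raw value (or $null) and whether it equals "1".
    foreach ($path in $ConfigPaths) {
        $item = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
        $raw  = if ($null -ne $item) { $item.$ValueName } else { $null }
        [pscustomobject]@{
            Path    = $path
            Value   = $raw
            Enabled = ($null -ne $raw) -and ("$raw" -eq '1')
        }
    }
}

$state = Get-CertPaddingCheckState
$state | Format-Table -AutoSize

if (-not $Enable) {
    if ($state.Enabled -contains $false) {
        Write-Warning "Padding check is not enabled in every hive; signatures with appended data are still accepted."
    }
    return
}

# Remediate only the hives where the check is missing or not set to "1".
foreach ($entry in ($state | Where-Object { -not $_.Enabled })) {
    if ($PSCmdlet.ShouldProcess($entry.Path, "Set $ValueName = 1")) {
        New-Item -Path $entry.Path -Force | Out-Null
        New-ItemProperty -Path $entry.Path -Name $ValueName -Value '1' -PropertyType String -Force | Out-Null
    }
}
Get-CertPaddingCheckState | Format-Table -AutoSize
```

Before running with -Enable, confirm that any in-house signed binaries have been re-signed without extra data appended to the signature, since that is exactly what the check rejects (the breakage of signing customizations described above). Use -WhatIf to preview the registry writes.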

Microsoft has announced that non-security preview updates are moving to the fourth week of the month. According to Microsoft, this is the best time to test: two weeks after the latest monthly security update and about two weeks before those features become part of the next mandatory cumulative update. Microsoft Windows 10 20H2 for Education and Enterprise reaches end of support in May, so plan accordingly.

April 2023 Patch Tuesday forecast

We expect this trend to continue as Microsoft ramps up its operating system security fixes. Similarly, Office suite updates are on the rise, so plan to apply major updates to both your on-premises and Click-to-Run versions. Adobe Acrobat and Reader will have a major quarterly update next week. March 27th was a big day for Apple with the release of Big Sur 11.7.5, Monterey 12.6.4, Ventura 13.3, and Safari 16.4 for Big Sur and Monterey. We do not expect another Apple update this month, but roll out these releases as soon as possible. Google has released beta updates for Chrome OS and Chrome for Desktop, so an official release is likely next week. Updates for Firefox, Firefox ESR, and Thunderbird are also expected next week, as Mozilla continues to release alongside Patch Tuesday, as it did in March.

Finding and fixing vulnerabilities before they can be exploited is a never-ending race. You are often pulled into it as an unwilling participant, so it is important to keep pace and update your systems with each patch release in order to stay ahead.