2020: The Vulnerability Fujiwhara Effect – Oracle and Microsoft Collide

Whether you are working in IT or not, you’re probably familiar with Microsoft’s monthly Patch Tuesday. Introduced in 2003, this is the day the software giant releases updates and patches for its software products. As we discussed in September 2018, we have seen more and more vendors piggybacking on this approach and releasing their own patches on the same day. Now, with 2020 barely underway, we kick off the year with an almost-unprecedented schedule of substantial releases of new patches to fix known vulnerabilities.

When two hurricanes collide, the phenomenon is called the Fujiwhara effect. The vulnerability intelligence world is about to experience just such an event, on steroids, as the release dates for several major vendors, including Oracle and Microsoft, collide. This event, which last occurred in 2014, will happen three times this year. What makes this event unprecedented is that organizations face an impending collision between six vendors. Organizations, and their vulnerability intelligence teams, are in for a rough year.

As per the norm, next Tuesday, January 14th, 2020, several prominent vendors will be disclosing a long list of vulnerabilities that organizations will have to assess. But what is making this coming Patch Tuesday even more significant is the impending collision. In addition to the expected Microsoft Patches, Oracle will be releasing their quarterly Critical Patch Updates as well. These two vendors are in addition to several others that co-opted “Patch Tuesday” years ago, including Adobe.

2020 Vulnerability Fujiwhara Effect Dates

  • January 14th, 2020
  • April 14th, 2020
  • July 14th, 2020
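To check the schedule above, and to plan ahead for later years, here is an added example (not part of the original post) that computes Microsoft’s Patch Tuesday (the second Tuesday of each month) and Oracle’s Critical Patch Update day (the Tuesday closest to the 17th of January, April, July and October, per Oracle’s published schedule) and lists the months in which the two coincide.

```python
from datetime import date, timedelta

TUESDAY = 1  # date.weekday(): Monday == 0, Tuesday == 1


def microsoft_patch_tuesday(year, month):
    """Second Tuesday of the month (Microsoft's Patch Tuesday rule)."""
    first = date(year, month, 1)
    days_to_first_tuesday = (TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def oracle_cpu_date(year, month):
    """Tuesday closest to the 17th (Oracle's Critical Patch Update rule).

    CPUs ship only in January, April, July and October.
    """
    if month not in (1, 4, 7, 10):
        raise ValueError("Oracle CPUs are released in Jan/Apr/Jul/Oct only")
    anchor = date(year, month, 17)
    # Days forward to the next Tuesday (0..6); since 7 is odd there is no tie.
    offset = (TUESDAY - anchor.weekday()) % 7
    if offset > 3:
        offset -= 7  # the previous Tuesday is closer to the 17th
    return anchor + timedelta(days=offset)


def fujiwhara_dates(year):
    """Dates in the given year when Microsoft and Oracle release on the same day."""
    collisions = []
    for month in (1, 4, 7, 10):
        ms_day = microsoft_patch_tuesday(year, month)
        if ms_day == oracle_cpu_date(year, month):
            collisions.append(ms_day)
    return collisions


if __name__ == "__main__":
    # 2020 yields the three dates listed in the post: 01-14, 04-14, 07-14.
    for day in fujiwhara_dates(2020):
        print(day.isoformat())
```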

On the surface this may seem like a positive thing, and it is certainly an improvement on uncoordinated disclosures (still referred to as “irresponsible disclosure” by many vendors and described as a situation that “hurts customers”). But as more vendors have gravitated towards releasing on Patch Tuesday, organizations are now being subjected to the routine updates of six vendors on the same day, with the possibility of an additional seven. This is in stark contrast to a normal day of vulnerability disclosures.

Last month on Microsoft Patch Tuesday, our VulnDB research team analyzed and published 188 new vulnerabilities in a single day. With Oracle now planning to release on the same day, we expect vulnerability teams will have to aggregate and review a massive list (perhaps doubled) of what will most likely be critical database and product vulnerabilities.

It can’t be ignored that there is a clear and substantial risk to organizations that do not have the necessary vulnerability intelligence and processes in place to enable the handling of the large volume of vulnerabilities being disclosed.

If you are using any of the following vendors, we suggest that you prepare for the impending storms:

CONFIRMED

  • Microsoft
  • Oracle
  • Adobe
  • SAP
  • Siemens
  • Schneider Electric

POTENTIAL

  • Google
  • Apple
  • Mozilla
  • Intel
  • Cisco
  • F5
  • Juniper
Inga Goddijn

Data Breach, Vendor Risk, and Vulnerability Data Wrangler

5 years

As if it wasn't already difficult enough to manage patching...

More articles by Jake Kouns