As the 20th anniversary of Patch Tuesday approaches, it’s time to take a closer look at the program that shook up the security patch market. For many years, Microsoft’s Patch Tuesday provided the predictability required by customers, allowing for better patch management and security. The success of the program is evidenced by the many other organizations that established their own patch cycles, including Adobe, Siemens, Schneider Electric, and more.
However, while the program has been helpful in improving cybersecurity over the years, the quality of Microsoft’s vulnerability descriptions has declined. In the past, their descriptions were useful and contained information that helped practitioners prioritize vulnerabilities, but today they are almost meaningless in practical terms. Comparing the two CVE descriptions in the National Vulnerability Database (NVD) for CVE-2017-0290 and CVE-2023-21554 shows the difference.
The poor CVE descriptions provided by Microsoft are having a significant impact on practitioners, making it harder for them to prioritize vulnerabilities and assess their importance. Good descriptions let practitioners understand which products are affected, the type of vulnerability, the root cause, and the impact: the information needed to assess risk and decide on the best action to take.
To help avoid confusion, MITRE has laid down well-defined rules for what a CVE description must contain. At a minimum, a description must give the reader enough information to understand which products are affected, and it must include at least one of the following: the vulnerability type, the root cause, or the impact.
However, Microsoft seems to be ignoring MITRE’s rules, and it’s unclear why MITRE is allowing it. Other organizations suffer as a result, as seen in the effect on NIST’s per-CVE Common Weakness Enumeration (CWE) ID assignment. Because Microsoft’s advisories do not supply the details, practitioners have to turn to outside sources such as Zero Day Initiative’s rundown of every Patch Tuesday, or go hunting for third-party descriptions of each Microsoft vulnerability, which puts them at a disadvantage.
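The MITRE minimum rule above, and the CWE-assignment consequence just described, can be turned into a triage check. The following is an added example, not code from the article, MITRE or NVD: it parses records shaped like an NVD API 2.0 response, applies keyword heuristics for vulnerability type, root cause, impact, attack vector and version range, and flags descriptions that leave the analyst dependent on third-party write-ups. The sample records and their description texts are constructed stand-ins, not the real wording of CVE-2017-0290 or CVE-2023-21554.

```python
import json
import re

# Constructed sample shaped like an NVD API 2.0 response. Not real NVD data:
# the description texts are illustrative stand-ins, not the actual CVE wording.
SAMPLE_NVD_JSON = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-2017-0290",
             "descriptions": [{"lang": "en", "value":
                 "The Microsoft Malware Protection Engine on Windows 7 through "
                 "Windows 10 does not properly scan a specially crafted file, "
                 "leading to memory corruption that allows remote attackers to "
                 "execute arbitrary code."}],
             "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}]}]}},
    {"cve": {"id": "CVE-2023-21554",
             "descriptions": [{"lang": "en", "value":
                 "Microsoft Message Queuing Remote Code Execution Vulnerability"}],
             "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}]}},
]})

# Keyword heuristics for the elements MITRE's minimum rule asks for beyond the
# affected product (vulnerability type, root cause, impact), plus two signals a
# triage analyst also needs: attack vector and affected version range.
SIGNALS = {
    "vuln_type": r"memory corruption|buffer overflow|use[- ]after[- ]free|injection|deserializ|race condition",
    "root_cause": r"does not properly|improperly|fails? to|mishandl|incorrect|missing|lack of",
    "impact": r"execute arbitrary code|code execution|denial of service|information disclosure|elevation of privilege|bypass",
    "vector": r"crafted|remote|local|network|unauthenticated|adjacent",
    "versions": r"\b(?:before|through|prior to|up to|version)\b|\d+\.\d+",
}
MITRE_MINIMUM = ("vuln_type", "root_cause", "impact")  # any one of these suffices
NO_INFO_CWE = "NVD-CWE-noinfo"  # NVD's marker when it cannot assign a CWE


def assess(nvd_json: str) -> dict:
    """Score each CVE's English description and return triage flags keyed by CVE id."""
    report = {}
    for item in json.loads(nvd_json)["vulnerabilities"]:
        cve = item["cve"]
        text = next(d["value"] for d in cve["descriptions"] if d["lang"] == "en")
        cwes = [d["value"] for w in cve.get("weaknesses", []) for d in w["description"]]
        found = [name for name, pat in SIGNALS.items() if re.search(pat, text, re.I)]
        report[cve["id"]] = {
            "found": found,
            "cwe": cwes[0] if cwes else None,
            # Product naming is taken as given: title-style descriptions always carry it.
            "meets_mitre_minimum": any(s in found for s in MITRE_MINIMUM),
            # Too few signals, or no CWE from NVD, means third-party research is needed.
            "needs_research": len(found) < 3 or NO_INFO_CWE in cwes,
        }
    return report
```

Note that the title-style description technically clears the MITRE minimum (it names a product and an impact class) while still carrying none of the root-cause, type or version detail that triage needs, which is exactly the gap the article describes.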
In summary, while Patch Tuesday provides a predictable cadence, it’s time for Microsoft to address the declining quality of its CVE descriptions. Providing more detail will help practitioners prioritize vulnerabilities and assess risk. High-quality vulnerability descriptions are essential, and it’s time for Microsoft to take charge of improving its CVE descriptions overall.