Security leader to announce critical Microsoft zero-days at Black Hat USA 2023
HONG KONG SAR 18 August 2023 – Trend Micro (TYO: 4704; TSE: 4704), a global cybersecurity leader, announced at Black Hat USA 2023 that its Zero Day Initiative program has published advisories addressing over 1000 unique vulnerabilities in 2023. The real-world impact if these vulnerabilities were to be weaponized would amount to time and financial losses of over 10 times the cost of prevention.
“Our proactive investment of millions each year into vulnerability research and purchases saves billions in recovery for both our customers and the industry as a whole,” said Kevin Simzer, COO at Trend. “A concerning trend is being documented of companies lacking transparency around vulnerability disclosure vendor patching, which pose a threat to the security of the digital world.”
Today, Trend is calling for an end to silent patching – the practice of slowing or diluting public disclosure and documentation of vulnerabilities and patches. It is a major roadblock to fighting cybercrime but is all too common among major vendors and cloud providers.
During a session at Black Hat USA 2023, Trend Research representatives revealed that silent patching has become particularly common among cloud providers. Companies are more frequently refraining from assigning a Common Vulnerabilities and Exposures (CVE) ID for public documentation and are instead privately issuing patches.
The lack of transparency or version numbers for cloud services hinders risk assessment and deprives the wider security community of valuable information for enhancing overall ecosystem security.
At last year’s Black Hat event, Trend warned of a growing number of incomplete or faulty patches and an increasing reluctance among vendors to deliver authoritative information on patches in plain language. The gap has since worsened, with some companies deprioritizing patching altogether, leaving their customers and industries exposed to unnecessary and increasing risk.
Urgent action is needed to prioritize patching, address vulnerabilities and foster collaboration among researchers, cybersecurity vendors and cloud service providers to fortify cloud-based services and protect users from potential risks.
Trend is committed to transparent vulnerability patching and aims to enhance security postures industry-wide through its Zero Day Initiative program. Through its commitment to transparent disclosure, Trend’s ZDI issued today advisories on several zero-day vulnerabilities including:
ZDI-CAN-20784 Github (CVSS 9.9)
- This vulnerability allows remote attackers to escalate privileges on affected installations of Microsoft GitHub. Authentication is required to exploit this vulnerability
- The flaw exists within the configuration of Dev-Containers. The application does not enforce the privileged flag within a dev container configuration. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the hypervisor
ZDI-CAN-20771 Microsoft Azure (CVSS 4.4)
- This vulnerability allows remote attackers to disclose sensitive information on Microsoft Azure. An attacker must first obtain the ability to execute high-privileged code on the target environment in order to exploit this vulnerability
- The flaw exists within the handling of certificates. The issue results from the exposure of a resource to the wrong control sphere. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise.