HONG KONG SAR – Media Outreach – 18 August 2023 –
Trend Micro (TYO: 4704; TSE: 4704), a global cybersecurity leader, announced at Black Hat USA 2023 that its Zero Day Initiative program issued advisories addressing more than 1,000 unique vulnerabilities in 2023. The actual impact if these vulnerabilities were to be weaponized would amount to losses of time and money more than 10 times the cost of prevention.
“Our proactive investment of millions each year in vulnerability research and procurement saves billions in recovery for our customers and the industry as a whole,” said Kevin Simzer, COO at Trend. “A disturbing trend is documented among companies lacking transparency regarding vulnerability disclosure and vendor patches, which poses a threat to the security of the digital world.”
Today, Trend calls for an end to silent patching – the practice of slowing down or diluting public disclosure and documentation of vulnerabilities and patches. This is a major obstacle in the fight against cybercrime, but it is all too common among major vendors and cloud providers.
During a session at Black Hat USA 2023, Trend Research representatives revealed that silent patches have become particularly common among cloud providers. Companies are more frequently refraining from assigning a Common Vulnerabilities and Exposures (CVE) identifier for public documentation and instead releasing patches privately.
The lack of transparency, and the absence of version numbers for cloud services, hampers risk assessment and deprives the wider security community of valuable information that could improve the overall security of the ecosystem.
At last year’s Black Hat event, Trend saw an increasing number of incomplete or faulty patches and a growing reluctance by vendors to provide authoritative, plain-language patch information. The gap has since widened, with some companies abandoning patches altogether, leaving their customers and industries exposed to unnecessary and growing risks.
Urgent action is needed to prioritize patches, remediate vulnerabilities, and foster collaboration among researchers, cybersecurity vendors, and cloud service providers to strengthen cloud-based services and protect users from potential risks.
Trend is committed to patching vulnerabilities transparently and aims to improve security postures industry-wide through its Zero Day Initiative program. Through its commitment to transparent disclosure, Trend’s ZDI today released advisories on several zero-day vulnerabilities, including:
ZDI-CAN-20784 GitHub (CVSS 9.9)
- This vulnerability allows remote attackers to elevate privileges on affected installations of Microsoft GitHub. Authentication is required to exploit this vulnerability.
- The flaw exists in the configuration of Dev-Containers. The application does not apply the privileged flag in a development container configuration. An attacker can exploit this vulnerability to elevate privileges and execute code in the context of the hypervisor.
ZDI-CAN-20771 Microsoft Azure (CVSS 4.4)
- This vulnerability allows remote attackers to disclose sensitive information about Microsoft Azure. An attacker must first obtain the ability to execute elevated code on the target environment in order to exploit this vulnerability.
- The flaw exists in the management of certificates. The problem results from exposing a resource to the wrong sphere of control. An attacker can take advantage of this vulnerability to leak stored credentials, leading to an additional compromise.
For a complete list of notices published by Trend Micro’s ZDI, visit: https://www.zerodayinitiative.com/advisories/published/
Trend Micro’s ZDI pioneered the vulnerability market with its focus on disrupting attackers by legitimately purchasing vulnerability research, which is then disclosed to affected vendors before the information is made public.
Hashtag: #trendmicro #ZDI #cybersecurity #cloudsecurity
The issuer is solely responsible for the content of this announcement.