The Zero Day Initiative published over 1,000 vulnerability reports in the first half of 2023. Among the vulnerabilities are critical Microsoft zero-days. Trend Micro, the initiator of the Zero Day Initiative, warns of a growing number of faulty or incomplete patches.
Trend Micro, one of the world's leading providers of cybersecurity solutions, announces that its Zero Day Initiative (ZDI) has already published over 1,000 advisories on individual vulnerabilities in IT products this year. Against this background, the company warns that faulty or incomplete patches are being published more and more frequently, or that the affected manufacturers are secretly rolling them out.
Silent patching hides vulnerabilities
Trend Micro advocates an end to "silent patching" - a practice that delays or downplays the disclosure and documentation of vulnerabilities and patches. As one of the biggest obstacles in fighting cybercrime, this method is particularly common among large vendors and cloud providers.
“The Zero Day Initiative was founded to close vulnerabilities before they are exploited by cybercriminals. The need for such measures is further emphasized in the European Union by the new NIS2 directive,” explains Richard Werner, Business Consultant at Trend Micro. “However, we are seeing a worrying trend of a lack of transparency in the disclosure of vulnerabilities associated with vendor patches. This poses a threat to the IT security of the digital world, as it deprives customers of the opportunity to take their own further measures.”
Many cloud providers rely on silent patching
At the Black Hat USA 2023 security conference, representatives from Trend Research showed that silent patching is particularly common among cloud providers. Increasingly, these providers refrain from assigning a Common Vulnerabilities and Exposures (CVE) ID, which enables traceable documentation, and instead issue patches in non-public processes. The lack of transparency or version numbers for cloud services hampers risk assessment and deprives the security community of valuable information to improve security across the ecosystem.
As early as last year, Trend Micro warned of a growing number of incomplete or incorrect patches and an increasing reluctance on the part of vendors to provide reliable information about patches in plain language. In the meantime, this trend has intensified, with some companies neglecting patching altogether. As a result, their customers and entire industries are exposed to avoidable and increasing risks. Therefore, there is an urgent need for action to prioritize patches, fix vulnerabilities, and encourage collaboration between researchers, cybersecurity vendors, and cloud service providers to strengthen cloud-based services and protect users from potential risks.
Over 1,000 vulnerabilities in the 2023 list
With the ZDI program, Trend Micro is committed to transparent patching of vulnerabilities and to improving security throughout the industry. As part of this commitment, the Zero Day Initiative has recently published notifications of several zero-day vulnerabilities. The full list of vulnerability advisories published by the Trend Micro Zero Day Initiative (ZDI) is available in English on the initiative's website. Here is an excerpt of the vulnerabilities with a CVSS value of 9.9 or 9.8. The list on the Zero Day Initiative website contains over 1,000 other vulnerabilities with a CVSS value of 9.1 to 2.5.
Excerpt of 39 vulnerabilities with CVSS 9.9 and 9.8
ZDI ID | AFFECTED VENDOR(S) | CVE | CVSS v3.0 |
ZDI-23-1044 | Microsoft | | 9.9 |
ZDI-23-055 | VMware | CVE-2022-31702 | 9.8 |
ZDI-23-093 | Cacti | CVE-2022-46169 | 9.8 |
ZDI-23-094 | Netatalk | CVE-2022-43634 | 9.8 |
ZDI-23-115 | VMware | CVE-2022-31706 | 9.8 |
ZDI-23-118 | Oracle | CVE-2023-21838 | 9.8 |
ZDI-23-168 | SolarWinds | CVE-2022-47506 | 9.8 |
ZDI-23-175 | Oracle | CVE-2023-21890 | 9.8 |
ZDI-23-228 | Ivanti | CVE-2022-44574 | 9.8 |
ZDI-23-233 | PaperCut | CVE-2023-27350 | 9.8 |
ZDI-23-444 | Schneider Electric | CVE-2023-29411 | 9.8 |
ZDI-23-445 | Schneider Electric | CVE-2023-29412 | 9.8 |
ZDI-23-452 | TP-Link | CVE-2023-27359 | 9.8 |
ZDI-23-482 | VMware | CVE-2023-20864 | 9.8 |
ZDI-23-490 | Keysight | CVE-2023-1967 | 9.8 |
ZDI-23-587 | Trend Micro | CVE-2023-32523 | 9.8 |
ZDI-23-588 | Trend Micro | CVE-2023-32524 | 9.8 |
ZDI-23-636 | Schneider Electric | CVE-2022-42970 | 9.8 |
ZDI-23-637 | Schneider Electric | CVE-2022-42971 | 9.8 |
ZDI-23-672 | Delta Electronics | CVE-2023-1133 | 9.8 |
ZDI-23-674 | Delta Electronics | CVE-2023-1140 | 9.8 |
ZDI-23-679 | Delta Electronics | CVE-2023-1136 | 9.8 |
ZDI-23-680 | Delta Electronics | CVE-2023-1139 | 9.8 |
ZDI-23-681 | Delta Electronics | CVE-2023-1145 | 9.8 |
ZDI-23-683 | Delta Electronics | CVE-2023-1133 | 9.8 |
ZDI-23-687 | Canonical | | 9.8 |
ZDI-23-690 | Canonical | | 9.8 |
ZDI-23-702 | Linux | CVE-2023-32254 | 9.8 |
ZDI-23-714 | D-Link | CVE-2023-32169 | 9.8 |
ZDI-23-716 | D-Link | CVE-2023-32165 | 9.8 |
ZDI-23-720 | Moxa | CVE-2023-33236 | 9.8 |
ZDI-23-840 | VMware | CVE-2023-20887 | 9.8 |
ZDI-23-882 | Microsoft | CVE-2023-29357 | 9.8 |
ZDI-23-897 | Progress Software | CVE-2023-36934 | 9.8 |
ZDI-23-906 | Delta Electronics | CVE-2023-34347 | 9.8 |
ZDI-23-920 | NETGEAR | CVE-2023-38096 | 9.8 |
ZDI-23-1025 | Triangle MicroWorks | CVE-2023-39457 | 9.8 |
ZDI-23-1046 | Inductive Automation | CVE-2023-39476 | 9.8 |
ZDI-23-1047 | Inductive Automation | CVE-2023-39475 | 9.8 |
About Trend Micro
As one of the world's leading providers of IT security, Trend Micro helps create a secure world for digital data exchange. With over 30 years of security expertise, global threat research, and constant innovation, Trend Micro offers protection for businesses, government agencies, and consumers. Thanks to our XGen™ security strategy, our solutions benefit from a cross-generational combination of defense techniques optimized for leading-edge environments. Networked threat information enables better and faster protection. Optimized for cloud workloads, endpoints, email, the IIoT and networks, our connected solutions provide centralized visibility across the entire enterprise for faster threat detection and response.