Question about vulnerabilities

Velvis

I have recently been playing around with Action1 and it is reporting that some computers I am running it on have vulnerabilities. For example, CVE-2023-38545 which it reports as being published on October 18, 2023 and related to Microsoft 365 Apps for business - en-us (ver. 16.0.17726.20126) and is identified as a critical vulnerability.

Action 1 & the computer itself reports there are no updates available.

A google search of CVE-2023-38545 results in a lot of low level info about the vuln but no way to specifically address it.

It seems weird that a "critical vulnerability" wouldn't be patched in 8 months.

What am I missing?
 
It seems weird that a "critical vulnerability" wouldn't be patched in 8 months.

Actually, no, it doesn't, because there are critical vulnerabilities and then there are actually critical vulnerabilities, and only so much tech talent to address both.

Look through the list at https://nvd.nist.gov only for critical vulnerabilities and see just how many there are that are very old and have yet to be resolved.
 
Actually, no, it doesn't, because there are critical vulnerabilities and then there are actually critical vulnerabilities, and only so much tech talent to address both.

Look through the list at https://nvd.nist.gov only for critical vulnerabilities and see just how many there are that are very old and have yet to be resolved.
So, is it just Action 1 sort of "fearmongering" and including info that is pretty much meaningless?
 
All I can say is that if I want to get a true sense of how "genuinely threatening" something is, I go to the source. In this case: https://nvd.nist.gov/vuln/detail/CVE-2023-38545

You can do a quick and dirty review of what's available there and decide for yourself (at least to some extent) whether something is anything to lose sleep over. The actual search page, https://nvd.nist.gov/vuln/search, also allows you to choose whether a record of a given vulnerability actually having been exploited exists. If I check that for this particular CVE, nothing comes back. https://nvd.nist.gov/vuln/search/re...nk_types=CISA+Known+Exploited+Vulnerabilities

I have spent years arguing with the pearl clutchers and hand wringers that just because something is possible, doesn't make it likely, and that includes vulnerability exploits. There has to be some "quick and substantial" gain to be had via the exploit, and, very often, there is not.

All vulnerabilities, even within a given level classification, are not even nearly created equal. The easiest vulnerability to exploit, that gets the exploiter next to nothing or nothing, is not ever likely to be exploited. Conversely, the hardest vulnerability to exploit that would produce a huge payday for the person/entity that succeeds, goes to the front of the line.

Real risk assessment takes this into account, and remediation is approached accordingly.
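The triage the reply above describes (severity label first, then the NVD record, then the CISA Known Exploited Vulnerabilities check, then fix availability) can be written down as a small ranking routine. The block below is an added example, not anything from Action 1 or from the posters; the KEV excerpt is constructed in the shape of the CISA KEV JSON feed, and every CVE id, product name and score in it is an invented placeholder.

```python
"""Rank scanner findings the way the thread describes: the severity label is
a starting point, exploitation evidence (CISA KEV) outranks it, and a finding
with no vendor fix is tracked rather than queued for patching."""
from dataclasses import dataclass
import json

# Constructed excerpt in the shape of the CISA KEV JSON feed (only the fields
# used here). The CVE ids are placeholders invented for this example.
KEV_FEED = json.dumps({
    "title": "constructed excerpt",
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "dateAdded": "2024-01-10"},
        {"cveID": "CVE-0000-00003", "dateAdded": "2023-11-02"},
    ],
})


@dataclass(frozen=True)
class Finding:
    """One scanner row: what the tool reports, plus whether a fix exists."""
    cve_id: str
    product: str
    cvss_score: float      # CVSS v3.x base score as the scanner shows it
    fix_available: bool    # a vendor update exists for the installed version


def load_kev_ids(feed_json: str) -> set[str]:
    """Collect the CVE ids listed in a KEV-shaped JSON document."""
    return {row["cveID"] for row in json.loads(feed_json)["vulnerabilities"]}


def cvss_band(score: float) -> str:
    """CVSS v3 qualitative rating for a base score."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


def triage(finding: Finding, kev_ids: set[str]) -> tuple[int, str]:
    """Return (tier, action); lower tier means act sooner."""
    exploited = finding.cve_id in kev_ids
    band = cvss_band(finding.cvss_score)
    if exploited and finding.fix_available:
        return 0, "patch now: in CISA KEV and a fix exists"
    if exploited:
        return 1, "mitigate now: in CISA KEV, no vendor fix yet"
    if band in ("critical", "high") and finding.fix_available:
        return 2, f"patch in normal cycle: {band}, fix exists"
    if band in ("critical", "high"):
        return 3, f"track: {band} label, no fix to apply, no exploitation record"
    return 4, f"backlog: {band}"


def prioritise(findings: list[Finding], kev_ids: set[str]) -> list[tuple[str, int, str]]:
    """Order by tier, then by score, so a KEV-listed 'high' lands above a
    non-KEV 'critical' that has no update available."""
    rows = []
    for f in findings:
        tier, action = triage(f, kev_ids)
        rows.append((f.cve_id, tier, action, f.cvss_score))
    rows.sort(key=lambda r: (r[1], -r[3]))
    return [(cve, tier, action) for cve, tier, action, _ in rows]


# Constructed scanner output modelled on the thread: a "critical" row with no
# update available, beside a lower-scored row that is on the KEV list.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-00002", "office suite 16.0.x", 9.8, fix_available=False),
    Finding("CVE-0000-00001", "office suite 16.0.x", 7.8, fix_available=True),
    Finding("CVE-0000-00003", "pdf reader", 8.1, fix_available=False),
    Finding("CVE-0000-00004", "browser", 9.1, fix_available=True),
    Finding("CVE-0000-00005", "archiver", 5.3, fix_available=True),
]

if __name__ == "__main__":
    for cve, tier, action in prioritise(SAMPLE_FINDINGS, load_kev_ids(KEV_FEED)):
        print(f"tier {tier}  {cve}  {action}")
```

Run against a real KEV download the only change is reading the feed from disk instead of the embedded string; the point of the ranking is that the page's own case, a critical label with no update and no KEV record, ends up in the "track" tier rather than at the top of the list.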
 
So, is it just Action 1 sort of "fearmongering" and including info that is pretty much meaningless?

I think it is more likely that Action 1's "assessment" doesn't go any farther than "what category is this one". Which, frankly, is probably a common thing. I don't think it's reasonable to expect more from a tool such as that (nothing in particular against Action 1). If you want more granular analysis than that, you'll have to be paying a live body to do it, IMO.
 
If your intent is to patch/secure/reduce attack surface, the tools out there to help you with that...will tell you what they find. It's their job, you asked it to produce a list.

BTW, Microsoft 365 already does this with Defender for Endpoint, with enrolled devices....you'll get a nice landing page in Security telling you which workstations have what vulns. It's up to you with what you do with that information.

Within Microsoft 365, as part of Defender, there is "ASR"...Attack Surface Reduction, settings you can roll out.
Just an extension of what many CIS benchmarks do.
 