Some CVEs may lack the required security updates for all or a subset of affected software, which prevents successful remediation efforts. Today, we are excited to announce that support and reporting on the availability of security updates for CVEs is now in public preview in Microsoft Defender Vulnerability Management.
This new feature will show security update availability information for each CVE and actively exclude software lacking updates from the recommendations tab. (Note: Before the introduction of this feature, CVEs missing security updates were not shown in the Defender Vulnerability Management portal. Once a customer enables this feature in public preview, these CVEs will be reported in the Inventory and Weaknesses pages.)
Below is a detailed overview of the new functionality.
Update as of October 24
Several Linux platforms have high numbers of CVEs that are reported in official channels as not having a fix available (Red Hat, CentOS, Debian, and Ubuntu). While some of these CVEs reflect true exposure, visibility into a high volume of non-actionable exposure is undesired by most customers.
To address this going forward, these CVEs, on the above Linux platforms, will not be reported on by Microsoft Defender Vulnerability Management.
Note: The new behavior may lead to reporting of fewer exposed devices and lower organization exposure score.
Weaknesses page
Within the Weaknesses tab, there is a new “Update availability” column in the “Exposed devices” and “Related software” tabs of the CVE details pane.
Selecting on a CVE on the Weaknesses page will show CVEs tagged with one of the following tags:
- No security update – there are no security updates that remediate the vulnerability for any of the related software packages. This CVE will not appear in the Recommendations tab.
- Some updates available – security updates that fix the vulnerability are available only for a subset of all related software packages.
Figure 1: Last column indicates availability of security update for specific device.Figure 2: Last column indicates availability of security update for specific software.Figure 3: Last column indicates availability of security update for specific device.Figure 4: Last column indicates availability of security update for specific software.
Device page
Update availability tags also appear in Tags column of the Discovered vulnerabilities tab in the device page.
Figure 5: Tags column shows update availability tags.
Recommendations
Recommendations will include only devices and software packages for which security updates are available.
Advanced Hunting
A new column CveTags was added to table DeviceTvmSoftwareVulnerabilities. The column type is dynamic. The column value is an array of tags relevant to the CVE. The tags that are currently supported are “ZeroDay” and “NoSecurityUpdate”.
Export API
The export software vulnerabilities assessment API was extended to support CVEs with no security updates. A new Boolean field SecurityUpdateAvailable was added to response.
For more information on this feature, see Vulnerabilities in my organization.
Learn more & Get started
- Check out the latest announcement on Microsoft Defender Vulnerability Management, now in public preview.
- Sign up for public preview.
-
For customers interested in the full Defender Vulnerability Management solution, sign up here.
-
For Microsoft Defender for Endpoint Plan 2 customers interested in the Defender Vulnerability Management add-on, sign up here.
-
- To learn how to use Defender Vulnerability Management, visit aka.ms/MDVM and our documentation.
Updated Oct 20, 2022
Version 2.0Michael_Kapelevich
Former Employee
Joined June 13, 2022
Microsoft Defender Vulnerability Management Blog
Follow this blog board to get notified when there's new activity