Support for Common Vulnerabilities and Exposures (CVEs) without a security update in public preview

Some CVEs may lack the required security updates for all or a subset of affected software, which prevents successful remediation efforts. Today, we are excited to announce that support and reporting on the availability of security updates for CVEs is now in public preview in Microsoft Defender Vulnerability Management.

This new feature will show security update availability information for each CVE and actively exclude software lacking updates from the recommendations tab. (Note: Before the introduction of this feature, CVEs missing security updates were not shown in the Defender Vulnerability Management portal. Once a customer enables this feature in public preview,  these CVEs will be reported in the Inventory and Weaknesses pages.)

Below is a detailed overview of the new functionality.

Update as of October 24

Several Linux platforms have high numbers of CVEs that are reported in official channels as not having a fix available (Red Hat, CentOS, Debian, and Ubuntu). While some of these CVEs reflect true exposure, visibility into a high volume of non-actionable exposure is undesired by most customers.

To address this going forward, these CVEs, on the above Linux platforms, will not be reported on by Microsoft Defender Vulnerability Management.

Note: The new behavior may lead to reporting of fewer exposed devices and lower organization exposure score.

Weaknesses page

Within the Weaknesses tab, there is a new “Update availability” column in the “Exposed devices” and “Related software” tabs of the CVE details pane.

Selecting on a CVE on the Weaknesses page will show CVEs tagged with one of the following tags:

• No security update – there are no security updates that remediate the vulnerability for any of the related software packages. This CVE will not appear in the Recommendations tab.
• Some updates available – security updates that fix the vulnerability are available only for a subset of all related software packages.

Figure 1: Last column indicates availability of security update for specific device.Figure 2: Last column indicates availability of security update for specific software.Figure 3: Last column indicates availability of security update for specific device.Figure 4: Last column indicates availability of security update for specific software.

Device page

Update availability tags also appear in Tags column of the Discovered vulnerabilities tab in the device page.

Figure 5: Tags column shows update availability tags.

Recommendations

Recommendations will include only devices and software packages for which security updates are available.

Advanced Hunting

A new column CveTags was added to table DeviceTvmSoftwareVulnerabilities. The column type is dynamic. The column value is an array of tags relevant to the CVE. The tags that are currently supported are “ZeroDay” and “NoSecurityUpdate”.

Export API

The export software vulnerabilities assessment API was extended to support CVEs with no security updates. A new Boolean field SecurityUpdateAvailable was added to response.

For more information on this feature, see Vulnerabilities in my organization.

Learn more & Get started

1. Check out the latest announcement  on Microsoft Defender Vulnerability Management, now in public preview.
2. Sign up for public preview.

   • For customers interested in the full Defender Vulnerability Management solution, sign up here.

   • For Microsoft Defender for Endpoint Plan 2 customers interested in the Defender Vulnerability Management add-on, sign up here.

3. To learn how to use Defender Vulnerability Management, visit  aka.ms/MDVM and our documentation.