Microsoft Defender Vulnerability Management Now Reports CVEs Lacking Fixes

Microsoft is previewing the ability for organizations to see when software lacks fixes for Common Vulnerabilities and Exposures (CVEs), as described in a Monday announcement.

CVEs are reported software vulnerabilities. The CVE-reporting capability in Microsoft Defender Vulnerability Management is currently available at the preview stage. The Microsoft Defender Vulnerability Management product itself is also at the preview stage.

Microsoft Defender Vulnerability Management was introduced last month as a new "standalone" product and add-on option for E5 customers and Microsoft Defender for Endpoint Plan 2 subscribers. Subscribers to the Microsoft Defender Vulnerability Management service get a bunch of asset and inventory tools, assessment tools, plus prioritization and remediation solutions.

Such tools are likely useful for a lot of organizations, but they come at an extra cost. It costs $3 per user per month for the standalone product and $2 per user per month for the E5 and Microsoft Defender for Endpoint Plan 2 add-ons. The product's add-on status for top-level E5 licensing is perhaps a new signal that Microsoft won't always include new E5 subscription capabilities without charging separately for them.

The Microsoft Defender Vulnerability Management Portal shows the new CVE-reporting capability via a "Weaknesses" page (also called a "tab" by Microsoft). It has an "Update Availability" column that displays update availability information for each CVE, which is shown for both devices and software. This sort of information wasn't previously shown in the portal, the announcement explained:

Before the introduction of this feature, CVEs missing security updates were not shown in the Defender Vulnerability Management portal. Once a customer enables this feature in public preview, these CVEs will be reported in the Inventory and Weaknesses pages.

If there's no CVE fix, the Weaknesses tab will call out that information. Updates that are available, but just for particular software versions, also are shown. Given these capabilities, Microsoft adjusted the "Recommendations" tab in the portal to only show devices and software when security updates are available.

The new CVE-reporting capabilities were also added to Microsoft's "export software vulnerabilities assessment API." It'll surface information about software lacking CVE fixes as well.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

