Which vendors have already released Tianfu Cup security fixes?
I reached out to all the vendors whose products fell to exploits during the Tianfu Cup weekend, requesting a statement regarding patching timelines for the vulnerabilities concerned. Unfortunately, the response has, if I'm honest, been very disappointing indeed.
A Microsoft spokesperson told me that "all vulnerabilities reported as part of the contest are disclosed responsibly and confidentially. Solutions to verified security issues that meet our criteria for immediate servicing are normally released via our monthly Update Tuesday cadence." So, although Microsoft did not confirm as much specifically, there is some hope that patches for the Windows 10 and Microsoft Exchange vulnerabilities will arrive on Tuesday, 9 November.
Google didn't provide a statement but did confirm for background purposes that it will roll out any patches required once issues are investigated thoroughly. However, according to Google's security blog, it would appear that the two vulnerabilities exploited during the Tianfu Cup have been fixed in Chrome 95.0.4638.69, which started rolling out on Thursday, 28 October.
The only other vendor that responded to my request for more information at the time of publication was Red Hat, regarding a vulnerability in the QEMU VM. Unfortunately, the Red Hat security team had nothing that could be shared with me.
I will, of course, update this article if and when I hear anything from the remaining vendors, which are Adobe, Apple, Asus, Canonical, Docker, Parallels and VMware.
In the meantime, my advice is to keep an eye out for security updates and apply them as soon as you can if you are a user of Adobe PDF, Apple iOS and Safari, the Asus AX56U router, Docker CE, Microsoft Exchange and Windows 10, Parallels VM, QEMU VM, Ubuntu 20 or VMware ESXi and Workstation.