From MSRC API to ZDI chart

ZDI, a.k.a. the Zero Day Initiative, publishes a nice chart summarizing the updates released by the MSRC each Patch Tuesday.

I wondered how I could get the same in a grid view with PowerShell…

#Requires -Module MsrcSecurityUpdates
# The CVRF document ID is the month in 'yyyy-MMM' form, e.g. '2022-Feb'; force en-US so the month abbreviation is what the API expects.
(Get-MSRCCvrfDocument -ID "$((Get-Date).ToString('yyyy-MMM',[System.Globalization.CultureInfo]'en-US'))").Vulnerability |
Foreach-Object {
    $v = $_
    $Disclosed = $Exploited = $null
    # Threat type 1 is the "Exploit Status" entry, formatted like "Publicly Disclosed:No;Exploited:Yes;..."
    $Disclosed = ([regex]'Publicly\sDisclosed:(?<D>(Yes|No));').Match("$(($v.Threats | Where-Object { $_.Type -eq 1 }).Description.Value)") |
        Select-Object -ExpandProperty Groups | Select-Object -Last 1 -ExpandProperty Value
    $Exploited = ([regex]'Exploited:(?<E>(Yes|No));').Match("$(($v.Threats | Where-Object { $_.Type -eq 1 }).Description.Value)") |
        Select-Object -ExpandProperty Groups | Select-Object -Last 1 -ExpandProperty Value
    [PSCustomObject]@{
        CVEID     = $v.CVE
        Tag       = $($v.Notes | Where-Object { $_.Type -eq 7 }).Value
        CNA       = $($v.Notes | Where-Object { $_.Type -eq 8 }).Value
        Title     = $v.Title.Value
        Date      = $($v.RevisionHistory | Select-Object -First 1 -ExpandProperty Date)
        Revision  = $($v.RevisionHistory | Select-Object -First 1 -ExpandProperty Number)
        # Threat type 3 carries the severity rating (Critical, Important, ...)
        Severity  = $( ($v.Threats | Where-Object { $_.Type -eq 3 }).Description | Select-Object -ExpandProperty Value -ErrorAction SilentlyContinue | Sort-Object -Unique)
        # Keep the highest CVSS base score when several score sets are present
        CVSS      = '{0:N1}' -f $($v.CVSSScoreSets.BaseScore | Sort-Object -Unique | ForEach-Object { [double]$_ } | Sort-Object -Descending | Select-Object -First 1)
        Public    = $Disclosed
        Exploited = $Exploited
        # Threat type 0 carries the impact (Remote Code Execution, Elevation of Privilege, ...)
        Type      = $( ($v.Threats | Where-Object { $_.Type -eq 0 }).Description | Select-Object -ExpandProperty Value -ErrorAction SilentlyContinue | Sort-Object -Unique)
    }
} |
Select-Object -Property CVEID,Title,Severity,CVSS,Public,Exploited,Type |
Out-GridView

Here’s what the result looks like for February 2022:
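As an added example (my code, not the original post's script or part of the MsrcSecurityUpdates module), the same CVRF extraction factored into a reusable function. It parses the "Publicly Disclosed:…;Exploited:…;" status string with -match instead of the Groups/Select-Object trick, tolerates vulnerabilities that have no exploit-status or CVSS entry (the cases the script silences with -ErrorAction SilentlyContinue), and ends with a filter that surfaces the rows a defender wants first: anything already exploited or publicly disclosed. The function names Get-MsrcExploitStatus, ConvertTo-MsrcChartRow and Get-MsrcChart, and the $sample object, are my own; $sample is a constructed object in the shape of one CVRF Vulnerability entry with a placeholder CVE id, so the block runs offline without the module.

```powershell
# Added example, not code from the original post. Function names are assumptions.

function Get-MsrcExploitStatus {
    # Parse the MSRC "Exploit Status" string, e.g. 'Publicly Disclosed:No;Exploited:Yes;...'.
    # A field that is absent yields $null rather than an error.
    param([string]$Text)
    $result = [ordered]@{ Public = $null; Exploited = $null }
    if ($Text -match 'Publicly\sDisclosed:(?<D>Yes|No);') { $result.Public    = $Matches.D }
    if ($Text -match 'Exploited:(?<E>Yes|No);')           { $result.Exploited = $Matches.E }
    [PSCustomObject]$result
}

function ConvertTo-MsrcChartRow {
    # Flatten one CVRF Vulnerability object into a row with the same columns as the grid above.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)]$Vulnerability)
    process {
        $v = $Vulnerability
        # Threat type 1 = exploit status, 3 = severity, 0 = impact (as in the script above)
        $statusText = ($v.Threats | Where-Object { $_.Type -eq 1 } | ForEach-Object { $_.Description.Value }) -join ';'
        $status     = Get-MsrcExploitStatus -Text $statusText
        $scores     = @($v.CVSSScoreSets.BaseScore | ForEach-Object { [double]$_ })
        [PSCustomObject]@{
            CVEID     = $v.CVE
            Title     = $v.Title.Value
            Severity  = ($v.Threats | Where-Object { $_.Type -eq 3 } | ForEach-Object { $_.Description.Value } | Sort-Object -Unique) -join ','
            # Highest base score when several score sets exist; $null when there is none
            CVSS      = if ($scores.Count) { '{0:N1}' -f ($scores | Measure-Object -Maximum).Maximum } else { $null }
            Public    = $status.Public
            Exploited = $status.Exploited
            Type      = ($v.Threats | Where-Object { $_.Type -eq 0 } | ForEach-Object { $_.Description.Value } | Sort-Object -Unique) -join ','
        }
    }
}

function Get-MsrcChart {
    # Live variant: needs the MsrcSecurityUpdates module. -Month is the CVRF ID, e.g. '2022-Feb'.
    # -PriorityOnly keeps just the exploited or publicly disclosed entries for triage.
    param(
        [string]$Month = (Get-Date).ToString('yyyy-MMM', [System.Globalization.CultureInfo]'en-US'),
        [switch]$PriorityOnly
    )
    Import-Module MsrcSecurityUpdates -ErrorAction Stop
    $rows = (Get-MsrcCvrfDocument -ID $Month).Vulnerability | ConvertTo-MsrcChartRow
    if ($PriorityOnly) { $rows = $rows | Where-Object { $_.Exploited -eq 'Yes' -or $_.Public -eq 'Yes' } }
    $rows
}

# Constructed sample in the shape of a CVRF Vulnerability entry (placeholder CVE id, not a real advisory)
$sample = [PSCustomObject]@{
    CVE           = 'CVE-0000-00000'
    Title         = [PSCustomObject]@{ Value = 'Example Remote Code Execution Vulnerability' }
    CVSSScoreSets = @(
        [PSCustomObject]@{ BaseScore = '7.8' },
        [PSCustomObject]@{ BaseScore = '8.8' }
    )
    Threats = @(
        [PSCustomObject]@{ Type = 0; Description = [PSCustomObject]@{ Value = 'Remote Code Execution' } },
        [PSCustomObject]@{ Type = 3; Description = [PSCustomObject]@{ Value = 'Important' } },
        [PSCustomObject]@{ Type = 1; Description = [PSCustomObject]@{ Value = 'Publicly Disclosed:No;Exploited:Yes;Latest Software Release:Exploitation Detected;' } }
    )
}

# Offline demonstration: expect CVSS 8.8, Public No, Exploited Yes
$sample | ConvertTo-MsrcChartRow | Format-List

# Online use (module required):  Get-MsrcChart -Month '2022-Feb' -PriorityOnly | Out-GridView
```

The -join on the joined status and severity values keeps a row a single string even when the CVRF document carries more than one threat entry of a type, which is what makes the grid sortable; the script above gets the same effect with Sort-Object -Unique but emits an array when two distinct values exist.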


9 thoughts on “From MSRC API to ZDI chart”

  1. Am I missing something here?
    Import-Module: The specified module ‘MsrcSecurityUpdates’ was not loaded because no valid module file was found in any module directory.

  2. Thank you for this script. Is it possible to get the security updates for the day of Patch Tuesday only? Or does it get all updates for the month?

  3. I am wondering why CVE-2021-26414 was not pulled into the report. This CVE was originally published a year ago but it was re-issued on June Patch Tuesday.
    If it were possible to get these added to the report, it would be helpful to see these revisions with the original release date.
    These were the other revision increments from the last Patch Tuesday:
    * CVE-2021-26414
    * CVE-2022-23267
    * CVE-2022-24513
    * CVE-2022-24527
    * CVE-2022-26832
    * CVE-2022-30190
    Thank you!

    • The reason why CVE-2021-26414 is not pulled in the report is because it’s not part of the msrc cvrf document published this month. CVE-2021-26414 is in the msrc doc from June 2021.
      You’re asking about tracking revisions. This is another purpose. A new piece of code would be required.
      Let me also add that it’s not been reissued (would mean that there’s a new binary).
      CVE-2021-26414 has only been revised to indicate that some other binaries released in June 2022 set the enforcement:

      RPC_C_AUTHN_LEVEL_PKT_INTEGRITY on DCOM servers is now enabled by default

      • I feel I have pushed my luck to the limit but I would be interested in a report that generates these CVE revisions particularly since quite a few of them occur on Patch Tuesday. Thank you for the explainer and for all your expertise!
