November 2020 Patch Tuesday forecast: Significant OS changes ahead

November Patch Tuesday and the end-of-year holidays are rapidly approaching. Microsoft gave us a late release or maybe an early gift depending upon how you look at the new version of Windows 10. The Patch Tuesday updates appear to be light, so things are looking much better as we enter the final stretch for 2020.

The big announcement this month is the release of Windows 10 version 20H2 on October 20. Yes, you read that correctly – not the 2020 Fall Release or Windows 10 version 2009, but Windows 10 version 20H2. Name changes once again!

This update follows the feature enablement model that began last year with Windows 10 versions 1903 and 1909. The new features in Windows 10 version 20H2 are also included in the October cumulative update for Windows 10 version 2004, although they are dormant. They can be turned on via a special enablement package.

A big change regarding servicing stack updates (SSU) and the latest cumulative updates (LCU) has finally been made – LCUs and SSUs have been combined into a single cumulative monthly update! Moving forward we don’t have to worry about managing these separately. Microsoft recommends applying the latest SSU for Windows 10, version 2004 and then you can forget about SSUs in the future because they are automatically applied as needed in the cumulative updates.

This release also includes a few security updates for Microsoft Defender Advanced Threat Protection (ATP), Microsoft Defender Application Guard for Office, and biometric enhancements for Windows Hello.

Each new release comes with its share of reported issues, so please review before you update to this latest version. From some of the forums I monitor, I’ve noted a lot of conversations around device drivers and device support in general. I suspect this is not an issue unique to Windows 10 version 20H2, but is part of a carryover from Microsoft now enforcing properly signed drivers, which began last month in the cumulative update. There are a lot of good reasons to update your OS, but always ‘look before you leap’ to ensure a smooth transition.

November 2020 Patch Tuesday forecast

  • Expect Microsoft to get back on track this month. There was a major dip in common vulnerabilities and exposures (CVEs) addressed last month, and for the first time I can remember there were no updates for Internet Explorer or Edge. Anticipate updates for the standard operating systems, browsers, Office, and extended support updates for Windows 7 and Server 2008. Servicing stack updates to include ESUs are expected.
  • Security updates were released this week for Adobe Acrobat and Reader, so I don’t expect anything next week.
  • Apple released their latest security updates for iTunes and iCloud in late September. The next updates will probably show up late this month or early December.
  • Google Chrome 86 was updated this week with a few security updates; there is a slight chance another release may come out on Patch Tuesday but don’t count on it.
  • Mozilla Firefox and Thunderbird were updated in mid-October. We should see some additional security updates next week.
  • It looks like an average Patch Tuesday for November. If you have some spare time, check out Microsoft’s latest and greatest in Windows 10 version 20H2.

Ivanti simplifies the IT management experience while adding support for devices of all types

Ivanti announces new capabilities for Ivanti Unified Endpoint Manager and Ivanti User Workspace Manager. New capabilities extend endpoint management features for Windows, Android, Mac, iOS and Linux devices while giving IT teams the ability to deliver a more ambient, personalized device experience for their end-users.

“At Ivanti we are committed to delivering innovation that gives users better experiences and businesses better outcomes,” said Alan Braithwaite, senior director, product management, Ivanti.

“Our latest releases of Unified Endpoint Manager and User Workspace Manager further simplify the IT management experience while adding robust support for devices of all types, securing and controlling them no matter where and how they are accessing corporate data – all from a single and intuitive console.

“When combined with the hyper-automated Ivanti Neurons platform, these expanded solutions further enable the self-healing, autonomous edge.”

Unified Endpoint Manager 2020.1 Service Update 2 delivers timely innovations that give IT teams more granular control, regardless of where devices are being used, and automate security to mitigate risk exposure.

New features support endpoints of all types, whether users are accessing company data on company-issued or non-issued devices, or operating using home, public or company networks.

New Unified Endpoint Manager enhancements include:

  • Patch automation and agentless vulnerability scanning help streamline endpoint protection to improve a company’s security posture, regardless of where users are working.
  • MacOS and iOS management enhancements give admins more control, featuring iOS Portal, Apple Business Manager Apps and Books in the Portal, the ability to Enable and Remove Activation Lock, iOS device QR code MDM enrollment, the ability to reset the EPM Agent using an MDM Package, and simplified Apple Push Notification Service (APNS) support.
  • Remote control updates now include full-screen capability and Alt+Tab keyboard switching between applications for a better service experience for remote and distributed workers.
  • Improved remote Linux management and agent settings enable admins to remotely manage Linux devices without requiring a VPN. Additional features include the ability to schedule inventory, manage software distribution and integrate with Ivanti Patch Manager.
  • Enhanced Modern Device Management (MDM) simplifies the MDM user interface and end user enrollment process across Android, MacOS and iOS devices.

Ivanti User Workspace Manager 2020.2 has also been enhanced to deliver a more ambient Windows experience for users, wherever they may be working.

Building on core User Workspace Manager capabilities, the enhanced solution offers new features to enhance digital workspace management in the areas of user personalization, application control, privilege management and file and data synchronization.

New enhancements in Ivanti User Workspace Manager include:

  • A Windows Start Menu Designer, Windows Settings sync over VPN, and on-demand Windows 10 privilege elevation capabilities to enhance the user experience
  • A URL re-Direction for Edge Browser, authenticated web-proxy support, OneDrive Delta API support, and File Director administration tools to increase functionality for IT teams

Ivanti Unified Endpoint Manager and User Workspace Manager updates are available now. To further enhance IT outcomes, these solutions may be used with the Ivanti Neurons platform which features hyper-automation bots to self-heal and self-secure devices and provide proactive support for better user experiences.

Microsoft Patch Tuesday, October 2020 Edition

It’s Cybersecurity Awareness Month! In keeping with that theme, if you (ab)use Microsoft Windows computers you should be aware the company shipped a bevy of software updates today to fix at least 87 security problems in Windows and programs that run on top of the operating system. That means it’s once again time to back up and patch up.

Eleven of the vulnerabilities earned Microsoft’s most-dire “critical” rating, which means bad guys or malware could use them to gain complete control over an unpatched system with little or no help from users.

Worst in terms of outright scariness is probably CVE-2020-16898, which is a nasty bug in Windows 10 and Windows Server 2019 that could be abused to install malware just by sending a malformed packet of data at a vulnerable system. CVE-2020-16898 earned a CVSS Score of 9.8 (10 is the most awful).

Security vendor McAfee has dubbed the flaw “Bad Neighbor,” and in a blog post about it said a proof-of-concept exploit shared by Microsoft with its partners appears to be “both extremely simple and perfectly reliable,” noting that this sucker is eminently “wormable” — i.e. capable of being weaponized into a threat that spreads very quickly within networks.

“It results in an immediate BSOD (Blue Screen of Death), but more so, indicates the likelihood of exploitation for those who can manage to bypass Windows 10 and Windows Server 2019 mitigations,” McAfee’s Steve Povolny wrote. “The effects of an exploit that would grant remote code execution would be widespread and highly impactful, as this type of bug could be made wormable.”

Trend Micro’s Zero Day Initiative (ZDI) calls special attention to another critical bug quashed in this month’s patch batch: CVE-2020-16947, which is a problem with Microsoft Outlook that could result in malware being loaded onto a system just by previewing a malicious email in Outlook.

“The Preview Pane is an attack vector here, so you don’t even need to open the mail to be impacted,” said ZDI’s Dustin Childs.

While there don’t appear to be any zero-day flaws in October’s release from Microsoft, Todd Schell from Ivanti points out that a half-dozen of these flaws were publicly disclosed prior to today, meaning bad guys have had a jump start on being able to research and engineer working exploits.

Other patches released today tackle problems in Exchange Server, Visual Studio, .NET Framework, and a whole mess of other core Windows components.

For any of you who’ve been pining for a Flash Player patch from Adobe, your days of waiting are over. After several months of depriving us of Flash fixes, Adobe’s shipped an update that fixes a single — albeit critical — flaw in the program that crooks could use to install bad stuff on your computer just by getting you to visit a hacked or malicious website.

Chrome and Firefox both now disable Flash by default, and Chrome and IE/Edge auto-update the program when new security updates are available. Mercifully, Adobe is slated to retire Flash Player later this year, and Microsoft has said it plans to ship updates at the end of the year that will remove Flash from Windows machines.

It’s a good idea for Windows users to get in the habit of updating at least once a month, but for regular users (read: not enterprises) it’s usually safe to wait a few days until after the patches are released, so that Microsoft has time to iron out any chinks in the new armor.

But before you update, please make sure you have backed up your system and/or important files. It’s not uncommon for a Windows update package to hose one’s system or prevent it from booting properly, and some updates have even been known to erase or corrupt files.

So do yourself a favor and back up before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

Microsoft Patch Tuesday, Sept. 2020 Edition

Microsoft today released updates to remedy nearly 130 security vulnerabilities in its Windows operating system and supported software. None of the flaws are known to be currently under active exploitation, but 23 of them could be exploited by malware or malcontents to seize complete control of Windows computers with little or no help from users.

The majority of the most dangerous or “critical” bugs deal with issues in Microsoft’s various Windows operating systems and its web browsers, Internet Explorer and Edge. September marks the seventh month in a row Microsoft has shipped fixes for more than 100 flaws in its products, and the fourth month in a row that it fixed more than 120.

Among the chief concerns for enterprises this month is CVE-2020-16875, which involves a critical flaw in the email software Microsoft Exchange Server 2016 and 2019. An attacker could leverage the Exchange bug to run code of his choosing just by sending a booby-trapped email to a vulnerable Exchange server.

“That doesn’t quite make it wormable, but it’s about the worst-case scenario for Exchange servers,” said Dustin Childs, of Trend Micro’s Zero Day Initiative. “We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that requires authentication. We’ll likely see this one in the wild soon. This should be your top priority.”

Also not great for companies to have around is CVE-2020-1210, which is a remote code execution flaw in supported versions of Microsoft SharePoint document management software that bad guys could attack by uploading a file to a vulnerable SharePoint site. Security firm Tenable notes that this bug is reminiscent of CVE-2019-0604, another SharePoint problem that’s been exploited for cybercriminal gains since April 2019.

Microsoft fixed at least five other serious bugs in SharePoint versions 2010 through 2019 that also could be used to compromise systems running this software. And because ransomware purveyors have a history of seizing upon SharePoint flaws to wreak havoc inside enterprises, companies should definitely prioritize deployment of these fixes, says Allan Liska, senior security architect at Recorded Future.

Todd Schell at Ivanti reminds us that Patch Tuesday isn’t just about Windows updates: Google has shipped a critical update for its Chrome browser that resolves at least five security flaws that are rated high severity. If you use Chrome and notice an icon featuring a small upward-facing arrow inside of a circle to the right of the address bar, it’s time to update. Completely closing out Chrome and restarting it should apply the pending updates.

Once again, there are no security updates available today for Adobe’s Flash Player, although the company did ship a non-security software update for the browser plugin. The last time Flash got a security update was June 2020, which may suggest researchers and/or attackers have stopped looking for flaws in it. Adobe says it will retire the plugin at the end of this year, and Microsoft has said it plans to completely remove the program from all Microsoft browsers via Windows Update by then.

Before you update with this month’s patch batch, please make sure you have backed up your system and/or important files. It’s not uncommon for Windows updates to hose one’s system or prevent it from booting properly, and some updates have even been known to erase or corrupt files.

So do yourself a favor and back up before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

September 2020 Patch Tuesday forecast: Back to school?

Another month has passed working from home and September Patch Tuesday is upon us. For most of us here in the US, September usually signals back to school for our children and with that comes a huge increase in traffic on our highways. But I suspect with the big push for remote learning from home, those of us in IT may be more worried about the increase in network traffic. So, should we expect a large number of updates this Patch Tuesday that will bog down our networks?

The good news is that I expect a more limited release of updates from Microsoft and third-party vendors this month. In August, we saw a HUGE set of updates for Office and also an unexpected .NET release after just having one in July.

Also looking back to last month, there were some reported issues on the Windows 10 version 1903, 1909, and 2004 updates. Applying the updates for KB 4565351 or KB 4566782 resulted in a failure for many users on automatic updates with return codes/explanations that were not very helpful. Let’s hope the updates are more stable this month without the need to re-apply, or worse, redistribute these large updates across our networks using even more bandwidth.

Last month I talked about software end-of-life (EOL) and making sure you had a plan in place to properly protect your systems in advance. Just as an early reminder we have the EOL of Windows Embedded Standard 7 coming up on October Patch Tuesday. Microsoft will offer continued Extended Security Updates (ESUs) for critical and important security updates just like they did for Windows 7 and Server 2008.

These updates will be available for three years through October 2023. Microsoft also provided an update on the ‘sunset’ of the legacy Edge browser in March 2021 along with the announcement that Microsoft 365 apps and services will no longer support IE 11 starting in August 2021. They made it clear IE 11 is not going away anytime soon, but the new Edge is required for a modern browser experience. These changes are all still a few months out but plan accordingly.

September 2020 Patch Tuesday forecast

  • We’ll see the standard operating system updates, but as I mentioned earlier, with the large Office and individual application updates released last month, expect a smaller and more limited set this time.
  • Service stack updates (SSUs) are hit or miss each month. The last required update was released in May. Expect to see a few in the mix once again.
  • A security update for Acrobat and Reader came out last Patch Tuesday. There are no pre-announcements on their web site so we may see a small update, if any.
  • Apple released security updates last month for iTunes and iCloud, so we should get a break this month if they maintain their quarterly schedule.
  • Google Chrome 85 was released earlier this week, but we may see a security release if they have any last-minute fixes for us.
  • We’re due for a Mozilla security update for Firefox and Thunderbird. The last security release was back on August 25.

Remote security management of both company-provided and user-attached systems provides many challenges. With a projected light set of updates this month, hopefully tying up valuable bandwidth isn’t one of those challenges.

August 2020 Patch Tuesday forecast: Planning for the end?

There doesn’t seem to be an end in sight to the COVID-19 crisis, but there are some important end-of-life/end-of-support dates we should be aware of when it comes to software.

Before we dig into this month’s forecast of updates, I want to spend a little time on the importance of planning ahead to avoid the high costs associated with extended support contracts, or sometimes worse, modifying your network environment to mitigate risks.

Remember when Windows XP end-of-life was a ‘date on the horizon’ that you would deal with when it got closer? Suddenly Windows 7 has reached the same point. In fact, we’ve just gone over the six-month point in the first year of Extended Support Updates for Windows 7 and Server 2008.

The operational lifespan of an operating system version is shrinking, and the model has changed as Microsoft moved to the software-as-a-service model for Windows 10. It is imperative we keep track of critical dates associated with both operating systems and applications in order to maintain a functional work environment.

Microsoft has extended the support dates on a few operating systems, but those dates are rapidly approaching. The Enterprise and Education editions of Windows 10 versions 1709 and 1803 reach end of service in October and November respectively this year. The Home and Professional editions of Windows 10 version 1809 reach end-of-service in November as well. Double check your applications to ensure compatibility as you make the operating system upgrades on these systems – you only have 2-3 months left!

We have a little breathing room for the remaining non-Windows 10 operating systems. Both Windows 8.1 and the Server 2012 variations reach their end-of-extended-support in October 2023. Once we reach that point in time, we’ll only have Windows 10 left (or the latest new operating system from Microsoft).

There will be situations where you’ll reach the end of support and there won’t be new patches for the system, but you need to maintain the operating systems and their legacy applications to meet business needs. You’ll need to look at other options to mitigate the security risks introduced by these increasingly vulnerable systems.

Consider virtualization or locking down the system to run only the specific applications you need. Electronic separation is another option—moving them from direct internet connectivity or into more protected parts of your network. Heightened monitoring through next-gen antivirus or endpoint detection and response solutions can also provide added protection. Choose what works best for you but have a plan and timeline in place for their replacement.

My forecast last month was accurate with regards to record numbers of CVEs addressed. I don’t believe we’ll see this sustained growth but expect a higher than average number to be addressed again this month.

August 2020 Patch Tuesday forecast

  • Expect a normal set of operating system and application updates, including ESUs, from Microsoft. I’ve been anticipating a SQL server or Exchange server update, so maybe it will happen this month?
  • Every operating system received a service stack update (SSU) last month. We may get a break here next week.
  • In keeping with the ‘planning for the end’ theme this month, Adobe Flash reaches end-of-life at the end of the year. Plan accordingly because a lot of applications still rely on Flash. Adobe may be giving Flash extra attention as we near the end of its life, so be on the lookout.
  • We have a pre-notification from Adobe that APSB20-48 for Acrobat and Reader should release on Patch Tuesday.
  • Apple released security update 12.10.8 for Windows iTunes at the end of July. We could see a similar update for iCloud this week.
  • Google Chrome 85 is in the beta channel and may be released next week.
  • Mozilla provided security updates for Firefox 79, Firefox 68 ESR and 78 ESR, as well as Thunderbird 68 and 78 the last week of July. There is a small possibility of a minor security update for some of these applications next week.

The days of sitting on an operating system for 5-10 years with just patching are gone. Patching remains critical for the tactical protection of your systems, but strategic planning for the ongoing upgrades of operating systems and applications is the key to their long-term stability and security.

July 2020 Patch Tuesday forecast: Will the CVE trend continue?

Microsoft has averaged roughly 90 common vulnerabilities and exposures (CVE) fixes per month over the past five months. With everyone working from home and apparently focused on bug fixes, I expect this large CVE fixing trend to continue. Despite these record CVE numbers, the actual number of updates has been down; we haven’t seen Exchange or SQL Server updates in a while.

The hot topic of conversation over the last two weeks has been the release of out-of-band security updates for CVE-2020-1425 and CVE-2020-1427, both of which address a memory issue within the Microsoft Windows Codecs Library.

While Microsoft does release security updates out-of-band from time to time, the points of contention were that these updates were only available from the Microsoft Store and were released with very limited information. The fact that CVE-2020-1425 is rated critical with limited availability through the store has many people wondering why this is the case. This is an unusual release for Microsoft. Keep your eyes open on Tuesday to see if these CVEs show up in the cumulative monthly update.

We’ll see another set of updates for Windows 10 version 2004 and Windows Server version 2004. It’s now been over a full month since the May 27 release of this ‘new’ operating system. As with all operating system releases you’ll want to stay on top of these updates because a larger number of security fixes, as well as important stability updates, are made over the first couple of months.

If you are experiencing any particular issues as you roll out this new operating system you should check out the known issues page for the latest information. You may find a fix is already available or will soon be on the way.

Continue to be diligent with your vulnerability management and system updates as we move deeper into the summer. It’s been kind of quiet in the news regarding new publicly reported exploits, but old vulnerabilities remain and new variants on ransomware and other malicious software continue to surface – Try2Cry being a good example. Here’s what’s been released recently and what to expect next week.

July 2020 Patch Tuesday forecast

  • Expect to see a larger number of Microsoft updates this month. We are due for a new set of .NET updates and, as I mentioned above, we are overdue for a SQL server or Exchange server update.
  • Servicing stack updates (SSUs) and Extended Security Updates (ESUs) for Windows 7 and Server 2008/2008 R2 are expected in the group release as usual.
  • The Oracle Critical Product Update (CPU) aligns with Patch Tuesday once again this quarter. Don’t forget your Java update and other OpenJDK-based products such as Amazon Corretto, AdoptOpenJDK, and others which will follow close behind.
  • After the surprise Adobe Flash release last month, could we see another? Unlikely, but be on the lookout. The last major security update for Acrobat and Reader was in early May so look for a security release this week.
  • Apple released their security updates for iTunes and iCloud back in late May and have been releasing roughly every other month. We may not see a release on Tuesday but be on the lookout later this month.
  • Google released a security update for Chrome 84 this week.
  • Mozilla provided minor security updates this week for Firefox 78, and major updates for Firefox ESR 68 and Thunderbird 68 the last week of June. We may see a minor update for these applications next week.

June 2020 Patch Tuesday forecast: Steady as she goes

It’s hard to believe we’re almost halfway through our 2020 Patch Tuesdays already. Working from home has a strange effect on time – each day seems very long, but the weeks are flying by. Regardless, another Patch Tuesday is coming next week. May 2020 Patch Tuesday was pretty light on updates as predicted, so I’m expecting we’ll see a more standard release of updates from Microsoft this month.

Windows 10 and Windows Server

One item to factor into your Patch Tuesday process is the new release of Windows 10 version 2004 and Windows Server version 2004. These latest versions of Windows 10 were released without major fanfare, as Microsoft pre-announced, on May 27.

Unlike the 1903 to 1909 update which was done via feature enablement, this is a full, new release. The good news is that the update time has come down significantly from earlier versions such as 1703 which could take up to 90 minutes on average.

For those of you using Windows Update for Business for deployment, there are several enhancements to check out. One of operational importance is the new ability in Intune to identify the target version you want to update to and maintain on all your devices. You can also configure this as a Group Policy or Configuration Service Provider (CSP) policy.

This update also contains enhancements to existing security features in Windows 10. Application Guard, which uses containers, now supports Microsoft Edge on Chromium and can be enabled to enforce protection when Microsoft 365 applications are opened. Microsoft also rolled out more configuration options around their Sandbox feature which was introduced back in version 1903. Windows 10 version 2004 will follow the usual 18-month support model and you can find out more details around the entire set of 2004 features here.

Microsoft announced that starting in May 2020, they are pausing all optional, non-security updates for Windows client and server products (Windows 10, version 1909 down to Windows Server 2008 SP2). They are doing this to relieve the pressure of updating systems while everyone is working remotely. These updates will be included in the regular Patch Tuesday releases.

Just a quick reminder: Microsoft also delayed the end-of-support date for the Enterprise and Education versions of Windows 10 1709 to October 13 and the SharePoint 2010 Family (SharePoint Foundation 2010, SharePoint Server 2010, and Project Server 2010) to April 13, 2021. Along with this extended timeline comes the need to continue patching these older systems with the latest security updates.

June 2020 Patch Tuesday forecast

  • Expect to see the full set of Microsoft operating system and application updates this month with the exception of .NET updates which were released in May. We didn’t see any of the server updates last month, e.g. SQL, Exchange, etc. so expect at least a few of these.
  • A new set of Extended Security Updates (ESUs) for Windows 7 and Server 2008/2008 R2 should be released along with the standard updates.
  • Servicing stack updates (SSUs) have continued to be released almost monthly and some are mandatory to install before deploying the latest cumulative or security updates. Pay careful attention to the requirements surrounding these in order to prevent problems during your patch cycle.
  • Adobe released a major security update for Acrobat and Reader last month and a minor security release this week. Adobe Flash has not seen a security update for a while, so it could happen.
  • Apple released their security updates for iTunes, iCloud, and the supported operating systems last week.
  • Google released a security update for Chrome 83 this week.
  • Mozilla provided security updates this week for Firefox 77, Firefox ESR 68.9, and Thunderbird 68.9.

June Patch Tuesday will be light on major third-party releases, allowing us to focus on the Microsoft releases. With 2-3 months of managing updates in this strange new world and an expected standard release set from Microsoft, June Patch Tuesday should be steady as she goes.

Microsoft Patch Tuesday, May 2020 Edition

Microsoft today issued software updates to plug at least 111 security holes in Windows and Windows-based programs. None of the vulnerabilities were labeled as being publicly exploited or detailed prior to today, but as always if you’re running Windows on any of your machines it’s time once again to prepare to get your patches on.

May marks the third month in a row that Microsoft has pushed out fixes for more than 110 security flaws in its operating system and related software. At least 16 of the bugs are labeled “Critical,” meaning ne’er-do-wells can exploit them to install malware or seize remote control over vulnerable systems with little or no help from users.

But focusing solely on Microsoft’s severity ratings may obscure the seriousness of the flaws being addressed this month. Todd Schell, senior product manager at security vendor Ivanti, notes that if one looks at the “exploitability assessment” tied to each patch — i.e., how likely Microsoft considers it that each can and will be exploited for nefarious purposes — it makes sense to pay just as much attention to the vulnerabilities Microsoft has labeled with the lesser severity rating of “Important.”

Virtually all of the non-critical flaws in this month’s batch earned Microsoft’s “Important” rating.

“What is interesting and often overlooked is seven of the ten [fixes] at higher risk of exploit are only rated as Important,” Schell said. “It is not uncommon to look to the critical vulnerabilities as the most concerning, but many of the vulnerabilities that end up being exploited are rated as Important vs Critical.”

For example, Satnam Narang from Tenable notes that two remote code execution flaws in Microsoft Color Management (CVE-2020-1117) and Windows Media Foundation (CVE-2020-1126) could be exploited by tricking a user into opening a malicious email attachment or visiting a website that contains code designed to exploit the vulnerabilities. However, Microsoft rates these vulnerabilities as “Exploitation Less Likely,” according to their Exploitability Index.

In contrast, three elevation of privilege vulnerabilities that received a rating of “Exploitation More Likely” were also patched, Narang notes. These include a pair of “Important” flaws in Win32k (CVE-2020-1054, CVE-2020-1143) and one in the Windows Graphics Component (CVE-2020-1135). Elevation of Privilege vulnerabilities are used by attackers once they’ve managed to gain access to a system in order to execute code on their target systems with elevated privileges. There are at least 56 of these types of fixes in the May release.

Schell says if your organization’s plan for prioritizing the deployment of this month’s patches stops at vendor severity or even CVSS scores above a certain level you may want to reassess your metrics.

“Look to other risk metrics like Publicly Disclosed, Exploited (obviously), and Exploitability Assessment (Microsoft specific) to expand your prioritization process,” he advised.
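
Schell's point as an added example (not code from the article, Ivanti or Microsoft): the five CVEs named above are ranked first by vendor severity alone, then with exploited status, the Exploitability Index and public disclosure taking precedence. The severities given for CVE-2020-1117, CVE-2020-1126 and CVE-2020-1135 are assumptions made for the example, since the article does not state them.

```python
from dataclasses import dataclass

# Microsoft Exploitability Index labels and severity ratings, most urgent first.
EXPLOITABILITY = ["Exploitation Detected", "Exploitation More Likely",
                  "Exploitation Less Likely", "Exploitation Unlikely"]
SEVERITY = ["Critical", "Important", "Moderate", "Low"]


@dataclass(frozen=True)
class Fix:
    cve: str
    component: str
    severity: str
    exploitability: str
    publicly_disclosed: bool = False
    exploited: bool = False

    def __post_init__(self):
        # Reject unknown labels instead of silently ranking them last.
        if self.severity not in SEVERITY:
            raise ValueError(f"{self.cve}: unknown severity {self.severity!r}")
        if self.exploitability not in EXPLOITABILITY:
            raise ValueError(f"{self.cve}: unknown exploitability {self.exploitability!r}")


def severity_only_order(fixes):
    """Deployment order when the plan stops at vendor severity."""
    return [f.cve for f in sorted(fixes, key=lambda f: (SEVERITY.index(f.severity), f.cve))]


def risk_order(fixes):
    """Exploited first, then Exploitability Index, then public disclosure, then severity."""
    def key(f):
        return (not f.exploited, EXPLOITABILITY.index(f.exploitability),
                not f.publicly_disclosed, SEVERITY.index(f.severity), f.cve)
    return [f.cve for f in sorted(fixes, key=key)]


def missed_by_severity_cutoff(fixes, cutoff="Critical"):
    """Fixes below the severity cutoff that the other risk metrics flag as urgent."""
    limit = SEVERITY.index(cutoff)
    more_likely = EXPLOITABILITY.index("Exploitation More Likely")
    return sorted(f.cve for f in fixes
                  if SEVERITY.index(f.severity) > limit
                  and (f.exploited or f.publicly_disclosed
                       or EXPLOITABILITY.index(f.exploitability) <= more_likely))


# CVEs, components and exploitability labels are from the article.
# Severities marked "assumed" are not stated there.
SAMPLE = [
    Fix("CVE-2020-1117", "Microsoft Color Management", "Critical",   # severity assumed
        "Exploitation Less Likely"),
    Fix("CVE-2020-1126", "Windows Media Foundation", "Critical",     # severity assumed
        "Exploitation Less Likely"),
    Fix("CVE-2020-1054", "Win32k", "Important", "Exploitation More Likely"),
    Fix("CVE-2020-1143", "Win32k", "Important", "Exploitation More Likely"),
    Fix("CVE-2020-1135", "Windows Graphics Component", "Important",  # severity assumed
        "Exploitation More Likely"),
]

if __name__ == "__main__":
    print("severity only:", severity_only_order(SAMPLE))
    print("risk based:   ", risk_order(SAMPLE))
    print("skipped by a Critical-only policy:", missed_by_severity_cutoff(SAMPLE))
```
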

As it usually does each month on Patch Tuesday, Adobe also has issued updates for some of its products. An update for Adobe Acrobat and Reader covers two dozen critical and important vulnerabilities. There are no security fixes for Adobe’s Flash Player in this month’s release.

Just a friendly reminder that while many of the vulnerabilities fixed in today’s Microsoft patch batch affect Windows 7 operating systems — including all three of the zero-day flaws — this OS is no longer being supported with security updates (unless you’re an enterprise taking advantage of Microsoft’s paid extended security updates program, which is available to Windows 7 Professional and Windows 7 Enterprise users).

If you rely on Windows 7 for day-to-day use, it’s time to think about upgrading to something newer. That something might be a PC with Windows 10. Or maybe you have always wanted that shiny MacOS computer.

If cost is a primary motivator and the user you have in mind doesn’t do much with the system other than browsing the Web, perhaps a Chromebook or an older machine with a recent version of Linux is the answer (Ubuntu may be easiest for non-Linux natives). Whichever system you choose, it’s important to pick one that fits the owner’s needs and provides security updates on an ongoing basis.

Keep in mind that while staying up-to-date on Windows patches is a must, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re not losing your mind when the odd buggy patch causes problems booting the system.

So back up your files before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips. Also, keep an eye on the AskWoody blog from Woody Leonhard, who keeps a reliable lookout for buggy Microsoft updates each month.

Further reading:

SANS Internet Storm Center breakdown by vulnerability and severity

Microsoft’s Security Update catalog

BleepingComputer on May 2020 Patch Tuesday

April 2020 Patch Tuesday forecast: Uncertainty reigns, but patching endures through pandemic

I should have reserved the title from last month’s article – Let’s put the madness behind us for this month. Of course, it has a completely different meaning now in the wake of the COVID-19 pandemic chaos. The biggest change and challenge for most of us is managing and securing an IT environment while working from home.

Extending the edge of the corporate network through VPNs has taxed many environments, placing greater reliance on collaboration and communication tools. And with that, vulnerabilities have surfaced, and in some cases, exploitation has occurred. Let’s look at some important events since last patch Tuesday.

The cyber threat of COVID-19

COVID-19 has been not only a threat in a physical sense, but also generated one of the larger cybersecurity threats in recent memory. Attackers have built on the public’s need for the latest, global COVID-19 information by creating widespread phishing attacks. These phishing attacks often contain downloaders which exploit known vulnerabilities.

Many of these attacks are posing as the World Health Organization, National Institutes of Health, or other trusted sources for information. During this crisis it remains a priority to make employees aware of these attacks and to continue to apply the software updates needed to protect your systems.

Attacks on collaboration software

I mentioned recent attacks on collaboration software, with Zoom unfortunately being the leader in the news. Several vulnerabilities concerning passwords and privilege escalation have been discovered in this widely used application, and the overall security of the product has been questioned by many.

Attackers have been able to interrupt live sessions. In this time of working from home, the need for regular interaction to accomplish our jobs is more important than ever, and we need to trust the tools we are using. Zoom has been responding rapidly, providing updates to combat this recent wave of attacks.

Windows SMBv3 vulnerability

Two days after March Patch Tuesday Microsoft released an update for the Windows SMBv3 vulnerability associated with CVE-2020-0796.

This vulnerability exists in Windows 10 1903 and 1909 and garnered a lot of attention because it received the highest Common Vulnerability Scoring System (CVSS) score of 10. It does not require user authentication and could be used to propagate a worm. Please make sure you’ve applied this update.

Windows 10

Microsoft delayed the end-of-support date for the Enterprise and Education versions of Windows 10 1709 from April 14 until October 13. Per Microsoft, this will remove at least one burden for those who were in the process of updating to a new edition. Of course, this means that both Windows 10 1709 and 1803 will reach end-of-support within a month of each other – 1803 ends November 10 so plan accordingly!

While on the subject of Windows 10, the release of Windows 10 2004 may be happening soon and there is cause for concern with so many people working from home. There is no control over the update being applied on a system running Home edition, so for employees, or their children doing schoolwork, this update could be very disruptive. Watch for more information from Microsoft and let your employees know what to expect.

The IT world is changing rapidly and as we’ve seen with Zoom, Microsoft and others, both policies and patch releases are being adapted to address the situation. The entire work-from-home scenario is forcing vendors to continuously assess the security state of their applications, so I anticipate we will see more releases addressing a smaller number of vulnerabilities as they are discovered and fixed.

April 2020 Patch Tuesday forecast

  • Microsoft should provide their regular updates across the board for the latest Windows 10 workstations and servers as well as the usual applications, i.e. Office, SharePoint, etc. Be on the lookout for a fix to the font vulnerability reported in Advisory 20006, Type 1 Font Parsing Remote Code Execution Vulnerability.
  • Mozilla provided security updates this week for Firefox, Firefox ESR and Thunderbird. We may not see anything from them next week.
  • Likewise, Google released a security update for Chrome this week, so I don’t expect to see anything on Patch Tuesday.
  • There are no pre-announcements for Adobe Acrobat, Reader, or Flash but I wouldn’t rule out an update next week.

We should have a smaller set of updates than usual released next week. But with the rising number of attacks coupled with the chaos surrounding the COVID-19 pandemic, it is more important than ever to protect our work-from-home employees. Once again, patch endures.

Ivanti Assistants: Enabling endpoint self-healing capabilities

Ivanti, the company that unifies IT to better manage and secure the digital workplace, announced the expansion of its growing portfolio of enterprise service management (ESM) solutions with the launch of Ivanti Assistants which enable endpoint self-healing capabilities.

Designed to automate detection and remediation of a range of IT issues impacting users, the new suite of automation bots helps ease the burden on service management and helpdesk teams while also enabling those teams to proactively connect with end users, fixing issues that would otherwise have been unreported or ignored.

“Ivanti Assistants are a new family of cloud-based automation bots that provide endpoint self-healing capabilities and give IT organizations their very own 24/7 virtual support team,” said Ian Aitchison, senior product director at Ivanti.

“These powerful, automation bots allow IT service desks to do what was never thought possible before – proactively monitor, identify and automatically fix endpoint issues before users even know they are there.

“Additionally, Assistants also enable IT to proactively reach out to help end users who might not typically contact IT when faced with a service interruption. It’s a win-win for IT organizations everywhere that struggle to both enable automation and improve the human relationship, while addressing the individual and diverse needs of end users in a timely manner.”

Ivanti currently offers four Ivanti Assistants, each focused on maintaining a high level of service to their individual areas of end user IT expertise: security and compliance, business continuity, user productivity and resource optimization.

Each Assistant runs through a series of regularly scheduled checks across an organization’s endpoints to determine where end users are experiencing challenges. These include common issues such as lengthy login times, application errors or lack of required security settings.

Each Assistant also has a library of monitored items within their area of expertise, and customers can add to that library for their business needs.

With Ivanti Assistants, any issue detected can either drive immediate automated correction – such as switching a firewall back on – or if the issue is not immediately resolvable, the Assistant can create an incident ticket in Ivanti Service Manager.

That incident can encourage human interaction, reference learned knowledge, and follow automated workflow to either achieve a good ESM/IT service management (ITSM) aligned resolution, or, lead to truly proactive problem management – resolving the cause of tomorrow’s incidents today.

Most significantly, Ivanti Assistants’ detection and ticket creation allow IT service desk staff to now proactively contact end users, and offer to fix the annoying recurring issues that are not typically reported to IT, yet still impact productivity and damage the perception of IT.

“By adding a specialist virtual support team to Ivanti Service Manager, our customers are increasing uptime, reducing unreported IT errors, driving productivity, and – more importantly – improving the positive perception of IT. We’re helping end end-user frustration over those IT issues that have never really been addressed properly,” continued Aitchison.

March 2020 Patch Tuesday forecast: Let’s put the madness behind us

Did you survive the madness of February 2020 Patch Tuesday and its aftermath? We saw Windows 7 and Server 2008 finally move into extended security support and then Microsoft pulled a rare, standalone Windows 10 security patch following some unexpected results.

For some of us, these two events caused a bit of chaos until they were sorted out. Let’s take a quick look in the rearview mirror, before jumping ahead to what looks like an easy drive for March.

Microsoft did a great job providing information and testing tools in advance of the Windows 7 and Server 2008 end-of-life, but that doesn’t mean everyone was ready when it happened. The extended security updates (ESUs) are supplied as part of the update catalog, but installation on the endpoint fails without first installing and activating a subscription key. Other prerequisites include the appropriate SHA-2 code signing update and the latest servicing stack updates (SSUs) which, if you have been patching regularly, you will have already installed.

So, last Patch Tuesday, as you can imagine, getting the systems to the proper state with all three components in place – activated key, SHA-2 update, and latest SSU, and then applying the new ESU patches was disruptive for some. But now that everyone has been through the procedure, the process of applying the March updates should be much smoother.

The release and subsequent removal of KBs 4524244 and 4502496 created a lot of discussion and confusion. Woody Leonhard provided a detailed chronology and technical breakdown in his article. This is a complicated situation involving the Unified Extensible Firmware Interface (UEFI) boot loader.

In summary, Microsoft released this security update to fix an issue where a third-party UEFI boot manager could allow a reboot, bypassing secure boot entirely. By launching from a hostile operating system, the system would be compromised. Keep in mind this does require physical access to the system. Unfortunately, there were unexpected side effects to the fix which included breaking other boot routines, most notably on HP PCs with Ryzen processors. The updates were pulled, and we are waiting to see if Microsoft re-releases a more comprehensive fix this patch Tuesday.

I mentioned in the forecast last month that the Microsoft Security Advisory 190023 contained more detail on the upcoming security features for the Lightweight Directory Access Protocol (LDAP). This advisory was again updated on February 28, with recommendations on using the new options to harden this protocol.

The advisory specifically stated, “The March 10, 2020 and updates in the foreseeable future will not make changes to LDAP signing or LDAP channel binding policies or their registry equivalent on new or existing domain controllers.” These features will be included in the March Patch Tuesday updates, so take advantage and enable them. Also follow best practices and experiment on your test systems before rolling out to production.

March 2020 Patch Tuesday forecast

  • Microsoft addressed the highest number of CVEs in recent memory last month, so expect a lighter set of updates next week. The ESUs should again track the CVEs addressed with the other standard support operating systems. Office updates were light last month, so there may be a few more coming.
  • Mozilla had some major updates for all products last month but expect a minor update next week. Vulnerabilities continue to pop up in browser-related products.
  • Google just released their security update for Chrome this week, so I don’t expect to see anything on patch Tuesday.
  • Apple released their first major updates in January, so we may see a minor update.
  • Adobe issued major updates for Reader and Acrobat last month, so we should only see a minor update this month if any. I’ll go out on a limb and say we won’t see a Flash update this month.

The forecast for updates looks light this month, so breathe a sigh of relief as we leave the February madness behind.

43% of IT professionals are still tracking assets in spreadsheets

43% of IT professionals report using spreadsheets as one of their resources for tracking assets, according to Ivanti.

Further, 56% currently do not manage the entire asset lifecycle, risking redundant assets, potentially creating a risk, and causing unnecessary and costly purchases.

Findings from the survey demonstrate the need for greater alignment between ITSM and ITAM processes, especially when looking at the time spent reconciling inventory/assets. Nearly a quarter of respondents reported spending hours per week on this process.

Fixing devices under warranty

Another time-intensive process for IT professionals is dealing with out-of-warranty/out-of-support-policy assets, with 28% of respondents reporting they spend hours per week supporting these assets. And, when asked how often they have spent time fixing devices that were later identified to still be under warranty, 50% of respondents said “sometimes.”

“It’s clear that there is room for improvement when it comes to managing assets,” said Ian Aitchison, senior product director at Ivanti.

“While IT teams are starting to better track their assets, collaborating with other teams and understanding the benefits of combining asset and service processes, time and money advantages are being lost as they don’t have the data they need to effectively manage and optimize their assets and services.”

Benefits of combining ITSM and ITAM processes

When asked about the benefits of combining ITSM and ITAM processes, the survey found that respondents expected to see:

  • Better visibility of their IT estate: 63%
  • Increased IT staff productivity: 59%
  • Optimized costs: 54%
  • Improved service delivery: 53%

Aitchison added, “When ITSM and ITAM are closely aligned and integrated, many activities and processes become more automated, efficient and responsive, with fewer things ‘falling through the cracks.’

“IT teams gain more insight and are better positioned to move from reactive activities to more proactive practices, delivering higher service levels and efficiency at lower costs.”

Tracking assets: IT pros missing key information

According to the survey, IT professionals are also somewhat dissatisfied with the available asset information, or data, they have access to within their organizations.

When asked if they incorporate and monitor purchase data, contracts and/or warranty data as part of their IT asset management program, 39% of respondents said yes, 42% said partially and 19% said no.

This means more than 60% of IT professionals are missing key information in their IT asset management program to effectively manage their IT assets from cradle to grave.

February 2020 Patch Tuesday forecast: A lot of love coming our way

The January 2020 Patch Tuesday was a light one as predicted; everyone was still catching up from the end-of-year holidays. As we gain momentum into February and move towards Valentine’s Day, I anticipate Microsoft, and at least Mozilla, will give plenty of love and attention to their applications and operating systems.

LDAP

Microsoft had announced back in August with Advisory 190023 that they were planning several updates to their implementation of the Lightweight Directory Access Protocol (LDAP). That advisory explained the need for LDAP channel binding and LDAP signing to increase security. Originally planned for Q4 2019, Microsoft has pushed the first part of this update out to March 2020.

The company is planning a two-part rollout, with the March release paving the way for major change and enforcement later in the year. As explained in the advisory, the “Windows Updates in March 2020 add new audit events, additional logging, and a remapping of Group Policy values that will enable hardening LDAP Channel Binding and LDAP Signing.”

Microsoft delayed this until March so administrators can properly test the LDAP configuration changes. There’s been a lot of discussion on the various security forums concerning this, so factor in some extra test time next month.
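
An added example (not from the article or from Microsoft) for the testing window described above: it tallies which clients and accounts still bind without signing or fail channel binding, so they can be fixed before enforcement. It assumes Directory Service events 2889 (unsigned or cleartext bind) and 3039 (channel binding token failure) have been exported as (event ID, message) pairs; the sample messages are constructed and abbreviated.

```python
import re
from collections import Counter

UNSIGNED_BIND = 2889   # bind without signing, or simple bind over cleartext
CBT_FAILURE = 3039     # bind over TLS that failed channel binding token validation
BIND_TYPES = {"0": "SASL bind without signing", "1": "simple bind over cleartext"}

# In the event text each label is followed by its value, usually on the next line.
_CLIENT = re.compile(r"Client IP address:\s*(.+)")
_IDENTITY = re.compile(r"Identity the client attempted to authenticate as:\s*(.+)")
_BIND = re.compile(r"Binding Type:\s*(\d+)")


def strip_port(endpoint):
    """Reduce '10.0.5.21:49732' or '[fe80::1]:49732' to the address alone."""
    endpoint = endpoint.strip()
    if endpoint.startswith("[") and "]" in endpoint:
        return endpoint[1:endpoint.index("]")]
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit() and ":" not in host:
        return host
    return endpoint  # no port, or a bare IPv6 address


def parse_event(event_id, message):
    """Return client, identity and reason for one event, or None if it is not usable."""
    if event_id not in (UNSIGNED_BIND, CBT_FAILURE):
        return None
    client = _CLIENT.search(message)
    identity = _IDENTITY.search(message)
    if not client or not identity:
        return None  # truncated or unexpected text: skip rather than guess
    if event_id == UNSIGNED_BIND:
        bind = _BIND.search(message)
        reason = BIND_TYPES.get(bind.group(1) if bind else None, "unknown bind type")
    else:
        reason = "channel binding token validation failed"
    return {"client": strip_port(client.group(1)),
            "identity": identity.group(1).strip(),
            "reason": reason}


def summarize(events):
    """Count events per (client, identity, reason), most frequent first."""
    counts = Counter()
    for event_id, message in events:
        record = parse_event(event_id, message)
        if record:
            counts[(record["client"], record["identity"], record["reason"])] += 1
    return counts.most_common()


def sample_message(client, identity, bind_type=None):
    """Build a constructed, abbreviated event message for the sample data."""
    text = ("(constructed, abbreviated event text)\n"
            f"Client IP address:\n{client}\n"
            f"Identity the client attempted to authenticate as:\n{identity}")
    if bind_type is not None:
        text += f"\nBinding Type:\n{bind_type}"
    return text


# Constructed sample export: hosts and accounts are made up.
SAMPLE_EVENTS = [
    (2889, sample_message("10.0.5.21:49732", "CORP\\svc-scanner", 1)),
    (2889, sample_message("10.0.5.21:49801", "CORP\\svc-scanner", 1)),
    (2889, sample_message("10.0.7.44:51200", "CORP\\printer01$", 0)),
    (3039, sample_message("10.0.9.10:50122", "CORP\\app-portal")),
    (2889, "(constructed) Client IP address:\n10.0.8.8:40000"),  # truncated: skipped
    (4624, sample_message("10.0.1.1:1234", "CORP\\alice")),      # unrelated ID: ignored
]

if __name__ == "__main__":
    for (client, identity, reason), count in summarize(SAMPLE_EVENTS):
        print(f"{count:3d}  {client:<12} {identity:<20} {reason}")
```
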

Windows 7 and Server 2008/2008 R2 patches

Getting back to February Patch Tuesday, the big change will be the lack of Windows 7 and Server 2008/2008 R2 patches this month. I say that tongue-in-cheek because they will still be publicly available but require a special key to install on the endpoint; this key is issued as part of the Microsoft Extended Security Update (ESU) program.

Microsoft has made this as painless as possible to accommodate the large, remaining installed base of these systems. However, with the end of any operating system there is always some confusion and panic as reality sets in.

If you have systems you just can’t migrate/upgrade yet to Windows 10 and you don’t have a planned ESU program in place, you should consider some additional options to mitigate their security risk. Consider virtualizing some of the workload and locking down the system to run only the specific applications you need. Application control can help with this lockdown and often provides some privilege management protection as well.

You can also consider a segmentation approach, i.e. remove them from direct internet connectivity or move them to more protected parts of your network.

Finally, add on some next-gen anti-virus (AV) or endpoint detection and response (EDR) solutions for added protection. You know these systems will become targets, so due diligence is important to their protection until you can migrate them.

February 2020 Patch Tuesday forecast

  • Microsoft is overdue to release some major updates, so expect them this month. We should see updates across the board with a large number of CVEs addressed in all of them. In addition to the usual OS and Office updates, we should see server updates for SharePoint, Exchange, and SQL. I don’t expect another .NET update since one was released in January, but you never know.
  • Mozilla is also overdue for a set of major updates across their product lines.
  • Google released major updates for Chrome this week, so we should only see a minor update, if any, on patch Tuesday.
  • Apple released their first major updates of the year last week, so similar to Google, we expect only minor updates, if any at all.
  • Adobe is a bit unpredictable this month. Their last major security update for Acrobat and Reader was back in early December, so the pressure is mounting for another one. Keep an eye for their pre-announcement bulletins and plan accordingly.

Even if we have a heavy patch release next Tuesday, make sure you set some time aside to spend with your significant other or a close friend the following Friday – Happy Valentine’s Day!

January 2020 Patch Tuesday forecast: Let’s start the new decade right

The holidays are over, and another Patch Tuesday is rapidly approaching. My New Year’s resolution was to stop procrastinating when it comes to getting organized. I have several locations in my house where I store things and every time I open a drawer or door, I think “I really could make better use of this space if I just took the time to get it organized.”

Over the holidays, I finally took the time to get started. I cleared out stuff I no longer needed, cleaned out the area, arranged what was left, and was amazed at the results. One less thing I had to worry about, and I felt better about myself too. Maybe there is a lesson here to be carried over to our security operations?

We all have those systems that always have issues during updates. We know they are there and dread working on them, just because they slow down our patch cycle. In the end, they are either the last to get patched or they don’t get patched at all and we just wait another month worrying about them being in a possible vulnerable state. Maybe we need a resolution to tackle these systems head-on so we don’t need to worry about them anymore.

Take the time to resolve the issues, or if they are old, consider a complete replacement of the hardware and software. We have enough stress in our lives so don’t prolong it worrying about these systems month after month. Take the time to fix the issues and you will be more efficient overall. Join me in this resolution and we can start the new decade right.

The January 2020 Patch Tuesday will provide us with the last free update of Windows 7 and Server 2008/2008 R2. We’ve talked about it for the last several months and it is finally here. Microsoft released additional guidance if you are planning on subscribing to extended security updates; make sure your systems are prepared.

It’s challenging to forecast what we will see from Microsoft this month. I was expecting to finish out last year with a bang, but we really ended on a whimper. The OS updates contained minimal CVE fixes with only 16 for Windows 10 and the low teens across the remaining legacy systems.

Other than these OS updates, we had the usual Office releases but no Exchange, SharePoint, .NET, or other updates. It was one of the lightest Patch Tuesday releases in a long time. Microsoft may have ‘saved up’ other updates for January Patch Tuesday, but I suspect not.

January is typically a light month for releases, and I expect that trend to continue.

January 2020 Patch Tuesday Forecast

  • We are overdue, so expect a .NET update from Microsoft. Windows 7 and Server 2008/2008 R2 may get some special attention this month since it is the final public security release.
  • Mozilla released a major update on Tuesday, so if we get anything next week it will only be a minor update.
  • Google released their last major updates back on December 10 and a minor update this week, so I don’t expect anything here.
  • We saw security updates for Acrobat, Reader, and Flash (after several months with none) last month. Be on the lookout for a possible Flash update, but no pre-announcements have been made for any of these products so far.
  • Apple released major security updates on December Patch Tuesday, so I don’t expect any this month.

With a light January 2020 Patch Tuesday forecast, give some thought to starting the decade right!

December 2019 Patch Tuesday forecast: Make sure to deploy year-end updates

Can you believe another year has passed and we’re approaching the last Patch Tuesday of the year? While I get ready to make another online gift purchase with my credit card, I can’t help but reflect on the security activity over the past twelve months. Some of these hit close to home.

The most broadcast news of the year was the exposure of personal information in over 500 million Facebook accounts. This security incident was the result of servers not properly configured, allowing open public access. This was reported in April and additional accounts were exposed in September. Proper security configuration is definitely a challenge across thousands of servers, but it is THE fundamental security requirement before dealing with software vulnerabilities.

Next up in public view was the compromise of Epic Games’ servers that hosted the wildly popular Fortnite game. This security incident back in January was the result of several software vulnerabilities being exploited, resulting in another situation where personal account information was stolen. It is estimated that the security compromise impacted over 200 million gamers worldwide.

Breaches and data loss were not limited to these two social or consumer sites. Reported breaches included Capital One and First American from the financial industry, LabCorp and Quest Diagnostics from the medical field, and the Federal Emergency Management Agency (FEMA) from the government sector. From the report estimates I’ve seen, there will be an unprecedented 5+ billion records stolen this year.

Getting back to the Patch Tuesday forecast, the big news (maybe the elephant in the room to use an old phrase) is that next month, January Patch Tuesday, we’ll see the last free update of Windows 7 and Server 2008/2008 R2. Windows 7 continues to be a popular operating system, only being overtaken by Windows 10 in January 2019.

Despite the approaching end-of-life, Windows 7 slowly dropped from 36% to 28% in worldwide Microsoft market share throughout the year. After that final update, a lot of consumer desktops and laptops will go unpatched until they finally stop working and are replaced. Many will be compromised, resulting in stolen personal data, but even worse they will be used for additional attacks against our corporate systems.

It will be interesting to see how this possible threat plays out in 2020. In the meantime, be aware that Microsoft has released additional guidance on preparing your Windows 7 machines for extended security updates if you continue to subscribe.

This looks like a busy Patch Tuesday coming up, so I am going to trust all of you to configure and update your systems. It’s time to buy those last presents online. Now where did I put that credit card again?

December 2019 Patch Tuesday Forecast

  • Microsoft will provide the usual round of updates including the monthly rollups and security-only patches for all the operating systems, along with Office, SharePoint server, and Internet Explorer. Based on their current track record, expect another round of servicing stack updates as well. We may also see a .NET update this month.
  • An update is coming for Acrobat and Reader; Adobe provided a pre-notification they will release APSB19-55 next week. The most recent security Flash release was September Patch Tuesday, so we may see a final one to close out the year, but no promises.
  • Chrome 79 is scheduled for release from Google.
  • We may see an ‘Apple Patch Tuesday,’ although they don’t always release on Tuesday, with security updates for macOS, iTunes and/or iCloud for Windows. Keep an eye on these because I suspect Apple wants to wrap up the year with up-to-date, secure software.
  • Mozilla released security updates for Firefox 71, Thunderbird 68.3 and Firefox ESR 68.3 on Monday this week. Anything released next week would be minor bugfixes, but definitely make sure you install these security fixes.