October Patch Tuesday is here. While the next two weeks are going to be busy for system administrators as they hustle to test and deploy updates, once the cyberthreats are handled, we can all enjoy the fall festivities in peace. This Patch Tuesday has Microsoft releasing security fixes to address 87 vulnerabilities, out of which 12 are classified as Critical, 74 as Important, and one as Moderate.
After an initial discussion about the updates released, we’ll offer our advice for devising a plan to handle patch management for remote devices.
What is Patch Tuesday?
Patch Tuesday falls on the second Tuesday of every month. It is on this day that Microsoft releases security and non-security updates for its operating system and other related applications. Since Microsoft has upheld this process of releasing updates in a periodic manner, IT admins are well-informed and have time to gear up for the new updates.
Why is Patch Tuesday important?
The most important security updates and the patches to fix critical bugs or vulnerabilities are released on Patch Tuesday. Usually, zero-day vulnerabilities are also fixed during Patch Tuesday unless the vulnerability is critical and highly exploited, in which case an out-of-band security update is released to address that particular vulnerability.
Highlights of October Patch Tuesday
Security updates were released for the following lineup of products:
- Microsoft Windows
- Microsoft Office and Microsoft Office Services and Web Apps
- Microsoft JET Database Engine
- Azure Functions
- Azure Sphere
- Open Source Software
- Microsoft Exchange Server
- Visual Studio
- PowerShellGet
- Microsoft .NET Framework
- Microsoft Dynamics
- Adobe Flash Player
- Microsoft Windows Codecs Library
Zero-day vulnerabilities and public disclosures
No zero-day vulnerabilities were patched this month, but Microsoft did release patches for six publicly disclosed vulnerabilities. Fortunately, none of them have been exploited. Here is the list:
- CVE-2020-16938 – Windows Kernel Information Disclosure Vulnerability
- CVE-2020-16885 – Windows Storage VSP Driver Elevation of Privilege Vulnerability
- CVE-2020-16901 – Windows Kernel Information Disclosure Vulnerability
- CVE-2020-16908 – Windows Setup Elevation of Privilege Vulnerability
- CVE-2020-16909 – Windows Error Reporting Elevation of Privilege Vulnerability
- CVE-2020-16937 – .NET Framework Information Disclosure Vulnerability
Critical and noteworthy updates
Though there are no zero-days today, there are a few noteworthy remotely executable vulnerabilities that have been patched:
-
CVE-2020-16911 – GDI+ Remote Code Execution Vulnerability
-
CVE-2020-16898 – Windows TCP/IP Remote Code Execution Vulnerability
-
CVE-2020-16891 – Windows Hyper-V Remote Code Execution Vulnerability
-
CVE-2020-16915 – Media Foundation Memory Corruption Vulnerability
The critical vulnerabilities patched have the following CVE IDs:
CVE-2020-16911, CVE-2020-16923, CVE-2020-16947, CVE-2020-17003, CVE-2020-16951, CVE-2020-16952, CVE-2020-16898, CVE-2020-16967, CVE-2020-16968, CVE-2020-16891, and CVE-2020-16915
Adobe updates
Adobe has released updates for Adobe Flash Player, fixing a critical remote code execution vulnerability in the product. The vulnerability is tracked as CVE-2020-9746. When successfully exploited, the vulnerability could lead to a crash that will then allow attackers to execute commands on the target computers remotely. This vulnerability can be fixed by installing Adobe Flash Player 32.0.0.445 as soon as possible.
Best practices to handle patch management in the current work-from-home scenario
In the wake of COVID-19, most organizations have opted to completely shift to remote work. This decision poses various challenges to IT admins, especially in terms of managing and securing endpoints. Here are a few pointers to ease the process of remote patching.
- Disable automatic updates, as one faulty patch might bring down the whole system. IT admins can educate end-users on how to disable automatic updates on their machines. Patch Manager Plus and Desktop Central also have a dedicated patch, 105427, that can be deployed to endpoints to ensure that automatic updates are disabled.
- Create a restore point, a backup or image that captures the state of the machines, before deploying big updates like those from Patch Tuesday.
- Establish a patching schedule and keep end-users informed about it. It is recommended to set up a time for deploying patches and rebooting systems. Let end-users know what has to be done from their end—for instance, that they need to connect to the VPN for three hours from 6pm to 9pm.
- Test the patches on a pilot group of systems before deploying them to the production environment. This will ensure that the patches do not interfere with the workings of other applications.
- Since most users are working from home, they might not adhere to strict timings; therefore, allow end-users to skip deployment and scheduled reboots. This will give them the liberty to install updates at their convenience, thereby not disrupting their work. Our patch management products come with options for user-defined deployment and reboot.
- Most organizations are patching using a VPN. To stop patch tasks from eating up your VPN bandwidth, install Critical and security updates first. You might want to hold off on deploying feature packs and cumulative updates, as they are bulky updates and consume too much bandwidth.
- Schedule the non-security updates, as well as security updates that are not rated Critical, to be deployed after Patch Tuesday, such as during the third or fourth week of the month. You can also choose to decline certain updates if you feel they are not required in your environment.
- Run patch reports to get a detailed view of the health status of your endpoints.
With Desktop Central or Patch Manager Plus, you can completely automate the entire process of patch management, from testing patches to deploying them. You can also tailor the patch tasks according to your current situation. For hands-on experience with either of these products, start a 30-day free trial and keep thousands of applications patched and secure.
** Optrics Inc. is a ManageEngine partner
The original article can be found here: