Author: Greg Lambert

Patch Tuesday update addresses 123 vulnerabilities, two critical zero-days

Microsoft's August Patch Tuesday release addresses 123 security issues in Microsoft Windows, Office, Exchange (it's back!) and Visual Studio — and unfortunately, we have two zero-days with reports of active exploitation in the wild. Since this is a broad update, it will require planning and testing before deployment.

The first (CVE-2022-34713) occurs in the Windows diagnostic tools and the second (CVE-2022-30134) affects Microsoft Exchange. Basically, the holidays are over and it's time to pay attention to Microsoft updates again. We have made "Patch Now" recommendations for Windows, Exchange and Adobe for this month.

To read this article in full, please click here

With a light July Patch Tuesday, it’s time to invest in your IT processes

Though we get a reprieve from Exchange updates in this month's Patch Tuesday update, more printer updates are on the way. Even with no updates for Microsoft Exchange or Visual Studio, Adobe is back with 15 critical updates for Adobe Reader. And Microsoft's new patch deployment tool Auto-Patch is now live. (I always thought application testing was the main problem here, but actually getting patches deployed is still tough.)

Though the numbers are still quite high (with 86+ reported vulnerabilities), the testing and deployment profile for July should be fairly moderate. We suggest taking the time to harden your Exchange Server defenses and mitigation processes, and invest in your testing processes.

To read this article in full, please click here

Microsoft delivers solid Windows-focused updates for June’s Patch Tuesday

June's Patch Tuesday updates, released on June 14, address 55 vulnerabilities in Windows, SQL Server, Microsoft Office, and Visual Studio (though there are oo Microsoft Exchange Server or Adobe updates this month). And a zero-day vulnerability in a key Windows component, CVE-2022-30190, led to a “Patch Now” recommendation for Windows, while the .NET, Office and SQL Server updates can be included in a standard release schedule.

To read this article in full, please click here

May’s Patch Tuesday updates make urgent patching a must

This past week's Patch Tuesday started with 73 updates, but ended up (so far) with three revisions and a late addition (CVE-2022-30138) for a total of 77 vulnerabilities addressed this month. Compared with the broad set of updates released in April, we see a greater urgency in patching Windows — especially wiith three zero-days and several very serious flaws in key server and authentication areas. Exchange will require attention, too, due to new server update technology.

To read this article in full, please click here

April’s Patch Tuesday: a lot of large, diverse and urgent updates

This week's Patch Tuesday release was huge, diverse, risky, and urgent, with late update arrivals for Microsoft browsers (CVE-2022-1364) and two zero-day vulnerabilities affecting Windows (CVE-2022-26809 and CVE-2022-24500). Fortunately, Microsoft has not released any patches for Microsoft Exchange, but this month we do have to deal with more Adobe (PDF) printing related vulnerabilities and associated testing efforts. We have added the Windows and Adobe updates to our "Patch Now" schedule, and will be watching closely to see what happens with any further Microsoft Office updates. 

To read this article in full, please click here

Microsoft delivers a solid, low-impact Patch Tuesday

March brings us a solid set of updates from Microsoft for Windows, Microsoft Office, Exchange, and Edge (Chromium), but no critical issues requiring a “Patch Now” release schedule (though Microsoft Exchange will require some technical effort this month). We have published some testing guidelines, with a focus on printing, remote desktop over VPN connections, and server-based networking changes. We also recommend testing your Windows installer packages with a specific focus on roll-back and uninstall functionality.

You can find more information about the risk of deploying these Patch Tuesday updates with this useful infographic. And, if you are looking for more information on .NET updates, there is a great post from Microsoft that highlights this month's changes.

To read this article in full, please click here

Take your time testing these February Patch Tuesday updates

There are (as of now) 51 patches to the Windows ecosystem for February, but no critical updates and no "Patch Now" recommendations from the Readiness team. I'm hoping that with this month's list of Patch Tuesday updates, we can enjoy the quiet after the storm. January was tough for a lot of folks. And, with this month's very light release from Microsoft, corporate security and systems administrators can take the time needed to test their applications and desktop/server builds. It's also important to invest in their testing methodologies, release practices, and how their applications may be affected by OS-level updates and patches.

To read this article in full, please click here

Patch Tuesday gets off to a busy start for January

For this week's Patch Tuesday, the first of the year, Microsoft addressed 97 security issues, six of them rated critical. Though six vulnerabilities have been publicly reported, I do not classify them as zero-days. Microsoft has fixed a lot of security related issues and is aware of several known issues that may have inadvertently caused significant server issues including:

  • Hyper-V, which no longer starts with the message, "Virtual machine xxx could not be started because the hypervisor is not running."
  • ReFS (Resilient) file systems that are no longer accessible (which is kind of ironic).
  • And Windows domain controller boot loops.

There are a variety of known issues this month, and I'm not sure whether we'll see more issues reported with the January server patches. You can find more information on the risk of deploying these latest updates with our helpful infographic.

To read this article in full, please click here

Patching isn’t enough for December’s Patch Tuesday

This month's Patch Tuesday update is important for several reasons. With 67 unique vulnerabilities addressed, six publicly-reported issues and one already exploited, this month's updates still pale in comparison to dealing with the Log4j issue. (Fortunately, there are no browser or Microsoft Exchange updates and minimal changes to Microsoft Office.)

We have added the Windows updates and Visual Studio updates to our "Patch Now" release cycle recommendations, while Office updates are relegated to a normal release cadence. You can find more information on the risk of deploying these Patch Tuesday updates in this infographic.

To read this article in full, please click here

Updates to Exchange and Microsoft Installer drive Patch Tuesday testing

This is a relatively light Patch Tuesday update from Microsoft, though wo significant vulnerabilities in the Windows platform (CVE-2021-38631 and CVE-2021-41371), both relating to Remote Desktop Protocol handling, have been disclosed and are lending some urgency to applying Windows updates. And we have another technically challenging update to Microsoft Exchange Server to manage as well.

To read this article in full, please click here