August Patch Tuesday Frequently Asked Questions
Still scratching your head after August Patch Tuesday last week? Never fear! We compiled the answers to all of the questions asked in Ivanti’s monthly Patch Tuesday analysis webinar. We hope they help you navigate the troubled waters of Patch Tuesday. And of course, don’t forget to join us for the Patch Tuesday webinar next month.
We had many questions about the recommended approach to the stability issues that came with July Patch Tuesday. Microsoft released a series of out-of-band non-security patches the week after to fix these high-profile bugs. For reference, we detailed these patches in our weekly blog the same week that they were released.
Q: With the four out-of-band patches Microsoft released, what is the recommended install method? We excluded many of the patches from the July Patch Tuesday release that had known issues. Can we just install these patches to resolve the vulnerabilities?
- A: If you are currently patching with the Security Only bundles, make sure to deploy the non-securities alongside July’s bundle. These non-securities will not remediate the July vulnerabilities alone.
Q: My company runs about a month behind on patching, so we have not done the July patches yet. Would you recommend skipping July, or patching July and then immediately patching August?
- A: If you are following a monthly rollup method vs the security only patching groups, the August rollup should be a more stable update and I would definitely recommend it. If you run security only, I would still recommend installing the non-securities mentioned earlier.
Q: Do you know if the August patch fixed the issue with the July patch for Web servers?
- A: The August monthly rollups will include that fix. If you are running a security-only patching method, the separate non-securities mentioned will fix these explicitly.
Q: Do you know if the August patch fixed the issue with July patch for web servers, specifically ActiveX components?
- A: If you do run a monthly rollup cycle, yes, this will include that. However, if you’re trying to do a minimal patching security-only, you will still need the out of band non-security.
Q: Do you know if the bug-riddled July .NET security patches have been fixed?
- A: Earlier in July, Microsoft did release a quality preview rollup for the .NET issues. They did not release just a piecemeal fix like they did for the OSes. So if you do apply the monthly rollup, you should ideally have the stability fix; the August Security-Only update will most likely not fix the issue.
Q: Is it best to deploy the monthly rollup rather than security-only? Is it possible to uninstall a single update from the monthly rollup?
- A: This definitely depends on the patching approach you are trying to take. Applying the security-only bundles will not include any non-security fixes, but it should lay down the minimum amount of changes to your endpoint. The monthly rollup is far simpler with a single update including over 2 years' worth of patches, but will change far more files on the endpoint. It is not possible to uninstall a single update from a monthly rollup.
Q: If I deploy both the monthly rollup and security-only patches through SCCM, which one takes effect?
- A: Actually both will deploy at the same time. I have run through those scenarios in installing one first, the rollup first, and security-only next or vice versa. I haven’t really seen any stability problems. However, there could be more risk around stability with the dual deployment.
Q: Where do we stand with up-to-date driver patches with Foreshadow, for example, HP driver BIOS?
- A: When Spectre and Meltdown were detailed, each vendor had a dedicated security advisory with a comprehensive list of each model and respective BIOS update. The same software/firmware combination is necessary for complete Foreshadow remediation. Here are a few vendors, but this is far from the complete list:
Q: How soon should we be installing the updates for CVE-2018-8373?
- A: This CVE is one of the two zero-days remediated with August Patch Tuesday. Update as soon as possible as it is currently reported as exploited.
Q: Did I see the Windows 7/2008R2 zero-day update disables the NIC? How are we supposed to reenable that remotely if the NIC is disabled?
- A: There is a known issue in the Monthly Rollup where the NIC can be disabled on Windows 7/Server 2008 R2 endpoints. This issue has been present in the last few months and is not new. Hopefully, if you have not run into the issue yet, you won’t run into it now. Workaround instructions can be found on the latest rollup notes.
Q: What is the patch ID for that detect-only patch for Windows 10 1607/Server 2016?
- A: Windows 10 1607 and Server 2016 still require the May Servicing stack update (KB4132216). The bulletin is MS18-08-W10-4343887, and the KB will end in D to differentiate detection (Q4343887D).
Q: Are the Creator Update and the Feature Update the same?
- A: A Feature Update is a category bringing Windows 10 to a next major build (i.e. 1607 to 1703). The Creators update is the alternative name for build 1703.
Q: Do the Feature Updates show up in Windows Update?
- A: Feature updates should be offered via Windows Update. If you’re using SCCM, you will need to ensure that the Feature Upgrades category is approved.
Q: Windows Update offers me a OneNote patch even if I don’t have it installed. Can I ignore it?
- A: A lot of the Office updates patch far more than is expected. Even though they state Word, Outlook, OneNote, etc. in the title, that does not necessarily mean that’s all they’re patching. For example, a Word patch can affect the suite, Visio, Project, and a multitude of other components. I would recommend applying the patch to your systems.
Q: What can you tell me about VMware ESXi?
- A: VMware ESXi is vulnerable to the Foreshadow vulnerability. The VMSA bulletin will include the ESXi versions to remediate it.