June Patch Tuesday Frequently Asked Questions
June Patch Tuesday started out relatively simple and became more complex as the day went on. You can hear about it on Ivanti's Patch Tuesday Analysis webinar and in our analysis blog post.
If you've never been on a Patch Tuesday webinar before, you should hit up next month's. One of the most popular pieces of the monthly webinar is the 30-minute question and answer session we host at the end of the presentation. We answer all of your questions, from broad to technical. In this blog post, we review some of the most commonly asked questions and answers from the June Patch Tuesday festivities.
General Patching Questions
For the new Spectre/Meltdown patch, I previously laid down the enablement registry keys on Windows Server to protect against CVE-2017-5715 and CVE-2017-5754. Does application of this patch require re-enabling in Registry?
- The new advisory requires different registry values from the ones used for the earlier Spectre and Meltdown mitigations; the guidance page lists the additional values that are required. See the following link for more information: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180012. An additional firmware patch will most likely still be required from the respective hardware vendor.
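To see where a server actually stands before touching those values, the following read-only check is an added example (not code from the Ivanti post or from Microsoft). The key path and the two value names are Microsoft's documented controls; the meaning assigned to each Override/Mask pair follows Microsoft's Windows Server guidance for ADV180012 and should be confirmed against the advisory for your build before you change anything.

```powershell
# Added example, not from the Ivanti post or from Microsoft: a read-only check of
# the speculative-execution mitigation overrides on a Windows Server host.
# The key path and the two value names are Microsoft's documented controls; the
# meaning given to each Override/Mask pair follows Microsoft's Windows Server
# guidance for ADV180012 and should be confirmed against the advisory itself.
# Run from an elevated PowerShell session.

$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-SpeculationOverride {
    # Returns the two DWORDs, or $null for a value that is not present.
    $p = Get-ItemProperty -Path $MemMgmtKey -ErrorAction SilentlyContinue
    $override = $null; $mask = $null
    if ($null -ne $p) {
        if ($p.PSObject.Properties['FeatureSettingsOverride'])     { $override = [int]$p.FeatureSettingsOverride }
        if ($p.PSObject.Properties['FeatureSettingsOverrideMask']) { $mask     = [int]$p.FeatureSettingsOverrideMask }
    }
    [pscustomobject]@{ Override = $override; Mask = $mask }
}

function Resolve-SpeculationState {
    param($Override, $Mask)
    # Documented combinations (Mask = 3 means both override bits are honoured):
    #   absent          -> Windows Server default: OS-level mitigations not enabled
    #   Override 0 / 3  -> Spectre v2 (CVE-2017-5715) + Meltdown (CVE-2017-5754) enabled
    #   Override 8 / 3  -> the above plus Speculative Store Bypass Disable (ADV180012)
    #   Override 3 / 3  -> mitigations explicitly disabled
    if ($null -eq $Override -or $null -eq $Mask) {
        return 'NotSet: no override values present; on Windows Server the mitigations stay off until enabled'
    }
    switch ("$Override/$Mask") {
        '0/3'   { 'SpectreMeltdownOnly: CVE-2017-5715 and CVE-2017-5754 mitigated; ADV180012 (SSBD) not enabled' }
        '8/3'   { 'Full: CVE-2017-5715, CVE-2017-5754 and ADV180012 (SSBD) mitigations enabled' }
        '3/3'   { 'Disabled: mitigations explicitly turned off' }
        default { "Unrecognised: Override=$Override Mask=$Mask; compare with the ADV180012 table" }
    }
}

$state = Get-SpeculationOverride
Write-Host ("FeatureSettingsOverride     = {0}" -f $(if ($null -eq $state.Override) { '<absent>' } else { $state.Override }))
Write-Host ("FeatureSettingsOverrideMask = {0}" -f $(if ($null -eq $state.Mask)     { '<absent>' } else { $state.Mask }))
Write-Host (Resolve-SpeculationState -Override $state.Override -Mask $state.Mask)

# The registry only records what the OS was asked to do. Whether the CPU
# microcode/firmware side is actually present is reported by Microsoft's
# SpeculationControl module (Install-Module SpeculationControl from the
# PowerShell Gallery), when it is installed on the host.
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    Get-SpeculationControlSettings | Format-List
} else {
    Write-Host 'SpeculationControl module not installed; firmware/microcode status not checked.'
}
```

The split between the two halves of the output is the point: an Override/Mask pair that reads as "Full" only means the OS will use the mitigation if the hardware offers it, which is why the answer above still expects a firmware update from the vendor. The SpeculationControl output is where you confirm that half.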
Does the Zero Day targeting Flash involve Meltdown and Spectre patches?
- The Flash zero day is a vulnerability that affects Microsoft's Flash plugin only. The Meltdown and Spectre patches are separate from and independent of KB4287903.
I’m not seeing the June 2018 cumulative update for my Windows 10 1607/Server 2016 machines. How do I patch these machines?
- The June 2018 cumulative update, as well as the Flash zero-day patch, requires the most recent 1607 servicing stack update (KB4132216). The servicing stack update is a series of compatibility and stability fixes that Microsoft has been releasing with each version of Windows 10. See https://support.microsoft.com/en-us/help/4132216/servicing-stack-update-for-windows-10-1607-may-17-2018
Do monthly rollups include servicing stack updates from prior months, or must we still apply the most recent servicing stack update?
- The Windows 10 cumulative updates do not include the servicing stack update, so they need to be installed separately.
Does the servicing stack update for Windows 10 1607/Server 2016 require a reboot?
- It may require a reboot depending on your environment, but in our testing environments, we did not require a reboot.
Is the Windows 7/2008 NIC issue different from the previous VM NIC issue?
- Yes, this is a separate NIC issue with no relation to the earlier one.
Are there any Microsoft patches to be excluded for Windows Server 2008/2012?
- We have not read about anything this month as widespread as the VMware NIC issue. Of course, you should always deploy to a test group and validate the results before patching your whole environment.
Regarding the end of life on the different versions of Windows 10, does this apply to servers as well?
- Server 2016 is on the LTSB branch and will still be supported until 1/11/2027.
Product Opportunity Questions
What is the best way to upgrade the Windows 10 1511 machines?
- You can re-provision the OS completely if you have an endpoint management solution like SCCM, the Ivanti Endpoint Manager platform, etc. Within our patching solutions, we can also push the branch upgrades. While these use slightly different approaches, they will both upgrade your systems to the latest versions of Windows 10. The Ivanti support pages contain documents showing how to configure these upgrades. If you aren't using an Ivanti tool, a provisioning tool of some sort would be your best option.
I use Qualys in my environment and it is a challenge matching up those vulnerabilities with patches. Any advice?
- Cross-referencing this information can definitely be a challenge. One thing that we’ve done in the Patch for Windows product, and we plan on extending to other patch products, is providing an API to help automate this process. The APIs allow us to script the process of pulling CVEs from the vulnerability vendor, passing those into our patch products, and building up a list of the patches that need to be deployed. From here, you can let the security team know that they should be good to go. Here is the link to our community page with full details - https://community.shavlik.com/docs/DOC-24499.
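The scripted workflow that answer describes (pull the CVEs the scanner reported, match them to patches, hand the resulting list to the security team) reduces to a join between two data sets. The block below is an added example and is not Ivanti's API or code: it performs that join offline against constructed findings and a constructed catalog, so it can run anywhere, and it keeps the one output a practitioner most needs from such a script, the CVEs the catalog does not cover.

```powershell
# Added example, not Ivanti's API or code: an offline cross-reference of
# scanner findings (host + CVE) against a patch catalog (KB -> CVE list) that
# yields the KBs to deploy per host and flags CVEs the catalog does not cover.
# Both data sets are constructed for the example; the real inputs would be the
# vulnerability scanner's export and the patch vendor's update metadata.

$findings = @'
host,cve
srv-web-01,CVE-2017-5715
srv-web-01,CVE-2017-5754
srv-web-01,cve-0000-0001
srv-db-02,CVE-2017-5715
srv-db-02,CVE-0000-9999
'@ | ConvertFrom-Csv

# Constructed catalog: the KB ids are placeholders and the CVE-0000-* ids are made up.
$catalog = @'
kb,cves
KB0000001,CVE-2017-5715;CVE-2017-5754
KB0000002,CVE-0000-0001
'@ | ConvertFrom-Csv

function Get-PatchPlan {
    param($Findings, $Catalog)
    # Index the catalog by CVE so each finding is a single lookup.
    $byCve = @{}
    foreach ($row in $Catalog) {
        foreach ($id in ($row.cves -split ';')) {
            $id = $id.Trim().ToUpperInvariant()
            if (-not $byCve.ContainsKey($id)) { $byCve[$id] = @() }
            $byCve[$id] += $row.kb
        }
    }
    $plan      = @{}  # host -> set of KBs to deploy
    $unmatched = @{}  # host -> CVEs with no catalog entry (needs manual review)
    foreach ($f in $Findings) {
        $id = $f.cve.Trim().ToUpperInvariant()   # scanners differ in case and whitespace
        if (-not $plan.ContainsKey($f.host))      { $plan[$f.host]      = New-Object 'System.Collections.Generic.HashSet[string]' }
        if (-not $unmatched.ContainsKey($f.host)) { $unmatched[$f.host] = New-Object 'System.Collections.Generic.HashSet[string]' }
        if ($byCve.ContainsKey($id)) {
            foreach ($kb in $byCve[$id]) { [void]$plan[$f.host].Add($kb) }
        } else {
            [void]$unmatched[$f.host].Add($id)
        }
    }
    [pscustomobject]@{ Plan = $plan; Unmatched = $unmatched }
}

$result = Get-PatchPlan -Findings $findings -Catalog $catalog
foreach ($h in ($result.Plan.Keys | Sort-Object)) {
    $kbs  = ($result.Plan[$h]      | Sort-Object) -join ', '
    $gaps = ($result.Unmatched[$h] | Sort-Object) -join ', '
    Write-Host ("{0}: deploy [{1}]" -f $h, $kbs)
    if ($gaps) { Write-Host ("{0}: no patch found for [{1}] - review manually" -f $h, $gaps) }
}
```

With the constructed inputs, srv-web-01 gets both placeholder KBs and srv-db-02 gets the first one plus an unmatched line for CVE-0000-9999. The script deliberately models nothing about patch supersedence or product applicability; a real catalog join has to add both before the list is safe to hand to deployment.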