November Patch Tuesday FAQ
November Patch Tuesday included 60+ vulnerabilities resolved by Microsoft and third-party vendors, plus a zero day and two public disclosures. You can watch our analysis webinar, where we go through the November patches in detail and answer user questions. Here is a compilation of the most frequently asked questions regarding November Patch Tuesday, along with their answers.
Be sure to register for our December Patch Tuesday webinar to stay in the know!
Q: Is there a way to subscribe to Ivanti’s weekly patch blogs?
Q: Is a KB the same as a bulletin?
A: We use KB to refer to the actual Knowledge Base article from Microsoft and use their numbering. We have kept the bulletin concept alive to group logical KB updates.
Q: Can you suggest anything to help get IT, management, and executives on board with server maintenance windows?
A: This is a common source of contention and one of the reasons patch management can be so difficult. We recommend reminding those who push back about the importance of the security of these environments and the potential consequences of an exploit. Reminding them of the major breaches will hopefully scare them into compliance!
Feel free to reach out to us directly and we can talk about a more customized plan for your needs and workflows.
Q: Is it bad to install patches on servers and let them sit for a week before actually rebooting after installing?
A: We don’t recommend that. You’ll be in a half-installed state that could affect stability, as certain files will be updated while others will remain in the vulnerable state. You want to try to reboot as quickly as possible so issues don’t arise.
Q: Is there a master list of servicing stack (SSU) KBs?
A: Please see here.
Q: Does the SSU (if installed previously) need a reboot?
A: The SSU should not require a reboot in our testing. Of course, I don’t want to guarantee it as your mileage can always vary, but the odds are that a reboot won’t be required.
Q: What is the experience people have had dealing with the Servicing Stack Updates for Win 7 and 2008 R2?
A: We’ve heard a few instances of the notorious "stuck on stage 2 of 2", but otherwise there have not been any major issues.
Q: Does the SSU need to be installed before the roll up?
A: Microsoft does recommend the servicing stack be installed before any further rollups or bundles for stability reasons, but the patch does not require the SSU to be installed for successful patch deployment (except for Windows 10 1607).
Q: To get the latest servicing stack, do we need to update to the latest cumulative for Windows 10?
A: No, the servicing stack is separate and can be installed at any time.
Q: If you disable hyperthreading, are you still vulnerable to PortSmash?
A: Disabling hyperthreading at the BIOS level should remediate PortSmash until a proper patch is released.
Q: Was the Exchange update for CVE-2018-8581? There is no update released for that.
A: The FAQ for this CVE lists a registry key. Removing that registry key makes the CVE unexploitable and resolves the vulnerability.
Q: I have IE9 on some client computers and need to update it to IE11. Can I use the recent monthly rollup patch that was released?
A: IE11 needs to be updated separately through the standalone IE11 installer. The monthly rollup will ignore updating earlier versions of IE while updating the rest of Windows 7/2008R2.
Q: MS18-11-W10 states that it has 12 KBs. How do you see the KB numbers it is referencing?
A: Within our products, querying MS18-11-W10 should list all of the respective KBs. Another option would be going to the Microsoft portal to filter by OS.
Q: Is there a reason why Server 2016 patches seem to take longer than 2012 and 2008 to install?
A: This is a great example of the Windows 10 Cumulative Model. We have noticed these incredible install/reboot times for Windows 10 1607 and Server 2016. The packages for 2008 and 2012 are much smaller.