Patch Tuesday Forecast October 2016

October is here already and should be an interesting lineup of updates coming in the next few weeks.  There are also some things you need to know about servicing model changes from Microsoft and on distribution changes for Adobe Flash. Oracle is also going to be dropping their quarterly CPU this month.  Read on for more details:

On the Horizon

This is the month Microsoft will have its first delivery under the new servicing model and there is a lot of uncertainty amongst companies as to what really is going to change. I interviewed LANDESK CSO Phil Richards on the subject and he had a lot to say. You can check out the full interview here, but it boils down to this:

  • Microsoft’s change, while well intentioned, will impact many companies and could lead to some hard decisions.
  • Application compatibility is going to be the most significant of these changes. Most companies know what products are sensitive to updates already, so it may not be a bad idea to reach out to those vendors in advance and start asking if they understand the changes coming and potential ramifications.
  • While there may be some hard decisions in the future, with planning and other security measures the problems can be overcome.

Oracle will be releasing their quarterly critical patch update this month. I always try to emphasize this as they will not release on Patch Tuesday, but on the following Tuesday. Oracle’s release schedule is the first month of each quarter on the Tuesday closest to the 17, which falls to Tuesday October 18 this month. The Oracle CPU always brings a lot of fixes for some pretty nasty vulnerabilities. Take July’s release for JRE. This update included 13 security fixes, nine of which were remotely exploitable without authentication. Four of these updates were rated as CVSSv2 9.6, are exploitable remotely without authentication, are rated as low complexity, meaning they are easier to exploit, and rate as high for confidentiality, availability and integrity. According to analysis by Verizon’s 2015 Data Breach Investigations Report, these would fit the pattern of vulnerabilities likely to be exploited within two weeks of release from the vendor.

Adobe has changed availability of Flash Player for distribution. This change has been looming for some time now. We first caught wind of this late last year and since they have pushed the date multiple times, but September 29 they finally took the plunge. From the distribution page you now get two directions to go: for consumers and for companies wanting to distribute. Follow the link to request approval for distribution. I personally went through the process and it was quick and painless and, once approved, you will receive details on how to access the enterprise-ready version of Flash Player for distribution in corporate environments.

Patch Management Tip of the Month

In a conversation I had yesterday with one of our customers, we shared details of the change Microsoft described in its blog and through other sources like the customers Microsoft TAM and talked through some scenarios to figure out a plan to proceed this month and going forward. Here is where we left the conversation understanding full well that “No plan survives contact with enemy.”

  • For systems currently in operation plan to test and rollout the October security bundle, which will include updates for IE and the OS in a single package. This package should be security-only updates and also should not be cumulative. In other words, if you need to exclude this bundle for any reason, you should be able to take November’s security bundle without it forcing application of the October security bundle. Expect to take the security bundle each month until you hit a situation where non-security updates (bug fixes) would force the need to apply the cumulative rollup.
  • For new systems implemented after the servicing model change, they are planning to start with the cumulative rollup until a point where they hit an exception, in which case they would switch to the security bundle for those systems until the event which caused the exception can be resolved, allowing application of the cumulative rollup once again.

And I will re-emphasize last month’s tip which is to expand your pilot group for application compatibility testing. Getting power users from the parts of your organization that rely on business critical apps will help you to ensure that these larger bundles of updates do not cause impacts earlier in the test process.  Many companies have test systems, but only validate some high level functionality like login to the system and basic data rendering. Many issues could occur deeper in legacy apps from rendering of PDFs to printing documents, etc. This year alone we have seen both PDF and GDI updates nearly every month from Microsoft. These are common components to be updated as they are high profile targets for user targeted attacks like phishing scams. A vulnerability exploiting a user is often the first point of entry into a company’s network.

Your Patch Tuesday Forecast

From this point on you can expect an average of three to four Microsoft updates. Under the new servicing model, we will typically see the Security Bundle (IE and OS updates), Flash for IE, .Net, Office and occasionally Sharepoint, SQL, Exchange and other applications.

Oracle will release on October 18, so expect a critical update for Java and many other Oracle solutions.

Adobe is due for an Adobe Acrobat and Reader update, so I am forecasting at least two bulletins from Adobe this month. Adobe Reader and Flash Player with likely use Acrobat as well. If Flash drops we will see the Flash for IE bulletin from Microsoft and plug-in updates for Google Chrome and Mozilla Firefox.

It has been nearly a month since the last Google Chrome release on September 15. They did a re-release late in the month, but with only a minor change. The beta channel for Desktop was updated yesterday so we are not far off. There is a good chance we will see a Chrome update on or before Patch Tuesday.

And as always, watch for our Patch Tuesday update and infographic next Tuesday and catch deeper Patch Tuesday analysis on our monthly Patch Tuesday webinar next Wednesday. Sign-ups and info can be found on our Patch Tuesday page.