We are only a few days away from September Patch Tuesday and just for a bit of nostalgia I dug up this old image. Circa 2010 Minimize the Impact of Patch Tuesday banner.
So, here are a few things to watch our for to help minimize the impact of Patch Tuesday, a quick tip to help you tune your process, and our forecast on what we think you should expect this month.
On the Horizon
Based on the sheer volume of questions I’ve had about this I’m going to go out on a limb and say that the servicing changes Microsoft plans to implement in October are a hot topic right now. Microsoft’s announcement to move all pre-Windows 10 OSs to the same bundled update model has stirred up concerns from their customers. I will start off with the same recommendation I have given everyone so far: keep breathing. But also know the facts. Microsoft will have a security bundle that will release each month that includes updates for IE and the OS. There will be a cumulative bundle option as well that will include non-security fixes and feature changes. The security bundle will be the way to go for most organizations.
The fallout from this event will be a more pronounced need for application compatibility testing. If you recall January’s Patch Tuesday, the Windows 10 cumulative update caused Citrix’s VDA Client to break. This is exactly the type of scenario companies I’ve spoken to are concerned about. Fortunately, Citrix worked with Microsoft and moved quickly to resolve the VDA incompatibility that the cumulative update caused. Microsoft updated its release to detect if VDA was installed, and if it was, then the cumulative update was not installed. This process left their customers exposed to many vulnerabilities in the January release, but Citrix turned a fix-around in short order and together they reduced the risk to their common customers to only a week of not being able to push the January updates.
But this was two software giants working together; the issues will be more pronounced with less common products or vertical specific products, such as healthcare devices or manufacturing systems that run on Windows systems. Home-grown applications and applications developed by vendors who are no longer in business may be less of a concern on Windows 10, but on older systems they are much more common. Which brings us to our tip of the month!
Patch Management Tip of the Month
Application compatibility is the biggest hurdle to effectively remediating software vulnerabilities. Most companies we talk to have an exception list of updates that conflicted with business critical applications. This has been a rising concern for companies as they evaluate Windows 10, and now will become a concern for their existing systems come October. The looming inability to pick and choose which updates to apply to their systems has many companies concerned. The reality is we will have less of a choice in the matter going forward, so what do we do?
One tip that I always stress when advising our customers is to have an involved pilot group. Many companies have a small set of test systems for the most critical of assets, but this falls short of truly ensuring you catch application compatibility issues quickly. What you need is to ensure you have a selection of power users in your pilot group to help you flush out issues quickly. These power users will be able to provide you better feedback, and they’re technically savvy enough to help you work through issues as you discover them.
Hitting a few power users who will keep their head and work with IT to resolve issues quickly helps reduce impact to the greater workforce. Someone from IT may be able to verify login works and some basic interfaces load, but the power users will get into the product and find the less obvious things, like updating broke print features or submitting a job or form. Most business managers quickly agree to this arrangement when you put it to them as a partnership where you will work with one or two of their best to keep the majority impact-free.
Your Patch Week Forecast
August was our lightest Microsoft Patch Tuesday this year tied with January at 9 Microsoft bulletins total; the average this year has been closer to 13 bulletins each month. I expect this month will be closer to the average if not a little above. Starting in October, this average will appear to drop significantly as the bulletins will become bundles instead, reducing the average number of Microsoft updates to around four or five each month. At that point, watching vulnerabilities resolved will be a more accurate indicator of how significant the month’s updates were.
On the non-Microsoft front, I would expect an Adobe Flash update, as we have not seen a Flash Player update since July, which is near an eternity in Flash Player terms. Also, be aware that Adobe has updated the looming end of open distribution of Flash message on the distribution download page. The end of September is the new cut off where you will need to have an Adobe ID and login to Adobe’s site to gain access to Flash updates if you need to distribute them internally. We will see if this is really the one.
Google Chrome just released this Wednesday, so plan to include that and some other recent third parties like Wireshark in your patching schedule this month.
And as always, watch for our Patch Tuesday update and infographic next Tuesday and catch deeper Patch Tuesday analysis on our monthly Patch Tuesday webinar next Wednesday. Sign-ups and info can be found on our Patch Tuesday page.