August Patch Tuesday Analysis

August 15, 2018

Chris Goettl | Director, Product Management, Security | Ivanti

Todd Schell | Product Manager for Patch | Ivanti

Join us this month as we recap the Microsoft and 3rd Party security patches released on Patch Tuesday. We will discuss things to watch out for, products to be sure to test adequately, and which patches should be highest priority to roll out.


Todd: Thank you very much for joining us today. I apologize for the slow start here. Chris is on vacation, so we have kind of the second-stringers in here today. Brian and I are gonna run the presentation today for the "Patch Tuesday" Webinar. Chris is on vacation. He's actually kind of on a working vacation with his family. He's doing the good thing. They were in Washington D.C. visiting a bunch of the monuments, and museums, and things like that. So wish him the best and hope he's enjoying his time with his family. How are you doing today, Brian? 
Brian: Doing great. How about yourself, now that we're all up and running? 
Todd: I'm much better, thanks. For the presentation today, Brian is gonna take over and kind of run the first part like Chris does in the news portion, and then I'll go through the usual bulletins. We do encourage you to, please, you know, use the Q&A section of the webinar to ask us any questions that you may have as we're going through the presentation. And I guess with that, we'll get started here. As usual, what we're gonna do is we'll go through with our usual Patch Tuesday overview, jump into "In the News" where Brian is gonna go through a lot of recent events that are occurring. I'll go through the bulletins. And of course, at the end, we will wrap up with a Q&A section. 
This month, it kind of looks very small if you take a look at the fact that we only had two updates coming out on Patch Tuesday from Adobe, but we did have a huge release of updates from Microsoft this month. And Brian and our Patch Content team were very busy making sure that they were, you know, the patches were properly tested and released out to everyone who was using our product. So definitely, a lot of different patches that came out this month, and we're gonna go through those in quite a bit of detail. In addition, we hadn't seen for the last two months any zero days, you know, hit the market, but we definitely had two vulnerabilities that were released in conjunction with the information on vulnerabilities, I should say, that were released in conjunction with the Microsoft patches this month. And we'll talk more about those as we dig into the specifics of this month's release. 
Before we do that, we'd like to go back and talk through some of the "In the News" events that have occurred. So with that, what I'm gonna do is I'll pop up some of the articles here that we have here. Erica will be sharing those with you over in the chat session. And as usual, this presentation will be available on our website after we finish up here today. And so you could go in and you definitely have access to all this information as well. So with that, Brian, I'll turn it over to you with the recent WannaCry release again. 
Brian: Perfect. Thank you, Todd. I think we're not seeing your screen right now. It looks to be a bit grayed out. 
Todd: Oh, let's see what's going on here. Let's see. Hang on just a sec. 
Brian: No problem. Well, just to give you guys a summary real quick while we're getting that together. First, I'm gonna go over a few articles that are new, some interesting stuff that happened over a month. Then after that, I will dive more into the new architecture vulnerability that everyone is talking about for Shadow. So I'll go over the details there. Perfect. So for the first article I had today was the semiconductor fabricator TSMC was actually brought down earlier this month. For a lot of the tech blogs, that was kind of a big deal because they produce hardware for NVIDIA, AMD, and even the iPhone. So after the fact, they announced that they were brought down by WannaCry, reared its head again, kind of a reminder of how much your network's only as strong as the weakest link. And in this case, they had a lot of machines that were way out of date with patches, and that made them lose a pretty substantial amount of capacity. So if you guys don't get your iPhones on time, you can blame WannaCry on this one. 
So next, we have the NetSpectre. So, of course, Spectrum Meltdown came out in January, but the majority of the exploits, albeit not very well proven, could only be done locally. The NetSpectre update could be exploited by actually hitting the network ports. They can't have a huge high poll rate. It's only about 60 bits a second. But the fact that you could hit the cache, the predictive cache from a network is definitely to be concerned about. So of course, if you're joining our webinar and you've been watching, I'm sure your systems are up-to-date. But if they're not, this is something you definitely need to make sure. As a reminder, this is for Spectre variant one. So you do need to get your operating system patch, but you also need a firmware patch that can be in form of Intel microcode update that Microsoft supplies, but also a BIOS update will be recommended. So you're not gonna be completely covered unless you have both. One thing to hit on that I didn't quite have an article for was the SamSam ransomware. They've done an analysis of how much damage that ransomware did, and they calculated is was about $6 million that was taken from about 233 companies. So it's definitely a reminder that this ransomware is profitable and I'm sure it won't be the last of the attacks we'll see there. 
Next, we saw that the proliferation of USB-C chargers is definitely gonna be a security hole in the future. Some security researchers made a prototype where they could use just a simple USB-C charger, and because that's a data port as well, they managed to actually exploit the system through that. Definitely some ways around this are gonna be through device control, making sure that the USB devices are trusted and if something isn't trusted on your network that it can be blocked. Kinda just bringing this up, as kind of a heads up because this probably won't be the last we'll see of it. I'm sure plenty of people go on Amazon or other places and just grab the cheapest charger. This might actually be a bigger issue in the future. 
So moving on to the most important thing, this is the Foreshadow vulnerability. This is separate from Spectre and Meltdown. So the big thing here is it's about Intel Software Guard Extensions. And actually, this sandboxing feature of Intel allowed hackers to not really get very deep into the processor through Spectre and Meltdown, but researchers in January managed to find a way to hijack that and actually spoof, effectively, small sandboxes within your processor where instruction sets will be dumped and a lot more information could be spoofed. So there's three variants of this. The first variant is on the processor itself. And that's hitting SGX directly. So that can only be remediated through firmware updates and microcode updates. So through Windows 10 on Microsoft has offered a few updates to take care of that. However, still would heavily recommend going through the vendor of your hardware to get the latest BIOS updates, etc. around that. 
The two that we can take care of on Patch Tuesday, at least partly, is the first one, which is the CVE-2018-2620. That affects every operating system. The latest patches today, today's roll-ups, bundles, we'll take care of that. And we'll be going over that later. But also, you will still need a microcode update, that will be a new one on top of the ones you've already applied from the first half of the year. The second is on machines that are running virtualization. These can be, in this case, Hyper-V. Here, if you have access to the host, you can use the hyper-threading feature of the processor to effectively grab the other virtualized core, grab instruction sets from the other virtualized core and snoop. So Microsoft is actually suggesting the workaround here is to disable hyper-threading, which unfortunately can be a pretty big issue around performance. On the right side, if you are running Server 2016, Microsoft just said you are covered there. But on 2012 R2 or earlier, if you wanna be fully remediated against this, you may need to look into that. 
So if you could go to the next one for me. So I did wanna bring up the Intel microcode updates that I mentioned. Intel and Microsoft have been working together to release some of these microcode updates in a little bit easier to distribute package. S one of our links will go over all the latest microcode updates. These are just for Windows 10. For SCCM users out there, these are available in the catalog and will need to be imported, but you'll also be...if you are using our product, we have created those as well. We have to do an additional link that we just put in the chat from Intel, listing all the different processors that are vulnerable. Frankly, it's pretty much all of the Intel Core processors. So it's gonna be a decent portion of your environment that will be vulnerable to this. For better insight, "Wired" wrote definitely the best article of the month around this. So they work directly with the researchers to cover a lot of the issues around it. It goes a little bit in depth about SGX, I didn't touch base so much given the fact that we can't quite patch against it with just Microsoft patches, but I would heavily recommend looking into this if you want a little bit more insight. 
On top of that, Microsoft software isn't the only vulnerable software. So VMware released ESXi, VMware Workstation, and VMware Player updates to this level one terminal fault update. So please look into that and we will be releasing the workstation and player updates for your Windows OSs later today. But for ESXi, you definitely wanna make sure to bring that into your patching. For notable out-of-bands, as we know, that July patches, it wasn't exactly smooth. Customers had a lot of issues running from blue screens to the inability to stop web services, the list goes on. But for the first time in a very long time, Microsoft released standalone non-security update for Server 2008 up to Server 2012 and the respective desktop OSs. So I just want to put them here. These are all of the KBs. So those that do run just a security-only hacking cycle, this will allow you to patch those specific bugs without having to do a full rollup where all the previous non-securities will be applied as well. In your minimal patching scenario, I would heavily recommend them. 
Next slide. So going on to the two zero days. So for the first zero a day, which is CVE-2018-8373, this vulnerability affects the scripting engine Internet Explorer. And this can be exploited either be a specially crafted website, specially crafted contents or ads on websites, or an embedded ActiveX control that is incorrectly marked as safe for initialization. So this can affect IE, Edge, pretty much all of your base Internet Explorer. So of course, this is being actively exploited. So please, make sure to patch it as soon as possible. For the next CVE, CVE-2018-8414, this vulnerability is in the Windows shell. And a hacker can create a specially crafted file. And then if that is run in the context of the current user, it can cause some serious issues where you can install programs, delete data, create new accounts, elevate privileges. Currently, this is being exploited in the wild through PDF files, but any file type should do the trick. It's one of those examples where a hacker could distribute just a lot of misleading files through email and making sure that you have coverage on that is definitely important. 
For Windows 10 lifecycle, just a reminder, Windows 10 1703 is scheduled for end of service for October 9th. Of course, if you are running Education Enterprise that will be extended for six more months, but Windows 10 Home and Pro will no longer you patched after that date. They suspect that is when 1809 will come out, we'll see, but that did see a pretty substantial delay on the first half of the year. Currently, Windows 10 1607 is still in the extended support, but that will end October 9th. So that does not include Server 2016 or your long-term servicing branch release. But if you are running 1607 just of Education, Enterprise, Home, and Pro, you will no longer see updates around that. So make sure to schedule that. Other information prerequisites, for Windows 10 1607 and Server 2016, you will still need the main servicing stack update to apply the latest cumulative update as well as the Adobe Flash update. You will not see those updates, especially if you're running a SCCM, until at servicing stack is installed. With our product, we have created a detection-only patch that can't be deployed that will give you a heads up if you're still vulnerable to the latest CVs and latest cumulative. But you can't patch that to the servicing stack update. 
Other prerequisites, Exchange 2010 also got patched. This will require C++ 2013 Redistributable. If you don't have that, C++ Redistributable, you will not be offered this patch. So just heads up around that. And then on top of the current bulletins that have been released for the day, just heads up that a Visual Studio 2015 was announced with the update portal, but there was no installer yet. So we'll be keeping an eye on that. And then Visual Studio 2017 also saw a major release. We should be releasing that within our content shortly. It was a major change to their installer. So we're just making sure that it runs smoothly. Other announcements, every week, I create a weekly patch blog. I go over what was released in the week, go over some security articles.
Todd: Back here? Yup. 
Brain: Sorry, it was week 29 I think. Oh, yeah, perfect. 
Todd: Where did I go here? There it is. 
Brian: There it is. Oh, yeah, for a week 30. So in week 30, I went over the Google Chrome release. I know this was asked quite a bit in the Q&A of when this was coming. This was where HTTP sites, not HTTPS, would be marked as non-secure, giving customers a little bit better information, as well as quite a few security releases were pushed with this a major update. So aside from this, I will go over the third-party updates that were also released for the week. Even though these are non-security, still have a CVE associated with them. A lot of the lower profile third-parties, they might have quite a bit of security updates. However, they're just not being disclosed and they're not super high profile. So just because something doesn't have CVE associated with, it doesn't mean it's not vulnerable. It's just not currently being disclosed. So always make sure to keep those up-to-date. 
Finally, we do have a new patch content announcement system to those that haven't seen this yet. We do have a page where we will now aggregate all of our updates running from endpoint manager, patch for Windows, our SCCM plugin, etc. You can subscribe to these, and I heavily recommend that. We will be stopping our Listserv. Our Listserv, currently it's a little old. We're seeing a lot of blocking from spam filters, etc. We were looking through them a little bit more up-to-date where we can kind of ensure customers get their updates. So please make sure you include this in your subscription info. And whenever my team releases our content, we'll make sure we give you heads up. Now, we're off to bulletins. 
Todd: Okay. Thanks, Brian. 
Brian: Thank you, Todd. 
Todd: Moving in to the bulletins for this month, we'll start off here with our critical releases. First one is a security update for Adobe Acrobat and Reader. After the massive release that they did last month, we weren't really expecting another update for Acrobat and Reader, however, they did. And I guess they felt that these two vulnerabilities were important enough. They are rated as critical CVE-2018-12799 and 12808. So be aware that this release came out and update those applications accordingly. As usual, of course, they did an Adobe Flash Player update as well. Again, this one rated critical as usual. This time, they addressed five different vulnerabilities in this particular release including things that have a security featured bypass, allowed elevation of privilege, and the information disclosure as well. 
So also, as usual, you know, Microsoft rolls this into their updates for the month. So they had their security update for Adobe Flash Player as well. Same vulnerabilities of course applies against all the operating systems that I've listed here, so be aware that this flash update is available. This one is covered in a separate advisory bulletin. In this case, it's 180020. So you can read about all the details there on this particular update. And as Brian had mentioned earlier, for some of the operating systems, you do need that service stack update before this will show up as applicable. So be aware of that. Moving on to our favorite operating system, Windows 10, Microsoft did of course release their usual update this month for Windows 10, covering basically all versions that are currently still supported from 1607 through 1803, server updates as well. 
And in addition to the Server 2016 long-term service branch and things like that, they also had the Core Server 1709 and 1803 updates, IE 11, and of course, it includes Microsoft Edge updates as well. Nine different KB articles that were listed associated with all these updates. They did address 44 vulnerabilities. Brian has already talked about the most important of those, which were the zero days, 8373 and 8414. So be aware of those. Don't forget to go back and review those and make sure that these updates are in your patching schedule. As far as known issues go for Windows 10, this one has been now carried over for three or four months. It's a known issue in 1709 around devise guard. They have a workaround so they give you some...I mean, they don't have a workaround but they do provide a description, sorry. And they say that they are still working on a resolution for this one. I guess this is pretty low priority for them since they've been carrying it along for so long there. 
There were of course the usual updates for Internet Explorer including versions 9, 10, and 11. They do have individual updates as well as a cumulative update available for Internet Explorer. And these updates are also rolled into a lot of the monthly rollups for the operating systems that we'll talk about here in just a second as well. They did fix 11 vulnerabilities in IE. And of course, as Brian explained earlier with CVE-8373 and the memory problem there, and that zero day. So just be aware of that. Now, it does require a browser restart, so, you know, obviously, you know, once you've done the update, make sure that things are closed and open for it to take effect. There are no reported issues with that update so far. 
Going back to the legacy operating systems, they are still supporting Server 2008. There were a number of vulnerabilities that were fixed this month. I've listed them here, Microsoft COM for Windows, font files, .LNK files, they did make some update to the Windows kernel and some device interface portions as well. You'll notice also that they did start releasing an update for some of the previous Spectre variants. This is the one that we talked about in a little bit of detail last month, an update for this Lazy Floating Point State Restore vulnerability came out and they have now rolled that into this month's update on Server 2008. There are 10 vulnerabilities fixed that I've listed here. So just kind of be aware that this update is available for Server 2008. No known issues for this one, which is good. 
Continuing, Microsoft does two types of updates, as I've said in the past, for their legacy operating systems. They do a monthly rollup whereby they continue to build up a large patch of all updates for the last 18 months, basically, at this point. And in this case, the monthly rollup for Windows 7 is covered under KB 4343900 as I show here. This does roll in some of the software updates that Brian talked about for the L1 Terminal Fault, a problem that we talked about. And also it does include that same Spectre vulnerability Lazy Floating Point State Restore that I just mentioned earlier. In this particular case, they've rolled in the 32-bit fix for this one. There were a total of 25 vulnerabilities fixed, the 14 shown here plus the IE vulnerabilities listed earlier. And the reason that we lump those together is because it is a monthly rollup, and it does include the IE updates in one big package. So be aware of that. 

There is a known issue for this. This one's been carried along for quite a while as well. Interestingly enough, they give a workaround but they do not say that they're working on an update for this. So I suspect this thing is not going to be addressed by Microsoft, this particular vulnerability, this particular problem I should say. So be aware of this. Has to do with .INF file being messed up and they give you a workaround. So I think they will probably see this one carried forward probably until the end of Windows 7. We'll see though. This is the security-only update. As I said, they have a monthly rollup. So if you do apply the monthly rollup, you're getting a whole host of updates over those from the last 18 months in one big package. They also do a security-only rollup, which are just the fixes for this particular month. If you are using the security-only updates for Windows 7 or Server 2008 R2, you have to apply them month after month. So as each one comes out, it has to be applied to get the latest patches. Same vulnerabilities, same 14 as on the previous slide, but once again, it's a much smaller package and it only includes the updates addressing those particular vulnerabilities. Interestingly, the security-only update does not have that issue with the .INF file that was identified for the monthly rollup. So be aware of that. 
Of course, they're continuing to support Server 2012. The monthly rollup this month included 10 vulnerability fixes, which are listed here. This one does include the L1 Terminal Fault as well as the Lazy Floating Point State Restore fix as well, very similar to what they did basically for Windows 7 monthly rollup. So they've included all those updates here. Security-only update for Server 2012, very similar. Same vulnerabilities. Be aware that these are rated critical. Everything that I've talked about so far is rated critical. Mostly because of the remote code execution possibility if these vulnerabilities are exploited. 8.1 and Server 2012 R2 updates, again, a monthly rollup. Similar set of vulnerabilities that were addressed. They do role in the latest fix for, once again, the L1 Terminal Fault. This one is covered under 4343898 as far as the KB goes. No known issues reported with this one as well. And finally, same security-only update for the same operating systems will be relisted here. 
Moving on, there was an update for Exchange Server this month. It is rated critical. Covers several versions of Exchange Server between 2010 and 2016, so check in and take a look at that. A couple of bulletins that were released on this, 4340731 and 733. There is a remote code execution possibility for this. As I said, they did address two vulnerabilities, 8302 and 8374. And they did report a known issue with this. You have to make sure that when you're applying this update that you run in elevated mode, which is basically the equivalent as administrator. If you try to apply this using their normal mode or basically basic user, the installation will fail. So make sure that this would be installed properly using the proper privilege management. 
Also critical this month, they released a update for SQL Server. This is for versions 2016 and 2017. Only one vulnerability in this case, but it does allow for remote code execution. So kind of be aware of this one as well and make sure that your SQL servers are updated. No known issues with that particular problem, with that particular update rather. They did release also a SharePoint Server update this month. Again, addressing just one vulnerability, but it does allow for information disclosure. Interestingly enough, the vulnerability is not directly in the SharePoint software itself but it's in Microsoft Office running on top of SharePoint. So be aware of that when you go through and apply this update. This was only rated as important because it's only an information disclosure-type vulnerability. 
Then, of course, our usual updates for Office this month. They addressed a handful of vulnerabilities, just six of them this month. There are a number of, obviously, KB articles. They released updates for Excel independently, of course, the Office Suite as a whole. Office 2016 for Mac was updated as well. Outlook, all versions here. Interestingly enough, only PowerPoint 2010 was updated this month. So much older version, they didn't talk about any of the newer ones. And the web apps associated with Office were updated as well. In addition to the six vulnerabilities here, they did a general Defense in Depth update, which they rollup under an advisory. So you can take a look at that and see the updates that they included in there. I think it's just a whole series of kind of a broad-brush of updates they've done across Office where they don't itemize individual CVEs, but they do address a lot of known issues in Office. So kind of be aware of that as well. No known reported issues with these updates at this point. 
Of course, regular updates for Office 365. This month, they released separate updates for Excel 2016, Office 2016, and Outlook 2016. Again, similar vulnerabilities carried over from the previous general Office update suite. Information impact here is a remote code execution and information disclosure. Again, just these four vulnerabilities were addressed and no known issues at this point. Included a link here, if you go in and look actually at the TechNet site, they provide a good update, a good set of information about the updates that were released. This month, we had updates for .NET once again just like we did last month. This time, they only released or identified one vulnerability that was fixed. This is an interesting one. This has to do with information being shared back and forth across tenant environments. So be aware of that. If you are running application supporting a multi-tenant environment, there is the possibility of information being shared through this vulnerability between customers, between the information that's being stored for customers. So be aware of this one. 
I'm wondering too, this month, if they included any of the stability fixes that were released throughout the month because, as Brian mentioned, there were a lot of problems with last month's release and a lot of them were attributed to this to the .NET updates that were released. So may be a good thing to think about applying this one. You may get some additional stability enhancement as well with this particular update. Of course, these are reported or released as monthly rollups as well as security-only. In this case, once again, it's essentially the same thing. I mean, this particular case, there's just this one vulnerability update, 8360. 
Of course, a lot of this information is covered in Brian's blog where he covers information on what's happening between the Patch Tuesdays. This is updates that are released and supported by Avanti. We did add a box edit as a new application that we're now supporting in our patch products. There were security updates issued for the list of applications shown here. You can see in some cases, like FileZilla and Oracle JRE, there were two different updates available. Of course, we do release non-security updates as well, those are listed here for the month. And as Brian said, you know, although they don't specifically call out CVEs or vulnerabilities in these particular updates, there may be some embedded in there that either the vendor is not willing to share or, you know, they didn't feel that was important enough to report them. So we do recommend that you do apply these non-security updates. 
Here's kind of a breakout for the month. Excuse me, kind of summarizing the information Brian includes in the blog. We put them all in the slides here, the bulleted information, then the vulnerabilities that are identified for these. So in this case, Thunderbird 60 came out, SeaMonkey 2.49.4. Foxit Reader and Phantom PDF had a huge update this month. They fixed 85 different vulnerabilities in this. So if you are using that particular application, very important that, you know, you make sure you get that updated to address all these particular vulnerabilities. Other updates that occurred, Wireshark got a few updates fixing nine vulnerabilities. VMware Horizon Client fixed up vulnerability. And Oracle VirtualBox fixed nine different vulnerabilities. So with that, I will turn it back over to Brian. Brian, you there? And talk about Q&A. 
Brian: Yes, I'm here. Thank you everyone that's been writing. I'm trying to catch up on all of them as fast as I can. Let me finish one answer real quick, or actually just answer it live. So just to give you guys a heads up on all of your questions that you guys are asking, even if I don't get to one of them, we're gonna try to bring all of that together and bring it into a blog post. So if, by chance, you don't feel like one was answered and you had more questions, we're gonna bring those together. So just add that. So I'm gonna start at the top of the Q&A section and I'll go down. 
First question was, "Do you know if the August patch fix the issue with July patch for web servers, specifically ActiveX components?" So kind of a two-prong answer to that one. If you do run a monthly rollup cycle, yes, this will include that. However, if you're trying to do kind of a minimal patching security-only, you will not get that fixed. In my previous slide where I mentioned the out-of-band non-securities, those I would recommend running on your systems to make sure that stability fix gets taken care off. The other question is, "How soon should we be installing CVE-2018-8373?" That is one of our zero days. It is being actually exploited. I really can't stress how much you should get that into your patching cycle, this weekend if not sooner. 
Let's see. What about VMware ESXi? VMware ESXi under the VMware Bolton that I touched base on, yes, VMware ESXi is also getting patched with this, that VMSA Bolton that we did above will include the versions that you should have to make sure you remediate it. "Is s creator update and a feature update one in the same?" Not quite. The feature update is just the category of all the major updates. For example, if you go from 1607 to 1703, the creators update was just the name for build 1703, 1709 was all creators. And then, now, they start going by the month and the season. So April 2018 was the last one. We'll see what they name the most recent one, who knows. 
"With the four out-of-band patches that Microsoft released, what's the recommended install method? We exclude many of the patches from July Patch Tuesday that have had known issues. Can we just install these to resolve the vulnerabilities?" That's a great question. You should be able to install the non-security first to resolve the issues and then install the security-only. Of course, I haven't tested that out. I don't wanna say that I can guarantee that would work but it should reduce your chances of having stability problems. So that would be a great recommendation if you have not applied the July patches yet. For the detect-only patch that we did for 1607, it will be the exact same bulletin. In our case, for our products, we did MS-1808, the Windows 10, and then 4343887. And then under the RQ number, or KD, it'll just end in a D to let you know that's just detect. 
For SCCM about microcode updates, I might have been a little quick on that one. The Intel microcode updates from Microsoft, they aren't included by default on your Windows Update patches. So you can still go and import these patches from the catalog and you should have no problems doing so. But just giving you a heads up, if you're just going with whatever synchronizing through Windows Update, you won't have those initially. Travis was asking about the zero-day upgrade, disabling of the NIC [SP]. So this is specifically for Windows 6.1, so Windows 7 in 2008 R2. There is a known issue where the NIC can stop working with certain third-party software. The issue has been around for quite a few updates right now. So if you haven't hit it yet, hopefully you won't run into it now. But you still might run into it. It's one of the things that will happen with any of the Windows 7 or 2008 R2 updates. And if not, you need to get that. 
Todd: Yeah, this month, zero days did not specifically address any problems with the NIC. 
Brian: No, no. You definitely won't see a fix. Serkar [SP] was asking, "Hey, Brian, my company runs about a month behind on the patching so we have not done any July patches yet. Would you recommend skipping July and then just go to August?" Kind of depends on which patching method you're doing. In the first hand, you have your security-only where each month is isolated to that package and you're just remediating those CVEs. And then there's the monthly rollup, which goes how almost...what is it, Todd, almost two years back now? 
Todd: Yeah. 
Brian: With all of the CVEs there as well as the stability fixes. So if you do go with the rollup, yeah, if you do go with the August one, you should fix all the July issues, knock on wood. And if, by chance, you do only do a security-only kind of minimal patching method, you will still need to get those out-of-band non-securities applied. Question above, "I'm wondering if any of the pre-release updates will need to be installed?" Oh, yes, I already kind of answered that. "Updates for Office 365, is that the monthly channel or semiannual channel for being security?" So were the three channels, the most current channel, the monthly channel including new features and the semiannual channel of just being security fixes, all three as well as the target, all three branches remediate those CVEs for the month. And those are the Office 365 specific ones, as well as some of the CVEs mentioned just throughout the Office bulletin. So kind of every channel is kind of the answer there. 
All right. So now, I haven't answered any of these so give me just one moment. Is anyone here having issues...I'll kind of ask the community on this one. Does anyone here have issues or is aware of the current month or the past five months...will not appear in search. Sorry, I can't quite parse what you're trying to say there. My apologies. We'll move to the one. "Where do we stand with up-to-date driver patches, for example, HP driver BIOS?" That's a great question. I did not have the opportunity to look for the Foreshadow bulletin, the Foreshadow advisory perhaps for the other vendors. I know when Spectre and Meltdown came up each vendor had a dedicated site with every single model and respected BIOS update. I don't have their currently available. I'll make sure to include that in our Q&A blog post. 
Wanda was asking if it's best to deploy the monthly rollup rather than security-only, but is it possible to uninstall single update from the monthly rollup? Wanda, no, it is not possible to uninstall single up from monthly rollup. It's one big one there. You can't quite go piecemeal on that. So that that is one nice way to go around the security-only. If you're only remediating those CVEs, gives you a little bit more control, lets you make sure that you're at least remediating as many of the CVEs as possible. 
Next question from Steve is about all the known issues. "We exclude many of those patches that had no issues. Can we now remove those exclusions with the latest patches to address these issues?" Just to repeat myself on that one, if you, right now, are doing, again, that security-only patching and you're only deploying security-only patches, and you approve the July ones now deployed, I don't suspect stability will be any better. That is where I'd heavily recommend bringing in those out-of-band not-securities. Todd, would you mind going back to that slide real quick? 
Todd: I'm sorry, which one was that, Brian? 
Brian: The out-of-band patches, just... 
Todd: All right. Yeah, hang on a second. 
Brian: I don't feel like I stayed on it long enough so I wanna make sure we can go over that one real quick. One more. No, one more. One more. Keep going. 
Todd: We're almost there. There we go. 
Brian: There we go. So here's the list of those piecemeal non-securities where it's only gonna fix the respective problems from July, nothing else. So if you're trying to keep it as simple as possible, that's where I'd go with that. "What are the KBs for the microcode updates that need to be imported?" We do have a link on there for the...we've shared a link for the microcode updates from Microsoft. It should be the summary of Intel microcode updates. It's a different KB for every version of Windows 10. If you're not running Windows 10, earlier OSs, you will need to look to the vendor specifically for that. Microsoft has not released any for Windows 2012 R2 or 8.1 and below. Alex, asking about is it safe to apply the July. I kinda covered that. Oh, sorry, Joe. The question's about if there are any known issues reported on that. I hadn't seen any known issues around the latest monthly release. I don't know if you saw any, Todd? 
Todd: No, I haven't. 
Brian: Okay. We haven't seen any but that doesn't mean they're not out there, to be honest. Just reaching near the end, but I'm gonna hit a few more. "We only applied security-only and saw the July fixes were non-security category. Advice on this, we should apply these non-security, are those critical and important?" We did classify those updates as Microsoft did. So I believe they're just classified as a non-security with no severity given the fact they don't have any CVEs. It's definitely a good suggestion that we could make those critical. I'll discuss that with the team, and perhaps we will do that. That's a great suggestion. Let's see. Now, I'm going to the chat. Oh, and then last question, sorry, in the Q&A. "If I deploy both the monthly rollup and security-only patches, the SCCM, which one takes effect?" That's a great question. Actually both will deploy at the same time. It's just an extra deployment. I have run through those scenarios in installing one first, the rollup first, and security-only next or vice versa. And I really haven't seen any stability problems. However, that is something you do risk by right to any deployments. 
So I'm going to the chat now. One question was, "Do you know if the bug riddled in July .NET security patches has been fixed?" Earlier in July, Microsoft did release a quality preview rollup for the .NET issues. They did not release just a piecemeal fix like they did for the OSs. So if you do apply the monthly rollup, you should ideally have that, the July .NET issues fixed. However, just like the OS, if you we do go security-only, you may not take care of that. Next question, "Windows Update offers me a OneNote patch even if I don't have it installed. Can I ignore it?" That's a really good question. So a lot of the Office updates, even though they say Word, Outlook, OneNote, etc. in the title that doesn't necessarily mean that its all they're patching. So I would highly recommend still deploying it. A lot of times, the OneNote patch doesn't just target OneNote. It can sometimes target the suite as a whole. It can target certain components within that, etc. 
Todd: And a lot of times, you'll see share DLL updates where, you know, it would affect other applications, right, Brian? 
Brian: Absolutely. One question from Delano, give me one second, "Taking into consideration..." So the question is about running a lot of different versions of OSs and kind of how long you should do testing, etc. It's a really long answer and I could ramble about that for ages. But at the least, please have a test group and make sure to patch those as soon as you can so you can get the most stability knowledge you can on it. So with multiple OS versions, yeah, every single one can behave differently, but make sure within that test cycle that you at least have one of each OS, if not more. One really nice recommendation would be within your different departments, choose one machine of your tech savvy employee that you can put that on and everything will be great. Not everything will be great, but if something does fail, that end user can let you know. So with the drivers and patches, definitely check that vendor, of course. 
I need to look at those KBs that Paul asked about so give me one moment. Brian, any additional info on needing Visuals C++ 2013 before installing Exchange 2010, the 23rd rollup? Just to kind of reiterate, all you need is just a...honestly Google Visual C++ 2013, just make sure you get the most recent version of that. And it should just be the VC Redis 32 and 64-bit. I'm not 100% sure which one is necessary, whether it's both or just the 64-bit. But once you do have that installed then you should have no issues deploying that update. There's a lot of issues about RDS with CredSSP. I haven't read of any other RDS issues. I mean, just to reiterate the CredSSP issue is if you are on a patch system and you're RDPing into an unpatched system from...just scrape my memory for a second. Was it February or March, Todd? 
Todd: Yeah, it was quite a while ago now. 
Brian: Yeah, it was earlier this year. 
Todd: It was the beginning...well, it was first quarter. I just don't remember which month exactly. 
Brian: Yeah, it first quarter. If that endpoint that you're trying to hit it doesn't have one of those updates, it will flag it as not being accessible because of a CredSSP vulnerability. There are some ways to work around that. You can ignore the CredSSP vulnerability through registry settings. I would need to find that real quick. I think I can actually find it real quick. There we go. I'm gonna copy that right into the chat. There were questions, "I have not notice the new August updates in my console yet," which you should expect them to start showing up. You should start seeing them as soon as possible. When I'm done with this, I'll make sure that all that stuff is live. But it should be all live. But if, by chance, you're not seeing it, hold tight, I will make sure it's up there. I think we're about five minutes over. 
Todd: I think we're pretty good, Brian. If we have any additional questions or questions we didn't answer here live, we typically roll those together. And Erica will post an update on the Q&A along with the slides and stuff like that on our website.  
Brian: Perfect. Well, thank you, everyone. 
Todd: Yes, thank you very much. And Chris will be joining us again next month. So those of you who missed them, he will be back. Thanks everybody. Have a good day.