October 2024 Patch Tuesday forecast: Recall can be recalled

October 2024 Patch Tuesday is now live:
Microsoft patches two zero-days exploited in the wild (CVE-2024-43573, CVE-2024-43572)

October arrived, and Microsoft started the month by announcing the release of Windows 11 24H2. The preview versions of this release have been in the news due to many innovations and one controversial feature.


Windows 11 24H2 and Microsoft Recall

This OS was released in May for Microsoft’s new Copilot+ PCs, powered by a neural processing unit (NPU); several features are unique to that platform. Now available for systems that meet the hardware requirements, it includes many new security features, including SMB protocol and firewall rule changes, personal data encryption for folders, and support for the SHA-3 family of algorithms from the National Institute of Standards and Technology (NIST), to name a few.

The controversial Recall feature, which uses AI technology to retrieve previous activity on the machine, has updated security and privacy controls, and there is also an option to remove it entirely. This update is a complete OS replacement, so there is no enablement package option from previous versions of Windows 11.

This release also introduces Windows 11 Enterprise LTSC 2024, which follows the last LTSC release, Windows 10 Enterprise LTSC 2021. Windows Server 2025 has yet to debut, but it is expected to be released in conjunction with Ignite 2024, which is coming in November.

Checkpoint cumulative updates

Microsoft introduced ‘checkpoint cumulative updates’ in this version of Windows 11. These consist of smaller monthly cumulative updates followed by a periodic checkpoint update that rolls up the previous monthly updates. After each checkpoint, the monthly cumulative updates, or ‘differentials’ from the checkpoint update, as Microsoft calls them, will begin anew in the form of much smaller files.

The important takeaway is that the Windows update process will handle all these files for us and use less bandwidth and storage space. Over the years, we’ve seen several changes in update strategy, so we’ll have to see how this one plays out.

Passwords

The second public draft of NIST Special Publication 800-63B, Authentication and Authenticator Management, drops mandatory reset and password complexity rules.

This brings to light practical guidance that longer, simpler passwords are more secure and easier to remember for most users and that password churn in the form of frequent resets only results in users choosing weaker passwords so they can remember them. Resets should be tied to security events that warrant them. This is the second public draft, and if you would like to comment on this, you only have until October 7.

Last month’s updates

September 2024 Patch Tuesday provided updates addressing 31 CVEs in Windows 11 and 45 CVEs in Windows 10. Four known exploited zero-day vulnerabilities were reported in the group; three were in the operating systems, and one was in Microsoft Publisher in the Office suite.

The usual Microsoft Office and SharePoint Server updates and a Microsoft SQL Server release were there. Unfortunately, they introduced an issue with the dual-boot setup, which prevented almost all operating systems from booting into Linux. The final updates for Windows 11 21H2 Enterprise and Education versions and Windows 11 22H2 Home and Professional are coming next week. Yes, the first versions of Windows 11 are already reaching their EOL!

October 2024 Patch Tuesday forecast

  • The usual updates are expected from Microsoft, including one for the new Windows 11 24H2. Keep in mind the first release for the Copilot+ PCs came out back in May, so the new update may not apply to the new RTM – we’ll see.
  • Adobe released a minor security update for Acrobat and Reader last Patch Tuesday, so I don’t expect any updates this month.
  • Apple released major OS and application security updates on September 16th. Barring any major issues, the next security releases should come in November.
  • The next stable channel updates for Google Chrome are expected next Tuesday, as usual.
  • Mozilla released their regular security updates for all their products on October 1. Don’t expect any major updates next week.

This should be a pretty easy October 2024 Patch Tuesday with only Microsoft and Google in the forecast. It may be a good time to get familiar with the new Windows 11 24H2, as your users will ask for it soon enough.
