August 2021 Patch Tuesday forecast: Dealing with emergency patching
The PrintNightmare print spooler vulnerability, CVE-2021-34527, caused a lot of excitement last month. If you’re still in an active patch cycle, ensure you install the latest cumulative (or monthly rollup) to address this vulnerability.
If you use Microsoft’s security only updates each month, be sure to include the security only out-of-band updates for your operating systems, because they must be installed for the PrintNightmare fix; they were not included in the Patch Tuesday set of security only updates. Extended Security Updates were provided for Windows 7 and Server 2008/2008 R2, but only if you purchased this service.
The release of zero-day updates, particularly one of this magnitude, provides an excellent opportunity to validate your emergency patching policies and procedures. If last month you were ‘running around with your hair on fire’ as the saying goes, now is the time to plan for the next issue because it is sure to come.
First, you must have a company policy in place which must be negotiated with and agreed upon by your security and legal teams. Some of the factors to consider include your company timeline to install the fixes throughout your network, a risk-based approach to protect the most critical systems, required coordination of activity, and so forth.
The first inclination of the security team is often to roll the updates out immediately, but that can often have a devastating impact on the overall business if the patches don’t perform as anticipated. You must have a trusted and validated process or procedure in place. From a best practices approach, many companies treat emergency patching as an accelerated version of the monthly patch cycle.
The updates are rolled out into a test environment consisting of systems configured to mirror the most critical or the most ‘patch sensitive’ to see how they perform. Once the known issues, if any, are identified you can roll the critical patch out to similar systems in your production environment.
In parallel or series depending upon your company’s capabilities, you repeat the process for a ‘phase 2’ set of less critical systems and so forth. While your normal monthly patch cycle may take 2 weeks of testing, you are usually only testing a single update here, so an accepted observation period may be just 2 days before the live rollout.
The important elements are that you know what to expect when the critical updates are installed, and you know how to respond if something doesn’t go as planned. Again, your company policy and procedure should support each other as the IT operations and security teams work together to secure your environment. There will always be exceptions but working from established procedures is much more comfortable than panicking when an emergency situation like the PrintNightmare vulnerability arises.
The July 2021 Patch Tuesday was an active one with 84 CVEs addressed in Windows 10 including 3 zero-days and 5 publicly disclosed vulnerabilities. I expect a smaller set of updates with fewer CVEs addressed this month as we are in the family vacation season and this year people are taking advantage of it.
One thing to make note of this month is Microsoft is going to enable an application control feature that will block potentially unwanted applications (PUAs). They quietly introduced this feature back in May and made this announcement concerning its enablement in the upcoming August updates. Just a ‘heads up’ in case you start to get calls from your users their personal applications are not working properly. The settings for this feature can be found in the Windows Security setting screen. Selecting Reputation-based protection settings under App & browser control, provides your configuration options.
Don’t forget, Windows 11 was officially announced on June 24. Although the announcement mentioned it would be released around the holidays, early indications are that it will come as early as October which is in line with the new versions of Windows 10 released in the past.
August 2021 Patch Tuesday forecast
- Nothing out of the ordinary on operating system and application support this month, although I predict the number CVEs addressed this month will drop well below last month. In addition to the regular supported operating systems, the Extended Security Updates (ESUs) for Windows 7 and Server 2008/2008 R2 will be released as usual. Internet Explorer updates are now a regular occurrence so expect another set this month.
- I don’t know what to say about a SQL server or .NET framework update any more. It’s been a while so be on the lookout just in case they show up.
- Adobe provided updates on July 20th for many of its applications and have not listed a pre-announcement for Acrobat and Reader. It should be a quiet week for them.
- Apple released security updates for the Big Sur, Mojave, and Catalina operating systems at the end of July so install those as soon as possible. We may see an iTunes or an iCloud security update sometime soon.
- Google released a stable channel update for Chrome OS to 92.0.4515.130 on August 2nd and several beta channel updates for other products this week so don’t expect a security release next week.
- Mozilla last provided security updates for Firefox and Thunderbird on July Patch Tuesday, so I think we will get a new set next week.
Take some time to do a retrospective on your handling of the PrintNightmare updates. Did your emergency patch procedures work as planned? Did you meet all your company’s security policy expectations? If not, now is the time to make some adjustments as needed. The next emergency patch situation could be just around the corner.