Take Advantage of Your August Patch Tuesday Break
By Chris Goettl, Director of Product Management, Security, Ivanti
August Patch Tuesday was a pleasant relief after the massive release of updates in July. But don’t sit in your lawn chair and open that cold beverage just yet; you still have some things to do before you rest comfortably.
Microsoft provided a light set of operating system and application security updates. On the operating system side, we see 35 CVEs addressed for Server 2008 up through 78 CVEs for the latest Windows 10 updates. There are the updates for Office and SharePoint, but that’s about it. Microsoft has no Adobe Flash Player update this month either!
Microsoft resolved a total of 93 unique CVEs this month, but surprisingly there are NO zero-days OR publicly disclosed vulnerabilities! It has been a long time since I remember that happening. Glancing through the list, I do see a lot of RDP vulnerabilities this month so make sure you apply these updates soon. Microsoft calls out two CVEs, in particular, CVE-2019-1181 and -1182, in their Response Center this month which could be exploited via a worm attack. All of the operating system updates are rated priority 1 due to critical vulnerability ratings and the possibility of remote code execution.
One vulnerability of interest is (CVE-2019-9506) titled Encryption Key Negotiation of Bluetooth Vulnerability. CERT/CC has issued CVE-2019-9506 and VU#918987 for this tampering vulnerability, which has a CVSS score of 9.3. It requires specialized hardware to exploit but can allow wireless access and disruption within Bluetooth range of the device being attacked. Microsoft provided an update to address the issue, but the new functionality is disabled by default. You must enable the functionality by setting a flag in the registry. Check out the KB for more details.
Microsoft may have had a slow day, but Adobe released 8 updates. If you are a Creative Cloud or Experience Manager user be sure to review the bulletins because several are rated Critical. Adobe also released updates for Acrobat and the more common Acrobat Reader with details under APSB19-41. This update for both Windows and macOS fixes 76 vulnerabilities which are all rated as Important. There are updates for the Continuous, Classic 2015, and Classic 2017 versions of the products. There was also a non-security update for Flash, but it was not included with the release from Microsoft.
With a light patch load this month, it may be a good time to revisit the asset inventory of systems you are patching. We often set up our patch groups of systems and go through the motions each month of applying the latest patches, but we may be missing the bigger picture. IT organizations are often dispersed and the systems they support are constantly changing. Without ongoing communication across the organization or dynamic settings in your patch products, you may be missing many machines that need updates. The good news is the patch tools we use each month have extensive discovery features and can help identify the latest systems on the network. Likewise, there are a whole host of network and system tools you can use. Don’t forget to coordinate with your security operations team. The vulnerability scanners they use have built-in discovery as well.
Armed with a consolidated list of systems on your network from all these sources, you can confirm your patch groups are up-to-date and investigate any suspicious devices you may have discovered. Finally, with an updated asset inventory and your patches all applied, you can now relax, enjoy the sun, and open that cold beverage!
About the Author
Chris Goettl is the director of product management, security, Ivanti. Chris is a strong industry voice with more than 10 years of experience in supporting, implementing, and training IT Admins on how to implement strong patching processes. He hosts a monthly Patch Tuesday webinar, blogs on vulnerability and related software security topics, and his commentary is often quoted as a security expert in the media. Chris can be reached on Twitter @ChrisGoettl and at Ivanti’s website: www.ivanti.com.