October Patch Tuesday: Changes, urgent updates and what’s coming next
The leaves aren't the only things changing this October. Patch Tuesday is here, and with it come some interesting updates from big names in the software space. This month, Microsoft delivered its first updates under the new servicing model, Adobe changed how Flash Player is distributed and announced that this is the last month of updates for the Extended Support Release (ESR) branch of Flash Player, and in the next week or so Oracle will publish its Quarterly Critical Patch Update.
What changed this Patch Tuesday
Microsoft has officially released its first delivery under the new servicing model, and there’s still some uncertainty about how the changes will affect organizations.
Together with LANDESK CSO Phil Richards, we made a few predictions about what the new model will bring. First, while well intentioned, Microsoft's change will affect many companies and in some cases force difficult decisions. Application compatibility looks to be the most significant issue: because fixes now arrive as a single bundle, you can no longer hold back one problematic update and take the rest. Most companies already know which of their products are sensitive to updates, so the proactive move is to contact those vendors now and confirm they understand the changes and their ramifications. The changes will force some hard choices, but with planning and compensating security controls, companies can work through them.
Microsoft isn't the only one making modifications; Adobe has changed how Flash Player is made available for distribution. This adjustment has been looming for some time. We first heard rumors of the change in late 2015; since then, Adobe pushed the date several times, finally landing on September 29, 2016. Upon visiting the distribution page, users now see two options: one for consumers, the other for enterprise customers looking for a redistribution license. I personally tested the enterprise option and found the process to be quick and painless. In no time, I was approved to receive additional details on how to access the enterprise-ready version of Flash Player for distribution in corporate environments.
On top of Microsoft and Adobe's news, Oracle will release its Quarterly Critical Patch Update (CPU) this month. Unlike the other two software titans, Oracle eschews Patch Tuesday and instead releases on the following Tuesday. This October, that means Tuesday, October 18, 2016. The importance of the Oracle CPU can't be overstated: it regularly brings fixes for seriously damaging vulnerabilities. July's JRE release is a good example.
The July JRE update included 13 security fixes, nine of which were remotely exploitable without authentication. Four of them carried a CVSS v3 base score of 9.6 (Oracle scores with CVSS v3; 9.6 is not a possible v2 base score): exploitable remotely without authentication, low attack complexity (meaning easier to exploit), and high impact on confidentiality, integrity and availability. By the analysis in Verizon's 2015 Data Breach Investigations Report, these fit the profile of vulnerabilities likely to be exploited within two weeks of the vendor's release.
How to handle the new Microsoft servicing model
With so much coming down the pipeline, it's worth considering different scenarios and settling on a plan of action for this month and beyond. There's no one-size-fits-all solution, but here are some tips for managing the latest updates:
For systems currently in operation: Test and roll out the October Security Bundle, which includes the updates for IE and the OS in a single package. This package contains only security updates and is not cumulative. In other words, if you have to hold back October's bundle for some reason, you can still apply November's Security Bundle without it forcing October's onto the system. Still, expect to take the Security Bundle every month until you reach a point where a non-security fix (a bug fix you need) forces you onto the Cumulative Rollup, which, being cumulative, brings along everything you skipped.
For new systems built after the Servicing Model change: Start with the cumulative rollup until it hits an exception. At that point, switch those systems to the Security Bundle until the issue that caused the exception is resolved, then resume applying the cumulative rollup.
A good rule of thumb: Finally, I want to re-emphasize a tip I shared last month: expand your pilot group for application compatibility testing. Wrangling power users from different parts of your organization who rely on business-critical apps will help you validate these larger bundles of updates and catch any impact early in the test process.
Many organizations have test systems but only use them to validate high-level functions such as logging in and basic data rendering. The reality is that issues can surface deeper in legacy apps, for example when rendering PDFs or printing documents. This year alone we've seen PDF and GDI updates from Microsoft nearly every month. These components are updated so often because they are high-profile targets for user-centric attacks such as phishing. It's worth repeating: an exploit against a user is often the first point of entry into a company's network.
What needs urgent attention
MS16-118 is a critical update for Internet Explorer. This bulletin resolves 11 vulnerabilities, including one being exploited in the wild (CVE-2016-3298). Several of the vulnerabilities in this bulletin are user targeted, meaning the attacker has to convince a user to open specially crafted web content. The impact of several of them is also reduced if the user is not running as a full administrator: the attacker gains only the rights of that user.
MS16-119 is a critical update for the Edge browser. This bulletin resolves 13 vulnerabilities, including one being exploited in the wild (CVE-2016-7189). Many of the vulnerabilities resolved in this bulletin are user targeted. As explained above, an attacker who successfully exploited them would gain the same rights as the current user, so accounts configured with fewer rights on the system are less exposed than users with administrative rights.
MS16-120 is a critical update for the .NET Framework, Office, Skype for Business, Lync and Silverlight. The bulletin resolves seven vulnerabilities, including one being exploited in the wild (CVE-2016-3393). Several are user targeted: an attacker hosts specially crafted web content or sends a crafted document designed to trigger them. One of the vulnerabilities (CVE-2016-3396) can also be triggered through the Outlook Preview Pane, so the user need not even open the message. Running with reduced privileges limits the impact if exploited.
MS16-121 is an important update for Office. The bulletin resolves one vulnerability, which is being exploited in the wild (CVE-2016-7193). An attacker could exploit it by sending a specially crafted file through email or by hosting specially crafted web content. Running with reduced privileges limits the impact if exploited.
MS16-122 is a critical update for Windows. The bulletin resolves one vulnerability. An attacker could exploit it by convincing a user to open a specially crafted file from a webpage or an email message; the Outlook Preview Pane is an attack vector here as well. Again, running with reduced privileges limits the impact if exploited.
MS16-126 is a moderate update for Windows. The bulletin resolves one vulnerability, which is being exploited in the wild (CVE-2016-3298). This is the same CVE as the exploited vulnerability in MS16-118 for Internet Explorer. To fully resolve it, both MS16-118 and MS16-126 must be installed. On Windows Vista and Server 2008, that means installing two separate packages; on newer OSes, both are included in the security-only or security rollup package, so verify that the package actually applied before considering the CVE closed.
MS16-127 is a critical update for Flash Player for Internet Explorer. It resolves 12 vulnerabilities in the Adobe Flash Player plug-in for Internet Explorer. To fully resolve Flash Player vulnerabilities, you must update every Flash component present: the standalone Flash Player, Flash for IE, Flash for Chrome and Flash for Firefox, which can mean several installable updates on a single system.
APSB16-32 is a priority 1 update for Adobe Flash Player. This update resolves 12 vulnerabilities. Many of them are user targeted and, if exploited, could allow an attacker to take control of the affected system.
As a reminder, Oracle will release on October 18, 2016, so expect a critical update for Java, as well as many other Oracle solutions.
It has been nearly a month since the last Google Chrome release on September 15, 2016. Google re-released late in the month, but with only a minor change. The Beta Channel for Desktop was updated last week, so a stable update is imminent.