Patch management is kind of like fireworks around the fourth of July. Momentary excitement with lulls that repeat several times until the culminate in a finale! Well there are a number of patches that come out a little at a time with a few days between and then a whole bunch all in one day.
Let’s ooo and ahh at some of the patches leading up to Patch Tuesday and guess at the finale:
- We saw some browser releases for Chrome and Firefox in the last week of June so there a chance that we will not see either this week.
- Adobe released updates for Acrobat and Reader in May, so there is an outside chance for those, but likely another month until we see the next round of updates there.
- Flash Player is a near guarantee this Tuesday.
- For Microsoft you can expect OS updates, Office, IE, and probably one or two other updates for SharePoint, .Net, SQL or Exchange. I don’t know about the fireworks display near you, but in my home town they always save a couple and launch them 5 minutes after the finally just to make you all look one last time.
- Oracle will be playing that last short burst here on July 17th with their Quarterly CPU, so wait for them because there are usually a few good ones. Expect a Java update along with many others.
Another set of updates that are lingering out there are the are the firmware updates that you need to be sure have been applied to all of your systems after June’s round of updates adding mitigation for Spectre Variant 4 (CVE-2018-3639) vulnerabilities. This was the series of 8 additional Spectre vulnerabilities discovered a few weeks ago that allow for Speculative Store Bypass.
Similar to the last round of Meltdown and Spectre fixes the updated guidance from Microsoft is to apply the OS updates, apply latest microcode\firmware updates, evaluate if the new variant is a concern for your environment and if so turn on mitigation for Variant 4. They do warn about the possibility of performance impact once again, so be sure to test for impacts after enabling the new mitigation.