August Patch Tuesday forecast: Looking ahead after a frustrating July

Register for the upcoming webinar: Top 6 Security Needs for APIs and Serverless Apps

Approaching August Patch Tuesday, we are supposed to be in the ‘dog days’ of summer where everything slows down. Unfortunately, July was full of CVEs and stability fixes with no time to just lie around.

Microsoft itself caused a lot of the activity. July’s Patch Tuesday updates caused stability problems for Windows operating systems and applications alike. So many problems were reported that patching veteran Susan Bradley wrote an open letter to Microsoft. As Susan explains in the letter, the new update model is not working for most companies. The Insider program is not catching the problems before the patches are released.

In July, the .NET release caused many of the stability issues, so this was clearly a self-inflicted wound. Feature releases are coming rapidly, and with no control over updates and reboots, customers are growing increasingly frustrated. This was clearly captured in the survey results that Susan shared.

To top it all off, the complexity of the Spectre and Meltdown patches, coupled with the lack of clear directions on how to implement them, have pushed many customers over the edge. We’ve heard the same comments here at Ivanti from our own customers; they are not going to implement the latest channel releases until the situation improves. To quote Susan directly, “The quality of updates released in the month of July, in particular, has placed customers in a quandary: install updates and face issues with applications, or don’t install updates and leave machines subject to attack.” Thank you, Susan, for capturing and presenting this information.

We’ve also had a lot of security releases for our third-party applications in July. Oracle provided the quarterly Critical Patch Update (CPU) for all their applications on July 17. This included a Java SE update for the latest supported versions of 6 through 10. Eight CVEs were addressed; all these vulnerabilities may be remotely exploited without authentication, so get this in your monthly cycle if you haven’t already. Wireshark also released new builds on their three branches, fixing a total of 10 CVEs.

Foxit released version 9.2 of their Reader and Phantom PDF software, addressing a whopping 85 CVEs! The heavily anticipated Chrome 68 was released near the end of July with new notifications around non-https sites and we’ve already seen a second minor update. No, we’ve not had a break in the action for July, but here’s hoping we may in August.

August forecast

Let’s look ahead to our forecast for Patch Tuesday week:

  • Expect to see the usual Office and Windows operating system updates. Despite the stability issues we saw last month, there has been a steady decline in the number of CVEs addressed month after month. Maybe we will have a light update this month as well?
  • With the .NET stability issues, we might see another .NET update. I suspect they want to put these issues behind them and will be providing us with a well-tested release.
  • Adobe is joining the party with a priority 2 prenotification for Acrobat and Reader. As always, expect a Flash release with a mirrored release from Microsoft.
  • With all the third-party application updates last month, who’s left? This might be a light patch Tuesday for other vendors.

Once we get through Patch Tuesday we may actually experience a week or two of the ‘dog days.’ Let’s hope we get some time to just laze around the pool and enjoy a few weeks of the summer!