December Patch Tuesday forecast: Let it snow, let it snow, let it snow

Get a copy of the upcoming book "Secure Operations Technology"

Grab your shovels, dust off the snow blower, and bundle up. The way patches are accumulating this month is making me think of winter in Minnesota. I’m talking about the kind where the snow flurries start and stop so many times over the course of a few weeks, you suddenly realize there is a lot of snow out there! So the question is, do you shovel in small amounts when there are breaks in the flurries or wait for it to accumulate and do it all at once? If some sleet is mixed in, you have a risky layer that could cause issues when a few light layers of powdery snow fall on top of it. Unsuspecting pedestrians and drivers may find a slippery patch.

Ooooh I like this analogy! Sadly it’s a little close to reality for us up in Minnesota. OK let’s take this theme into our forecast for December Patch Tuesday. We have a lot of accumulation leading up to Patch Tuesday that you will want to be aware of before the big storm hits.

Accumulation

Our first nasty icy\sleet layer came on November 20. We had a Google Chrome release that resolved a high severity vulnerability and a Flash zero-day (CVE-2018-15981), resolved in APSB18-44, that has been seen in live exploits by crafting a Flash .swf file to take advantage of the vulnerability and install malware.

On November 21 Microsoft heaped a re-released Windows 10 1809 and Server 2019, hiding that first icy layer.

The week of November 26 saw a flurry of VMware releases and a few more inches of Microsoft non-security accumulation.

December 5 had another icy layer from Flash with an additional zero-day vulnerability (CVE-2018-15982), resolved in APSB18-42, that has been observed in a widespread campaign that was exploited through ActiveX embedded in a Microsoft Office document.

December Patch Tuesday forecast

Let’s look ahead to our forecast for Patch Tuesday week:

  • Adobe has pre-announced APSB18-41, which is an Adobe Acrobat and Reader update for Patch Tuesday. So you can expect at least one update from Adobe, but possibly not a Flash update since we just had two in the span of a week and a half.
  • From Microsoft you can expect the normal OS updates, browser updates, and very likely Office, which typically means SharePoint as well.
  • There is a possible chance of some other Microsoft updates like .Net Framework, as we have not seen .Net on Patch Tuesday since August.
  • Another possibility from Microsoft would be Exchange. We have seen an Exchange update for the past three months. Will the trend continue?