What can we expect of this March Patch Tuesday?

March is here and that means it was time for RSA Conference in San Francisco. I’ve been on the expo floor all week and I can tell you the worldwide security industry is running in high gear. With a newly remodeled and expanded Moscone conference center, RSAC managed to squeeze in an additional 170 companies this year.

Patch technology

Every security technology you can think of was represented in some form or fashion – many are mainstream but some I would consider more esoteric. As part of the Ivanti security story, and particularly security at this conference, we inevitably talked about patch technology.

It never ceases to amaze me that the majority of the people I talk to understand the importance, either admiringly or grudgingly, that this technology provides to the security of our infrastructure. (I do get a few startups that tell me doing software updates is an outdated way of securing my systems and they have a better approach. Although I wish them well, I wonder if I will see them here next year.) It is also interesting how many companies still struggle to remediate software vulnerabilities quickly.

Most companies I talk to struggle to bridge the gap between the security team and vulnerability assessments to the operations team for remediation of the vulnerabilities. The vast majority of these vulnerabilities are in software of course and the number of vulnerabilities can be quite large.

If you take February as an example, just the Microsoft and Adobe updates resolved 146 unique common vulnerabilities and exposures (CVEs). If you take just a Windows 10 system with Adobe Reader, and Office 365 running on it, there were a total of 129 unique vulnerabilities resolved in February. That does not count the other third-party updates that released around the same timeframe and should have been resolved. This means that a medium-size company with 2500 Windows 10 endpoints would have found more than 300 thousand vulnerabilities. Most companies then have to take the 300 thousand line-item report, deduplicate, map the unique CVEs back to the respective software update required to resolve them, and finally approve the updates that will remediate the vulnerabilities.

We can do that deduplication and mapping in less than a minute through an automated import process. Needless to say, we had a lot of companies anxious to start a trial of one of our patching solutions to solve a pain point that costs them about one day out of each month on average, just in research.

Speculative execution vulnerability

A new speculative execution vulnerability has been discovered this month. This is unrelated to the Spectre and Meltdown vulnerabilities and has not been addressed by any current mitigations. It is possible this vulnerability may not be fully mitigated through software. Complete architecture modification may be the only solution.

While this new vulnerability is not related to Spectre and Meltdown there has been some movement there as well recently. Google had been working on a fix called “Retpoline” that remediates these vulnerabilities while preserving performance. As you may recall there were many workloads that took as much as a 20 percent performance hit when mitigations were put in place and activated.

In response to this fix, Microsoft announced that the newest release of Windows 10 would include Retpoline, reducing the performance impact to a negligible level.

Fortunately, Windows 10 19H1 will not be the only recipient of these fixes as Microsoft has released the first Windows 10 patch, back porting Retpoline to 1809 and Server 2019. KB4482887 contains this new remediation with further details on Microsoft’s related blog post where additional configuration will be needed initially to enable this feature.

March forecast

Microsoft: We have seen a pretty steady stream of larger Patch Tuesday releases from Microsoft. Exchange and .Net Framework usually do not release every month, but we have seen them consistently for the past six months or more. Keep your fingers crossed we will see a break in this streak for March.

Adobe: Flash is all but certain. We just saw Acrobat a few weeks ago. Typically, Acrobat is a quarterly release, so it shouldn’t be due for another two months, but that’s far from certain.

Apple: The macOS beta channel has been heating up recently, so we will probably see 10.14.4 very soon. Apple is very unpredictable when it comes to exact dates though. It could be today, it could be two weeks. When they drop 10.14.4, we’ll very likely see security updates for 10.12-10.13.

Google: Google released an update resolving an actively exploited vulnerability (CVE-2019-5786). If you have not already verified all of your Google Chrome instances are updated, be certain to force updates in your patch cycle this month.

Mozilla: The next Mozilla cycle starts on March 19. We will definitely see new major versions then, but there’s always a chance of minor releases before then.