June Patch Tuesday forecast: Apply updates before BlueKeep hits the streets

Can you believe it is June already? Summer is rapidly approaching, but it’s been slow to warm up our temperatures here in the US. I can’t say the same thing about the temperature in our security community – things have been hot!

The first months of 2019 have seen a record number of vulnerabilities reported and the latest, BlueKeep associated with CVE-2019-0708, has set the forums and security advisory lists on fire.

The May updates from Microsoft included the remediation for this vulnerability found on Windows 7, Windows XP, Server 2003, 2008 and 2008 R2. And yes, you read that correctly. Concern was so huge that Microsoft released public updates for XP and Server 2003. Even the NSA issued an advisory and news article warning to fix this immediately.

BlueKeep is considered a ‘wormable’ vulnerability because it does not require authentication or user interaction to exploit. As such, a worm can spread from system to system taking advantage of the vulnerability. It’s only a matter of time before the first attacks occur, as private MetaSploit modules have already been developed for demonstration.

Make sure you apply the latest updates to your legacy systems before BlueKeep hits the streets and you get an ‘I told you so!’ from your incident response and security team. For continuing updates on the BlueKeep situation as it unfolds check out our blog post.

A quick reminder that Microsoft is continuing its SHA1 to SHA2 update signing process and there are two changes planned for June 18 after Patch Tuesday. Windows 10 updates are automatic but for those customers using WSUS 3.0 SP2, KB4484071 must be manually installed to support SHA2 updates.

Looking ahead to releases for next week:

  • Google released their latest Chrome update this Wednesday, so don’t anticipate anything new.
  • Microsoft should release the usual set of updates for the legacy and Windows 10 operating systems, and of course, Office and Office 365. We saw updates for .NET, SQL and SharePoint servers last month, so we may not have many additional updates.
  • Adobe has not made any pre-announcements around Acrobat and Reader, but they have been doing some major or minor releases each month so be on the lookout.