School is back in session across most of the world, and here in the United States most students look forward to a school holiday called ‘fall break.’ While we never have a Patch Tuesday off, this may actually be a bit of a fall break for most of us because I don’t anticipate many updates this month.
Before we get into the forecast details, I’d like to provide some information about servicing stack updates (SSUs) and how they should be handled as part of the security patch process.
Servicing stack updates
The servicing stack is the Windows operating system component responsible for processing and deploying the OS and application patches/updates. Because this component is so critical to the ongoing maintenance and stability of the endpoint, Microsoft provides separate updates for the servicing stack itself in the form of SSUs.
Microsoft Advisory 990001, “Latest Servicing Stack Updates,” is a running list and commentary on the SSUs. As Microsoft points out in the advisory, updates are given a severity rating of Critical even if they may not contain any CVE fixes.
This also ensures these updates receive attention during the monthly patching cycle. SSUs had been infrequently released, but in the past few months they have been occurring more often. Last month was the first time we saw SSUs released for all operating systems.
SSUs should always be applied prior to all other updates to ensure a successful outcome. In most cases SSUs should not require a reboot, but in our testing we have seen a reboot occur. And while SSUs are strongly recommended but not specifically “required,” Microsoft states, “If you don’t install the latest servicing stack update, there’s a risk that your device can’t be updated with the latest Microsoft security fixes.” I can confirm here at Ivanti that we have seen update issues when the latest SSUs have not been applied, and the various patch forums confirm this.
The bottom line is you need to make sure you include the latest SSUs as part of your regular patch cycle. SSUs ensure a smooth update experience for both you and your users.
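One way to check the SSU-first ordering on a single endpoint before a deployment, as an added example that is not from the original post or from Microsoft: it asks the Windows Update Agent for pending updates and lists any SSUs as a separate first phase. Recognising an SSU by the phrase "Servicing Stack Update" in the update title is an assumption of this sketch, and the function name is hypothetical.

```powershell
# Added example: report pending updates in two phases so that servicing
# stack updates (SSUs) are installed before everything else.
# Assumption: an SSU is identified by "Servicing Stack Update" in its title.
$ErrorActionPreference = 'Stop'

function Split-PendingUpdates {
    # Hypothetical helper: partitions update objects by title.
    param([object[]]$Updates = @())
    $pattern = 'Servicing Stack Update'
    [pscustomobject]@{
        Ssu   = @($Updates | Where-Object { $_.Title -match $pattern })
        Other = @($Updates | Where-Object { $_.Title -notmatch $pattern })
    }
}

# Ask the Windows Update Agent for applicable updates that are not installed.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
$pending  = @($result.Updates | ForEach-Object { $_ })

$plan = Split-PendingUpdates -Updates $pending

Write-Output "Phase 1 (install first): $($plan.Ssu.Count) servicing stack update(s)"
$plan.Ssu | ForEach-Object { Write-Output "  $($_.Title)" }

Write-Output "Phase 2 (after phase 1 completes): $($plan.Other.Count) other update(s)"
$plan.Other | ForEach-Object { Write-Output "  $($_.Title)" }

# Non-zero exit lets a deployment job hold the remaining updates
# until the SSU phase has been applied.
if ($plan.Ssu.Count -gt 0) {
    Write-Warning 'Pending SSU found: apply it before the remaining updates.'
    exit 1
}
exit 0
```

Because an SSU can occasionally trigger a reboot, as noted above, re-run the check after phase 1 before starting phase 2.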
October 2019 Patch Tuesday forecast
- Expect a smaller number of Microsoft updates. We saw updates for .NET, SharePoint and Exchange in September, so there may only be a SQL update this month.
- Keep an eye out for new SSUs. They were all updated in September, but as I mentioned, Microsoft has been releasing them more often.
- The next major releases of Firefox and Chrome are due later this month, so we probably won’t have anything next week.
- Adobe Flash is the wildcard this month. We’ve only seen one security update in the last three months.