December 2019 Patch Tuesday forecast: Make sure to deploy year-end updates

Can you believe another year has passed and we’re approaching the last Patch Tuesday of the year? While I get ready to make another online gift purchase with my credit card, I can’t help but reflect on the security activity over the past twelve months. Some of these hit close to home.

The most broadcast news of the year was the exposure of personal information in over 500 million Facebook accounts. This security incident was the result of servers not properly configured, allowing open public access. This was reported in April and additional accounts were exposed in September. Proper security configuration is definitely a challenge across thousands of servers, but it is THE fundamental security requirement before dealing with software vulnerabilities.

Next up in public view was the compromise of Epic Games’ servers that hosted the wildly popular Fortnite game. This security incident back in January was the result of several software vulnerabilities being exploited, resulting in another situation where personal account information was stolen. It is estimated that the security compromise impacted over 200 million gamers worldwide.

Breaches and data loss were not limited to these two social or consumer sites. Reported breaches included Capital One and First American from the financial industry, LabCorp and Quest Diagnostics from the medical field, and the Federal Emergency Management Agency (FEMA) from the government sector. From the report estimates I’ve seen, there will be an unprecedented 5+ billion records stolen this year.

Getting back to the Patch Tuesday forecast, the big news (maybe the elephant in the room to use an old phrase) is that next month, January Patch Tuesday, we’ll see the last free update of Windows 7 and Server 2008/2008 R2. Windows 7 continues to be a popular operating system only being overtaken by Window 10 in January 2019.

Despite the approaching end-of-life, Windows 7 slowly dropped from 36% to 28% in worldwide Microsoft market share throughout the year. After that final update, a lot of consumer desktops and laptops will go unpatched until they finally stop working and are replaced. Many will be compromised, resulting in stolen personal data, but even worse they will be used for additional attacks against our corporate systems.

It will be interesting to see how this possible threat plays out in 2020. In the meantime, be aware that Microsoft has released additional guidance on preparing your Windows 7 machines for extended security updates if you continue to subscribe.

This looks like a busy Patch Tuesday coming up, so I am going to trust all of you to configure and update your systems. It’s time to buy those last presents online. Now where did I put that credit card again?

December 2019 Patch Tuesday Forecast

  • Microsoft will provide the usual round of updates including the monthly rollups and security-only patches for all the operating systems, along with Office, SharePoint server, and Internet Explorer. Based on their current track record, expect another round of service stack updates as well. We may also see a .NET update this month.
  • An update is coming for Acrobat and Reader; Adobe provided a pre-notification they will release APSB19-55 next week. The most recent security Flash release was September Patch Tuesday, so we may see a final one to close out the year, but no promises.
  • Chrome 79 is scheduled for release from Google.
  • We may see an ‘Apple Patch Tuesday,’ although they don’t always release on Tuesday, with security updates for macOS, iTunes and/or iCloud for Windows. Keep an eye on these because I suspect Apple wants to wrap up the year with up-to-date, secure software.
  • Mozilla released security updates for Firefox 71, Thunderbird 68.3 and Firefox ESR 68.3 on Monday this week. Anything released next week would be minor bugfixes, but definitely make sure you install these security fixes.

Don't miss