The January 2020 Patch Tuesday was a light one as predicted; everyone was still catching up from the end-of-year holidays. As we gain momentum into February and move towards Valentine’s Day, I anticipate Microsoft, and at least Mozilla, will give plenty of love and attention to their applications and operating systems.
Microsoft had announced back in August with Advisory 190023 that they were planning several updates to their implementation of the Lightweight Directory Access Protocol (LDAP). That advisory explained the need for LDAP channel binding and LDAP signing to increase security. Originally planned for Q4 2019, Microsoft has pushed the first part of this update out to March 2020.
The company is planning a two-part rollout, with the March release paving the way for major change and enforcement later in the year. As explained in the advisory, the “Windows Updates in March 2020 add new audit events, additional logging, and a remapping of Group Policy values that will enable hardening LDAP Channel Binding and LDAP Signing.”
Microsoft delayed this until March so administrators can properly test the LDAP configuration changes. There’s been a lot of discussion on the various security forums concerning this, so factor in some extra test time next month.
Windows 7 and Server 2008/2008 R2 patches
Getting back to February Patch Tuesday, the big change will be the lack of Windows 7 and Server 2008/2008 R2 patches this month. I say that tongue-in-cheek because they will still be publicly available but require a special key to install on the endpoint; this key is issued as part of the Microsoft Extended Security Update (ESU) program.
Microsoft has made this as painless as possible to accommodate the large, remaining installed base of these systems. However, with the end of any operating system there is always some confusion and panic as reality sets in.
If you have systems you just can’t migrate or upgrade to Windows 10 yet and you don’t have a planned ESU program in place, you should consider some additional options to mitigate their security risk. Consider virtualizing some of the workload and locking down the system to run only the specific applications you need. Application control can help with this lockdown and often provides some privilege management protection as well.
You can also consider a segmentation approach, i.e. remove them from direct internet connectivity or move them to more protected parts of your network.
Finally, add on some next-gen anti-virus (AV) or endpoint detection and response (EDR) solutions for added protection. You know these systems will become targets, so due diligence is important to their protection until you can migrate them.
February 2020 Patch Tuesday forecast
- Microsoft is overdue to release some major updates, so expect them this month. We should see updates across the board with a large number of CVEs addressed in all of them. In addition to the usual OS and Office updates, we should see server updates for SharePoint, Exchange, and SQL. I don’t expect another .NET update since one was released in January, but you never know.
- Mozilla is also overdue for a set of major updates across their product lines.
- Google released major updates for Chrome this week, so we should only see a minor update, if any, on Patch Tuesday.
- Apple released their first major updates of the year last week, so similar to Google, we expect only minor updates, if any at all.
- Adobe is a bit unpredictable this month. Their last major security update for Acrobat and Reader was back in early December, so the pressure is mounting for another one. Keep an eye out for their pre-announcement bulletins and plan accordingly.
Even if we have a heavy patch release next Tuesday, make sure you set some time aside to spend with your significant other or a close friend the following Friday – Happy Valentine’s Day!