August 2020 Patch Tuesday forecast: Planning for the end?

There doesn’t seem to be an end in sight to the COVID-19 crisis, but there are some important end-of-life/end-of-support dates we should be aware of when it comes to software.

Before we dig into this month’s forecast of updates, I want to spend a little time on the importance of planning ahead to avoid the high costs associated with extended support contracts, or sometimes worse, modifying your network environment to mitigate risks.

Remember when Windows XP end-of-life was a ‘date on the horizon’ that you would deal with when it got closer? Suddenly Windows 7 has reached the same point. In fact, we’ve just gone over the six-month point in the first year of Extended Support Updates for Windows 7 and Server 2008.

The operational lifespan of an operating system version is shrinking, and the model has changed as Microsoft moved to the software-as-a-service model for Windows 10. It is imperative we keep track of critical dates associated with both operating systems and applications in order to maintain a functional work environment.

Microsoft has extended the support dates on a few operating systems, but those dates are rapidly approaching. The Enterprise and Education editions of Windows 10 versions 1709 and 1803 reach end of service in October and November respectively this year. The Home and Professional editions of Windows 10 version 1809 reach end-of-service in November as well. Double check your applications to ensure compatibility as you make the operating system upgrades on these systems – you only have 2-3 months left!

We have a little breathing room for the remaining non-Windows 10 operating systems. Both Windows 8.1 and the Server 2012 variations reach their end-of-extended-support in October 2023. Once we reach that point in time, we’ll only have Windows 10 left (or the latest new operating system from Microsoft).

There will be situations where you’ll reach the end of support and there won’t be new patches for the system, but you need to maintain the operating systems and their legacy applications to meet business needs. You’ll need to look at other options to mitigate the security risks introduced by these increasingly vulnerable systems.

Consider virtualization or locking down the system to run only the specific applications you need. Electronic separation is another option—moving them from direct internet connectivity or into more protected parts of your network. Heightened monitoring through next-gen antivirus or endpoint detection and response solutions can also provide added protection. Choose what works best for you but have a plan and timeline in place for their replacement.

My forecast last month was accurate with regards to record numbers of CVEs addressed. I don’t believe we’ll see this sustained growth but expect a higher than average number to be addressed again this month.

August 2020 Patch Tuesday forecast

• Expect a normal set of operating system and application updates, including ESUs, from Microsoft. I’ve been anticipating a SQL server or Exchange server update, so maybe it will happen this month?
• Every operating system received a service stack update (SSU) last month. We may get a break here next week.
• In keeping with the ‘planning for the end’ theme this month, Adobe Flash reaches end-of-life at the end of the year. Plan accordingly because a lot of applications still rely on Flash. Adobe may be giving Flash extra attention as we near the end of its life, so be on the lookout.
• We have a pre-notification from Adobe that APSB20-48 for Acrobat and Reader should release on patch Tuesday.
• Apple released security update 12.10.8 for Windows iTunes at the end of July. We could see a similar update for iCloud this week.
• Google Chrome 85 is in the beta channel and may be released next week.
• Mozilla provided security updates for Firefox 79, Firefox 68 ESR and 78 ESR, as well as Thunderbird 68 and 78 the last week of July. There is a small possibility of a minor security update for some of these applications next week.

The days of sitting on an operating system for 5-10 years with just patching are gone. Patching remains critical for the tactical protection of your systems, but strategic planning for the ongoing upgrades of operating systems and applications is the key to their long-term stability and security.