December 2020 Patch Tuesday forecast: Always consider the risk

The final Patch Tuesday of the year is upon us and what a year it has been. Forcing many changes this year, the pandemic has impacted the way we conduct both security and IT operations. But even with the need to support remote operations and new applications that enable coordinated communication, one important aspect has not changed – the need to focus on security risk.

It’s easy to get consumed with troubleshooting performance issues, updating applications to provide the latest features, and other similar day-to-day activities, which can result in losing track of maintaining security of our systems.

In this monthly column, I focus on Microsoft updates and some of the more commonly used applications that require frequent security releases such as Adobe Reader, Google Chrome, Mozilla Firefox, etc. But we need to keep in mind that periodic updates are being released for all the applications we use and many of those updates include critical security fixes for vulnerabilities that are being exploited.

Very few (if any) of us are in a position to instantly update all the systems in our organizations, so we need to prioritize what needs to be updated first, and that should be driven by risk.

Risk is an interesting concept, because determining if one system is at a higher security risk than another can depend on many factors, which vary not only from company to company, but may change across departments within the same company.

We think about risk in general terms with regards to the importance of the system to the company’s business, the vulnerability state of the system, and the threat to the system. Each of these can be further broken down into factors of importance for the company. For example, we think of vulnerability state in relationship to factors such as patch state, configuration state, password compliance, user privileges, etc. These are just a few of the factors in one small area that can be used for risk determination.

Many companies and tools are available to help you, or maybe you have your own process already in place to determine risk and prioritize system updates.

Coming back to vulnerabilities in software and the need to patch, I’d like to point out a recent report from the NSA which itemizes a series of vulnerabilities being actively exploited. You’ll notice a wide range of vulnerabilities. Several like the Netlogon, have been in the news.

A wide range of impacted software, operating systems, VPNs and other security products are included as well. Please review and carefully consider this information as part of your next risk assessment as you prioritize your December updates.

December 2020 Patch Tuesday forecast

• Expect a smaller but standard set of Microsoft operating system updates this month. We should see the usual monthly rollup and security-only patches for the older operating systems, including the extended security updates (ESU) for Windows 7 and Server 2008. Windows 10 will include the latest 20H2 update. These updates should be smaller, in terms of CVEs, because we had the Thanksgiving holiday here in the US limiting development time. Office, Microsoft 365, and the associated SharePoint server updates will be included as well.
• Adobe released updates for Acrobat and Reader as part of APSB20-67 this week, so there shouldn’t be anything new next week. We may see a final update to Adobe Flash Player as it reaches end-of-life. Be on the lookout if you require Flash in your environment.
• Nothing is expected from Apple next week. A security update for iTunes was released mid-November and an iCloud update was issued this week. We could see a security update for macOS Big Sur later this month in advance of the holidays, the last update was in mid-November.
• Google Chrome was updated to 87.0.4280.88 for Windows, Mac and Linux this week, but we should always expect new updates each week.
• Mozilla Thunderbird was updated this week, so a Firefox and Firefox ESR update will be coming soon.

It looks like a light December Patch Tuesday to wrap up the year. If you’ve been struggling to keep up, you may want to reassess your prioritization and make sure you have characterized your risk properly.