Every day you look in the security news, there are reports of new ransomware attacks. Just after May Patch Tuesday we heard about the Colonial Pipeline attack, and this week JBS USA, a major beef producer, was attacked as well.
These are just two of the major incidents to make the news, but there are many, many more. Threat actors are opportunists, and there are some interesting statistics to show that there have been shifts in attack vectors — making patch management more important than ever.
Everyone was looking for information about the virus and the development of a vaccine when the COVID-19 pandemic began in early 2020. You may recall that email phishing attacks were so rampant that the US Department of Homeland Security and similar organizations worldwide were releasing warning statements to carefully review or delete any email that was suspicious or had suspicious attachments.
The use of BlueKeep and other remote desktop protocol (RDP) vulnerabilities continues to be a major source of intrusion into many systems, despite Microsoft continuing to release updates. But there has been an interesting shift in the attack vectors used by threat actors against small to medium-sized companies.
As I mentioned, threat actors are opportunists, and the attack vector of choice has switched from phishing and RDP compromise to general vulnerability exploitation. This information can be seen in a chart by Coveware. Patch management continues to be a critical security process to protect against vulnerabilities exploited by phishing, RDP access, and general attack tools.
May Patch Tuesday was a definite lull for Microsoft after the many vulnerabilities that were addressed in April. There were only 26 CVEs addressed in all the Windows 10 component updates. Windows 10 1803 and 1809, as well as Windows Server 1909, reached end of support with the May release. You should update to newer versions as soon as possible.
Speaking of newer versions, Windows 10 21H1 was released on May 18 without a lot of fanfare. This release now bundles the servicing stack updates (SSU) and the latest cumulative updates (LCU) into a single package. This release is primarily a security and minor feature update for Windows 10 20H2; the next major feature update will be released this fall in Windows 10 21H2. I am forecasting a typical set of Microsoft releases this month.
June 2021 Patch Tuesday forecast
- We should see an uptick in the number of CVEs addressed this month in all the supported operating systems; after all, there are now fewer versions of Windows 10 to update. The Extended Security Updates (ESUs) for Windows 7 and Server 2008/2008 R2 will be released as usual. We had an Internet Explorer update last month, but those have been occurring less frequently.
- SSU releases have slowed down recently and appear to have stabilized for the legacy operating systems. We will see one or two this month.
- SharePoint Server and Microsoft Office will get their usual set of updates. We are overdue for a SQL Server update.
- Adobe has a pre-announcement for APSB21-37 for Adobe Acrobat and Reader which will be released next Tuesday.
- Apple released security updates for Mojave, Catalina, and Big Sur on May 24 that addressed a zero-day vulnerability allowing screenshots of your desktop. Ensure you have installed those updates; otherwise I don’t expect any new updates next week from Apple.
- Google released a stable channel update for Chrome 91.0.4472.81 on June 2. It is unlikely we’ll see a security release next week.
- Mozilla released security updates for Firefox 89, Firefox ESR 78.11, and Thunderbird 78.11 this week; no updates next week.
It should be a simple Patch Tuesday with just Microsoft and Adobe releasing their standard updates next week, so use this break to update all your operating systems and applications with the latest security releases. With ransomware on the rise, patch management is back in the spotlight this month and critical to keeping your systems protected.