Summer vacations are coming to a close and, for many, the children are finally going back to school providing some quiet time. I hope everyone is well rested because the fall is already shaping up to be a busy time. Microsoft has released Server 2022 and Windows 11 is coming in October. Apple also has the beta available for the next version of macOS. But let’s start by focusing on a new Office vulnerability before next week’s Patch Tuesday.
Microsoft announced the presence of CVE-2021-40444 on Wednesday; this vulnerability is reported both Publicly Disclosed and Known Exploited. The vulnerability allows for remote code execution via MSHTML, a component used by Internet Explorer and Office.
Microsoft included a detailed workaround to disable the installation of all ActiveX controls in Internet Explorer which will mitigate this attack. Watch for an update next week that addresses this vulnerability otherwise you will need to consider this mitigation to address the issue in the short term until a fix is released. The CVSS 3.0 score is 8.8.
Windows Server 20222
Microsoft very quietly released Windows Server 2022 to production on August 18. The release was officially confirmed on September 1. Looking at the Lifecycle support page, we see mainstream support ending on Oct. 13, 2026 and extended support in October 2031.
Per the blog, this new release provides a ‘secured-core’ allowing tighter integration with hardware, firmware, and drivers for added security. “The new release adds faster and more secure encrypted hypertext transfer protocol secure (HTTPS) and industry-standard AES-256 encryption with support for server message block (SMB) protocol.” The focus for this release appears to be on the Azure Datacenter Edition providing extensive scalability and enhanced containerization support.
The uptake of workstation operating systems may be fast or slow depending upon your company policies and the industry you support. Regardless, Windows 11 is coming October 5 so we need to be prepared one way or another. This new OS is still based on Windows 10 but will have some security features of its own.
macOS 12 Monterey
The public beta of macOS 12 Monterey was released August 31 so Apple is on track for an official release later this fall. It also has some security features added for data privacy. In addition to your standard patch routines, you need to include Microsoft Server 2022 now and plan to add Windows 11 and macOS 12 in the near future. You don’t want to be caught without patch support when they hit the shelves.
September 2021 Patch Tuesday forecast
- I expect a limited number of CVEs addressed this month across all the operating systems as Microsoft comes back from final summer vacation. We’re now past the half-way point for the Extended Security Updates (ESUs) for Windows 7 and Server 2008/2008 R2 so anyone running these operating systems should be working on an upgrade scheme. With CVE-2021-40444 announced, we should definitely see an Internet Explorer update.
- Adobe Acrobat and Reader will be updated next week as Adobe provided a Prenotification Security Advisory APSB21-55.
- Don’t expect any Apple updates next week. iTunes, iCloud, and macOS Big Sur 11 were all updated in mid-August. If you haven’t updated your systems, you should consider these in your upcoming patching cycle.
- Google released a stable channel update for Chrome OS to 93.0.4577.69 on September 8th and several beta channel updates for other products this week so don’t expect a security release next week.
- Mozilla had a field day on September 7 releasing updates for Thunderbird 78 and 91, Firefox ESR 78 and 91, and Firefox 92. If you haven’t already distributed these security updates, factor them into your next patch cycle.
This should be a fairly easy September Patch Tuesday but enjoy the calm before the storm. Software updates typically pick up in October and November prior to the end-of-year holidays and we also need to factor in adding support for the release of all these new operating systems.