October 2021 Patch Tuesday forecast: Halloween came early this year

Halloween is not until the end of the month, but there has already been a lot of scary activity leading up to this patch Tuesday. PrintNightmare and Apple zero-days are just a few that have made the news.

It’s been over three months since the vulnerabilities were announced, but PrintNightmare continues to be a scary topic of conversation. Microsoft changed the Point and Print feature functionality with their recent updates to require administrator privileges; however, while this protects against exploitation of vulnerabilities, it creates a management nightmare for the rest of us.

Discussions continue around v3 versus v4 printer drivers and how they play into the situation. Not all manufacturers have the v4 drivers so other options to install printers include special group policy preferences, use of Point and Print Restrictions to specify good/trusted print servers, or use of least privilege management tools for just-in-time installs. Regardless of the approach taken, printer management continues to be a challenge for many.

Several zero-day vulnerabilities in macOS and iOS were announced late last month. First, a vulnerability in the macOS Finder allows attackers to run remote commands which impacts all Macs including those running the latest versions of Big Sur. Second, Apple released security patches for macOS Catalina and iOS 12.5.5 last month. These patches address CVE-2021-30869 which is a vulnerability in the operating system kernel. We’ll need to watch closely to see which updates are released for the Finder vulnerability and if CVE-2021-30869 surfaces in any other versions of the operating system.

Updating iOS on mobile devices doesn’t always get the attention of macOS on laptops but needs to be addressed. These vulnerabilities are known to be exploited and offer another entry point into your infrastructure. It’s very important to have policies in place to require an update when your employee has a personal device used for work.

Windows 11 officially hit the street on Tuesday. Early indications show users having a smooth update from Windows 10. We’ll have to wait and see if Microsoft already has an update ready for next week.

October 2021 Patch Tuesday forecast

• It will be interesting to see how many CVEs Microsoft addresses in this month’s update. The count was down in September. We should see the standard operating system and ESU updates. We may be surprised with a Windows 11 update if Microsoft has been keeping up with feedback from the beta versions.
• Adobe released security updates for almost all their products last month. There have been no pre-notifications but be on the lookout for some minor security releases next week.
• I strongly expect another macOS update to address this latest Finder vulnerability. Apple released a series of updates on September 20th for iTunes, Safari and other applications. If you haven’t updated already, you should consider these in this patching cycle.
• Google released a stable channel update for Chrome OS to 94.0.4606.81 today which addresses four critical vulnerabilities. Don’t expect a security release next week.
• Mozilla released security updates for Firefox 93, Firefox ESR 78.15. And Firefox ESR 91.2 on Tuesday. I suspect we may see a Thunderbird update next week.

Don’t be scared if you see a lot of updates next week from Microsoft. It was a quiet September, so they may have some excitement in store for us. Happy Halloween!