The global holiday season is upon us with Diwali happening now, Thanksgiving at the end of the month, and then on to Christmas and New Year's! But before we all start celebrating, we have November 2021 Patch Tuesday coming this week, which is an important one for many industries, particularly retail.
These updates are often the last ones installed before going into the holiday shopping season when many companies lock down their systems to prevent disruptive changes. This industry is not the only one under pressure to get systems patched, because the US federal government is also being given a mandate to update their systems in the next two weeks.
The President signed an Executive Order back in May to provide more focus on protecting federal government networks. Highlights included sharing threat information between government and private sectors, improving detection and response to security incidents, and improving remediation capabilities to known vulnerabilities.
The Wall Street Journal reported CISA was releasing a directive that would require most government agencies to address “200 known security flaws identified by cybersecurity professionals between 2017 and 2020 and an additional 90 discovered in 2021 alone that have generally been observed being used by malicious hackers” in the next two weeks. Two weeks is a quick turnaround, but hopefully most of these vulnerabilities have been remediated already via regular patching or other mitigations.
In light of the recent supply chain attacks, ongoing ransomware incidents, and continual phishing activity, this mandate should raise the bar on system security.
Vendor-supplied severity ratings and CVSS scores alone are often not enough to ensure you are focusing on the right vulnerabilities first. The fact that there are nearly 300 security vulnerabilities in the CISA priority list, and that 200 of them are two to four years old, emphasizes a need to improve how vulnerabilities are identified and prioritized.
Risk-based vulnerability management focuses on classifying assets and weighting prioritization on real-world risk indicators. This can be a challenging process, but with the proper tools in place you can quickly identify the highest-risk vulnerabilities on the most critical systems to patch first and work down the list from there.
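To show why a CVSS score on its own sorts the wrong things to the top, here is an added example (not code from the article or from any vendor) that ranks a constructed inventory using the indicators discussed above: CVSS, whether the CVE is on a known-exploited list like CISA's, the CVE's age, and the criticality of the affected asset. The weights, asset names and CVE ids are all hypothetical.

```python
from dataclasses import dataclass

# Hypothetical weights; tune them to your own environment.
ASSET_WEIGHT = {"critical": 3.0, "high": 2.0, "medium": 1.0, "low": 0.5}
KEV_BONUS = 4.0             # exploited in the wild outranks theoretical severity
STALE_BONUS_PER_YEAR = 0.5  # old, still-unpatched flaws signal a process gap


@dataclass
class Finding:
    cve: str
    cvss: float
    year: int
    asset: str
    asset_criticality: str
    known_exploited: bool


def risk_score(f: Finding, current_year: int = 2021) -> float:
    """Higher means patch sooner. CVSS is the starting point, not the answer."""
    score = f.cvss * ASSET_WEIGHT[f.asset_criticality]
    if f.known_exploited:
        score += KEV_BONUS
    score += STALE_BONUS_PER_YEAR * max(0, current_year - f.year)
    return round(score, 2)


def prioritize(findings: list[Finding]) -> list[tuple[str, str, float]]:
    """Return (cve, asset, score) tuples, first entry to be patched first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.cve, f.asset, risk_score(f)) for f in ranked]


# Constructed inventory; the CVE ids are placeholders, not real identifiers.
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, 2021, "dev-sandbox", "low", False),
    Finding("CVE-0000-0002", 7.5, 2018, "pos-gateway", "critical", True),
    Finding("CVE-0000-0003", 8.8, 2021, "hr-portal", "medium", False),
    Finding("CVE-0000-0004", 6.5, 2019, "store-db", "critical", True),
]

if __name__ == "__main__":
    # The CVSS 9.8 on a sandbox lands last; the exploited 7.5 on a
    # critical retail gateway lands first.
    for cve, asset, score in prioritize(SAMPLE):
        print(f"{score:6.2f}  {cve}  {asset}")
```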
Most companies are focused on getting all their updates out before the holidays, so expect multiple releases over the next 2-3 weeks. Here’s what’s ‘on tap’ for this Tuesday.
November 2021 Patch Tuesday forecast
- Microsoft addressed 79 unique CVEs last month and I expect that number to remain high. We had our first Windows 11 update last month and it will be interesting to see how closely the Windows 11 update reflects what is being addressed in Windows 10. With the last big push before the holidays, expect major updates for all the operating systems and applications, including the ESUs. We've not seen any legacy .NET Framework updates in a while, nor SQL Server, so carefully review all Microsoft has to offer next Tuesday.
- Adobe released security updates for almost all their products on October 26, except for Acrobat and Reader. I've not seen a prenotification on their Security Updates page, but be on the lookout for security releases for these two products next week.
- Apple has been very busy releasing security updates for all its operating systems and Safari as well. They were all updated at the end of October. In last month's forecast article, I discussed their ever-increasing number of zero-days, so make sure you keep up with these latest macOS and iOS updates. I don't expect anything new next week.
- Google released a stable channel update on Monday for Chrome OS 94.0.4606.114. Betas were released last week for both Chrome iOS and Desktop 96, so expect a stable channel release next week.
- Mozilla released security updates for Firefox 94, Firefox ESR 91.3, and Thunderbird 91.3 last week. It should be quiet from them next week, but make sure you pick up these latest updates.