I can’t believe that the end of 2021 is already in sight, and looking backwards, I have to say we’ve had our share of interesting events. If I had to characterize it from a security perspective, I’d say this is the year of supply chain attacks. Prior to January, most of us had rarely heard that term, but then Solarwinds, Kaseya, and others were in the news and we heard it throughout the year.
Striking a little closer to home, we’ve all had to deal with PrintNightmare, including the vulnerabilities and the string of software updates and configuration changes needed to deal with it. The news has died down, but it was a hot topic of discussion from June into September. Let’s hope for a few quiet weeks to wrap up the year through the holidays.
I mentioned last month the Cybersecurity and Infrastructure Security Agency released a list of some 200 vulnerabilities which needed to be addressed by federal civilian agencies in just two short weeks. This list, part of Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, has been expanded and now provides additional deadlines reaching out to May 2022 for the added ones to be addressed.
But this directive does much more than just require systems to be updated to fix the vulnerabilities. To paraphrase the directive, the impacted agencies must also have policies in place to a) establish a process to manage the vulnerabilities, b) assign personnel to manage that process, c) identify actions to execute the process, d) establish validation and enforcement of the process, and e) provide tracking and reporting of the process.
While there are older vulnerabilities dating back to 2014, most of these vulnerabilities are from 2020-2021, and updating an entire organization can take months of planning and execution if you don’t have an efficient patch management infrastructure in place.
Two of the best sources of information for such an infrastructure can be found in the Center for Information Security (CIS) 18 Critical Security Controls and the NIST Cybersecurity Framework. These documents can help you combine policies, procedures, and the software of your choice into a comprehensive security program tailored for your organization. You can also choose to tactically address a smaller function, such as patch and remediation, and slowly add on other aspects such as account management, data recovery, disaster recovery, and so forth.
Each organization is unique, but the infrastructures recommended by CIS and NIST provide a common set of definitions and a comprehensive set of requirements to work from. Assuming we have a few quiet weeks following Patch Tuesday, take a moment to compare your program to these and see how you stack up. There may be room for improvement you haven’t considered before.
I anticipate a very light Patch Tuesday as we are already halfway through December and many vendors have already released their updates for the month.
December 2021 Patch Tuesday forecast
- Can you believe there were only 22 CVEs associated with Windows 11 and 29 in Windows 10 updates last month? Expect a similar light set of CVEs addressed this month in the set of Windows 10/11, legacy, and ESU-supported operating systems. There were two zero-day and four publicly disclosed vulnerabilities last month, so be on the lookout for any new ones coming out this month and give them priority.
- We’re due for an Adobe Acrobat and Reader update. I haven’t seen a pre-notification on their Security Updates page, but be on the lookout for security releases for these two products next week. There were only three product updates, including Creative Cloud, released in early November, so we may see a lot of product updates soon.
- Apple released security updates for watchOS and iOS in late November. We may see some security updates for macOS ahead of the holidays.
- Google released a stable channel update for Chrome OS 96.0.4664.93 which addressed 22 vulnerabilities. Betas were released this week for both Chrome iOS and Desktop 97 and 98, so expect a stable channel release in the next week or two.
- Mozilla had their usual pre-Patch Tuesday week of security updates for Firefox 95, Firefox ESR 91.4, and Thunderbird 91.4 this week. Firefox included 13 reported vulnerability fixes of which five were rated High. Nothing new anticipated next week.
I want to wish everyone a happy holiday season and hope you get to finally spend some quality time with relatives and friends. Be safe!