May 2022 Patch Tuesday forecast: Look beyond just application and OS updates

April Patch Tuesday provided an extensive set of operating system and application updates after a few quiet months. Microsoft addressed 97 vulnerabilities in Windows 10, and 67 in Windows 11. Adobe updated Reader and Acrobat to fix 62 vulnerabilities.

Many of the vulnerabilities from both vendors were rated critical which resulted in a busy deployment schedule last month. This increase in identified and remediated vulnerabilities is expected to continue as we move into summer, driven primarily by heightened security awareness caused by the cyberwar between Ukraine and Russia.

Looking ahead one month in the forecast, I need to remind everyone that our old friend Internet Explorer is officially coming to an end (almost) on June 15th. Internet Explorer 11 (IE 11) is the last of the line and will no longer be supported in Teams, Office 365, and most versions of the Windows operating system. If you still need IE 11 for critical business functionality, Microsoft recommends using IE mode in the Edge browser. This functionality is scheduled to be supported in Edge until 2029.

The IE 11 desktop application will continue to get security updates in Windows 8.1, Windows 7 (ESU), and Windows Server LTSC until they reach their respective EOL dates. This Microsoft FAQ provides the best details on the end of this longtime favorite application.

A big push continues for more multi-factor authentication. Microsoft announced they will start disabling Basic Authentication in Exchange Online on customer tenants starting in October this year. They will randomly start taking this action for MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, and Remote PowerShell protocols. This article also provides detailed instruction on how to prepare for the change so if you are still using Basic Auth you need to plan accordingly.

On a similar note, GitHub announced they will require all contributing developers to use two-factor authentication by the end of 2023. GitHub provides detailed setup instructions and many two-factor options when configuring your system. Two-factor authentication provides a 99+% improvement to the security of a simple username and password.

And finally, don’t forget to include regular review and updates of the drivers and BIOS used by your critical systems. We talk about the regular cadence of application and operating systems updates that are released every month, but drivers and BIOS software have their own set of updates (and vulnerabilities) as well. This software interacts directly with the firmware and the startup information stored there, so compromise this deep in the system could remain undetected for an extended period.

As part of its latest security advisory, Lenovo provided an extensive set of BIOS updates for its notebooks this month to address CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972. Be sure to consider these, and updates from other hardware vendors this month as part of your Patch Tuesday distribution process.

May 2022 Patch Tuesday forecast

• Expect the standard set of Microsoft operating system and Office application updates. I anticipate another large set of CVEs addressed in the OS updates. We had a .NET framework update last month, so it may be a while before another drops.
• Although there was a major update last month, Adobe is still likely to stay on top of critical vulnerabilities for Acrobat and Reader and may provide a minor release this month.
• No security updates or announcements in April from Apple; be on the lookout for new releases in the upcoming weeks.
• Google released the 101.0.4951.54 update for the desktop stable channel on Windows, Mac and Linux on Monday. The beta channel for ChromeOS was updated back in late April, so expect a new update next week.
• On Wednesday, Mozilla released updates to Firefox 100, Firefox ESR 91.9, and Thunderbird 91.9. These were all rated High, so ensure they are included in your round of updates this month. I wouldn’t expect more updates next week for these applications.
• Oracle released its Critical Product Update (CPU) last month with Java containing fixes for 7 CVEs – two with CVSS scores of 9.8. If you haven’t updated yet, make sure you do soon.

If you have the opportunity this month, look beyond just basic operating system and application patching; review the status of your BIOS and driver versions and update as needed.

May 2022 Patch Tuesday is here.