September 2023 Patch Tuesday forecast: Important Federal government news

Microsoft addressed 33 CVEs in Windows 10 and 11 last month after nearly 3x that number in July. But despite the lull in CVEs, they did provide new security updates for Microsoft Exchange Server, .NET Framework, and even SQL Server, so there were plenty of patches to distribute.

Looking ahead, there are several upcoming end-of-life events you need to plan for, but before we talk about forecasts there are a few announcements from the government which are of interest.

NIST

On August 8th, NIST announced that version 2.0 of its Cybersecurity Framework (CSF) is available and open for comments. This follows rapidly in the footsteps of the CVSS 4.0 preview from FIRST. While CVSS 4.0 will be published around October 1st, NIST is collecting comments until November 4th and will publish the final version of its document in early 2024.

Originally released in 2014, the CSF has stood the test of time, but based on a recent request for information, it was time for a significant update. The announcement called out three major updates based on user comments. First, when originally released, the CSF was meant to cover only critical infrastructure but is now focused on all types of environments.

Second, NIST added a new ‘govern’ function to the existing five – identify, protect, detect, respond, and recover. Per NIST, this “covers how an organization can make and execute its own internal decisions to support its cybersecurity strategy.” This helps organizations consider the risk of their business and prioritize their actions.

Finally, based on requests for more guidance on implementing the CSF, NIST added the concept of profiles to adjust the framework for specific use cases. They included examples of how to use the framework effectively. The CSF also continues to do a nice job of cross-referencing other frameworks such as the CIS Security Controls, ISO 27000 series, and others. If you are a user of the CSF, this is the time to provide comments and ensure it continues to meet your needs.

Homeland Security Cyber Safety Review Board

The Homeland Security Cyber Safety Review Board (CSRB) announced they are planning their third review this year concerning malicious targeting of cloud computing environments. Specifically, they will “focus on approaches government, industry, and Cloud Service Providers (CSPs) should employ to strengthen identity management and authentication in the cloud.” The review was initiated in response to the Microsoft Exchange Online intrusion earlier this year. It is a collaborative effort between government and industry to review the incident, determine the root cause, and provide recommendations based on the lessons learned. The CSRB does not have regulatory or enforcement authority, but it will be interesting to see what recommendations they provide and the downstream actions taken by the government and industry.

Windows 11 23H2

Windows 11 23H2 is available to testers with access to the Microsoft Beta Channel. And with that release coming soon, the end of Windows 11 21H2 is also about to happen. The last security updates will be issued next month on the October Patch Tuesday. And don’t forget, Microsoft Server 2012/2012 R2 go into Extended Security Support (ESU) after October as well – just one month away!

Plan accordingly so you aren’t caught in a time crunch to upgrade. In another interesting but subtle announcement from Microsoft, WordPad is being deprecated and removed from future versions of the OS. Microsoft is recommending Word when robust editing and creative capabilities are needed, and Notepad for plain text, simple documents.

September 2023 Patch Tuesday forecast

  • Microsoft will probably up their game on CVEs addressed this month, but don’t expect the breadth of updates we saw last month. All the OS updates will include more CVEs, and we will see the usual Microsoft Office updates. We’re slowly approaching the EOS in October for Microsoft Server 2012, so expect a continued push to maximize the CVEs addressed each month.
  • We finally had a major update for Acrobat and Reader last month, so I doubt we will have another update on these applications soon.
  • August was a quiet month for Apple. They provided two small releases for Ventura and watchOS with no reported CVEs. They generally provide security updates in the second half of the month, so be on the lookout for some major updates in late September. And don’t forget macOS Sonoma is coming later this year. The beta version is available.
  • Starting with Chrome 116, Chrome is now shipping weekly Stable channel updates, with major milestone builds still coming every 4 weeks. Stable channel updates 116.0.5845.179 for Mac and Linux and 116.0.5845.179/.180 for Windows shipped this Tuesday, so expect the next one to ship on Patch Tuesday next week.
  • Mozilla released their last round of updates for Firefox, Firefox ESR, and Thunderbird on August 29, so expect another round of updates next week.

Next week will be a busy Patch Tuesday with some potentially CVE-laden updates from Microsoft and some popular third-party application releases from Google and Mozilla. And don’t forget to take a look at the latest CSF 2.0 from NIST. Even if you don’t have any comments for them, it may provide insight into your program’s improvements.
