On Patch Tuesday, August 10, 2021, Microsoft will release security updates for Windows 10 and enable PUP protection by default.
Last month, a lot of attention was paid to the PrintNightmare print service vulnerability (CVE-2021-34527). If you are a system administrator who follows an active patch deployment model, make sure the machines you service have the latest rollup packages for this vulnerability.
If you usually install only the security updates released monthly on Patch Tuesday, it is better to also install the out-of-band emergency updates to fix the PrintNightmare vulnerabilities quickly, because these fixes were not shipped with the security updates released last Patch Tuesday. Microsoft has also released Extended Security Updates (ESUs) for Windows 7 and Server 2008/2008 R2, but only for organizations that participate in a paid Extended Servicing Program.
The release of out-of-band fixes for zero-day vulnerabilities provides an excellent opportunity to test your policies and procedures for applying emergency fixes. Now is the best time to prepare for other potential problems that are bound to appear.
First, you need a valid company policy that your security team and lawyers agree on. Factors to consider include the schedule for patching the entire corporate network, securing critical systems based on risk assessments, required coordination, and more.
Security teams often make it a priority to deploy updates immediately, which in some cases can have devastating consequences for the business as a whole if the patches do not work properly. You should have a well-functioning and tested process or procedure. Following best practices, many companies treat a hotfix as an accelerated version of the monthly patch cycle.
Updates are initially deployed to a test environment that includes the "most patch sensitive" systems to ensure they are stable and functional. After identifying known issues, if any, you can deploy a critical fix to similar systems in your primary production environment.
In parallel or in sequence, depending on your company's capabilities, you then repeat the process for "phase 2", a set of less important systems, and so on. In a typical monthly patch cycle the testing phase can last two weeks, but in this case you are usually testing only one update, so the observation period before immediate deployment can be as little as 2 days.
It is important that you are clear about what to expect after installing critical updates and how to react if something goes wrong. Your company's policies and procedures must support each other as IT security teams work together to protect the corporate environment. There will always be exceptions, but following established procedures is much more convenient than panicking again when an emergency such as the PrintNightmare vulnerability occurs.
July 2021 Patch Tuesday was rich in fixes: 84 vulnerabilities were fixed in Windows 10, including 3 zero-day vulnerabilities and 3 publicly disclosed vulnerabilities. Fewer fixes are expected this month as family vacation season arrives.
This month Microsoft is going to enable a protection feature that will block potentially unwanted applications (PUAs, also known as PUPs). The feature was quietly introduced back in May, and Redmond recently announced that it will be included in the upcoming August updates. The options for this feature can be found in the Windows Security settings screen under App & browser control > Reputation-based protection settings.
Don't forget about Windows 11, which was announced on June 24th. According to Microsoft, the new operating system will be released in the "holiday season" of 2021. Indirect signs, including some found in Microsoft documentation, confirm that the release will take place in October, the month in which most of the fall feature updates for Windows 10 were released.
Forecast for Patch Tuesday, August 2021:
There shouldn't be any surprises this time: the number of vulnerabilities patched will decrease compared to last month. In addition to servicing supported operating systems, including Windows 10, Microsoft will release Extended Security Updates (ESU) for Windows 7 and Server 2008/2008 R2. Internet Explorer updates are regular, so we expect more updates this month.
It has been a long time since the last updates for SQL Server and .NET Framework were released, so there is a high probability that new ones will be released.
On July 20, 2021, Adobe released updates for many of its products, but did not announce further updates for Acrobat and Reader, so everything should be quiet this week.
Apple released security updates for macOS Big Sur, Mojave, and Catalina at the end of July, so install them as soon as possible. Updates for iTunes or iCloud are coming soon.
On August 2, Google released the stable update for Chrome OS to version 92.0.4515.130. Several beta updates for the company's other products were released in the past week, so no security updates are expected this week.
Mozilla released the latest security updates for Firefox and Thunderbird on Patch Tuesday in July, and we should receive a new set this week.