Microsoft Patch Tuesday Strategy for 2020

Do you have a plan in place for Patch Tuesdays? Does it rely on severity as the only measure of vulnerability risk? If so, it may be time to rethink your strategy. In this article, seasoned experts discuss a few myth-busting facts about Patch Tuesdays after closely observing last year's trends.


From which Microsoft component has been the low-hanging fruit for attackers to what severity rating most of the zero-days fell under, we've got all you need to craft the perfect Patch Tuesday strategy for 2020.

Patching isn't as straightforward as you might think. If you rely only on CVSS scores and severity ratings to decide what to patch, you might overlook imminently exploitable threats that require little to no user interaction. Did you know that last year nine of the twelve zero-day vulnerabilities exploited in the wild were rated Important rather than Critical? It's time to rethink the way we've been patching vulnerabilities.

Read on as our seasoned experts discuss a few myth-busting facts about Patch Tuesdays after closely observing last year's trends.

Now’s your chance to learn and implement the key takeaways from 2019 to stay on top of the patching game in 2020. Happy patching!

Content Summary

Nine out of 12 zero-day vulnerabilities resolved by Microsoft were not rated Critical
Browsers remain the most actively exploited applications
2019 kept us busy with updating the update component of Windows
Adobe patched 442 CVEs, more than half of all Microsoft CVEs combined
23 vulnerabilities were publicly disclosed before patches were released by Microsoft
WannaCry-level BlueKeep and GoldBrute affected Windows RDP
Out-of-band updates introduced unprecedented issues
Unpatched vulnerabilities might put you at risk

When it comes to Patch Tuesdays, you might think everything is laid out clearly: the same ritual of security releases on the second Tuesday of each month, followed by a week or so of testing and pushing patches to your environment. But unless you watch closely, you might miss a few anomalies that could put you at risk. As philosopher George Santayana put it, "Those who do not remember the past are condemned to repeat it." Our security experts looked back at last year's Patch Tuesdays and discovered some overlooked facts that could help you revamp your conventional patching approach.

Nine out of 12 zero-day vulnerabilities resolved by Microsoft were not rated Critical

To everyone's surprise, three-fourths of the vulnerabilities that were actively exploited in 2019 were rated only Important. This drives home the point that severity and CVSS score should not be the only triggers for what gets deployed to your environment: a Critical rating describes worst-case impact, not whether an exploit is in circulation. Instead, treat "exploited in the wild" and "publicly disclosed" as first-class prioritization signals, and use a solution that offers a dedicated view of zero-days and actively exploited vulnerabilities so they don't slip past your radar.

Browsers remain the most actively exploited applications

Last year, we saw a string of browser exploits. A zero-day in Internet Explorer's (IE) scripting engine (CVE-2018-8653) was baked into the January 2019 cumulative update. Following that, another zero-day in IE (CVE-2019-0676) was resolved in February, and a zero-day in Chrome (CVE-2019-5786) was resolved outside of Patch Tuesday in March.


There was yet another zero-day in IE (CVE-2019-1367) in September. November then brought two zero-days, one in Chrome (CVE-2019-13720) and one in IE (CVE-2019-1429).

These vulnerabilities reinforce that browsers serve not only as a bridge between customers and businesses but also as gateways for attackers, since a browser zero-day typically needs nothing more than a visit to a malicious page. Keeping this in mind, stay vigilant about browser exploits and give browsers a short deployment window of their own when devising your vulnerability management strategy for 2020.

2019 kept us busy with updating the update component of Windows

In 2019, Microsoft issued updates to the operating system (OS) component that installs Windows updates at an unprecedented frequency. These updates are termed servicing stack updates (SSUs). Although SSUs don't resolve vulnerabilities themselves and aren't part of the normal cumulative or security-only bundle, the latest SSU is frequently a prerequisite for the month's cumulative update, so it must be installed first or the security update will fail to apply. Considering Microsoft released a full set of SSUs for all Windows OSs in 2019, we can expect some sweeping changes coming down the road. Keep your systems current with the latest SSUs so that security updates push to them seamlessly.
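The following PowerShell is an added example and not part of the original article: it lists the servicing stack packages present on a machine and installs an SSU before the cumulative update, honouring the ordering described above. The `.msu` paths are placeholders; the `wusa.exe` exit codes are the documented Windows Update values (3010 and 2359301 for reboot required, 2359302 for already installed). Run it from an elevated session.

```powershell
# Added example, not from the ManageEngine article. Run elevated.
# Servicing stack packages appear in the component store with "ServicingStack"
# in the package name; the most recently installed one is the current SSU.
function Get-ServicingStackPackages {
    Get-WindowsPackage -Online |
        Where-Object { $_.PackageName -like '*ServicingStack*' } |
        Select-Object PackageName, PackageState, InstallTime |
        Sort-Object InstallTime -Descending
}

# Installs updates in the order Microsoft requires: SSU first, then the
# cumulative (LCU) or security-only update. Stops before the LCU if the SSU
# fails, because the LCU would fail anyway without it.
function Install-UpdateInOrder {
    param(
        [Parameter(Mandatory)] [string] $SsuPath,   # placeholder, e.g. C:\Patches\ssu.msu
        [Parameter(Mandatory)] [string] $LcuPath    # placeholder, e.g. C:\Patches\lcu.msu
    )
    foreach ($msu in @($SsuPath, $LcuPath)) {
        if (-not (Test-Path -Path $msu)) { throw "Update package not found: $msu" }
        $proc = Start-Process -FilePath 'wusa.exe' `
                              -ArgumentList "`"$msu`" /quiet /norestart" `
                              -Wait -PassThru
        switch ($proc.ExitCode) {
            0       { Write-Host "Installed: $msu" }
            3010    { Write-Host "Installed, reboot required: $msu" }
            2359301 { Write-Host "Installed, reboot required: $msu" }
            2359302 { Write-Host "Already installed: $msu" }
            default { throw "wusa.exe exited with $($proc.ExitCode) on $msu; not continuing" }
        }
    }
}

Get-ServicingStackPackages | Format-Table -AutoSize
# Install-UpdateInOrder -SsuPath 'C:\Patches\ssu.msu' -LcuPath 'C:\Patches\lcu.msu'
```

Wire the same ordering into whatever deployment tool you use: an SSU that lands after the LCU in the same maintenance window produces the "update is not applicable" failures that show up as unpatched machines in the next scan.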

Adobe patched 442 CVEs, more than half of all Microsoft CVEs combined

Third-party vendors, especially Adobe, are becoming the most hunted targets for threat actors. To streamline the heap of patches and make the update process more predictable, Adobe has aligned its security releases with Microsoft's Patch Tuesday. To get the most out of Patch Tuesday in 2020 and keep your Adobe vulnerabilities in check, include third-party updates in the automated patch deployments you schedule around the Patch Tuesday cycle, rather than treating them as a separate, lower-priority track.


23 vulnerabilities were publicly disclosed before patches were released by Microsoft

Look out for public disclosures in 2020. A publicly disclosed vulnerability leaves your network exposed without a fix from the vendor and gives threat actors a head start on engineering an exploit. Equip yourself with a vulnerability management tool that tracks public disclosures and provides a workaround (a registry change, a disabled feature, a blocked port) until the patch arrives.

WannaCry-level BlueKeep and GoldBrute affected Windows RDP

Last year's May Patch Tuesday was unlike any other, as Microsoft patched a highly critical vulnerability. How critical? WannaCry-level critical. Yes, we're talking about the wormable BlueKeep (CVE-2019-0708), a pre-authentication flaw in Remote Desktop Services (RDS) affecting Windows 7, Windows Server 2008 R2 and earlier (Windows 8 and 10 are not affected). It has the potential to cause a global WannaCry-level event, which is why Microsoft even released updates for the long-unsupported Windows XP and Windows Server 2003. Glancing through the list of last year's CVEs, we found a few more vulnerabilities affecting RDS, this time in newer versions of Windows as well: CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, and CVE-2019-1226. And they're wormable, too.


Though BlueKeep remains the talk of the town, IT admins need to step back and evaluate Remote Desktop Protocol (RDP) use in general. GoldBrute, a botnet that brute-forces weak passwords rather than exploiting any vulnerability, targeted around 1.6 million public-facing RDP servers in 2019, so patching alone does not close the RDP exposure.

Here are a few things you can do to minimize RDP-related attacks in the future:

  • Put RDP behind a VPN so it is never exposed directly to the internet.
  • Enable Network Level Authentication (NLA) to mitigate BlueKeep, which requires a valid account before the vulnerable code path is reached.
  • Ensure any accounts reachable over RDP have strong passwords that are changed regularly, and enforce an account lockout threshold against brute forcing.
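The following PowerShell is an added example, not part of the article: it audits the RDP settings behind the three mitigations above (NLA, TLS security layer, firewall scope, lockout threshold) and optionally enforces them. The registry values and the built-in firewall rule name are Windows' own; the `10.0.0.0/8` VPN pool is a placeholder you must replace with your actual VPN address range. Run elevated.

```powershell
# Added example, not from the ManageEngine article. Run elevated.
$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsRoot\WinStations\RDP-Tcp"
$rdpRuleName = 'RemoteDesktop-UserMode-In-TCP'   # built-in inbound RDP rule

# Reports the settings that decide how exposed this host's RDP listener is.
function Get-RdpExposure {
    $ts   = Get-ItemProperty -Path $tsRoot
    $tcp  = Get-ItemProperty -Path $rdpTcp
    $rule = Get-NetFirewallRule -Name $rdpRuleName -ErrorAction SilentlyContinue
    # "net accounts" prints "Lockout threshold: Never" when no lockout is configured.
    $lockout = ((net accounts | Select-String 'Lockout threshold').Line -replace '.*:\s*', '')
    [pscustomobject]@{
        RdpEnabled       = ($ts.fDenyTSConnections -eq 0)
        NlaRequired      = ($tcp.UserAuthentication -eq 1)   # 1 = NLA required (BlueKeep mitigation)
        TlsSecurityLayer = ($tcp.SecurityLayer -eq 2)        # 2 = TLS, 0 = legacy RDP security layer
        ListenPort       = $tcp.PortNumber
        FirewallRuleOpen = [bool]($rule -and $rule.Enabled -eq 'True')
        RemoteAddresses  = if ($rule) { ($rule | Get-NetFirewallAddressFilter).RemoteAddress } else { $null }
        LockoutThreshold = $lockout
    }
}

# Enforces NLA and TLS, and scopes the inbound RDP rule to the VPN pool so that
# only clients already on the VPN can reach port 3389.
function Set-RdpHardened {
    param([string[]] $AllowedRemoteAddress = @('10.0.0.0/8'))   # placeholder VPN pool
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $rdpTcp -Name SecurityLayer      -Value 2 -Type DWord
    Get-NetFirewallRule -Name $rdpRuleName |
        Set-NetFirewallRule -RemoteAddress $AllowedRemoteAddress
}

Get-RdpExposure | Format-List
# Set-RdpHardened -AllowedRemoteAddress @('10.8.0.0/16')
```

NLA is a mitigation, not a fix: a client with valid credentials can still trigger BlueKeep after authenticating, so the May 2019 update still has to be deployed. The audit function is also a convenient check to run fleet-wide before opening any firewall rule for RDP.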

Out-of-band updates introduced unprecedented issues

On September 23, 2019, Microsoft patched an IE zero-day (CVE-2019-1367) in out-of-band security updates for Windows 10 versions 1703 through 1903, as well as Windows Server 2019 and Windows Server 2016. An IE cumulative update for pre-Windows 10 systems was also released to fix the issue. Additionally, on September 24, optional non-security cumulative updates for Windows 10 and monthly rollup previews for pre-Windows 10 systems were released. Although Microsoft didn't call it out, the IE zero-day fix was silently included in those non-security updates as well. On October 3, new security updates, IE cumulative updates, and monthly rollup updates were released to resolve printing issues that were being widely reported as a result of the fix. Reports of printing issues persisted after this round of updates, but with the October 8 Patch Tuesday release, the IE CVE was fixed without the regressions.


A broken patch can disrupt operations as badly as the vulnerability it fixes. To that end, thoroughly test patches (especially out-of-band updates, which skip Microsoft's normal release validation) on a pilot ring before rolling them out to production machines, but keep that pilot window short for actively exploited fixes so that testing does not become a reason to leave a zero-day open.

Unpatched vulnerabilities might put you at risk!

December, but no patch came out as the OS has become obsolete. Furthermore, Adobe released details of seven critical vulnerabilities in Shockwave in April, but they haven't been resolved since the product reached end-of-life that same month. Those seven vulnerabilities leave the majority of Shockwave deployments exposed, and they are likely to be exploited in the wild. There's never been a better time to revisit your asset inventory and remove unsupported software that doesn't serve any business-critical purpose.
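The following PowerShell is an added example, not part of the article: it builds a software inventory from the same registry keys that Programs and Features reads (64-bit, 32-bit and per-user views) and flags installed products whose names match a list of end-of-life software. The default pattern list contains only Shockwave, the product discussed above; the other patterns you would add are your own assumptions about what your vendors have retired.

```powershell
# Added example, not from the ManageEngine article.
# Uninstall keys covering native, WOW6432 (32-bit on 64-bit) and per-user installs.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Returns one object per installed product that has a display name.
function Get-InstalledSoftware {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, UninstallString, PSPath
}

# Flags products whose name matches any end-of-life pattern (wildcard match,
# case-insensitive). Extend $Patterns with the products your vendors have retired.
function Find-EolSoftware {
    param([string[]] $Patterns = @('Shockwave'))
    Get-InstalledSoftware | Where-Object {
        $name = $_.DisplayName
        [bool]($Patterns | Where-Object { $name -like "*$_*" })
    }
}

Find-EolSoftware | Format-Table DisplayName, DisplayVersion, Publisher -AutoSize
# For a fleet-wide inventory, export and collect:
# Get-InstalledSoftware | Export-Csv -Path "$env:COMPUTERNAME-software.csv" -NoTypeInformation
```

The `UninstallString` column gives you the vendor's own removal command once you have confirmed a product has no business owner; for silent removal check the vendor's documented switches rather than guessing them.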

Source: ManageEngine

Published by Thomas Apel, a dynamic and self-motivated information technology architect with a thorough knowledge of all facets of system and network infrastructure design, implementation and administration. I enjoy the technical writing process, answering readers' comments included.