By Karthika Surendran
This month’s Patch Tuesday is here and the hustle is on. With most organizations embracing a distributed workforce these days, system administrators are bound to be up to their ears in work for the next two weeks, testing and figuring out how to deploy updates to secure all of their machines. It is important to prioritize and patch to stay on top of your game.
Microsoft has released security fixes to address 55 vulnerabilities, out of which four are classified as Critical, 50 as Important, and one as Moderate. The three zero-days patched today were publicly disclosed but not actively exploited.
After an initial discussion about the updates released, we’ll offer our advice for devising a plan to handle patch management in a hybrid work environment.
What is Patch Tuesday?
Patch Tuesday falls on the second Tuesday of every month. It is on this day that Microsoft releases security and non-security updates for its operating system and other related applications. Since Microsoft has upheld this process of releasing updates in a periodic manner, IT admins are well-informed and have time to gear up for the new updates.
Why is Patch Tuesday important?
The most important security updates and the patches to fix critical bugs or vulnerabilities are released on Patch Tuesday. Usually, zero-day vulnerabilities are also fixed during Patch Tuesday unless the vulnerability is critical and highly exploited, in which case an out-of-band security update is released to address that particular vulnerability.
Highlights of May Patch Tuesday
Security updates were released for the following lineup of products:
- NET Core & Visual Studio
- Microsoft Windows
- Microsoft Office
- Internet Explorer
- Visual Studio
- Microsoft Exchange Server
Publicly disclosed zero-day vulnerabilities patched
Three publicly disclosed zero-day vulnerabilities were patched this month. Fortunately, none of them have been exploited. Here is the list:
- CVE-2021-31204: NET and Visual Studio Elevation of Privilege Vulnerability
- CVE-2021-31207: Microsoft Exchange Server Security Feature Bypass Vulnerability
- CVE-2021-31200: Common Utilities Remote Code Execution Vulnerability
Luckily, there are no reports of active exploitation of these vulnerabilities.
Critical updates
There are four Critical updates released this Patch Tuesday, and the details are as follows:
Product | CVE Title | CVE ID |
|---|---|---|
| HTTP.sys | HTTP Protocol Stack Remote Code Execution Vulnerability | CVE-2021-31166 |
| Internet Explorer | Scripting Engine Memory Corruption Vulnerability | CVE-2021-26419 |
| Role: Hyper-V | Hyper-V Remote Code Execution Vulnerability | CVE-2021-28476 |
| Windows OLE | OLE Automation Remote Code Execution Vulnerability | CVE-2021-31194 |
Third-party updates released this Patch Tuesday
Additionally, there are also updates from third-party vendors such as Adobe, Apple, Cisco, SAP, and VMware coinciding with this Patch Tuesday.
Best practices to handle patch management in a hybrid work environment
Most organizations have opted to embrace remote work even after they have been cleared to return to the office. This decision poses various challenges to IT admins, especially in terms of managing and securing distributed endpoints. Here are a few pointers to ease the process of remote patching.
- Disable automatic updates because one faulty patch might bring down the whole system. IT admins can educate end users on how to disable automatic updates on their machines. Patch Manager Plus and Desktop Central also have a dedicated patch, 105427, that can be deployed to endpoints to ensure that automatic updates are disabled.
- Create a restore point, a backup or image that captures the state of the machines, before deploying big updates like those from Patch Tuesday.
- Establish a patching schedule and keep end users informed about it. It is recommended to set up a time for deploying patches and rebooting systems. Let end users know what has to be done from their end—for instance, that they need to connect to the VPN for three hours from 6pm to 9pm.
- Test the patches on a pilot group of systems before deploying them to the production environment. This will ensure that the patches do not interfere with the workings of other applications.
- Since most users are working from home, they might not adhere to strict timings; therefore, allow end users to skip deployment and scheduled reboots. This will give them the liberty to install updates at their convenience, thereby not disrupting their work. Our patch management products come with options for user-defined deployment and reboot.
- Most organizations are patching using a VPN. To stop patch tasks from eating up your VPN bandwidth, install Critical and security updates first. You might want to hold off on deploying feature packs and cumulative updates since they are bulky updates and consume too much bandwidth.
- Schedule the non-security updates, as well as security updates that are not rated Critical, to be deployed after Patch Tuesday, such as during the third or fourth week of the month. You can also choose to decline certain updates if you feel they are not required in your environment.
- Run patch reports to get a detailed view of the health status of your endpoints.
- For back-to-office machines, check if they are compliant with your security policies. If not, quarantine them.
- Install the latest updates and feature packs before deeming your back-to-office machines fit for production.
- Take inventory of and remove apps that are now obsolete for your back-to-office machines, like remote collaboration software.
With Desktop Central or Patch Manager Plus, you can completely automate the entire process of patch management, from testing patches to deploying them. You can also tailor the patch tasks according to your current situation. For hands-on experience with either of these products, start a 30-day free trial and keep thousands of applications patched and secure.
** Optrics Inc. is a ManageEngine partner
The original article can be found here: