Almost four months into the COVID-19 pandemic, all of us have started embracing the “new normal.” In terms of IT security, this means a huge spike in cybercrime and newfound challenges in securing devices that are now being used for remote work. With IT service giants like Cognizant succumbing to cyberattacks, regular patching is even more of a necessity these days. There is no better way to stay on top of patching than closely following the Patch Tuesday updates.
This month’s Patch Tuesday addresses 129 vulnerabilities and is by far the largest Patch Tuesday ever. Here is the breakdown of updates based on their severity:
- Critical: 11 (including one Adobe security advisory)
- Important: 109
- Moderate: Seven
- Low: Two
Microsoft also released one security advisory for an Adobe Flash Player update.
What is Patch Tuesday?
Patch Tuesday falls on the second Tuesday of every month. It is on this day that Microsoft releases security and non-security updates for its operating system and other related applications. Since Microsoft has upheld this process of releasing updates in a periodic manner, IT admins are well-prepared and have time to gear up for the new updates.
Why is Patch Tuesday important?
The most important security updates and patches to fix critical bugs or vulnerabilities are released on Patch Tuesday. Usually zero-day vulnerabilities are also fixed during Patch Tuesday unless the vulnerability is critical and highly exploited, in which case an out-of-band security update is released to address that particular vulnerability.
Highlights of June Patch Tuesday
Security updates were released for the following lineup of products:
- Microsoft Windows
- Microsoft Edge (EdgeHTML-based)
- Microsoft Edge (Chromium-based) in IE Mode
- Microsoft ChakraCore
- Internet Explorer
- Microsoft Office and Microsoft Office Services and Web Apps
- Windows Defender
- Microsoft Dynamics
- Visual Studio
- Adobe Flash Player
- Microsoft Apps for Android
- Windows App Store
- System Center
Zero-day vulnerabilities and public disclosures
Even though this is the largest Patch Tuesday yet, there are no zero-day vulnerabilities or known unpatched vulnerabilities this month.
Critical and noteworthy updates
There are 11 vulnerabilities termed Critical this month (10 Critical updates and 1 Adobe Flash Player security advisory, ADV200010), out of which three (CVE-2020-1219, CVE-2020-1216, and CVE-2020-1213) exist in Microsoft Edge and VBScript Engine. If exploited, they can lead to remote code execution by an attacker. Other Critical vulnerabilities include ones that could be used in phishing or web attacks, like CVE-2020-1248, CVE-2020-1281, and CVE-2020-1299. The remaining Critical vulnerabilities are as follows:
- CVE-2020-1181 – Microsoft Office SharePoint
- CVE-2020-1073 – Microsoft Scripting Engine
- CVE-2020-1300 – Windows Print Spooler component
- CVE-2020-1286 – Windows Shell
Windows cumulative updates
The cumulative updates for Windows 10, KB4557957 (Windows 10 version 2004) and KB4560960 (Windows 10 version 1903/1909), were also released this Patch Tuesday. These updates include security fixes and general bug fixes.
Best practices to handle patch management in the current work-from-home scenario
Since most of the workforce is still working from home, patching and securing endpoints pose various challenges to IT admins. Here are a few pointers to ease the process of remote patching.
- Disable automatic updates, as one faulty patch might bring down the whole system. IT admins can educate end users on how to disable automatic updates on their machines. Patch Manager Plus and Desktop Central also have a dedicated patch, 105427, that can be deployed to endpoints to ensure that automatic updates are disabled.
- Create a restore point, a backup or image that captures the state of the machines, before deploying big updates like those from Patch Tuesday.
- Establish a patching schedule and keep end users informed about it. It is recommended to set up a time for deploying patches and rebooting systems. Let end users know what has to be done from their end—for instance, that they need to connect to the VPN for three hours from 6pm to 9pm.
- Test the patches on a pilot group of systems before deploying them to the production environment. This will ensure that the patches do not interfere with the workings of other applications.
- Since most users are working from home, they might not adhere to strict timings; therefore, allow end users to skip deployment and scheduled reboots. This will give them the liberty to install updates at their convenience, thereby not disrupting their work. Our patch management products come with options for user-defined deployment and reboot.
- Most organizations are patching using a VPN. To stop patch tasks from eating up your VPN bandwidth, install Critical and security updates first. You might want to hold off on deploying feature packs and cumulative updates, as they are bulky updates and consume too much bandwidth.
- Schedule the non-security updates, as well as security updates that are not rated Critical, to be deployed after Patch Tuesday, such as during the third or fourth week of the month. You can also choose to decline certain updates if you feel they are not required in your environment.
- Run patch reports to get a detailed view of the health status of your endpoints.
- With Desktop Central or Patch Manager Plus, you can completely automate the entire process of patch management, from testing patches to deploying them. You can also tailor the patch tasks according to your current situation. For hands-on experience with either of these products, start a 30-day free trial and keep thousands of applications patched and secure.
** Optrics Inc. is a ManageEngine partner
The original article can be found here: