August Patch Tuesday was a pleasant relief after the massive release of updates in July. But don’t sit in the lawn chair and open that cold beverage just yet; there are some things to do before you should rest comfortably.
Microsoft provided a light set of operating system and application security updates. On the operating system side, we see 35 CVEs addressed for Server 2008 up through 78 CVEs for the latest Windows 10 updates. There are also updates for Office and SharePoint, but that’s about it. No Adobe Flash in the update this month either!
Microsoft resolved a total of 93 unique CVEs this month, but surprisingly there are NO zero days OR publicly disclosed vulnerabilities! It has been a long time since I remember that happening. Glancing through the list, I do see a lot of RDP vulnerabilities this month, so make sure you apply these updates soon. All of the operating system updates are rated priority 1 due to critical vulnerability ratings and the possibility of remote code execution.
One vulnerability of interest is CVE-2019-9506, titled Encryption Key Negotiation of Bluetooth Vulnerability. CERT/CC has issued CVE-2019-9506 and VU#918987 for this tampering vulnerability, which has a CVSS score of 9.3. It requires specialized hardware to exploit but can allow wireless access and disruption within Bluetooth range of the device being attacked. Microsoft provided an update to address the issue, but the new functionality is disabled by default; you must enable it by setting a flag in the registry. Check out the KB for more details.
Microsoft may have had a slow day, but Adobe released 8 updates. If you are a Creative Cloud or Experience Manager user, be sure to review the bulletins because several are rated Critical. Adobe also released updates for Acrobat and the more common Acrobat Reader with details under APSB19-41. This update for both Windows and macOS fixes 76 vulnerabilities which are all rated as Important. There are updates for the Continuous, Classic 2015, and Classic 2017 versions of the products. There was also a non-security update for Flash, but it was not included with the release from Microsoft.
The temperatures may be high this late in the summer, but I mentioned earlier not to kick back in that lawn chair and relax just yet. With a light patch load this month, it may be a good time to revisit the asset inventory of systems you are patching.
We often set up our patch groups of systems and go through the motions each month of applying the latest patches, but we may be missing the bigger picture. IT organizations are often dispersed, and the systems they support are constantly changing. Without ongoing communication across the organization or dynamic settings in your patch products, you may be missing many machines that need updates. The good news is the patch tools we use each month have extensive discovery features and can help identify the latest systems on the network. Likewise, there are a whole host of network and system tools you can use.
And don’t forget to coordinate with your security operations team, too. The vulnerability scanners they use also have built-in discovery. Armed with a consolidated list of systems on your network from all these sources, you can confirm your patch groups are up-to-date and investigate any suspicious devices you may have discovered.
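One way to do the consolidation described above, as an added example that is not from the original post or any patch product: it merges host lists exported from several discovery sources and compares them with the current patch groups. The CSV column names, source names and hosts are constructed for illustration.

```python
import csv
import io

# Constructed sample exports; column names and hosts are hypothetical.
PATCH_GROUPS = """hostname,group
SRV-DC01,Servers-Week1
srv-file02.corp.example,Servers-Week2
WS-1001,Workstations
WS-RETIRED9,Workstations
"""
DISCOVERY = {  # source name -> CSV export with a "hostname" column
    "patch_tool_scan": "hostname\nsrv-dc01\nSRV-FILE02\nws-1001\nws-1002\n",
    "network_scan": "hostname\nSRV-DC01.corp.example\nws-1001\nws-1002\nprinter-7\n",
    "vuln_scanner": "hostname\nsrv-dc01\nsrv-file02\nws-1002\nunknown-ab12\n",
}

def norm(name):
    """Lowercase short hostname so FQDN and NetBIOS forms match.
    Assumption: short names are unique across your domains."""
    return name.strip().lower().split(".")[0]

def hosts(csv_text, column="hostname"):
    rows = csv.DictReader(io.StringIO(csv_text))
    return {norm(r[column]) for r in rows if r[column].strip()}

def reconcile(patch_groups_csv, discovery):
    grouped = hosts(patch_groups_csv)
    seen = {}  # host -> set of sources that reported it
    for source, text in discovery.items():
        for h in hosts(text):
            seen.setdefault(h, set()).add(source)
    ungrouped = {h: sorted(s) for h, s in seen.items() if h not in grouped}
    return {
        # Confirmed by several sources but in no patch group: coverage gap.
        "not_in_patch_group": {h: s for h, s in ungrouped.items() if len(s) > 1},
        # Reported by one source only and in no patch group: investigate.
        "single_source_unknown": {h: s for h, s in ungrouped.items() if len(s) == 1},
        # In a patch group but seen by no source: stale entry or offline host.
        "stale_group_members": sorted(grouped - set(seen)),
    }

if __name__ == "__main__":
    for bucket, items in reconcile(PATCH_GROUPS, DISCOVERY).items():
        print(bucket, items)
```

Matching on hostname alone is the simplest join; where your exports carry MAC or serial numbers, keying on those avoids misses caused by renamed machines.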