It’s that time of the month again when sysadmins are kept on their toes. November’s Patch Tuesday is here, and if you are not familiar with the significance of this day, we’ll bring you up to speed with a quick introduction before we look at this month’s highlights. Keep reading to also find a well-crafted guide of patching best practices for the current work-from-home (WFH) situation.

What is Patch Tuesday?
The second Tuesday of every month is considered Patch Tuesday, and it’s on this day that Microsoft releases security and non-security updates for its operating system and other related applications.

Why is Patch Tuesday important?
Microsoft formalized Patch Tuesday in October 2003 and has followed this practice ever since. This process gives IT administrators sufficient time to plan and have all their resources ready before they set about with the patching process for that month.
Now that we have touched on its significance, let’s check out this month’s Patch Tuesday updates.

Breakdown of November’s Patch Tuesday updates
Security updates were released for the following lineup of products:

  • Microsoft Windows

  • Microsoft Office and Microsoft Office Services and Web Apps

  • Internet Explorer

  • Microsoft Edge (EdgeHTML-based)

  • Microsoft Edge (Chromium-based)

  • ChakraCore

  • Microsoft Exchange Server

  • Microsoft Dynamics

  • Microsoft Windows Codecs Library

  • Azure Sphere

  • Windows Defender

  • Microsoft Teams

  • Azure SDK

  • Azure DevOps

  • Visual Studio

Zero-day vulnerabilities and public disclosures
November’s Patch Tuesday brings a fix for the zero-day privilege escalation vulnerability in the Windows Kernel Cryptography Driver that has been exploited in the wild. Disclosed on October 30th by the Google Project Zero and TAG security teams, this vulnerability was supposedly being exploited together with a Chrome zero-day to target Windows 7 and Windows 10 users. Threat actors would run malicious code using the Chrome zero-day vulnerability and then use the Windows zero-day vulnerability to escape the Chrome security sandbox. They would then proceed to elevate the code’s privileges to attack the underlying OS.

Critical and noteworthy updates
Of the 112 vulnerabilities fixed, 17 are classified as Critical, 93 as Important, and two as Moderate. Here are the Critical security updates:

CVE-2020-16988

CVE-2020-17058

CVE-2020-17048

CVE-2020-17053

CVE-2020-17042

CVE-2020-17052

CVE-2020-17051

 CVE-2020-17106

CVE-2020-17101

CVE-2020-17105

CVE-2020-17082

CVE-2020-17079

CVE-2020-17078

CVE-2020-17107

CVE-2020-17110

CVE-2020-17108

CVE-2020-17109

It is recommended that you give priority to the patches mentioned above, followed by the other Important and Moderate patches.

This Patch Tuesday has also fixed 24 vulnerabilities that can allow remote code execution attacks in apps such as Microsoft Excel, Microsoft SharePoint, Microsoft Exchange Server, the Windows Network File System, the Windows GDI+ component, and Microsoft Teams.

Other notable mentions
Google announced that the stable channel for Chrome has been updated to 86.0.4240.193 for Windows, macOS, and Linux; this update will roll out over the coming days or weeks.

Interested in learning more? Sign up for a free webinar led by our experts, and take a closer look at this month’s Patch Tuesday updates.

Best practices guide on handling the patch management duties of your remote workforce
With COVID-19 having sent most of the workforce home, patching and securing endpoints presents various new challenges to IT admins. Here are the steps you need to follow to ensure that the pandemic doesn’t stop you from being on top of your patching game:

  • Automatic updates, though extremely convenient, can eat up end users’ bandwidth and also put them at risk for faulty patches in a WFH scenario. Disable these updates with Patch Manager Plus and Desktop Central’s dedicated patch, 105427, and prioritize only essential patches.

  • Updates can get tricky. It’s advised to create a restore point, which is a backup or image that captures the state of the machines, before deploying big updates like those from Patch Tuesday.

  • Communication is key for a successful remote workforce. Establish a patching schedule and keep end users informed about it. Set up specific times for deploying patches and rebooting systems. Let end users know what has to be done from their end—for instance, that they need to connect to the VPN for three hours from 6pm to 9pm.

  • Don’t let patching affect productivity. Test the patches on a pilot group of systems before deploying them to the production environment to prevent any adversity.

  • Flexibility is crucial when it comes to deploying policies in remote environments. Allow users to skip deployment and scheduled reboots. This will give them the liberty to install updates at their convenience, thereby not disrupting their work. Our patch management products come with options for user-defined deployment and reboot.

  • Prioritize patches based on severity. Install the Critical security updates first. Schedule the non-security updates, as well as security updates that are not rated Critical, to be deployed after Patch Tuesday, such as during the third or fourth week of the month. You can also choose to decline certain updates if you feel they are not required in your environment. Holding off on deploying feature packs and cumulative updates can help minimize bandwidth consumption, as these updates are bulky.

  • Run patch reports to get a detailed view of the health status of your endpoints.

With Desktop Central or Patch Manager Plus, you can completely automate the entire process of patch management, from testing patches to deploying them. You can also tailor patching tasks according to your current situation. For hands-on experience with either of these products, start a 30-day free trial and keep thousands of applications patched and secure.

 

 

Ameera Azeez
Content Writer