The final Patch Tuesday of the year is here. Just a week or two of wrestling around with updates, and then all you sysadmins out there can enjoy the holiday season assured of a job well done. For those of you who aren’t familiar with Patch Tuesday, here’s a quick summary.
What is Patch Tuesday?
Microsoft regularly releases security and non-security patches and updates to address vulnerabilities in its software or to upgrade its applications or operating systems (OSs). Patch Tuesday is the day Microsoft releases these updates.
When is Patch Tuesday?
Patch Tuesday falls on the second Tuesday of every month. Microsoft released the first Patch Tuesday updates in October 2003.
Highlights of Patch Tuesday December 2019
This Patch Tuesday comes with fixes for 36 vulnerabilities and two advisories. Of these vulnerabilities, seven are classified as Critical, 27 as Important, one as Moderate, and one as Low.
Patch Tuesday updates for Microsoft products
Microsoft Patch Tuesday December 2019 includes updates for the following software:
- Microsoft Windows
- Internet Explorer
- Microsoft Office
- Microsoft Office Services and Web Apps
- SQL Server
- Visual Studio
- Skype for Business
The third-party updates that have been released are:
- NVS (1.5.4)
- Mnemosyne (2.7)
- QuiteRSS (0.19.2)
- Skype (8.55.0.123)
- Pale Moon (28.8.0)
- CPUID CPU-Z (1.91)
- GoodSync (10.10.14)
- EditPad Lite (7.6.7)
- EditPad Lite (7.6.6)
- Snagit 2020 (20.0.3)
- KakaoTalk (3.0.8.2360)
- Glary Utilities (5.133)
- RingCentral Phone (19.3.4)
- Auslogics DiskDefrag (9.2.0.4)
- Auslogics Registry Cleaner (8.2.0.4)
- Auslogics Duplicate File Finder (8.2.0.4)
- Adobe Flash Player PPAPI (32.0.0.303)
- Adobe Flash Player Plugin (32.0.0.303)
- Adobe Flash Player ActiveX (32.0.0.303)
- Adobe Acrobat Reader MUI DC (Classic Track) update – All languages (15.006.30508) (APSB19-55)
- Adobe Acrobat Reader MUI DC (Continuous Track) update – All languages (19.021.20058) (APSB19-55)
- Adobe Acrobat Reader DC (Continuous Track) update – All languages (19.021.20058) (APSB19-55)
- Adobe Acrobat DC Pro and Standard (Continuous Track) update – All languages (19.021.20058) (APSB19-55)
- Adobe Acrobat DC Pro and Standard (Classic Track) update – All languages (15.006.30508) (APSB19-55)
- Adobe Acrobat 2017 Pro and Standard (Acrobat 2017 Track) update – All languages (17.011.30156) (APSB19-55)
- Adobe Acrobat Reader 2017 MUI (Classic Track) (17.011.30156) (APSB19-55)
Zero-day vulnerability patched
A zero-day privilege elevation vulnerability in the Win32k component was patched this Patch Tuesday. Already being exploited in the wild, this vulnerability is tracked as CVE-2019-1458 and allows an attacker to execute commands in kernel mode and gain full access to the OS. The update addresses this vulnerability by correcting how Win32k handles objects in memory.
Notable announcements
This might be the last Patch Tuesday in which free security updates are released for Windows 7, Windows Server 2008, and Windows Server 2008 R2, as these products are nearing their end of life. Microsoft is planning to end support for the above-mentioned software on January 14, 2020. Beyond this cutoff date, security updates for these OSs will be available for a paid subscription. Users who are still on these older OSs are advised to quickly migrate to newer versions or purchase the Extended Security Updates (ESU).
Best practices to handle Microsoft Patch Tuesday updates for December 2019
Patching and updating all your endpoints might seem like an impossible task, but there are best practices you can follow to streamline the patching process:
- Prioritize patching for Critical vulnerabilities first. The seven Critical vulnerabilities this Patch Tuesday are CVE-2019-1468, CVE-2019-1350, CVE-2019-1349, CVE-2019-1387, CVE-2019-1354, CVE-2019-1352, and CVE-2019-1471.
- Automate all other Important and Moderate updates after that.
- Schedule updates to go out during non-business hours to prevent downtime.
- Create a test group to verify the stability of Patch Tuesday updates before rolling them out to production machines.
- Decline less critical patches and roll them out after the important issues have been addressed.
- Postpone or schedule reboots for critical machines and servers.
- Run patch reports to ensure network endpoints are up-to-date with the latest patches.
Still think patching is an extensive process? Don’t worry, we’ve got it sorted out for you.
ManageEngine offers two solutions—Desktop Central and Patch Manager Plus—that help you automate all the best practices mentioned above from one central console. You can try both solutions free for 30 days and keep more than 750 applications, including over 300 third-party applications, up-to-date.
Want to learn more? Join our Patch Tuesday December 2019 webinar, where we’ll take a closer look at this month’s updates, analyze the Critical vulnerabilities, and discuss the impact of ignoring them. Register now!