With system administrators eagerly waiting for a patch to CVE-2021-40444, this month’s Patch Tuesday comes with fixes for 86 vulnerabilities, including those previously released for Microsoft Edge, out of which three are classified as Critical and 56 as Important. Two zero-days have also been patched, one of which is being actively exploited. Needless to say, IT admins are going to have their hands full with this month’s patching and update process.

After an initial discussion about the updates released, we’ll offer our advice for devising a plan to handle patch management in a hybrid work environment. You can also register for our free Patch Tuesday webinar and listen to our experts break down the Patch Tuesday updates in detail.

What is Patch Tuesday?

Patch Tuesday falls on the second Tuesday of every month. It is on this day that Microsoft releases security and non-security updates for its operating system and other related applications. Since Microsoft has upheld this process of releasing updates in a periodic manner, IT admins expect these updates and have time to gear up for them.

Why is Patch Tuesday important?

The most important security updates and patches to fix critical bugs or vulnerabilities are released on Patch Tuesday. Usually, zero-day vulnerabilities are also fixed during Patch Tuesday unless the vulnerability is critical and highly exploited, in which case an out-of-band security update is released to address that particular vulnerability. 

September Patch Tuesday product lineup

Security updates were released for the following products:

  • Azure Open Management Infrastructure

  • Microsoft Edge (Chromium-based)

  • Microsoft Office

  • Microsoft Windows Codecs Library

  • Microsoft Windows DNS

  • Visual Studio

  • Windows BitLocker

  • Windows Kernel

  • Windows MSHTML Platform

  • Windows Print Spooler Components

  • Windows Scripting

  • Windows Win32K

  • Windows WLAN Auto Config Service

Two zero-day vulnerabilities patched

Of the two zero-days patched this month, one is being actively exploited and the other is publicly disclosed but not being actively exploited. Here is the list:

  • CVE-2021-36968 – Windows DNS Elevation of Privilege Vulnerability (publicly disclosed but not actively exploited).

  • CVE-2021-40444 – Microsoft MSHTML Remote Code Execution Vulnerability (actively exploited). This vulnerability is actively used in phishing attacks. These attacks distributed malicious Word documents that exploited CVE-2021-40444 to download and execute a malicious DLL file that installed a Cobalt Strike beacon on the victim’s computer. This beacon allows a threat actor to gain remote access to the device and steal files and spread laterally throughout the network.

Critical updates 

There are three Critical updates released this Patch Tuesday: 

CVE ID

Product

Title

CVE-2021-38647

Azure Open Management Infrastructure

Open Management Infrastructure Remote Code Execution Vulnerability

CVE-2021-26435

Windows Scripting

Windows Scripting Engine Memory Corruption Vulnerability

CVE-2021-36965

Windows WLAN Auto Config Service

Windows WLAN AutoConfig Service Remote Code Execution Vulnerability

Third-party updates released after August Patch Tuesday

Third-party vendors such as Adobe, Cisco, SAP, Apple, and Android released updates after last month’s Patch Tuesday.

Best practices to handle patch management in a hybrid work environment

Most organizations have opted to embrace remote work even after they have been cleared to return to the office. This decision poses various challenges to IT admins, especially in terms of managing and securing distributed endpoints. Here are a few pointers to ease the process of remote patching.

  • Disable automatic updates, because one faulty patch could bring down the whole system. IT admins can educate end-users on how to disable automatic updates on their machines. Patch Manager Plus and Desktop Central also have a dedicated patch, 105427, that can be deployed to endpoints to ensure that automatic updates are disabled.

  • Create a restore point—a backup or image that captures the state of the machines—before deploying big updates like those from Patch Tuesday.

  • Establish a patching schedule and keep end-users informed about it. It is recommended to set up a time for deploying patches and rebooting systems. Let end-users know what needs to be done on their end for trouble-free patching.

  • Test the patches on a pilot group of systems before deploying them to the production environment. This will ensure that the patches do not interfere with the workings of other applications.

  • Since many users are working from home, they all might be working different hours; in this case, you can allow end-users to skip deployment and scheduled reboots. This will give them the liberty to install updates at their convenience and avoid disrupting their work. Our patch management products come with options for user-defined deployment and reboot.

  • Most organizations are patching using a VPN. To stop patch tasks from eating up your VPN bandwidth, install Critical patches and security updates first. You might want to hold off on deploying feature packs and cumulative updates since they are bulky updates and consume too much bandwidth.

  • Schedule the non-security updates and security updates that are not rated Critical to be deployed after Patch Tuesday, such as during the third or fourth week of the month. You can also choose to decline certain updates if you feel they are not required in your environment.

  • Run patch reports to get a detailed view of the health status of your endpoints.

  • For machines belonging to users returning to the office after working remotely, check if they are compliant with your security policies. If not, quarantine them.

  • Install the latest updates and feature packs before deeming your back-to-office machines fit for production.

  • Take inventory of and remove apps that are now obsolete for your back-to-office machines, like remote collaboration software.

With Desktop Central or Patch Manager Plus, you can completely automate the entire process of patch management, from testing patches to deploying them. You can also tailor patch tasks according to your current situation. For a hands-on experience with either of these products, start a free, 30-day trial and keep thousands of applications patched and secure. 

Want to learn more about Patch Tuesday updates? Join our experts as they break down this month’s Patch Tuesday updates and offer in-depth analysis. You can also ask our experts questions and have them answered right away. Register for our free Patch Tuesday webinar!

 

Happy patching!

  1. Pierre-Luc Bureau

    Hi,

    Thank you for keeping the environment secure! However, ever since this morning, we are not able to access the service. We get an error message saying:

    We’ll be right back!
    Our service is temporarily unavailable. We are currently working to restore it.
    Please try again later.

    This is also happening for everyone using ManageEngine.

    Could this be caused by the update?

    Thank you!

    • Karthika Surendran

      Hi Pierre,

      May I know what product you are using and when exactly in the morning (time), it has been showing this error?

      • Pierre-Luc Bureau

        From about 9h30 AM EST to approximately 12h30 to 13h EST!

        We are using SDP On Demand !