The holiday season is here: Thanksgiving at the end of the month, then Christmas and New Year's! But before we all start celebrating and spending time with family and friends, we have November 2021 Patch Tuesday, which is critical for many industries, particularly retail. These updates are often installed before a change freeze (lockdown) so that no disruptive changes are needed during the busiest weeks of the year. The retail industry is not the only one under pressure to get systems patched; the federal government has also been given a mandate to update its systems in the next few weeks. The President signed an Executive Order this past May to put more focus on protecting federal government networks. Highlights included sharing threat information between government and the private sector, improving detection of and response to security incidents, and improving remediation of known vulnerabilities. In light of the recent supply chain attacks, ongoing ransomware incidents, and continual phishing activity, this mandate should raise the baseline of system security. Additionally, the Wall Street Journal reported that CISA was releasing an order that would require most government agencies to address “200 known security flaws identified by cybersecurity professionals between 2017 and 2020 and an additional 90 discovered in 2021 alone that have generally been observed being used by malicious hackers” in the next two weeks.
Knowing your vendor severity ratings and CVSS scores is usually insufficient to ensure you focus on the right vulnerabilities first. The fact that the CISA priority list contains nearly 300 security vulnerabilities, and that 200 of them are two to four years old, shows a need to improve how vulnerabilities are identified and prioritized. Risk-based vulnerability management focuses on classifying assets and weighting prioritization by real-world risk indicators. This can be a challenging process, but with the proper tools in place, you can quickly identify the highest-risk vulnerabilities on the most critical systems, patch those first, and work down the list from there.
Most software vendors are focused on getting all their updates out before the holidays, so expect multiple releases over the next two to three weeks. Here is what is expected for this Tuesday.
November 2021 Patch Tuesday forecast
- Microsoft addressed 79 unique CVEs last month, and we expect that number to remain high. With the final big push before the holidays, expect significant updates for all the operating systems and applications, including the ESUs. We have not seen any legacy .NET Framework or SQL Server updates in a while.
- Apple has been busy releasing security updates for all its operating systems and for Safari as well. They were all updated at the end of October. Apple faces an ever-increasing number of zero-day threats, so make sure you keep up with the latest macOS and iOS updates.
- Google released a stable channel update on Monday for Chrome OS 94.0.4606.114.
- Mozilla released security updates for Thunderbird 91.3, Firefox 94, and Firefox ESR 91.3 recently. Make sure you pick up these latest updates to ensure you are adequately protected.
What you need to do
If you are not a customer of ours, or you have home devices that need updates, manually check for updates on each device and software application. Getting into the habit of doing this twice a month will ensure that your systems and software stay up to date.
If you are a customer of ours and you have an MSP or maintenance contract, simply leave your system on in the evening, and the updates will be installed by the nightly scheduled maintenance routine.
Thank you for taking the time to read this article, and as always, if you have any questions, feel free to leave them below, or you can click here to contact us.