Welcome to Softcat's Security Patch Roundup, looking at the latest updates from the main vendors and dissecting a few of the key releases from Patch Tuesday. Without further ado, let's get started...
Patching Adobe and Microsoft
Adobe released their regular monthly patch for Flash containing numerous bug fixes, security patches and feature updates; including a Remote Code Execution (RCE) flaw. There's no update for Reader this month, but since these applications are commonly installed on end-user devices the advice is simple: patch them as quickly as you can. Either by using your deployment tool of choice or by configuring their auto-update controls, patch them. There's typically little to no compatibility impact, and it's a quick win in terms of reducing exposure to the most commonly exploited vulnerabilities. Our advice is to simply take Flash and Reader off anything in your server estate, unless there's an explicit compatibility reason to keep it.
Similarly, Microsoft dropped their main batch of Windows server, desktop and Office patches on the traditional Patch Tuesday. These Microsoft patches cover a whopping 61 security issues, including a 0-day that was released on Twitter late in August and fixes for PDF viewer, font library and image parsing issues that could all be exploited with no user interaction. These can be a little more complex to assess, so the approach will vary; typically, desktops and laptops should be updated soonest in order to protect end users from these new threats, whilst server updates will need testing for compatibility with critical business applications before being rolled out.
Microsoft are also expected to release Exchange Cumulative Updates later this month, which are typically released quarterly. With Exchange 2013 moving into Extended Support updates to it will become less frequent, while 2016 will continue to receive the quarterly updates. Cumulative Updates are often not deployed immediately on their release, as they can make significant changes under the hood, but admins should read the release notes and prioritise testing and deployment along the same lines as OS patches – within 30 days of their release.
Browsers and Certificates
Another major story this month is the news that Symantec certificates are being phased out by the major browser-makers, as a result of their shenanigans with irresponsible issuance coming to a head in 2017. Trust in Symantec certificates will be fully withdrawn by Google Chrome v70 and Mozilla Firefox v63, both of which are being released to Beta testers in September, with full release planned for October. It's not clear what Microsoft are doing with Edge yet, but we expect them to follow suit. If you still use a Symantec-issued certificate, get it replaced urgently to ensure visitors do not see your website in a "Not Secure" state.
News from VMware
Finally, the big news from VMware is that version 5.5 of their ESXi hypervisor goes End-of-Life on the 19th September, meaning no more support from this date. This shouldn’t be news to long-time users of the platform, but now’s the time to prioritise migrating those last few 5.5 boxes onto a newer version before support ends.
Get in Touch
If you'd like advice on patches and ensuring your network is secure, please get in touch with your Softcat Account Manager or send us a message using the button below.