September 2021 Patch Tuesday: end of service for Windows 10 2004 on the horizon

This Patch Tuesday brings a slightly higher number of vulnerability fixes than last month, but still not up to the levels of earlier in the year. Security patches for 60 vulnerabilities—along with fixes for Microsoft Edge—are a key part of this month’s round of fixes from Microsoft. There are also some notable ones being addressed by Apple and Adobe worth covering.

We may have called it a little early in last month’s Patch Tuesday, but it looks like PrintNightmare vulnerabilities have all been addressed. So for the moment, no more workarounds are needed for these—just ensuring appropriate updates are in place should be enough.

Before we get into the details, let’s take a moment to reflect on the scale of the patch management challenge MSPs face. WSUS, patch management from N‑able, and other tools have made it much easier to handle patching endpoints. This ease sometimes belies the complexity of matching specific updates to specific builds of OS, and then validating and reporting on those. This month, Microsoft has released fixes for 60 vulnerabilities, which represents a possibility of 1248 different combinations of patches for specific OS and software versions. A good patch management solution will make that manageable in your day-to-day operations. This also helps illustrates why the let-auto-update-handle-it approach can’t keep up with an MSP’s obligation to validate systems are properly updated and protected from known vulnerabilities. Trying to validate without a centralized solution is unachievable.

Microsoft vulnerabilities

A total of 86 vulnerabilities were addressed this month by Microsoft. Within that we have two zero days, CVE-2021-40444 and CVE-2021-36968, that received fixes. Both these vulnerabilities should be on your prioritization list, but CVE-2021-40444 should be on top because it is seeing active exploitation.

CVE-2021-40444 was an MSHTML vulnerability exploited by Microsoft Office documents with malicious ActiveX controls embedded. If you can’t apply the appropriate Monthly Rollup or the security-only update, we have Microsoft’s recommended workaround mitigation available in the Automation Cookbook as a service monitor for N‑central^® or a 24/7/DSC for RMM.

We may also be able to entertain the thought that PrintNightmare is over. CVE-2021-36958 received security updates that should fix any remaining PrintNightmare vulnerabilities not addressed in the previous security fixes provided by Microsoft. Since this is another actively exploited vulnerability, CVE-2021-36958 should also be on top of your prioritization list.

Related Product

N‑central

Manage large networks or scale IT operations with RMM made for growing service providers.

En savoir plus

Vulnerability prioritization

If you ask a room full of system admins how they prioritize which vulnerabilities should be patched first, you’re likely to get more than one answer. However, most of those answers will include applying patches based on the severity rating given to it by the vendor. So almost everyone will agree that anything marked Critical should be patched ASAP, but Important and High may see days—or even weeks—of delay before they are applied. This unfortunately misses something many don’t consider when prioritizing patches, which is the likelihood a vulnerability will be leveraged in attacks or if it’s already part of current attacks. The table below shows not only Critical vulnerabilities, but also their current exploit status. The vulnerability marked as Important with Exploitation Detected is more likely to cause complications in an environment than one marked as Critical, but Exploitation Less Likely.

Cumulative updates

KB5005565 and KB5005566 cumulative updates were released with the typical previous security fixes included. Also included are some notable bug fixes—one where Bluetooth headsets would only work for voice calls and another where external monitors connected to docking stations may not work after hibernation.

End of service for Windows 10 2004

Joining previous Windows builds that hit EoS this year, Windows 10 2004 will no longer receive security updates after December 14, 2021. That’s only three months to plan for transition to newer builds. If you don’t already have arrangements in place, then today is the day to start.

Apple

Apple released security updates for iOS to fix zero-day vulnerabilities that are currently seeing attacks in the wild. If you are managing iOS devices, getting these in place should be a top priority since the vulnerabilities are being leveraged by nation-state backed actors. Check Apple’s recent security advisories for more information.

Summary

As always, make sure you have established patching processes for evaluation, testing, and pushing into production. With the new, available Servicing Stack Updates, it’s a good time to audit your environments to ensure compliance with your security controls, and that patching will continue to work with as few issues as possible.

If you have traditionally only dealt with patches by applying them based on their severity, now is the time to start including prioritization of patches for Zero-Day, Exploitation Detected, and Exploitation More Likely vulnerabilities in your patch management routines.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on:

Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd

© 2021 N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.

The N‑able trademarks, service marks, and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd.  All other trademarks are the property of their respective owners.

This document is provided for informational purposes only. Information and views expressed in this document may change and/or may not be applicable to you.  N‑able makes no warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information contained herein.