We spend lots of time every month talking about the technical issues surrounding software updates, vulnerabilities, and the tools we use for patch management in our organization. However, the success of patch management depends on the coordination of everyone.
This article will focus on what Patch Tuesday means for your organization and some of the major players who are involved in the patch management process. Don’t get hung up on the job titles. Rather, consider the motivations and roles associated with each job. Bear in mind that big corporations often have the luxury of large IT experts with well-defined roles. However, small organizations may compress these roles into teams of one or two people.
The central position within an organization is the security analyst. This analyst is charged with the responsibility of collecting vulnerability results and evaluating them in terms of applications and groups of systems. The analyst is responsible for prioritizing the remediation of these vulnerabilities to lower risk to the organization and ensure both internal and external service agreements are met.
The security analyst works very closely with the traditional IT administrator. This administrator is responsible for taking the recommendations from the analyst and putting them into action. This individual conducts the actual patch operations and confirms the service level agreements are met.
Most times, business units are organized around a particular function and depend on a set of special applications. These business units often have an assigned application administrator and application owner. Their main duty is to ensure the performance and stability of these applications. This includes detailed knowledge about Patch Tuesday and understanding things associated with vulnerabilities for these applications and ensuring they are remediated to prevent negative business impact.
It’s essential that organizations have a direct and continuous channel of communication with the security analysts and IT administrators to ensure they are moving in the right direction as they recognize critical vulnerabilities, prioritize the patches, and execute the Patch Tuesday updates to protect their infrastructure.
The end-users in the organization normally want little or no involvement with any of this procedure. They want their desktops and laptops to be available when they need them. This will help them to focus on their jobs and productivity. But it’s important for them to have security awareness to recognize any threats or vulnerabilities during Patch Tuesday installation.
Are There Any Non-Essential Security Updates Concerning Patch Tuesday?
Yes, many non-essential security updates are made available for all supported versions of Windows, which include an update to the Windows Malicious Software Removal Tool.
Microsoft’s Surface tablets normally get driver or firmware updates on Patch Tuesday. You can get all the details about these security updates from the Microsoft Surface Update History page. Individual update histories are available for Microsoft’s Surface devices.
There may also be non-security updates that are included for Microsoft software other than Windows.
Download Patch Tuesday Updates
In most cases, the most ideal way to download patches on Patch Tuesday is through Windows update. Only the updates you need will be listed, and they will be downloaded and installed automatically except if you have configured Windows updates.
Patch Tuesday and Windows 10
Microsoft has publicly commented that starting with Windows 10, they will no longer push updates based on Patch Tuesday, instead pushing them more often. This may basically end the idea of Patch Tuesday completely.
While this change is useful for both non-security and security updates, Microsoft is clearly updating Windows 10 outside Patch Tuesday. But they still seem to be pushing a majority of the updates to their latest operating system on Patch Tuesday.
February 2021 Patch Tuesday
We start our second year of extended security updates (ESU) for Windows 7 and Server 2008. Expect the security-only and monthly rollup patches as usual.
- Microsoft should be ramping up for the year and we will see more vulnerabilities addressed than in January. In addition to the Windows 10 and legacy operating systems, updates for Office, Microsoft 365, and the associated SharePoint server will be released.
- Apple released security updates for iCloud, Big Sur and Safari at the beginning of February. We may see an iTunes security release for Windows.
- Adobe made a pre-notification announcement for an Acrobat and Reader security update under APSB21-09.
- Mozilla released a security update for Firefox 85, Firefox ESR 78, and Thunderbird 78 at the end of January. They may release a new security update.
- Google Chrome was updated to 88.0.4324.146 for Windows, Linux and Mac, which included 6 security fixes. There may be a minor update.
Security communication across your organization is an essential part of the patch management process. You can take your communication into consideration as we keep moving from one Patch Tuesday to another. Consequently, check if there’s any improvement and make an adjustment where necessary.
How Do I Know If I Need These Security Updates?
You need these updates if you are running any supported version of Microsoft’s operating systems. This includes Windows 8.1, Windows 8, Windows 10, and supported Server versions of Windows. Many other products are getting patches. You can see the full list on Microsoft’s Security Update Guide page along with security vulnerability details.
Do you want to learn more about the importance of Patch Tuesday for your organization? Or do you need help managing Patch Tuesday? If yes, Vicarius is your go-to cybersecurity company.
Topia is a vulnerability management software that targets cybersecurity officers and operators, as well as IT managers and operators from the U.S. market. If you would like to implement a patch management tool, we are here for you.