Every Patch Tuesday, speed is your biggest advantage for ensuring the security of your infrastructure. It’s a race to harden your endpoints before adversaries exploit these new vulnerabilities.
Automox is here for you. Our experts analyze Patch Tuesday announcements from Microsoft, Adobe, and more to give you strategies for acting now. Turn here for intelligence alerts, recommended remediation strategies for current vulnerabilities and exploits, and short videos that break down these new threats.
Patch Tuesday Action Plan
March’s Patch Tuesday release continues a streak of zero-days fixed by Microsoft that has lasted since June 2022. Two actively-exploited zero-day vulnerabilities were fixed this month, one in the near-ubiquitous Outlook application that allows attackers to spoof after stealing a user’s Net-NTLMv2 hash. The other is yet another security feature bypass in Windows SmartScreen.
On the whole, this month’s Patch Tuesday sees a total of 85 vulnerabilities patched, 9 of which are critical, and the two zero-days listed above. Of the critical vulnerabilities yet to be exploited, administrators should prioritize a critical, CVSSv3.1 9.8/10 remote code execution vulnerability in the Internet Control Message Protocol (ICMP) that affects most Windows operating systems.
There’s also a critical vulnerability in Windows Cryptographic Services affecting Windows 10, 11, and Server 2012 forward that allows for arbitrary code execution if an attacker can install or coerce the victim to install a malicious certificate on their device.
Patch Tuesday Action Plan
February’s Patch Tuesday is undoubtedly headlined by four important vulnerabilities in Microsoft Exchange Server that allow remote code execution for authenticated attackers. Nothing has been exploited yet, but it’s a fairly safe bet that they will be.
Apart from the Exchange Server vulnerabilities, February sees 76 vulnerabilities fixed by Microsoft, 7 of which are critical and 3 actively exploited zero days, which you’ll want to patch within 24 hours of release, ideally. One of the zero days is CVE-2023-23376, an important vulnerability in Windows Common Log File System driver that affects most versions of Windows 10 and 11, as well as Server 2008-2022. The vulnerability allows attackers to elevate to SYSTEM privileges on unpatched endpoints.
Read the Automox blog below for further details and recommendations to tackle this month's Patch Tuesday release.
Patch Tuesday Action Plan
After a light December, IT and security teams have their work cut out for them as we enter 2023 with over 100 vulnerabilities patched by Microsoft in the first Patch Tuesday of the new year. Of the 98 vulnerabilities, 11 are critical, and 1 is being actively exploited.
IT and security teams should prioritize CVE-2023-21674, an important and actively exploited zero-day vulnerability in Windows Advanced Local Procedure Call (ALPC) that allows for elevation to full system privileges when exploited. SharePoint Server admins will also want to quickly fix a critical security feature bypass that allows an unauthenticated attacker to connect to vulnerable SharePoint servers anonymously. Though there’s no evidence of exploitation yet, Microsoft notes this vulnerability is likely to be targeted.
CVE-2023-21552 and CVE-2023-21532 are also vulnerabilities that administrators should remediate quickly, both of which are important and more likely to be exploited. The vulnerabilities allow for elevation to SYSTEM privileges due to a weakness in Windows GDI. Most versions of Windows 10, 11, and Server 2008-2022 are vulnerable so we expect nearly all organizations using Windows to be impacted.
Patch Tuesday Action Plan
To close out 2022, December’s Patch Tuesday brings the fewest vulnerabilities fixed by Microsoft since June. Microsoft fixed a total of 56 vulnerabilities, 7 of which are critical and one of which is an actively exploited zero-day.
Hopefully, a lighter month will allow administrators to get some rest heading into the holiday season, though there are still a few vulnerabilities that are important to take care of before the end of December. Perhaps the most critical and wide-reaching vulnerability this month is a critical remote code execution flaw in PowerShell 7.2 and 7.3. Attackers are likely to target this weakness, though it does require additional preparation for the target environment prior to exploitation.
There’s also an actively exploited zero day in Windows SmartScreen that allows for security feature bypass. Even though the vulnerability is only moderately severe according to Microsoft, you’ll want to patch it since threat actors are already targeting the vulnerability with social engineering attacks.
Patch Tuesday Action Plan
November's release will keep administrators busy. Microsoft fixed six actively exploited vulnerabilities, the most included in a Patch Tuesday release in over a year. This month includes a total of 66 vulnerabilities patched, ten of which are critical including the six actively exploited vulnerabilities.
Included in the release is a patch for the Microsoft Exchange zero-day “ProxyNotShell.” Additionally, Microsoft fixed a new, critical elevation of privilege vulnerability in the Exchange Server.
One of the zero-days patched is an elevation of privilege vulnerability that affects the much-maligned Windows Print Spooler. Most versions of Windows and Server are affected, so we recommend patching within 24 hours.
A final actively-exploited zero-day is an important flaw that allows threat actors to bypass the Windows Mark of the Web security feature, which is meant to protect and warn end users when they download and/or open a file from an untrusted source. This will likely be an attractive target for social engineering campaigns, so we recommend patching within 24 hours.
Learn more about the other zero-day releases and how you should be reacting in our blog below.
Patch Tuesday Action Plan
October Patch Tuesday has come and gone with the recent Microsoft Exchange zero-days “ProxyNotShell” still unpatched, leaving some administrators in a scary situation heading into Halloween. If you’re running an on-prem Exchange Server, even if it’s part of a hybrid deployment, you need to apply Microsoft’s recommended mitigation ASAP.
Outside of Exchange, the world still spins. Microsoft patched 14 critical and one actively exploited vulnerability (out of 81 total this month) across multiple widely-adopted products that you’ll want to patch right away.
Nearly everyone running Windows desktops/laptops and Server needs to patch CVE-2022-41033, an actively exploited vulnerability in the COM+ Event System Service that allows elevation of privilege to SYSTEM with a simple attack when a threat actor has access to vulnerable endpoints.
Patch Tuesday Action Plan
September’s Patch Tuesday release from Microsoft sees a nearly 50% drop in vulnerabilities from last month to just 64 vulnerabilities from Microsoft – only five of which are critical. However, those five critical vulnerabilities pack a punch as they impact most versions of Windows 7-11 and Server 2008-2022.
Administrators with the IPSec protocols active in their environments, a suite commonly used in VPN products, should prioritize patching critical remote code execution vulnerabilities in Windows TCP/IP and Internet Key Exchange Protocol (IKE) within 72 hours, as they can be exploited over the network with simple packages.
Threat actors are also leveraging existing system access to actively exploit a zero day vulnerability in the Windows Common Log File System Driver that allows elevation of privilege to SYSTEM on most builds of Windows 7-11 and Server 2008-2022.
There’s also an important privilege elevation vulnerability in the Windows Kernel that threat actors are likely to target on Windows 10 and 11 machines as well as Server 2016-2022.
Patch Tuesday Action Plan
August’s Patch Tuesday release from Microsoft brings the highest overall vulnerability count from Microsoft since April and the most critical vulnerabilities in over a year. Luckily, none have been publicly exploited – yet.
Administrators can expect to be busy, with high severity vulnerabilities in historically popular targets like Active Directory and Microsoft Exchange – famously targeted by the HAFNIUM threat group with 0-day exploits in 2021, which are still being exploited today.
Administrators should prioritize patching critical vulnerabilities on affected systems within 72 hours, with a special focus on the Windows Point-to-Point Protocol (PPP) vulnerabilities that score 9.8/10 CVSSv3.1 and allow for remote code execution (RCE), as well as a critical elevation of privilege vulnerability in Microsoft Exchange Server that is likely to garner attention from attackers.
There are additional critical vulnerabilities in Active Directory Domain Services, Windows Secure Socket Tunneling Protocol (SSTP), and Server Message Block (SMBv3) that administrators should focus on fixing within 72 hours due to their severity and impact if exploited successfully by an attacker.
Patch Tuesday Action Plan
After seeing overall numbers dip for the last couple of months, July’s Patch Tuesday cranks up the heat with 80 new vulnerabilities. Four of these are critical and one has already been exploited in the wild. While this represents an uptick from May and June, it’s a fairly light load compared to July of last year, which saw a massive spike in vulnerabilities, especially those of critical severity.
This month, we see four critical vulnerabilities addressed across three Microsoft services, including Remote Procedure Call (RPC), Network File System (NFS), and Windows Graphics Component. All four critical vulnerabilities allow for remote code execution, if exploited, and require immediate attention from system administrators to patch within the recommended 72-hour window.
Even though the four critical vulnerabilities in this month’s batch of CVEs have not yet been exploited, we do have a non-critical elevation of privilege vulnerability within the Windows Client Server Runtime Process that’s already been weaponized. It goes without saying that zero-day exploits such as this should be patched within 24 hours of disclosure.
Patch Tuesday Action Plan
June’s Patch Tuesday sees vulnerabilities fall even lower than May with just 55 Microsoft vulnerabilities patched. That’s the lowest number we’ve seen since February 2022, and a similar volume to June of last year. If that’s any indication, administrators should be taking advantage of a relatively light month to prepare for what could be a heavy July.
This month, just three critical vulnerabilities were patched by Microsoft. Heavy-hitting and widely used products and services like Hyper-V, Lightweight Directory Access Protocol (LDAP), and Network File System (NFS) were all impacted by vulnerabilities that allow for remote code execution when exploited. These vulnerabilities all require immediate action from administrators to patch. CVE-2022-30136 is particularly dangerous, netting a CVSSv3.1 9.8/10 for an RCE vulnerability in NFS that Microsoft notes is more likely to be a target for exploitation.
We also saw actively exploited and publicly-disclosed vulnerabilities return to zero, a three-month trend that was broken by last month’s Patch Tuesday.
Stay on top of the releases and eliminate the risks with Automox. Join our slack community for fast information on the top CVEs to remediate now. We’ll do the hard work so you can focus on keeping your environment secure.
Patch Tuesday Action Plan
Unlike April, May's Patch Tuesday lands with only 74 vulnerabilities from Microsoft. The vulnerability breakdown features 7 Critical vulnerabilities spread across 6 different services and applications. Although only rated as High, CVE-2022-26925 has been noted as exploited and therefore ranks as the only zero-day of this month's release.
In May, Adobe released security updates for 5 of their products including: Character Animator, ColdFusion, InDesign, Framemaker, and InCopy. All five of these bulletins were given Adobe Priority 3.
Mozilla released updates for a trio of their products, including Firefox, Firefox ESR, and Thunderbird. All three advisories were rated High, and you can find more details here.
On April 26th, Google announced the rollout of Chrome 101 to the stable channel for Windows, Mac, and Linux. Chrome 101 fixed 29 vulnerabilities, none of which had seen active exploitation.
Patch Tuesday Action Plan
April Patch Tuesday has rolled in to deliver us 129 total Microsoft vulnerabilities, an amount not seen since September of 2020. That’s far more than in any month in 2021 or so far in 2022. SecOps and ITOps teams will have their hands full this month with 10 critical vulnerabilities, including one exploited vulnerability (CVE-2022-24521) from Microsoft.
Adobe’s Patch Tuesday saw updates for Acrobat and Reader, Commerce, After Effects, and Photoshop. Without a doubt, Adobe’s updates are led by a massive update for Acrobat and Reader. The update fixes 62 vulnerabilities, including 35 critical arbitrary code execution vulnerabilities.
On April 5, Mozilla released security advisories for Thunderbird 91.8, Firefox ESR 91.8, and Firefox 99. These advisories all earned a High rating and comprised 13 unique CVEs in total.
Not included in this month's vulnerability counts, but still important, is Google's security update for an actively-exploited vulnerability in the Chrome V8 Javascript engine, identified as CVE-2022-1096.
On Thursday, March 31, Apple released patches to fix two zero-day vulnerabilities in macOS, iOS, and iPadOS. These include a vulnerability in AppleAVD (CVE-2022-22675) and a vulnerability in the Intel Graphics Driver (CVE-2022-22674).
On the morning of March 31, two critical remote code execution vulnerabilities were reported in the Spring Framework, a widely used open-source framework for Java. The vulnerabilities are CVE-2022-22963 and CVE-2022-22965, the latter being dubbed Spring4Shell. Additional information can be found in our blog here.
Patch Tuesday Action Plan
Microsoft released 71 total vulnerabilities this month, with only 3 being rated Critical. And as we remind you every month, Automox recommends that all critical and exploited vulnerabilities are patched within a 72-hour window, in particular the zero-day and Microsoft codec vulnerabilities highlighted this month.
Similarly, Adobe released security bulletins for 3 of their products: Illustrator, Photoshop, and After Effects. Each bulletin was given Adobe Priority 3 meaning the updates resolve vulnerabilities in products that have historically not been a target for attackers. Adobe recommends administrators install the updates at their discretion.
A CVSS 7.8 vulnerability in the Linux kernel, dubbed “Dirty Pipe”, was disclosed Monday morning. Dirty Pipe, or CVE-2022-0847, allows overwriting data in arbitrary read-only files. This can lead to privilege escalation and code injection into root processes. Given the prevalence of Linux in highly sensitive infrastructure, it is highly recommended that admins prioritize remediation of this vulnerability in the next 24 hours to reduce organizational risk.
The Chrome team announced the promotion of Chrome 99 to the stable channel for Windows, Mac and Linux on March 1, 2022. This will roll out over the coming days/weeks. In the desktop version, a total of 28 vulnerabilities were closed. Of these, 11 were classified as high, 15 as medium and 2 as low.
Mozilla released an out-of-band patch for Firefox that addresses two critical vulnerabilities. Both are actively exploited in the wild as zero-days. Given these are actively exploited zero-days, it’s recommended that IT admins prioritize patching these within 24 hours to reduce exposure to malicious actors. Mozilla also released two other High-rated security advisories for Firefox 98 and Firefox ESR 91.7.
Patch Tuesday Action Plan
Microsoft released their lowest number of vulnerability fixes in recent memory this month, with a total of only 48. All are rated "High" with a lone fix being publicly disclosed, CVE-2022-21989.
Adobe released security bulletins for 5 of their products: Premiere Rush, Illustrator, Photoshop, After Effects, and Creative Cloud Desktop Application. All were given Adobe Priority 3 and in total there were 17 CVEs.
Apple recently pushed out updates for a number of their products including fixes for 16 documented CVEs. Among these is an urgent iOS update in which Apple warned that one of the vulnerabilities, CVE-2022-22587, “may have been actively exploited.”
Google has released Chrome version 97.0.4692.99 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.
Mozilla released 2 security advisories for Firefox 97 and Firefox ESR 91.6; both advisories were given the "High" rating. Between these 2 advisories, there are 13 CVEs addressed.
Patch Tuesday Action Plan
Microsoft is starting this year with a bang with 97 vulnerabilities, more than all but two months in 2021. The number of reported critical vulnerabilities is also causing ITOps and SecOps teams to start the year off with extra work. January’s 9 critical vulnerabilities is slightly higher than last year's monthly average of 8.4 and it represents the highest monthly total since July 2021. Fortunately, Microsoft did not have any exploited vulnerabilities to report for this month.
Adobe released updates for 5 of their products including Adobe Acrobat & Reader, Illustrator, Bridge, InCopy, and InDesign. All 5 bulletins were given Adobe Priority 3 except for Acrobat & Reader which earned a Priority 2. In total, there were 41 CVEs from Adobe, including 22 Critical, 6 High, and 13 Medium.
Last week, Google announced the release of Chrome 97 in the stable channel with a total of 37 security fixes. Of these, 24 vulnerabilities were uncovered by external researchers while the other 13 were uncovered by Google as part of its ongoing internal security work. There were 2 Critical vulnerabilities in the batch, with the only Critical external vulnerability being CVE-2022-0096.
Mozilla also released their first 3 security bulletins of 2022. All 3 bulletins were rated High and included a total of 18 vulnerabilities spanning across Firefox, Firefox ESR, and Thunderbird.
Patch Tuesday Action Plan
Microsoft released fixes for a total of 67 vulnerabilities, including 7 Critical CVEs. CVE-2021-43890 was rated High, but is noted to have been exploited in the wild, making this the lone zero-day released from Microsoft today.
Log4Shell is a zero-day unauthenticated Remote Code Execution (RCE) vulnerability in Log4j versions 2.0-beta9 up to 2.14.1 identified as CVE-2021-44228. Log4Shell is a CVSS 10.0 vulnerability. Organizations using the Log4j library are advised to upgrade to the latest release immediately, seeing that attackers are already searching for exploitable targets. A mitigation Worklet and more information around this vulnerability can be found in our blog here.
Adobe released updates for 11 of their products including Adobe Premiere Rush Pro, Photoshop, Media Encoder, amongst others. All 11 bulletins were given Adobe Priority 3. In total, there were 60 CVEs from Adobe, including 28 Critical, 18 High, and 13 Medium.
Google has rolled out fixes for five security vulnerabilities in its Chrome web browser. These include one which Google says is being exploited in the wild (CVE-2021-4102), so we recommend upgrading to Chrome version 96.0.4664.110 immediately.
At the beginning of December, Mozilla patched a Critical vulnerability in their Network Security Services (NSS) that could be exploited to execute arbitrary code. About a week later, Mozilla rolled out fixes for Thunderbird, Firefox, and Firefox ESR. All three of these respective bulletins were rated High by the software company.
Patch Tuesday Action Plan
While each of us may have individual reasons to be thankful this month, from a security perspective, the 55 vulnerabilities reported by Microsoft are another good reason. November's total vulnerabilities represent a 27% reduction from the monthly average so far this year. There were 6 critical vulnerabilities reported, and while this is double October’s total of 3, it nonetheless represents a 30% reduction off the monthly average of critical vulnerabilities for 2021. There were two vulnerabilities publicly exploited. Those are CVE-2021-42292 and CVE-2021-42321, both rated "Important" by Microsoft.
Adobe’s Patch Tuesday looks quite a bit smaller, after a significant out of band release that covered 14 products on October 26. Adobe patched just three products today: Creative Cloud, InCopy, and RoboHelp Server. All of the patches issued by Adobe today are Priority 3, indicating that the vulnerabilities are for a product that has not historically been targeted by attackers.
At the beginning of November, Mozilla released security vulnerability fixes for 14 total CVEs across Firefox, Firefox ESR, and Thunderbird. There were a lot of third-party releases at the end of October in addition to the aforementioned Adobe updates. Google released an emergency update to patch eight vulnerabilities, two of which are high severity zero-days, for Windows, macOS, and Linux. In late October, Apple released macOS Monterey, along with iOS and iPadOS 15.1. Due to the dates of these releases, these figures are not included in the graphic to the left.
Patch Tuesday Action Plan
While October brings us Halloween and all types of spookiness, fortunately, our worst nightmares did not come true with this month’s Patch Tuesday. With a relatively light number of critical and total vulnerabilities, your environment shouldn't turn into a house of horrors. There were 74 vulnerabilities reported by Microsoft, three of which are rated as critical. There was one exploited vulnerability, and while this was only rated “High”, it is nonetheless important as it involved the Microsoft Windows Operating System. In addition, there were three vulnerabilities rated “High” that were publicly disclosed.
Adobe has posted a security update for Adobe Acrobat and Reader addressing 2 critical and 2 moderate vulnerabilities. Earlier in the month, Mozilla released five security advisories, all marked as high impact, for Thunderbird, Firefox ESR, and Firefox 93. Also earlier in the month, Google released a new Chrome version to fix four vulnerabilities, including two zero-days being actively exploited in the wild.
Apple has released iOS 15.0.2 and iPadOS 15.0.2 to fix a zero-day vulnerability that is actively exploited in the wild in attacks targeting iPhones and iPads. While Apple has not provided any details on how this vulnerability was used in attacks, they state that there are reports of it being actively used in attacks.
Automox recommends that all critical and exploited vulnerabilities are patched within a 72 hour window, in particular those highlighted this month. With a lighter load than average this month, hopefully SecOps and IT teams will not see their patching activities turned into “fright night.”
Patch Tuesday Action Plan
Microsoft reported 86 vulnerabilities, three of which are rated as critical. In addition, there were two vulnerabilities that while only rated as “High Severity,” nonetheless are classified as zero-days. CVE-2021-40444 is the only actively exploited vulnerability while CVE-2021-36968 is publicly disclosed with no active exploitation known.
Microsoft also posted 25 vulnerabilities affecting the Chromium-based Microsoft Edge. Similarly, Google has released Chrome 93.0.4577.82 for Windows, Mac, and Linux to fix 11 security vulnerabilities, 2 of them being zero-days exploited in the wild.
Adobe has released a large number of security updates, spanning across 15 products. The security update addresses many different vulnerability types ranging from “important” to “critical” in severity. Additionally, Mozilla released 5 separate security advisories spanning across multiple versions of Firefox, Firefox ESR, and Thunderbird.
Finally, Apple released security updates in multiple products to address a duo of vulnerabilities that “may have been actively exploited in the wild.” CISA has also posted a notification relating to these Apple updates.
Patch Tuesday Action Plan
Fortunately, it was a lighter month than usual with only 51 vulnerabilities addressed from Microsoft, 7 of which are rated as critical, and only 1 being actively exploited in the wild. There are also 7 Chromium vulnerabilities with Unknown severity ratings. We reported on 7/23/2021 about the Windows HiveNightmare (SeriousSAM) vulnerability, which is easily exploitable, impacts Windows 10 build 1809 and up, and has no current patch. Until a fix is released, Microsoft has advised administrators to employ two workarounds for risk mitigation that are outlined in our blog.
Microsoft announced a late addition to the #PatchTuesday workload on Wednesday with CVE-2021-36958, an important vulnerability discovered in the Windows Printer Spooler that could allow remote code execution. More details in the blog linked below.
Adobe released security updates for two products. Adobe products affected include Magento and Connect, given priorities of 2 and 3 respectively. Mozilla has released three high-rated security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system. Both Adobe's and Mozilla's released CVEs are broken down in the action plan diagram to the left.
Patch Tuesday Action Plan
Microsoft ushers in the 2nd half of 2021 with a massive Patch Tuesday, releasing fixes for a total of 116 vulnerabilities, 12 of which are critical severity, and 2 that have already been exploited in the wild.
Microsoft released an out-of-band update, CVE-2021-34527, detailing a remote code execution zero-day vulnerability in the Windows Printer Spooler service that allows attackers to execute code remotely when the service improperly performs privileged file operations. The vulnerability, dubbed "PrintNightmare", follows the earlier CVE-2021-1675 in June that also fixed a remote code execution vulnerability in the same service. This newer vulnerability is rated as critical and scores a CVSS base score of 8.8.
Adobe issued multiple security bulletins this month for Acrobat & Reader, Dimension, Illustrator, Framemaker, and Bridge. In particular, we highlight the Acrobat and Reader vulnerabilities affecting both Windows and macOS operating systems.
Patch Tuesday Action Plan
Microsoft addressed 49 vulnerabilities in this month’s Patch Tuesday update. While the number of vulnerabilities in June was only 5 fewer than May, it represents 33% fewer vulnerabilities on average for each month so far this year. Of those vulnerabilities, 5 were rated as critical, the same as last month, and 52% lower on average. Unfortunately, 6 vulnerabilities are being actively exploited in the wild, equaling the highest number seen so far this year. Therefore, we have 6 zero-days from Microsoft this month.
Adobe released security updates for 10 products. Each bulletin received Adobe Priority Rating 3, except for the bulletins for Acrobat & Reader and Experience Manager which were raised to Priority Rating 2.
At the beginning of June, Mozilla released four security updates covering Firefox 89, Firefox ESR 78.11, Firefox for iOS 34, and Thunderbird 78.11. You can view the latest Mozilla advisories here.
Patch Tuesday Action Plan
Microsoft's May Patch Tuesday saw 55 security fixes compared to 108 tallied in the month of April. We are currently tracking 4 critical vulnerabilities, none of which are being exploited in the wild to the best of our knowledge and vendor communications.
Earlier in May, Mozilla released updates for a number of products including Firefox, Firefox ESR, and Thunderbird. You can view their latest security bulletins here.
Adobe has also released a large number of fixes, with a total of 25 critical CVEs.
Patch Tuesday Action Plan
April’s Patch Tuesday yields 108 new Microsoft security fixes, delivering the highest monthly total for 2021 (so far) and showing a return to the 100+ totals we consistently saw in 2020. This month’s haul includes 19 critical vulnerabilities and a high-severity zero-day that is actively being exploited in the wild. Along with Microsoft’s release, we’re also seeing multiple browser related vulnerabilities this month that should be addressed immediately.
On Twitter, a security researcher has disclosed a zero-day remote code execution vulnerability that works on the current version of Google Chrome and Microsoft Edge. Finally, Adobe has released fixes for 10 total vulnerabilities spanning across Adobe Photoshop, Bridge, Digital Editions, and RoboHelp.
Patch Tuesday Action Plan
Microsoft addresses 89 new vulnerabilities this month, representing a 60% increase from February. Of this total, 14 are rated as “critical” with 5 that are being actively exploited in the wild, 4 of which are specific to Microsoft Exchange Server. Last week, Microsoft released security updates addressing 7 Exchange Server vulnerabilities due to the urgent nature of the vulnerabilities. There were 7 CVEs in total, including the 4 critical zero-days. Microsoft attributed the weaponization of these to a Chinese state-sponsored hacking group known as “Hafnium.”
Adobe had a modest release of five security updates addressing a handful of vulnerabilities, nine of which are critical affecting Creative Cloud Desktop Application (APSB21-18), Connect (APSB21-19), Framemaker (APSB21-14), Animate (APSB21-21), and Photoshop (APSB21-17).
In late February, Mozilla released a security advisory for vulnerabilities fixed in Firefox, Firefox ESR, and Thunderbird.
Patch Tuesday Action Plan
February is often thought of as the month of love, and Microsoft certainly showed us some love this month. They released a minimal 56 patches, with 11 being Critical. While the overall number of vulnerabilities fixed this month is relatively low, there is still cause for concern. CVE-2021-1732 is a locally exploited Windows Win32K elevation of privilege bug that is actively being exploited in the wild. It's also worth noting that all 11 of the Critical rated updates fix Remote Code Execution vulnerabilities.
Adobe has released fixes for numerous vulnerabilities spanning across Dreamweaver, Illustrator, Animate, Photoshop, Magento, Acrobat, and Reader. Adobe has received a report that CVE-2021-21017 has been exploited in the wild in limited attacks targeting Adobe Reader users on Windows.
Earlier in the month, Mozilla released a security advisory for vulnerabilities fixed in Firefox 85.0.1 and Firefox ESR 78.7.1. This advisory was deemed a Critical fix. Apple also released updates for macOS Catalina and macOS Mojave, as well as a macOS Big Sur 11.2 Security Update. You can view details of these Apple updates here.
Patch Tuesday Action Plan
The first Patch Tuesday of 2021 brings 83 new Microsoft vulnerabilities, including 10 critical updates. All critical CVEs are remote code execution (RCE) bugs with the only exception being a memory corruption vulnerability. Vulnerabilities of note include CVE-2021-1647, a zero-day Microsoft Defender remote code execution vulnerability with exploitation detected in the wild. Two Important-rated vulnerabilities are deemed more likely to be exploited: CVE-2021-1707 and -1709.
In January, Mozilla released a fix for one critical security vulnerability found in Firefox, Firefox ESR, and Firefox for Android. They also have released an update for one critical security vulnerability in Thunderbird 78.6.1.
Additionally, Adobe released a multitude of updates across their products, including Adobe Bridge, Captivate, InCopy, Campaign Classic, Animate, Illustrator, and Photoshop. View the patch index below for more details.