Every Patch Tuesday, speed is your biggest advantage for ensuring the security of your infrastructure. It’s a
race to harden your endpoints before adversaries exploit these new vulnerabilities.
Automox is here for you. Our experts analyze Patch Tuesday announcements from Microsoft, Adobe, and more to give
you strategies for acting now. Turn here for intelligence alerts, recommended remediation strategies for current
vulnerabilities and exploits, and a live webinar that breaks down these new threats.
Patch Tuesday Action Plan
Microsoft addresses 89 new vulnerabilities this month, representing a 60% increase from February. Of this total, 14 are rated as “critical” with 5 that are being actively exploited in the wild, 4 of which are specific to Microsoft Exchange Server. Last week, Microsoft released security updates addressing 7 Exchange Server vulnerabilities due to the urgent nature of the vulnerabilities. There were 7 CVEs in total, including the 4 critical zero-days. Microsoft attributed the weaponization of these to a Chinese state-sponsored hacking group known as “Hafnium.”
Adobe had a modest release of five security updates addressing a handful of vulnerabilities, nine of which are critical affecting Creative Cloud Desktop Application (APSB21-18), Connect (APSB21-19), Framemaker (APSB21-14), Animate (APSB21-21), and Photoshop (APSB21-17).
In late February, Mozilla released a security advisory for vulnerabilities fixed in Firefox, Firefox ESR, and Thunderbird.
Thank you! The latest vulnerability news and insights will be delivered right to your inbox!
Previous Action Plans
Patch Tuesday Action Plan
February is often thought of as the month of love, and Microsoft certainly showed us some love this month. They released a minimal 56 patches, with 11 being Critical. While the overall number of vulnerabilities fixed this month is relatively low, there is still cause for concern. CVE-2021-1732 is a locally exploited Windows Win32K elevation of privilege bug that is actively being exploited in the wild. It's also worth noting that all 11 of the Critical rated updates fix Remote Code Execution vulnerabilities.
Adobe has released fixes for numerous vulnerabilities spanning across Dreamweaver, Illustrator, Animate, Photoshop, Magento, Acrobat, and Reader. Adobe has received a report that CVE-2021-21017 has been exploited in the wild in limited attacks targeting Adobe Reader users on Windows.
Earlier in the month, Mozilla released a security advisory for vulnerabilities fixed in Firefox 85.0.1 and Firefox ESR 78.7.1. This advisory was deemed a Critical fix. Apple also released updates for macOS Catalina and macOS Mojave, as well as a macOS Big Sure 11.2 Security Update. You can view details of these Apple updates here.
The first Patch Tuesday of 2021 brings 83 new Microsoft vulnerabilities, including 10 critical updates. All critical CVEs are remote code execution (RCE) bugs with the only exception being a memory corruption vulnerability. Vulnerabilities of note include CVE-2021-1647, a zero-day Microsoft Defender remote code execution vulnerability with exploitation detected in the wild. Two Important-rated vulnerabilities are deemed more likely to be exploited, these are CVE-2021-1707 and -1709.
Additionally, Adobe released a multitude of updates across their products, including Adobe Bridge, Captivate, InCopy, Campaign Classic, Animate, Illustrator, and Photoshop. View the patch index below for more details.
The first gift of the holiday season comes from Microsoft in the form of the second lightest Patch Tuesday release of the year. December's total of 58 new vulnerabilities pales in comparison to previous months, bringing 9 critical updates, all of which are remote code execution (RCE) bugs with the only exception being a memory corruption vulnerability.
Adobe has patched multiple critical vulnerabilities for December across Adobe Experience Manager, Adobe Lightroom, Adobe Prelude, and Acrobat. While lighter than usual, the most severe allow for arbitrary code execution including three critical severity CVEs and one less severe flaw identified.
Back to triple-digit Microsoft patches, we have 112 total vulnerabilities with 17 earning the Critical ranking. View the blog linked below for in-depth commentary from the Automox experts on the latest vulnerabilities.
November is jam-packed full of third-party vulnerabilities, so we went ahead and included some out-of-band patches that were released between the October and November Patch Tuesdays. View our Patch Index below for further details on these releases. Included in the aforementioned third-party patches are three zero-days from Apple as a part of the macOS Catalina 10.15.7 update. Google also released a patch for CVE-2020-16009, a vuln with known exploit code in the wild.
While October’s Patch Tuesday presents us with a lighter load than what we’ve grown accustomed to over the course of 2020, we still have 89 Microsoft patches and a bevy of critical RCE vulnerabilities to contend with this month.
The number of vulnerabilities patched by Microsoft is a bit lighter this month than the last few months, but the number of RCEs still stays somewhat steady. This presents a challenge to IT Ops and Sec Ops teams to patch these RCEs as soon as possible.
This month, Microsoft has released fixes for 129 vulnerabilities. Of these, 23 patches are rated as
critical and seven as important. Windows admins are going to have their hands full this month, especially given the
trend of 100-plus patching updates we’ve seen for the last several months.
For September, Adobe and Mozilla have also released a number of patches with critical and high severity
ratings. As the remote work trend continues to grow, many organizations are finding that managing endpoints
with legacy, on-premise solutions is an inefficient approach. And with such heavy patching loads coming out
every month, the need for speed and efficiency is becoming even more pronounced.
Microsoft has released 120 vulnerabilities, 17 of which are deemed Critical. There is one zero-day, CVE-2020-1380, and one publicly disclosed vulnerability, CVE-2020-1464. However, this month’s patch update showcases
that CVSS rating isn’t the end-all, be-all of patching, as one of this month’s exploited vulnerabilities is
rated important. Any vulnerability can be exploited, regardless of its rating.
For August, Adobe has also released fixes for Lightroom, Acrobat and Reader. Additionally, Adobe released a
number of out-of-band patches throughout July, highlighting the importance of keeping a close eye on your
Microsoft has released 123 new security vulnerabilities, 18 of which are deemed Critical. One vulnerability is particularly concerning. CVE-2020-1350 is a Critical Remote Code Execution (RCE) vulnerability in Windows DNS Server and is classified as a ‘wormable’ vulnerability with a CVSS base score of 10.0. This issue results from a flaw in Microsoft’s DNS server role implementation and affects all Windows Server versions.
Previous to Patch Tuesday, Microsoft released 2 out-of-band patches addressing two remote code execution (RCE) vulnerabilities. Adobe released multiple security vulnerabilities for a variety of products while Mozilla released a number of patches for Firefox, Firefox ESR, and Thunderbird. More updates to come throughout the day.
Microsoft continues on their trend of triple-digit vulnerabilities with 129 in June. Of these, 11 are rated critical. The June Patch Tuesday is not short of updates for the Microsoft ecosystem. From Windows OS to browsers, Sharepoint to SMBv3, the release of these patches goes to show that an organization needs to have a proactive approach to endpoint hardening as these can add up month after month if left unaddressed.
Adobe released three updates addressing a number of vulnerabilities. These updates include three critical vulnerabilities in Adobe Framemaker and one critical vulnerability in Adobe Flash Player. Mozilla also released updates earlier in the month for Firefox, Firefox ESR, and Thunderbird. View our Patch Index for further details about the latest patch updates.
Microsoft released patches to address 111 new vulnerabilities, with 16 critical vulnerabilities. Notable vulnerabilities include CVE-2020-1023, CVE-2020-1102, and CVE-2020-1135. May continues the “New Normal” of triple-digit vulnerabilities!
We've included security updates released between last Patch Tuesday and this one, including advisories for Adobe Bridge, Illustrator, Magento, Acrobat and Reader, and DNG Software Development Kit. Mozilla released three critical security advisories for Firefox 76, Firefox ESR 68.8, and Thunderbird 68.8.0 as well as one moderate advisory for Firefox for iOS 25. View our May Patch Index for more info.
Mozilla Firefox and Adobe both released security updates between last Patch Tuesday and this one, so we've included their fixes here. Firefox had 2 notable zero-days that you'll want to fix.
This month, Microsoft is rolling out security fixes for a total of 113 vulnerabilities, 15 of which are rated critical. April’s Patch Tuesday rollout also features patches for three actively exploited zero-day vulnerabilities and two publicly disclosed vulnerabilities. Earlier in the month, an out-of-band patch for a Windows 10 Internet connectivity issue was also released.
Due to current events, many organizations have seen their remote workforce expand dramatically, seemingly overnight. Patching remote devices with legacy technology can be cumbersome in the modern tech landscape, for both IT staff and remote workers. Regardless, deploying security updates quickly remains as important as ever.
With a record month for CVEs last month, we expected March to be a light release. Boy were we wrong! Microsoft dropped off 115 CVEs, 26 of which were deemed critical. To add on, Firefox released 12 vulnerabilities for Firefox 74 and Firefox ESR68.6. View our Patch Index below for full details.
View the Automox Automating Patch Tuesday Webinar: March 2020 with Patch Tuesday expert Jay Goodman. During the webinar, we highlighted key vulnerability dislcosures that may require immediate action within your environment.
Microsoft released fixes for 99 security vulnerabilities this month, 12 of which are rated critical --
nearly double the number of patches we saw in January. February’s update also includes a fix for a
zero-day vulnerability in Internet Explorer that’s being actively exploited in the wild. Microsoft
suggests patching for these vulnerabilities as soon as possible.
Adobe released patches to 35 critical security vulnerabilities, with 21 in Framemaker, 12 in Acrobat
and Reader, one in Digital Editions, and one in Flash Player. Mozilla also released updates for Firefox
73, Firefox ESR 68.5, and Thunderbird 68.5.
The first Patch Tuesday of 2020 brought 49 Microsoft vulnerabilities, 8 of which were deemed critical.
This Patch Tuesday also marks the Windows 7 and Server 2008 End-of-Lives, which explains the 23 security
fixes for those two products.
View the Automox Automating Patch Tuesday webinar below for insight around the dangerous vulnerability
discovered by the NSA, multiple new remote code execution vulnerabilities, and in-depth discussion
around the latest Microsoft and third-party patches.