CyberSecurity SEE

September 2023 Patch Tuesday Forecast: Important Federal Government News

Microsoft released security updates for Windows 10 and 11 last month, addressing a total of 33 Common Vulnerabilities and Exposures (CVEs). This marked a significant decrease from the previous month, which saw nearly three times that number of CVEs being addressed. However, despite the lull in CVEs, Microsoft still provided new security updates for other software such as Microsoft Exchange Server, .NET Framework, and SQL Server.

Looking ahead, there are several upcoming end-of-life events that organizations need to plan for. But before delving into forecasts, there are a couple of announcements from the government that are worth noting.

The National Institute of Standards and Technology (NIST) released the public draft of version 2.0 of its Cybersecurity Framework on August 8th. This came shortly after FIRST published its preview of CVSS 4.0. CVSS 4.0 is scheduled to be finalized around October 1st, while NIST is accepting comments on the Cybersecurity Framework draft until November 4th, with the final version expected in early 2024.

Originally released in 2014, the NIST Cybersecurity Framework has undergone a significant update based on user feedback. The framework, which was initially aimed at critical infrastructure, now explicitly addresses organizations of all types and sizes. NIST has added a new ‘govern’ function to the existing five functions of identify, protect, detect, respond, and recover. This new function covers how an organization makes and carries out internal decisions in support of its cybersecurity strategy. Additionally, NIST has expanded its guidance on profiles, which tailor the framework to specific use cases, and has added implementation examples showing how to put the framework into practice. The Cybersecurity Framework also includes cross-references to other frameworks such as the CIS Critical Security Controls and the ISO 27000 series.

In another government-related announcement, the Department of Homeland Security’s Cyber Safety Review Board (CSRB) revealed plans for its third review this year. The review will focus on malicious targeting of cloud computing environments and will emphasize approaches to strengthen identity management and authentication in the cloud. It was prompted by the Microsoft Exchange Online intrusion earlier this year. The CSRB, made up of representatives from government and industry, aims to analyze the event, identify its root cause, and make recommendations based on lessons learned. Although the board has no regulatory or enforcement authority, its recommendations will likely influence future actions by government and industry.

Moving on to software updates, Windows 11 23H2 is now available to testers with access to the Microsoft Beta Channel. As the release of Windows 11 23H2 approaches, Windows 11 21H2 is nearing its end of life: the last security updates for Windows 11 21H2 will be issued next month on the October Patch Tuesday. Additionally, Windows Server 2012 and 2012 R2 reach the end of extended support in October, after which security fixes are available only through the paid Extended Security Updates (ESU) program, so organizations need to plan their upgrades accordingly.

In a low-key announcement, Microsoft revealed that WordPad is deprecated and will be removed from a future version of Windows. Microsoft recommends Word for rich-text editing and Notepad for plain text and simple documents.

Looking ahead to the September 2023 Patch Tuesday, Microsoft is expected to address more CVEs than it did last month. The updates for Microsoft’s operating systems will likely carry the bulk of them, and the usual Microsoft Office updates can be anticipated. With the end of support for Windows Server 2012 and 2012 R2 approaching in October, these monthly updates remain important for any systems still running those versions.

On the Adobe front, after a major update last month for Acrobat and Reader, it is unlikely that there will be another update for these applications soon.

In terms of Apple updates, August was relatively quiet. Apple provided two small releases for Ventura and watchOS without any reported CVEs. However, as Apple generally releases security updates in the second half of the month, significant updates can be expected in late September. The release of macOS Sonoma is also on the horizon, with the beta currently available.

For Chrome users, Chrome 116 marks the start of weekly Stable channel security updates, with major milestone builds still arriving every four weeks. The latest Stable channel updates, version 116.0.5845.179 for Mac and Linux and 116.0.5845.179/.180 for Windows, were released earlier this week. The next update can be anticipated around the upcoming Patch Tuesday.

Mozilla released its last round of updates for Firefox, Firefox ESR, and Thunderbird on August 29th. Another round of updates can be expected next week.

In conclusion, the next Patch Tuesday is shaping up to be a busy one, with potentially CVE-laden updates from Microsoft and major releases from third-party applications like Google and Mozilla. Additionally, organizations are encouraged to take a look at the latest version of the NIST Cybersecurity Framework and provide comments to ensure that it meets their needs. Proper planning and timely upgrades will help organizations stay protected and secure in the ever-evolving world of cybersecurity.
