What do I do on Patch Tuesday?


I wanted to write a post about what I do on Patch Tuesdays as a Security Engineer. This would have been helpful to me when I first started with zero experience in vulnerability management. Feel free to critique. I’m always open to ideas.

Patch Tuesday occurs every second Tuesday of the month. It’s when Microsoft releases software updates to plug issues identified over the past month or so. They are a mix of security and non-security updates.

Security updates are denoted by SU and cumulative updates by CU. Cumulative updates mean that as long as you have the latest update applied, all previous issues will have been “patched”: there is no need to go back and apply anything older than the latest month’s update. Security updates are packaged into cumulative updates.

My job during this period is to evaluate whether anything requires escalation in terms of patching. There are patching schedules already set up to apply updates across our Windows laptops and servers. I am mainly trying to assess:

  • Do we need to apply any updates urgently?
  • Do we need to put in place any mitigations/workarounds for any vulnerabilities identified this month?

My checks actually start before Patch Tuesday. Microsoft sends out advance notifications around a week or so before Patch Tuesday to their Premier customers. I don’t fully know what Premier Customer means but I know we are one so we receive these emails. They give an overview of the product family, severity and impact of upcoming updates. Generally, I haven’t found these to be too useful as details are scarce at this point. I think they are supposed to prep deployment teams for upcoming patches. Has anyone found these useful?

On Patch Tuesday itself, I look for information on the latest updates released:

Microsoft’s page is a good place to start: https://msrc.microsoft.com/update-guide/

We are a very small team with a lot of areas to cover so I don’t always have time to go through every single item. I use security websites, Twitter and Mastodon to see if anything urgent has been reported.

Some sites I look through:

  • bleepingcomputer
  • theregister

Twitter accounts (these people are legends):

  • Will Dorman
  • Justin Elze
  • vx-underground

Blogs/LinkedIn

  • Double Pulsar by Kevin Beaumont (another lej).
  • Marcus Hutchins (awesome story).

There are more but I like the above mentioned people because of their writing style and human approach to cyber security. During Patch Tuesday, I find there is a lot of sensationalist reporting with click bait titles and YouTube thumbnails. They make you panic and stress which isn’t helpful to me. The guys above bring a sense of calm and just say how it is.

On the Wednesday, I attend a Microsoft webinar about the month’s updates. Again, I think this is a Premier Customer invite but I am not sure. Contact your Microsoft rep and ask about Microsoft’s Monthly Patch Tuesday Briefing if you want to know more. I’ll update this post if I find out how to get invites. It’s over Teams and it’s usually quite useful. The speakers go into some detail about CVEs and we can download the slides. The download also contains reports on the latest threats and any product information we might be interested in. It’s a good briefing to attend. They also have SMEs on the panel so you can throw questions in the chat about anything to do with Patch Tuesday. One thing to note about their slides: when a slide says no mitigations or workarounds are available, it actually means that applying the update is what you need to do to fix the vulnerability in question.

What am I looking for?

  • Are there any Zero Days? If so, any evidence of exploitation? Is there a POC available? Try to understand how the vulnerability can be exploited.
  • Any CVEs with low user interaction required and/or low complexity meaning they are easier to exploit. Adversaries will most probably choose the path of least resistance.
  • Outlook/Exchange related CVEs — normally exploited via phishing emails.
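To make the questions above repeatable, here is an added example (my own illustration, not anything from the post or from Microsoft) that scores a month's CVEs against exactly those criteria: known exploitation, public disclosure or PoC, low attack complexity, no user interaction, and Outlook/Exchange products. The records and CVE ids are constructed placeholders, and the field names are an assumption loosely modelled on the Update Guide columns, not a real MSRC export.

```python
"""Triage a month's Patch Tuesday CVEs by the post's escalation criteria."""

# Constructed sample records; CVE ids and vectors are placeholders, not real advisories.
SAMPLE_CVES = [
    {"cve": "CVE-0000-0001", "product": "Windows Server", "severity": "Critical",
     "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
     "exploited": True, "publicly_disclosed": True, "poc": True},
    {"cve": "CVE-0000-0002", "product": "Microsoft Outlook", "severity": "Important",
     "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
     "exploited": False, "publicly_disclosed": False, "poc": False},
    {"cve": "CVE-0000-0003", "product": "Windows 11", "severity": "Important",
     "cvss_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
     "exploited": False, "publicly_disclosed": False, "poc": False},
]


def parse_vector(vector):
    """Split a CVSS v3 vector string into a dict, e.g. {'AV': 'N', 'AC': 'L', ...}."""
    parts = vector.split("/")[1:]  # drop the 'CVSS:3.1' prefix
    return dict(p.split(":") for p in parts)


def triage(entry):
    """Return (score, reasons): one reason per criterion from the post that applies."""
    v = parse_vector(entry["cvss_vector"])
    reasons = []
    if entry["exploited"]:
        reasons.append("zero-day: exploitation observed")
    if entry["publicly_disclosed"] or entry["poc"]:
        reasons.append("publicly disclosed / PoC available")
    if v.get("AC") == "L":
        reasons.append("low attack complexity")
    if v.get("UI") == "N":
        reasons.append("no user interaction required")
    if any(p in entry["product"] for p in ("Outlook", "Exchange")):
        reasons.append("Outlook/Exchange: likely phishing vector")
    return len(reasons), reasons


def assess(cves, escalate_at=2):
    """Rank CVEs worst first; escalate_at is an assumed threshold (reasons needed
    to raise the CVE with stakeholders), everything else is 'patch as normal'."""
    ranked = sorted(cves, key=lambda e: triage(e)[0], reverse=True)
    result = []
    for e in ranked:
        score, reasons = triage(e)
        verdict = "ESCALATE" if score >= escalate_at else "patch as normal"
        result.append((e["cve"], verdict, reasons))
    return result
```

The threshold is deliberately a parameter: the post's usual outcome is "patch as normal", so tune it to how often your team can absorb an out-of-cycle push.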

What Next?

Set up tracking in our Vulnerability Management tool. Patch Tuesday detections normally kick in on the Wednesday or Thursday so I make sure we have a way to track them beforehand. Throughout the month, particularly at the end of patching cycles, I check to see if there are any assets with outstanding patches and report back to the team who are responsible for patching.

Communicate my assessments to my stakeholders. Who are they?

  • Management
  • Infrastructure team, responsible for patching servers
  • Client Technologies team, responsible for laptops and desktops.
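For the tracking step above (checking which assets still have outstanding patches and reporting back to the team that owns them), here is an added example of my own, not from the post or any vulnerability management product. It applies the cumulative-update rule from earlier in the post: a host is current if its installed CU is at least as new as this month's. Hostnames, the KB number, dates and the team-by-asset-kind mapping are constructed assumptions.

```python
"""Outstanding-patch report per owning team, using cumulative-update semantics."""
from datetime import date

# This month's cumulative update (placeholder KB number, constructed date).
LATEST_CU = {"kb": "KB0000000", "released": date(2024, 1, 9)}

# Constructed inventory: the release date of the CU each host currently has.
ASSETS = [
    {"host": "srv-app-01", "kind": "server", "installed_cu": date(2024, 1, 9)},
    {"host": "srv-db-02", "kind": "server", "installed_cu": date(2023, 11, 14)},
    {"host": "lt-finance-07", "kind": "laptop", "installed_cu": date(2023, 12, 12)},
    {"host": "lt-hr-03", "kind": "laptop", "installed_cu": date(2024, 1, 9)},
]

# Assumed mapping of asset kind to the stakeholder team that patches it.
OWNER = {
    "server": "Infrastructure team",
    "laptop": "Client Technologies team",
    "desktop": "Client Technologies team",
}


def is_outstanding(asset, latest=LATEST_CU):
    """Because CUs are cumulative, only the newest one matters: a host is
    outstanding if its installed CU is older than this month's release."""
    return asset["installed_cu"] < latest["released"]


def months_behind(asset, latest=LATEST_CU):
    """Whole months between the installed CU and the latest CU release."""
    latest_d, inst = latest["released"], asset["installed_cu"]
    return (latest_d.year - inst.year) * 12 + latest_d.month - inst.month


def report(assets, latest=LATEST_CU):
    """Group outstanding hosts by owning team, furthest behind first."""
    out = {}
    for a in assets:
        if is_outstanding(a, latest):
            team = OWNER[a["kind"]]
            out.setdefault(team, []).append((a["host"], months_behind(a, latest)))
    for team in out:
        out[team].sort(key=lambda t: t[1], reverse=True)
    return out
```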

I make a judgement on whether anything needs escalating or whether we patch as normal. More often than not, the message is keep calm and patch as normal. On a few occasions, I have asked for some atypical actions to be taken. That could mean:

  • Test updates on a larger/more varied test group
  • Apply patches to larger batches of assets
  • Consultation or investigation into a feature I am not familiar with that is now found to be vulnerable this month
  • Investigate exploit conditions, e.g. registry key checks, vulnerable software versions, etc.

There’s probably more that I will add later when I think of them. One time we actually decided not to apply that month’s updates because we found it was bricking laptops and we were satisfied mitigations were in place for anything that needed attention.

Patch Tuesday can seem like a big minefield to navigate. I would say teamwork is essential: keep calm, keep stakeholders informed and be able to back yourself with evidence. Hope this post helps someone.