July Patch Tuesday Frequently Asked Questions
Although July Patch Tuesday included no zero days, it was still a doozy. There were 20 new bulletins, eight being critical. You can hear all about it on Ivanti’s Patch Tuesday Analysis webinar and in our analysis blog post.
Make sure you join our monthly analysis webinar for a breakdown of everything Patch Tuesday. In our July webinar, we had a ton of great questions. Here are some of the most frequently asked questions and answers from July Patch Tuesday.
Q: What are your recommendations to patch Spectre and Meltdown and all of its variants?
- A: Panic and give up. Just kidding. Here are some helpful links for the variants:
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180012
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180016
Q: In the news section, you mentioned that over 800 e-commerce sites worldwide were affected. Do you have a list of these sites?
- A: At this time, it appears the issue is still under investigation. You can get some insight here, but there does not seem to be anything available beyond that.
Q: What are the product lifecycle differences between Windows Server 2016 and Windows 10?
- A: There are 2 branches for Windows 10 (semi-annual and LTSB) and one branch for Server 2016. Support for the semi-annual branch ends October 9th, 2018, while support for LTSB and Server 2016 ends in 2026.
Q: Is everyone experiencing ridiculous post-patching reboot times in Server 2016... like 20-40+ minutes just for the reboot?
- A: Yes, this is consistent in our testing. These reboots are getting notoriously long as each month increases the size of the cumulative update.
Q: We deploy our patches via IBM BigFix to Srv2008, Srv2012 and 2016. 2008 only requires one reboot to apply patches, but 2012 & 2016 require multiple reboots. Why is this?
- A: If you're referring to a single deployment rebooting multiple times after patching, we've noticed this in our testing since Microsoft adopted the cumulative patch model for Server 2012, 2012 R2 and 2016. Server 2008 still receives separate, traditional patches, so one reboot is expected.
Q: Is KB4099950 still relevant in regards to the ongoing NIC issue with Windows 7/2008 R2?
- A: We haven’t read about the VMware NIC issue recently, but our security expert attempted to reproduce the issue with the May content on their ESX VMs. They fortunately did not lose their IP settings after reboot, but we can't say with 100 percent certainty that it's fixed.
Q: How do we apply the service stack update? Does that come with the normal patches?
- A: The servicing stack updates are listed as non-security in our content. The bulletin ID should be named MSNS18-XX-XXXXXXX where the first 2 are the month and the last 2 are the KB number.
Q: Does the monthly rollup (MR) include everything going back to October 2016 but the security only bundle (SO) include this month only?
- A: The SO will only remediate the CVEs for this month, without any additional non-security fixes, while the MR will remediate all security and non-security fixes since October 2016 for the operating system.
Q: Does the Ivanti engine determine if the client needs the SO vs the MR?
- A: We offer both the SO and the MR to an endpoint. To differentiate, we classify the MR as non-security because it contains non-security fixes alongside the security remediations.
Q: Do I need to apply Office 2013 patches on machines that have Office 365 Business Premium?
- A: No, the separate patches are only for the MSI install. Office 365 is updated through a different path; the release history is here.
Q: Any thoughts on updates classified as “Feature Packs” for WSUS? (For example, .NET 4.7.2)
- A: The feature packs have more in common with a software distribution package, where you can easily install and upgrade to newer .NET packages. Without the feature packs, the .NET versions currently installed throughout your environment will only be patched within their respective versions.
Q: Last month there was some new Spectre/Meltdown guidance around changing registry settings. I thought Ivanti was going to release a new security tool to cover those changes. Has that been done? If so, where can I find it?
- A: We were going to release that last month; however, we had a few stability issues around flipping those keys on the endpoints. Now that the SSBD fix is covered on all Windows OSes, we should be releasing that shortly.