Patch Tuesday

Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritise where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.

Patch Tuesday has been around for years, but there’s too much emphasis on the Microsoft Updates. IT manages many diverse environments, including Mac OS X, and applications from Adobe, Oracle, Google, Mozilla, Citrix, and many other vendors. This can make vulnerability management difficult. Stay on top of patching with Ivanti. To answer any of your other questions, check out our Patch Tuesday FAQs.


April 2020 (15 April)
Join us this month as we recap the Microsoft and 3rd Party security patches released on Patch Tuesday. We will discuss things to watch out for, products to be sure to test adequately, and which patches should be highest priority to roll out.


March 2020 (11 March)

March is most definitely full of madness as Microsoft resolves 115 unique vulnerabilities! The good news is you can predict what to do much more easily than your basketball picks. Patch the OS and browsers and you take care of 97 CVEs from the 115 contenders.

February 2020 (12 February)

Microsoft released a full case of patches—maybe not “99 Bottles of Beer”…but “99 CVEs to Patch”? Unlike the song where you need to take each bottle down and pass it around, the good news here is many of these CVEs can be resolved by applying just a few Microsoft updates. Of highest priority are the operating systems and browsers. And don’t forget to set aside time for Adobe and Mozilla along with a handful of security updates.

January 2020 (15 January)

Nothing like starting off the new decade with rumors your computer cryptography has a vulnerability which can result in a lack of trust for almost everything you do! The reality is that this vulnerability has not been publicly disclosed nor exploited and our friends at Microsoft have a solution. Besides the Crypto vulnerability, the most notable news is still the final public patch release for Windows 7, Server 2008, and Server 2008 R2. Apply the updates soon; major security vulnerabilities are exploited quickly!

December 2019 (11 December)

There are 14 Shopping/Patching Days remaining until Christmas and only one more Patch Tuesday before Windows 7 and Server 2008/2008 R2 reach their inevitable end of support, unless you're among the 59% of IT professionals who still don’t have all of their users on Windows 10. Also make sure you update your Acrobat, Acrobat Reader, and Chrome versions as there are 21 CVEs in the Adobe release and 51 CVEs in Google’s releases this month.

November 2019 (13 November)

Can Patch Tuesday ever be labeled boring? November’s Patch Tuesday light list of advisories and vulnerabilities from Microsoft and Adobe is close. But don’t be tempted to delay or ignore these security updates. In this month’s releases are another Internet Explorer Zero Day and a publicly disclosed Office for Mac vulnerability. The sooner you patch, the sooner you’ll be protected from known security risks. No matter how tedious, stay committed to your digital safety and cyber security to keep your software and systems updated.

October 2019 (9 October)

Thirteen updates from Microsoft released for October! To test age-old superstitions, we conducted an experiment by breaking a mirror while walking with a black cat under a ladder with buckets of salt on top spilling out for good measure. Nothing could possibly go wrong! But just to be safe, knock on wood, grab a rabbit’s foot and join our Patch Tuesday webinar to find out what to expect.

September 2019 (11 September)

Here’s your guide to harvesting September’s software updates to enhance security online. Start with Microsoft to update the zero-day vulnerabilities in the operating systems, and move on to SharePoint. Next, Office, Exchange and .NET are ripe for patching. On the third-party side, Adobe Flash is back with a security update including 2 CVEs. And, keep an eye out for the Google Chrome release available later today or tomorrow. So pick your patches now to boost your yield, and avoid missing out on new features in addition to security fixes.

August 2019 (14 August)

During this summer of sizzling heatwaves throughout the Northern Hemisphere, activity on the security front could get even hotter with new wormable vulnerabilities reported in Microsoft remote desktop services. Protecting your devices and servers works just like the rules of applying sunscreen; apply patching early and often to repel attacks and protect your organization against various exploits. And as you get your patching updates well underway, keep things cool by confirming your patch groups are up-to-date and safe from malware and other threats.

July 2019 (10 July)

Countries celebrating Independence Days in July include Argentina, the Bahamas, Belgium, the Maldives, the United States, and Venezuela. Create your own independence from hackers today by installing patches for Microsoft’s OS, Office, .Net, SQL, VSTS, Microsoft Exchange Server, and some of its other development binaries. Follow up with patching for Mozilla’s Firefox and Firefox ESR. Patching minimizes exposure to threats attacking your network. At Ivanti, we enthusiastically propose celebrating your independence from hackers with picnics, parties, and parades throughout July!

June 2019 (12 June)

"June is bustin’ out all over!” goes the exuberant song written for “Carousel” by Rodgers and Hammerstein. The refrain certainly fits June’s outbreak of software updates, which are bustin’ out all over, far beyond the meadow and the hill! Microsoft has 14 security updates, including 4 publicly disclosed CVEs, and Adobe has one security update. Make your priority patching Windows Operating System, and then Adobe Flash. Remember, increasing sunshine and warm weather won’t discourage the actions of determined attackers. So don’t let your patching slide “Jest because it’s June, June, June!”

May 2019 (15 May)

Superstition holds you shouldn’t buy a broom, wash a blanket, or get married in May. What you should do, though, is patch—and all the more so this May Patch Tuesday! Make quick work of this month’s zero day. No need for superstition there, as that one has proven itself a menace via exploits in the wild. Prioritize everything publicly disclosed and patch the Windows vulnerability primed to unleash a WannaCry-like event two years after the original (to the very month, in fact—so maybe there is something to May superstitions after all).

April 2019 (10 April)

For the Ivanti patch product team, the snow is melting and spring is here—and that means it’s time for April Patch Tuesday spring cleaning. Let’s get our houses in order! Patch what you can, prioritizing Adobe and Microsoft’s OS and browsers. Get rid of Wireshark where possible, because that one’s serving up the bad this month. And remove Shockwave, too, because it’s coming in hot and patching is no longer an option. Exploits are looming there, and that’s not good for your IT team feng shui.

March 2019 (13 March)

Unless you’ve the luck of the Irish—and, really, even if you do—you’ll want a rapid start on March Patch Tuesday. The rainbow this month ends in Windows zero days and public disclosures. And, unlike the elusive four-leaf clover, elevation of privilege is popping up all over, so make sure you’re reviewing your admin privileges when you patch the vulnerabilities in your environment. As we sign off this month, take note that Chrome will need attention, too, starting with the zero day resolved on March 1. May you be halfway to safety before the hackers know you’re vulnerable!

February 2019 (13 February)

The average spent on Valentine’s Day is a topic that’s been making the rounds on social media. It’s generated shock and awe—but it’s nothing compared to the damage one exploited vulnerability can unleash on your organization. So, let’s keep the money in February flowing into flower stores and candlelit dinners, rather than into the pockets of those we’d never choose to date. For February the men (and women) of Patch Tuesday recommend you lavish attention upon Microsoft. Patch the exploited zero day, public disclosures, and privilege escalation vulnerability. Also, make time for the ever-popular target, Adobe. Because nothing leaves a worse taste in your mouth than a breach you could have prevented—unless, perhaps, it’s those chalky conversation hearts.

January 2019 (9 January)

Happy New Year! Celebration continues in 2019 with a mild January Patch Tuesday. But, make sure you’ve deployed Microsoft’s emergency patch, released post December Patch Tuesday, so attackers with a New Year’s zero-day resolution don’t suck all the fun out of your month. Also, take note of the public disclosure, and take this calm before whatever comes next to catch up on Java support changes going forward. Java SE 8 will soon receive its last public update.

December 2018 (12 December)

This December Patch Tuesday attackers have added a smattering of coal to the gifts in our holiday stockings. You don’t want the Flash exploits slipping down the chimney while your back is turned, so make sure Adobe is on your list for maintenance goodies. Attackers could also turn the lights out on your holiday festivities via a Microsoft zero day and public disclosure, so prioritize those CVEs—and make sure you’ve checked off the other updates before shutting off the lights on 2018. Happy patching and happy holidays!

November 2018 (14 November)

Each year in the states we fight to give our intrepid Thanksgiving holiday breathing room between Halloween and the impending onslaught of the Christmas season. So, as “Turkey Day” approaches for Ivanti’s Patch Tuesday team, we’ll take a quick moment now to give thanks for the latest updates that keep us employed. November Patch Tuesday offers up a bountiful selection of CVEs, including 60+ vulnerabilities resolved by Microsoft, Apache updates thrown in to add a pinch of third-party flavor to the affair, and in this mix a zero day and a dash of public disclosures. Take note, though: Like the turkey that will be front and center on our tables in a matter of days, all Patch Tuesday eyes should focus first on the Windows OS and Edge updates.

October 2018 (10 October)

Halloween is just around the corner for many, but October Patch Tuesday hasn't brought with it a host of vulnerability scares. The number of CVEs declined over recent months, so you have a little breathing room to get your house in order. As you plan your patching priorities, though, do keep in mind that Java patches will be out later this month.

September 2018 (12 September)

Across the globe the season is changing, but for September Patch Tuesday the forecast is much as it was last month—another zero day, some public disclosures, a light smattering of third-party updates, and 60+ vulnerabilities resolved by Microsoft. Déjà vu! Also part of our regular patch weather pattern these days, we’re reporting cases of elevation of privilege among the CVEs. So, as we say in this part of the world, “rinse and repeat” with your security procedures: 1) patch in order of criticality, and 2) make sure you have a multi-layered security solution in place.

August 2018 (15 August)

It may be summer in the part of the world where our Patch Tuesday team resides, but hackers don’t take vacations, the patches keep coming, and we’re in the trenches with the lowdown on patch priorities. In particular, you’ll want to address a couple exploited zero days making the most of not only software bugs but also those pesky admin privileges we’re always going on about. And as you get your patch updates well underway, make sure to read Microsoft’s advisory on the new L1TF Meltdown and Spectre variant to keep ahead of possible attacks on that front.

July 2018 (11 July)

Whether you're smack dab in the middle of the "dog days" of summer or entering the coldest month of your year, Patch Tuesday is, as they say, as constant as the weather. The same goes for patch management: This July we recommend you prioritize the Adobe and Microsoft updates and roll out all other patches in a timely fashion. Keep an eye out for Oracle updates too. And whether it's hot or cold where you are, don't forget to layer on security so the apps you can't patch don't expose your business to the elements. 

June 2018 (13 June)

“April showers bring May flowers”—but did you know May flowers bring June bugs? A less known line from that poem for sure, but quite apt for a Patch Tuesday synopsis where software updates are the name of the game. This June there’s more grist for the mill, though there are fewer patches than we’ve seen of late. Take note of the fix for a new zero day targeting a Flash bug. And use this relative downtime to make sure your patch processes are in good working order. Remember: Meltdown and Spectre are back with all new bugs to banish from your IT environment.

May 2018 (9 May)

They say May brings flowers, but we're getting more Patch Tuesday showers this month. Get ready to defend against a heavy downpour of CVEs, including zero-days and other critical vulnerabilities. Rain is also in the forecast in the guise of public disclosures, so patch the holes in those systems before the deluge can begin. And finally? Some of this inclement weather is designed to grant the necessary access rights - so, remember, even with privilege management in place, you need to properly layer on security to keep the storms at bay. 

April 2018 (11 April)

"April showers" the poem begins, and while it's not an all-out storm, April Patch Tuesday provides more than a sprinkling of updates, including critical patches. Take note as well of the out-of-band patch that protects you from an Elevation of Privilege vulnerability as well as the Java update. Java remains a common target for threat actors. In the midst of these clouds, though, here's a silver lining: Microsoft lifted the AV compatibility check prior to delivery of Windows security updates. It's full speed ahead on patching! 

March 2018 (14 March)

March is synonymous with luck, and this March Patch Tuesday luck is on your side. There are some Critical updates. And Microsoft resolved two publicly disclosed vulnerabilities, so you'll want to patch those holes before someone turns your luck from good to bad. And of course - because they're far from as rare as a four-leaf clover - the Meltdown and Spectre updates continue to roll out. But all in all, it looks like you'll get your pot of gold this month in the form of time back to focus on core business goals. 

February 2018 (14 February)

Are you feeling like you'd like to have poked your fingers into the center of the Meltdown and Spectre patches like a box of Valentine's chocolates? There were some unsavory surprises for sure. Fortunately, the kinks are largely worked out and February Patch Tuesday is more straightforward. If there is one word for this month in patching, it's not "love" or "romance" but "privilege." Patch the elevation-of-privilege vulnerabilities, and then take a closer look at your policy on privilege management. Make sure you're keeping attackers from storming the heart of your organization. 

January 2018 (10 January)

It’s 2018, we’re resolved to help you secure your systems against whatever the new year brings, and January Patch Tuesday is bringing it! This month’s updates include a fix for a known Office exploit and a host of patches to tackle the Meltdown and Spectre vulnerabilities. About that last bit, though, take note: there is no known malicious use of these vulnerabilities to date. Take the time you need now to put the patches through their paces and get them in place, because this security issue is likely to tempt the bad guys.  

December 2017 (13 December)

Patch Tuesday December is only a small flurry of updates. Total CVE count from Microsoft is 32 unique CVEs and none of these are exploited or disclosed at this time. Adobe has an update for Flash Player resolving one Moderate CVE. It is still rated as a Priority 2 update, which is why Microsoft has classified the Flash update for IE as Critical. 

November 2017 (15 November)

The holidays are just around the corner. How, you wonder, are we going to tie those into November Patch Tuesday? Through tradition, of course! Because what are the holidays without that treasured recipe you replicate line by line each year? And what is security without steadfast adherence to the list of controls you've put in place? The KRACK vulnerability is another in this year's endless litany of reminders that keeping up with software updates is critical. Be sure you've pushed out the October OS updates - and don't let the tradition slip this month either, as there are quite a few Critical security vulnerabilities to patch. 

October 2017 (11 October)

Around the globe, Halloween and related celebrations are right around the corner. In the states, this is the month of trick-or-treat and pumpkin patches. And out in Redmond, Washington, Microsoft is focused on patches of a different sort—keeping an eye on vulnerabilities hackers could use to unleash nasty tricks upon the world. For October Patch Tuesday you’d be wise to patch all Microsoft CVEs swiftly, publicly disclosed and otherwise, before more than just the one we’ve noted below get exploited.

September 2017 (13 September)

If Equifax and The Shadow Brokers were any indication, September Patch Tuesday drives home the fact that security concerns are alive and well this month. There are some Win10 public disclosures to attend to, and plenty of other Critical updates to go around—so let the update party commence! Plus, this month’s zero day serves as a reminder to limit admin rights in your environment as well.

August 2017 (9 August)

August Patch Tuesday continues the trend of providing some time to get your house in order. Don't let the number of Critical updates fool you: most are expected. You can take those on and attend to some of the revenue-generating business goals waiting in the wings. With no exploits in sight, you might even find yourself whistling while you go about your day. 

July 2017 (12 July)

May and June brought tornadoes of weaponized malware, but we appear to have blue skies in Kansas again for July Patch Tuesday. Don't get too comfortable, though. If history is any indication, we're in the eye of the cyber threat storm. So, use the downtime wisely: fewer updates today mean you can really focus on the public disclosures to get your house in order before the winds start picking up. 

June 2017 (14 June)

Relative calm may have seemed the forecast for June Patch Tuesday, but it turns out we were in the eye of the storm. Adobe came aboard with a critical update. But more to the point, a red sky appeared this morning with a newly exploited SMB vulnerability, and Microsoft is plugging that hole in its boat today. It’s also taken the recent onslaught of attacks as a missive to review legacy software and release additional updates. It’s all hands on deck today for those still relying on older systems.

May 2017 (10 May)

There’s no fix today for Microsoft’s new “crazy bad” vulnerability in the Malware Protection Engine. Stay tuned and stay vigilant—while you tackle what May Patch Tuesday does have to offer. Top of mind should be the updates that patch exploited vulnerabilities as well as the Flash Player update. And in this second month since Microsoft nixed security bulletins, you’ll see we’re making tweaks to our approach to keep updates organized and easy to reference.

April 2017 (11 April)

Given last month’s torrential patch downpour, April Patch Tuesday was bound to make a quieter entrance - but that doesn’t mean that it sprinkled. Anything but, in fact. The list includes swan song security updates for one Windows OS and the first of many for another. And speaking of Vista: patch away, then deal with the aging software you can no longer patch. This month’s IIS 6.0 Zero Day underlines the need for continued vigilance.

March 2017 (15 March)

March Patch Tuesday certainly came in like a lion, with Microsoft releasing two months of updates at once. February’s SMB Zero Day disclosure made its entrance this month, IE updates struck out on their own, and those are far from the only bulletins to take the March Patch Tuesday stage. Rumors of the demise of Patch Tuesday Security bulletins have been greatly exaggerated.

January 2017 (10 January)

January has ushered in a new year of Patch Tuesdays with a manageable number of updates and no exploits or Zero Day vulnerabilities. This could be the calm before the storm. This is the lightest Patch Tuesday since January 2014. Next month you should expect some adjustments and more updates as Microsoft changes methodologies. This is also the last Patch Tuesday where Microsoft will use Security Bulletins.

December 2016 (13 December)

December Patch Tuesday has a flurry of exploits and public disclosures. Coming in to Patch Tuesday we already had one Zero Day from Mozilla (CVE-2016-9079), which updated on November 30th. Today Adobe released 9 bulletins, including a Critical update for Adobe Flash that resolves a Zero Day (CVE-2016-7892). And Microsoft is updating Flash for IE and resolving 5 publicly disclosed vulnerabilities.

November 2016 (8 November)

While the results of today’s US presidential election may be out of your hands, you can still impact the outcome of Patch Tuesday on your environment. You can’t buy votes for your favorite candidate, but you can buy yourself some time by implementing privilege management and application control. Reduce the risk of threats that could target your users before patches get applied.

October 2016 (11 October)

After several months with no zero day disclosures, October Patch Tuesday brings updates for four vulnerabilities already exploited in the wild. Beginning this month, Microsoft and Adobe are also changing how they distribute their updates, which may impact how you can access the patches. Finally, we are expecting a Google Chrome release today and Oracle’s Quarterly CPU next week, so plan on updates for Java JRE and many other Oracle solutions.

September 2016 (13 September)

This month's Patch Tuesday includes several critical updates that address vulnerabilities targeting end users, all of which should be considered top priorities. Both Adobe and Microsoft also released critical updates for Flash Player. September 2016 will be the final Patch Tuesday on the old servicing model. Starting in October, Microsoft has announced a change to the servicing models for all pre-Windows 10 operating systems.

August 2016 (9 August)

Google and Mozilla both released their critical updates last week, and there is plenty more to think about from Microsoft. This month, all five of the Critical bulletins from Microsoft addressed user-targeted vulnerabilities.  If you haven't already, it may be time to consider adding privilege management as extra protection against these kinds of threats. Finally, if you are looking at the most recent Windows 10 update, you might want to hold off for a bit.

July 2016 (12 July)

Even though there are no Zero Day vulnerabilities, July's Patch Tuesday is far from boring. Several of the vulnerabilities are user-targeted and could be mitigated with proper privilege management - a good reminder of the value of a layered security defense in protecting against both unknown and currently unpatched vulnerabilities.

June 2016 (14 June)

It is raining in the UK and Adobe Flash Player has a zero day. Neither of these events is all that surprising. CVE-2016-4171 was observed in limited, targeted attacks by members of Kaspersky Lab. Adobe has announced an imminent release of Adobe Flash Player as early as Thursday June 16 to add to Microsoft's 16 bulletins.

May 2016 (10 May)

Patch Tuesday has a few juicy surprises for us. One vulnerability being exploited in the wild affects both Internet Explorer and Windows, and two public disclosures will raise concerns with Internet Explorer and .Net Framework.  We also have a Zero Day in Flash Player.

April 2016 (12 April)

Leading up to April Patch Tuesday has been like the weather forecast with the stormy hype around the Badlock vulnerability that affects Samba and Windows. With Badlock, instead of rain, the reality is partly cloudy. There are eight total CVEs related to Badlock; only one affects Windows (MS16-047). The other 12 bulletins from Microsoft and updates from Adobe and Oracle should be the focus for this month.

March 2016 (8 March)

March Patch Tuesday brings lots of updates, but no public disclosures or exploited vulnerabilities - yet. The Microsoft updates tackle social engineering threats, addressing vulnerabilities in the IE and Edge browsers and Windows, where users might be convinced to open specially crafted web content, files and media.

February 2016 (9 February)

February Patch Tuesday started a bit early with Oracle releasing an out-of-band update for Java to resolve a critical vulnerability that allows DLL Hijacking. Microsoft has released 13 bulletins, six of which are critical, resolving a total of 42 vulnerabilities. Of the vulnerabilities being resolved, two have been publicly disclosed. We also have releases from Adobe for Flash and Photoshop, Mozilla for Firefox, and Google is expected to release a Chrome update with security fixes and support for the latest Flash Plug-In.

January 2016 (12 January)

Microsoft has released 12 bulletins, nine of which are critical, resolving a total of 71 vulnerabilities. Adobe released a whopper of a Flash update resolving 78 vulnerabilities.  Google Chrome is dropping today as well. Aside from an update for the Flash Player plug-in and its 78 security fixes, there are reportedly security fixes coming for the browser as well.
