Sunday, August 11, 2024

Vulnerability Management - Patch based approach

In life, there are various ways to approach a problem, and the same is true of Vulnerability Management. One such way is the patch-based approach, wherein one identifies missing patches and then decides the course of action.


So, whenever you observe a sudden surge in the total vulnerability count, the patch-based approach suggests checking for recently released patches. It is then up to your organizational policy whether you stay on "n" or "n-1".

Following are the URLs you can visit to check for recently released patches for commonly used OSes and applications:

OS Category (Windows + RHEL + Cisco):
------------------------------------
Windows Server: https://learn.microsoft.com/en-us/windows-server/get-started/windows-server-release-info
Windows Workstation: https://learn.microsoft.com/en-us/windows/release-health/release-information
RHEL: https://access.redhat.com/solutions/3711551
Cisco:
1. Depends on the platform (newly-released series family, mid-life, approaching end-of-life, etc.)
2. Depends on the train (early deployment, single-release, maintenance release)

Non-OS Category:
------------------------------------
JAVA: https://www.java.com/releases/
.NET: https://learn.microsoft.com/en-us/dotnet/core/releases-and-support
Google Chrome: https://chromereleases.googleblog.com/
Mozilla Firefox: https://www.mozilla.org/en-US/firefox/releases/
Microsoft Edge: https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnote-stable-channel
Zoom: https://support.zoom.com/hc/en/category?id=kb_category&kb_category=d52a3eda8720391089a37408dabb3559
Cisco AnyConnect: https://www.cisco.com/c/en/us/support/security/anyconnect-secure-mobility-client/products-release-notes-list.html
Adobe Acrobat: https://helpx.adobe.com/acrobat/release-note/release-notes-acrobat-reader.html
Microsoft365 Apps: https://learn.microsoft.com/en-us/officeupdates/release-notes-microsoft365-apps

Some patches are released on a quarterly basis (e.g. JAVA), others on a monthly basis (e.g. Microsoft OS), and some do not have any patching cadence.

Happy Learning !!
#VulnerabilityManagement #Cybersecurity

Vulnerability Management - End of Support

Windows 10 is never EOS .. Shocked? Just kidding.


Let me explain :)

Windows OS has several editions and versions. Let's take Windows 10 for an example.

Windows 10 21H2 Home and Pro editions became EOS on June 13, 2023.
https://learn.microsoft.com/en-us/lifecycle/announcements/windows-10-21h2-end-of-servicing

But Windows 10 21H2 Enterprise and Education editions became EOS on June 11, 2024.
https://learn.microsoft.com/en-us/lifecycle/announcements/windows-10-21h2-end-of-updates-enterprise-education

But Windows 10 21H2 Long-Term Servicing Channel (LTSC) mainstream support will end on January 12, 2027.
https://learn.microsoft.com/en-us/windows/release-health/release-information

Did you observe? The more granular we go, the more accurate we get. EOS depends not only on the version and edition of an OS but also on the servicing option selected by an organization. Also, there is a concept of ESU in Microsoft's world :)
https://learn.microsoft.com/en-us/windows/whats-new/extended-security-updates

Want to check the version and edition of the OS on your laptop/workstation? Press "Win+R" to open the Run prompt, type "Winver" and press "OK".

So, this level of granularity is required to clearly describe the EOS details of a product. In a few cases, you will encounter contradictions with Vulnerability Management solution providers, as they are referring to one piece of information while you are referring to a more granular detail within the same information.

EOL/EOS information is important to a VM analyst, who has to assess the risk should the organization wish to stay with EOL/EOS products or if there is some delay in upgrade activity.
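The granularity point above, as an added example that is not part of the original post: it resolves EOS per asset from edition and servicing option using the three Windows 10 21H2 dates quoted here, and flags where that verdict differs from a version-only lookup. The inventory, host names, the "GA" channel label and the version-only model of a scanner are constructed assumptions.

```python
from datetime import date

# Windows 10 21H2 dates as given in the post, keyed by edition group / servicing option.
EOS_WIN10_21H2 = {
    "home_pro": date(2023, 6, 13),
    "enterprise_education": date(2024, 6, 11),
    "ltsc": date(2027, 1, 12),  # end of mainstream support
}
EDITION_GROUP = {
    "home": "home_pro", "pro": "home_pro",
    "enterprise": "enterprise_education", "education": "enterprise_education",
}

def eos_date(edition, channel):
    """Return (EOS date, basis) for a Windows 10 21H2 asset."""
    if (channel or "").lower() == "ltsc":
        return EOS_WIN10_21H2["ltsc"], "exact"
    group = EDITION_GROUP.get((edition or "").lower())
    if group:
        return EOS_WIN10_21H2[group], "exact"
    # Edition unknown: assume the earliest date so the risk is not understated.
    return min(EOS_WIN10_21H2.values()), "assumed-earliest"

def assess(assets, as_of):
    """Compare the granular verdict with a version-only verdict for each asset."""
    earliest = min(EOS_WIN10_21H2.values())
    version_only_eos = as_of >= earliest  # hypothetical tool keyed on "Windows 10 21H2" alone
    report = []
    for a in assets:
        eos, basis = eos_date(a.get("edition"), a.get("channel"))
        granular_eos = as_of >= eos
        report.append({
            "host": a["host"],
            "eos_date": eos,
            "basis": basis,
            "status": "EOS" if granular_eos else "supported",
            "days_past_eos": (as_of - eos).days,
            "disagrees_with_version_only": granular_eos != version_only_eos,
        })
    return report

# Constructed inventory (hypothetical hosts), all reporting version 21H2.
INVENTORY = [
    {"host": "wks-01", "edition": "Pro", "channel": "GA"},
    {"host": "wks-02", "edition": "Enterprise", "channel": "GA"},
    {"host": "kiosk-01", "edition": "Enterprise", "channel": "LTSC"},
    {"host": "lab-07", "edition": None, "channel": None},
]

if __name__ == "__main__":
    for row in assess(INVENTORY, date(2024, 8, 11)):
        print(row)
```

Rows with `basis` set to `assumed-earliest` are the ones to send back for edition and channel collection before the finding is argued with the scanner vendor.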

Happy Learning !!

#VulnerabilityManagement #Cybersecurity

Vulnerability Management - Understanding vulnerability posture

Understanding the vulnerability posture of an organisation at a basic level helps you drive remediation efforts. So, I don't know what t...