A ‘business-as-usual’ Patch Tuesday update for Windows desktops

It really is saying a lot when Microsoft releases more than 100 updates each month and this is now considered “business as usual.” Speaking of the “new normal,” Microsoft has changed the release cadence of its optional updates (generally released later each month).

In a statement about the new update regularity, the company said: “We have been evaluating the public health situation, and we understand this is impacting our customers. In response to these challenges we are prioritizing our focus on security updates. Starting in May 2020, we are pausing all optional non-security releases (C and D updates) for all supported versions of Windows client and server products (Windows 10, version 1909 down through Windows Server 2008 SP2).

There is no change to the monthly security updates B release – Update (or Patch) Tuesday.”

Known Issues

One major revision and one minor documentation update for this May update cycle:

  • CVE-2020-0605: The vulnerability addressed in this patch appears to be serious enough to generate several .NET updates for the May 2020 update cycle. Rather than release this update, please ensure that you deploy the full .NET May release suite to all currently supported Microsoft .NET platforms. Microsoft has also made specific information relating to PowerShell changes available.
  • CVE-2018-0886: This is a minor documentation update to complete the affected products table. No further action required here.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

  • Browsers (Microsoft IE and Edge)
  • Microsoft Windows (both desktop and server)
  • Microsoft Office (Including Web Apps and Exchange)
  • Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core)
  • Adobe Flash Player

Major Revisions

Only one major revision for documentation reasons has been released for April by Microsoft:

  • CVE-2020-0905: In the Security Updates table, Microsoft corrected the Download links for the following products: Microsoft Dynamics NAV 2018, Microsoft Dynamics 365 BC On, Premise, Dynamics 365 Business Central 2019 Spring Update, and Dynamics 365 Business and Central 2019 Release Wave 2 (On-Premise).

No further action for all of these major revisions is required if you are using Microsoft automatic updates.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

  • Browsers (Microsoft IE and Edge)
  • Microsoft Windows (both desktop and server)
  • Microsoft Office (Including Web Apps and Exchange)
  • Microsoft Development platforms ( ASP.NET Core, .NET Core and Chakra Core)
  • Cloud and Devices
  • Adobe Flash Player (to be discontinued)

Browsers

With most of the focus on the Windows desktop and server platforms for this month’s updates, the Microsoft browsers have three key vulnerabilities that are addressed:

  • CVE-2020-1062: Internet Explorer Memory Corruption Vulnerability
  • CVE-2020-1064: MSHTML Engine Remote Code Execution Vulnerability
  • CVE-2020-1093: VBScript Remote Code Execution Vulnerability
  • All of these updates are rated as critical by Microsoft and have proportionally high NIST ratings (7.8 or above). We suggest that these browser based updates are included in your standard desktop and server update release schedules.

Windows

With 73 updates rated as important and five further patches rated as critical by Microsoft, this is now a pretty standard update for Patch Tuesday. Working through each of the updates it struck me how we are seeing some real patterns (or patch hotspots) in the Microsoft Windows subsystems with the following affected areas (I have included the number of CVE entries for each system):

  • Windows GDI Information Disclosure Vulnerability (4)
  • Windows State Repository Service Elevation of Privilege Vulnerability (12)
  • Windows Runtime Elevation of Privilege Vulnerability (12)
  • Windows Clipboard Service Elevation of Privilege Vulnerability (4)
  • Jet Database Engine Remote Code Execution Vulnerability (4)

We generally see updates to GDI, the JET database and Windows Installer, but 12 updates to the State Repository service (a browser page handling component) and the Clipboard service respectively is unusual. The concern here is: how would you test your applications for these kinds of lower level system changes? I would give this month’s update a little time before full deployment, but I don’t see anything this month that would cause a problem for a 14-day update deployment window.

Add these windows updates to your standard desktop deployment schedule.

Microsoft is still supporting its legacy platforms with the Extended Security Updates (ESU) grouping and it looks like we have one critical update for the aging (but still loved) Windows 7 desktop platform. CVE-2020-1153 addresses a remote code execution vulnerability in the Windows GDI component that has been rated as critical by Microsoft. This is a “Patch Now” update for the Windows 7 platform.

Microsoft Office

If you have (and possibly use) Microsoft SharePoint, then you have a problem with this update cycle. All of the Microsoft Office updates for May relate to critical vulnerabilities in SharePoint – all of which affect the Server platforms and will require a server reboot.

Microsoft Development Platforms

Microsoft has released a single, critical update to Visual Studio (CVE-2020-1192). This reported vulnerability could lead to a remote code execution scenario, if the compromised system has a logged on user with administrative privileges. It’s a difficult to exploit issue in how Python loads workspace configuration settings and so this update should be added to your standard development release schedule.

Adobe Flash Player

Adobe has released 24 updates for its planned release cycle this May – including 12 that are rated as critical by Adobe. Given that these Adobe updates are product focused (rather than platform focused) and do not affect Adobe Flash Player, Microsoft has chosen not to include any Adobe updates in this release cycle. We recommend that you consult the Adobe Enterprise toolkit site as it includes the full application patches (MSP files) and the enterprise installers.

You can find the Adobe Enterprise tool-kit here.

One of the more “interesting” things about the Adobe update and release cycles is that there are now two formal release approaches: classic and continuous. The continuous model supports the ongoing changes to the more recent connected and web-integrated products while the classic model allows for singular or monolithic updates to aging legacy products. We recommend the rapid deployment of the Adobe Enterprise installer for Acrobat and Reader.

Greg Lambert

CEO, Product Evangelist

Greg Lambert is the CEO and product evangelist for Application Readiness Inc. Greg is a co-founder of ChangeBASE and has considerable experience with application packaging technology and its deployment.

Leave a Comment

Your email address will not be published. Required fields are marked *

Related Posts

Patch Tuesday

A Fat Windows Update for September’s Patch Tuesday

Microsoft released 129 updates to its Windows ecosystem this month. The good news: we are not dealing with any zero-days or publicly reported vulnerabilities.

Read More
Assurance Dashboard

Assurance Security Dashboard September 2020

Here is our Assurance Security dashboard that shows the risk associated with this month’s Patch Tuesday updates.

Read More
Patch Tuesday

A zero-day and testing of key printing features will drive August Windows updates

Though a DNS-spoofing vulnerability in Windows has been rated as a zero-day, the focus for this month’s updates should be on testing key Windows features prior to deployment.

Read More