A Fat Windows Update for September’s Patch Tuesday

Microsoft has released 129 updates to its Windows ecosystem, but the good news this month is that we are not responding to any zero-days or publicly reported vulnerabilities. Microsoft appears to be getting serious about removing Adobe Flash Player (a good thing) and we see a very broad update to Windows desktops and servers. Unusually, Microsoft’s browsers are not a huge focus this month, and both Microsoft Office (excluding SharePoint) and the development platforms have received only a few, lower-profile patches.

Key testing scenarios

This section reflects some of our “update hot-spot” analysis that covers both desktop and server platforms across multiple versions of Windows. Each application portfolio is unique and represents a distinct testing profile. For this September update cycle, we have identified the following areas where further testing may be warranted for your environment.

  • CVE-2020-0997, CVE-2020-1129, CVE-2020-1285: We suggest testing WMA files for this update.
  • CVE-2020-1532: Please ensure that the application (installation related) repair process functions as expected due to Windows Installer and Windows Store updates.
  • CVE-2020-1596: Please ensure that your SChannel TLS connections work as expected – especially over remote connection scenarios (VPNs).

Given the update to Windows Defender (CVE-2020-0951), we suggest that you ensure that your (non-Microsoft) anti-virus solution still works as expected. If I were to suggest a testing scenario for this month, it would include an application (downloaded from the Windows Store) that tries to print directly from an external graphics device (camera) over a remote/VPN connection.

We tried this – and we are still around.

Known Issues

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms that are included in this update cycle. I have referenced a few key issues that relate to the latest builds from Microsoft including:

  • You may have issues (“0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND.”) with Chinese/Japanese characters with Microsoft’s Input Method Editor (IME) this month. You can find out more here.
  • After installing KB4467684, the cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the group policy “Minimum Password Length” is configured with greater than 14 characters. Microsoft is working on this issue.

You can also find Microsoft’s summary of known issues for this release in a single page.

Major Revisions

This month, we have a single major revision, made for documentation reasons, to an update released this past July:

  • CVE-2020-1162: This is an informational update to include coverage for Server 2019. No further action required.

Mitigations and workarounds

For this September release, Microsoft published a small number of potential workarounds and mitigation strategies that apply to vulnerabilities (CVEs) addressed this month, including:

  • CVE-2020-16873: Instead of patching, try the following mitigation code snippet:
    public class CustomWebView : WebViewRenderer
    {
        protected override Android.Webkit.WebView CreateNativeControl()
        {
            // Enable multiple-window support on the native Android WebView.
            var webView = base.CreateNativeControl();
            webView.Settings.SetSupportMultipleWindows(true);
            return webView;
        }
    }
  • CVE-2020-1596: The industry has mostly stopped using TLS_DHE. Microsoft advises customers to disable TLS_DHE. Rather than patch, it may be time to stop using this feature.
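
One way to act on the TLS_DHE advice and then re-test SChannel connections, as an added example (not code from Microsoft or from this article). It assumes Windows 10 / Server 2016 or later and an elevated session; the host name `vpn.example.internal` and the three function names are hypothetical.

```powershell
# Added example, not Microsoft's or the article's code. Run elevated on
# Windows 10 / Server 2016 or later (TLS module cmdlets).

function Get-DheCipherSuite {
    # TLS_DHE_* only; TLS_ECDHE_* suites do not match and are left alone.
    Get-TlsCipherSuite | Where-Object { $_.Name -like 'TLS_DHE_*' }
}

function Disable-DheCipherSuite {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # A Group Policy cipher suite order overrides the local list, so a
    # local change would not stick; fix the GPO instead.
    $gpo = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $policy = Get-ItemProperty -Path $gpo -Name Functions -ErrorAction SilentlyContinue
    if ($policy) {
        Write-Warning 'Cipher suite order is set by Group Policy; edit that policy.'
        return
    }
    foreach ($suite in @(Get-DheCipherSuite)) {
        if ($PSCmdlet.ShouldProcess($suite.Name, 'Disable TLS cipher suite')) {
            Disable-TlsCipherSuite -Name $suite.Name
        }
    }
}

function Test-TlsHandshake {
    # Opens a TLS connection and reports what SChannel negotiated.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream())
        $ssl.AuthenticateAsClient($HostName)
        [pscustomobject]@{
            Host        = $HostName
            Protocol    = $ssl.SslProtocol
            KeyExchange = $ssl.KeyExchangeAlgorithm
            Cipher      = $ssl.CipherAlgorithm
        }
    } finally {
        $client.Dispose()
    }
}

Get-DheCipherSuite | Select-Object Name, Exchange     # 1. what is enabled now
Disable-DheCipherSuite -WhatIf                        # 2. preview; drop -WhatIf to apply
Test-TlsHandshake -HostName 'vpn.example.internal'    # 3. hypothetical endpoint
```

Run the handshake test against each internal endpoint before and after the change; a server that only offers TLS_DHE suites will fail the handshake once they are disabled on the client.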

Browsers

This month, Microsoft released seven updates for its browsers (three rated as critical, the remaining four rated as important). These updates, at their worst, could lead to remote code execution (RCE) scenarios, but are all considered relatively difficult to exploit under a well-managed enterprise environment.

Aside from the usual Internet Explorer (IE) memory clean-up/hygiene issues addressed by CVE-2020-0878, I think the patch to watch this month is CVE-2020-1012. This update to both Microsoft browsers and the Windows 10 platform may present a tricky testing profile due to the changes to the core browser library (WinInet.DLL). Further testing may be required due to other VPN updates included in this month’s Windows desktop update.

For those users who have installed Microsoft’s new Chromium-based Edge, the Browser Helper Object (BHO) update CVE-2020-16884 may raise a few eyebrows as it operates as a bridge between legacy IE systems and the new Edge. BHOs (also called Browser Hijack Objects) were always a concern due to the way they had unrestricted access to the Explorer internal event and memory model. You want to reduce your exposure to these objects and we expect that BHOs will follow in the path of ActiveX controls – a slow painful death.

Add these browser updates to your standard patch release schedule.

Microsoft Windows

With nine critical updates – and 68 rated as important – this is not a big update for September, but rather a broad one. It’s the coverage of changed or patched areas that should be the focus. Some of the basic areas that have been updated in this September release for Windows include:

  • Windows Installer;
  • Windows Media codecs (with a focus on Camera libraries);
  • Active Directory, the file system and backups;
  • Printing and remote desktops (VPN) and Windows Store;
  • And, of course, the Windows Kernel subsystems (Win32k.sys).

We have mentioned in previous sections key testing scenarios with a focus on printing, VPN connections and Windows Installer self-repair behavior. It may be time to take stock of your (potentially multiple) desktop update options and have a look at how you are deploying your applications – they need to be able to install, update (repeatedly) and uninstall, all without triggering unexpected behaviors from Windows Store, Windows Update or Microsoft Office changes to your platform.

Simple! Add this large-ish and rather broad Windows update to your standard release schedule.

Microsoft Office

Microsoft has released seven critical rated updates to the Microsoft Office platform for September – all of which relate to remote code execution vulnerabilities in Microsoft SharePoint Server. The remaining 20 updates are rated as important and mostly deal with SharePoint (again) XSS security issues. This month we see a few updates to Microsoft OneDrive (CVE-2020-16851 and CVE-2020-16852) addressing vulnerabilities in the OneDrive updater.

Yes, it appears that OneDrive has its own update technology and methodology, which should be a concern to most enterprise administrators. Given where Microsoft is going with its update process, I hope that this stand-alone, application-specific update process is soon retired. Add these Microsoft Office updates to your standard release schedule. 

Microsoft Development Platforms

Microsoft’s Visual Studio is this month’s focus, with a single critical and four other updates rated important for the development toolset. Other than the update to the diagnostic toolset (CVE-2020-1133), the other updates this month appear to be focused on Visual Studio and not on the underlying platforms. Add these updates to your standard deployment cadence.

Adobe Flash Player

It’s the middle of the end for (Adobe) Flash.

Microsoft has included an update this month that will put in place the infrastructure to ensure that Flash is not installed on any machine that also includes Microsoft Edge – by Dec. 31 2020 or January 2021 at the latest. The Windows group posted a blog entry this month on the topic of “Update Removal of Adobe Flash Player.” It says: “In Summer of 2021, all the APIs, group policy and user interfaces that specifically govern the behavior of Adobe Flash Player will be removed from Microsoft Edge (legacy) and Internet Explorer 11.”

So this is serious now. Add this (likely) final Adobe update from Microsoft to your regularly scheduled update plan. 

Greg Lambert

CEO, Product Evangelist

Greg Lambert is the CEO and product evangelist for Application Readiness Inc. Greg is a co-founder of ChangeBASE and has considerable experience with application packaging technology and its deployment.
