With 99 reported vulnerabilities and patches to both Microsoft browsers, Office and Windows, this month’s Patch Tuesday update is not as large an administrative burden as you might initially think. We’ve rated the browser updates as a “Patch Now” update due to issues with the Chakra engine, but both Office and Windows can be scheduled according to a regular patch cadence. Unfortunately, we have another Adobe Flash update to deploy, but no critical development updates for February.
Known Issues
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. I have referenced a few key issues that relate to the latest builds from Microsoft including:
- Microsoft Cluster Shared Volumes (CSV) can still generate the error message “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).” Microsoft is still working on a solution. Until a fix is released, you can try the operation as an administrator or try to “own” the directories in question before the operation.
- After installing some Asian language packs you may still (see KB4493509) receive the error, “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND.”
Microsoft has been working on a fix for both these issues for a while now; we don’t expect a resolution any time soon.
Major Revisions
This month, two CVEs have undergone a major revision increment:
- CVE-2019-1332: CVE information revised to announce the availability of Microsoft SQL Server 2016 for x64-based Systems Service Pack 2 (CU) and Microsoft SQL Server 2016 for x64-based Systems Service Pack 2 (GDR).
- CVE-2019-8267: Microsoft revised this to include Internet Explorer 11 installed on all supported editions of Windows 10 Version 1809, Windows Server 2019, Windows 10 Version 1903, and Windows 10 Version 1909 because they are affected by this vulnerability. This change may affect your server update cycle.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge)
- Microsoft Windows (both desktop and server)
- Microsoft Office (Including Web Apps and Exchange)
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core)
- Cloud and Devices
- Adobe Flash Player (to be discontinued)
Browsers
Microsoft has released nine updates to both browsers (Internet Explorer and Edge) this month, with five rated as critical, two as moderate and the remaining two as important. The biggest concerns are the four critical updates to the Chakra core scripting engine that could lead to remote code execution.
Microsoft advises that these four critical vulnerabilities could lead to a scenario where “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Add this update to your “Patch Now” schedule.
Windows
Ok, this may sound like a lot of updates: Microsoft has released 79 patches to the Windows desktop and server ecosystem. Five of these updates are rated as critical and the rest are all rated as important by Microsoft. It sounds (and feels) like a lot of patches, but other than the critical updates to the Remote Desktop (RDP) platform, the administrative burden is not that great.
This patch cycle feels more like an administrative cycle than one that addresses critical or exploited vulnerabilities. It’s “clean-up” time for Microsoft after the Christmas break and a very light January patch cycle.
Add these updates to your standard release schedule.
Microsoft Office
Microsoft has released six updates to Microsoft Office – all rated as important. The most serious for this month affects Microsoft Excel with a potential (but difficult-to-exploit) remote code execution scenario involving how Excel handles objects in memory. All of this month’s reported vulnerabilities require access to the target system and require users to take explicit action on vulnerable systems. There is an update this month to Microsoft SharePoint server which will require a reboot of all affected servers.
Add these Office patches to your regularly scheduled updates.
Development Tools (.NET and Chakra Core)
This month, Microsoft has not released any updates to the many variations of .NET, but we do have one update to SQL Server that has been rated as important. CVE-2020-0618 is relatively difficult to exploit, as it requires access to the SQL Server instance and requires specially crafted pages to be sent to SQL Server Reporting Services.
Add this update to your regularly scheduled patch release cadences.
Cloud and Devices
We have allocated this space to the recent cloud (Azure) and device updates from Microsoft. This month, Microsoft has not released any Azure related patches, but has published a Microsoft Surface (device level) patch (CVE-2020-0702) that has been rated as important (and difficult to exploit).
Add this device related update to your regular patch cycle.
Adobe Flash Player
I thought that we were done with critical Adobe Flash Player updates from Microsoft. I even instructed our development team to remove this section from our internal bulletins. Well, the (Flash Player) updates are back, with a vengeance.
This month, we see another ActiveX flaw in Flash Player (ADV20003/CVE-2020-3757) that could lead to the execution of arbitrary code on the compromised computer. According to the Adobe security bulletin, “The vulnerability exists due to a type confusion error when processing Flash content. A remote attacker can create a specially crafted .SWF file, trick the victim into playing it, trigger a type confusion error and execute arbitrary code on the target system. Successful exploitation of this vulnerability may result in complete compromise of the target system.”
Microsoft has documented a potential work-around relating to the Flash ActiveX control which includes making the following registry changes:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
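To confirm that the workaround above has actually landed in both registry views on a given machine, the following PowerShell is an added example (not from Microsoft or the original article). The function name Test-FlashKillBit and its -Apply switch are hypothetical, and the script assumes an elevated 64-bit PowerShell session.

```powershell
# Added example: audit (and optionally set) the Flash ActiveX kill bit.
# Assumes an elevated 64-bit PowerShell session so both registry views are visible.
$Clsid   = '{D27CDB6E-AE6D-11CF-96B8-444553540000}'  # CLSID from the workaround above
$KillBit = 0x00000400                                 # "Compatibility Flags" value from the workaround
$Name    = 'Compatibility Flags'
$Roots   = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-FlashKillBit {
    # Hypothetical helper name. -Apply writes the value; the default is a read-only audit.
    param([switch]$Apply)

    foreach ($root in $Roots) {
        # Wow6432Node is absent on 32-bit Windows; skip views that do not exist.
        if (-not (Test-Path -LiteralPath $root)) { continue }

        $key     = Join-Path $root $Clsid
        $current = 0
        if (Test-Path -LiteralPath $key) {
            $prop = Get-ItemProperty -LiteralPath $key -Name $Name -ErrorAction SilentlyContinue
            if ($null -ne $prop) { $current = [int]$prop.$Name }
        }

        $isSet = ($current -band $KillBit) -eq $KillBit
        if (-not $isSet -and $Apply) {
            if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
            # Preserve any other compatibility flags already present on the key.
            $current = $current -bor $KillBit
            New-ItemProperty -LiteralPath $key -Name $Name -PropertyType DWord `
                -Value $current -Force | Out-Null
            $isSet = $true
        }

        # One result row per registry view, suitable for export or fleet reporting.
        [pscustomobject]@{
            Key        = $key
            Flags      = '0x{0:X8}' -f $current
            KillBitSet = $isSet
        }
    }
}

Test-FlashKillBit | Format-Table -AutoSize
```

A missing key or value is reported as 0x00000000 with KillBitSet false, which is the state of a machine where the workaround has not been applied.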
Add this update to your “Patch Now” release schedule.