A large – but manageable – February Patch Tuesday brings critical browser updates

With 99 reported vulnerabilities and patches to both Microsoft browsers, Office and Windows, this month’s Patch Tuesday update is not as large an administrative burden as you might initially think. We’ve rated the browser updates as a “Patch Now” update due to issues with the Chakra engine, but both Office and Windows can be scheduled according to a regular patch cadence. Unfortunately, we have another Adobe Flash update to deploy, but no critical development updates for February.

Known Issues

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. I have referenced a few key issues that relate to the latest builds from Microsoft including:

  • Microsoft Cluster Shared Volumes (CSV) can still generate the error message “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).” Microsoft is still working on a solution. Until a fix is released, you can try the operation as an administrator or try to “own” the directories in question before the operation.
  • After installing some Asian language packs, you may still receive the error “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND” (see KB4493509).

Microsoft has been working on a fix for both these issues for a while now; we don’t expect a resolution any time soon.

Major Revisions

This month, two CVEs have undergone a major revision increment:

  • CVE-2019-1332: CVE information revised to announce the availability of Microsoft SQL Server 2016 for x64-based Systems Service Pack 2 (CU) and Microsoft SQL Server 2016 for x64-based Systems Service Pack 2 (GDR).
  • CVE-2019-8267: Microsoft revised this to include Internet Explorer 11 installed on all supported editions of Windows 10 Version 1809, Windows Server 2019, Windows 10 Version 1903, and Windows 10 Version 1909 because they are affected by this vulnerability. This change may affect your server update cycle.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

  • Browsers (Microsoft IE and Edge)
  • Microsoft Windows (both desktop and server)
  • Microsoft Office (Including Web Apps and Exchange)
  • Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core)
  • Cloud and Devices
  • Adobe Flash Player (to be discontinued)

Browsers

Microsoft has released nine updates to both browsers (Internet Explorer and Edge) this month, with five rated as critical, two as moderate and the remaining two as important. The biggest concerns are the four critical updates to the Chakra core scripting engine that could lead to remote code execution.

Microsoft advises that these four critical vulnerabilities could lead to a scenario where “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Add this update to your “Patch Now” schedule.

Windows

Ok, this may sound like a lot of updates: Microsoft has released 79 patches to the Windows desktop and server ecosystem. Five of these updates are rated as critical and the rest are all rated as important by Microsoft. It sounds (and feels) like a lot of patches, but other than the critical updates to the Remote Desktop (RDP) platform, the administrative burden is not that great.

This patch cycle feels more like an administrative cycle than one that addresses critical or exploited vulnerabilities. It’s “clean-up” time for Microsoft after the Christmas break and a very light January patch cycle.

Add these updates to your standard release schedule.

Microsoft Office

Microsoft has released six updates to Microsoft Office – all rated as important. The most serious for this month affects Microsoft Excel with a potential (but difficult-to-exploit) remote code execution scenario involving how Excel handles objects in memory. All of this month’s reported vulnerabilities require access to the target system and require users to take explicit action on vulnerable systems. There is an update this month to Microsoft SharePoint server which will require a reboot of all affected servers.

Add these Office patches to your regularly scheduled updates.

Development Tools (.NET and Chakra Core)

This month, Microsoft has not released any updates to the many variations of .NET, but we do have one update to SQL Server that has been rated as important. CVE-2020-0618 is relatively difficult to exploit, as it requires access to the SQL Server instance and requires specially crafted pages sent to SQL Server Reporting Services.

Add this update to your regularly scheduled patch release cadences.

Cloud and Devices

We have allocated this space to the recent cloud (Azure) and device updates from Microsoft. This month, Microsoft has not released any Azure related patches, but has published a Microsoft Surface (device level) patch (CVE-2020-0702) that has been rated as important (and difficult to exploit).

Add this device related update to your regular patch cycle.

Adobe Flash Player

I thought that we were done with critical Adobe Flash Player updates from Microsoft. I even instructed our development team to remove this section from our internal bulletins. Well, the (Flash Player) updates are back, with a vengeance.

This month, we see another ActiveX flaw in Flash Player (ADV20003/CVE-2020-3757) that could lead to the execution of arbitrary code on the compromised computer. According to the Adobe security bulletin, “The vulnerability exists due to a type confusion error when processing Flash content. A remote attacker can create a specially crafted .SWF file, trick the victim into playing it, trigger a type confusion error and execute arbitrary code on the target system. Successful exploitation of this vulnerability may result in complete compromise of the target system.”

Microsoft has documented a potential work-around relating to the Flash ActiveX control which includes making the following registry changes:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
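To confirm the work-around has actually landed in both registry views, the following PowerShell is an added example (not from Microsoft or the original post) that audits and, on request, sets the value. The function names are illustrative; the key paths, CLSID and 0x400 value are the ones shown above.

```powershell
# Added example: audit and optionally apply the Flash ActiveX kill bit described above.
# Function names are illustrative; paths, CLSID and 0x400 come from the .reg text.
$FlashClsid = '{D27CDB6E-AE6D-11CF-96B8-444553540000}'
$KillBit    = 0x00000400
$ValueName  = 'Compatibility Flags'
$KeyPaths   = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid")
if ([Environment]::Is64BitOperatingSystem) {
    # A 32-bit process sees HKLM:\SOFTWARE redirected to Wow6432Node, so the native key would be missed.
    if (-not [Environment]::Is64BitProcess) { throw 'Run this from 64-bit PowerShell.' }
    $KeyPaths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
}

function Get-FlashKillBitState {
    foreach ($path in $KeyPaths) {
        $flags = $null
        if (Test-Path -LiteralPath $path) {
            $prop = Get-ItemProperty -LiteralPath $path -Name $ValueName -ErrorAction SilentlyContinue
            if ($null -ne $prop) { $flags = $prop.$ValueName }
        }
        [pscustomobject]@{
            Path       = $path
            Flags      = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { '<not set>' }
            KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
        }
    }
}

function Set-FlashKillBit {
    # Writing under HKLM requires an elevated session.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($state in @(Get-FlashKillBitState | Where-Object { -not $_.KillBitSet })) {
        if ($PSCmdlet.ShouldProcess($state.Path, "Set '$ValueName' kill bit")) {
            if (-not (Test-Path -LiteralPath $state.Path)) { New-Item -Path $state.Path -Force | Out-Null }
            # OR the bit in so any flags already present survive (the .reg text writes 0x400 outright).
            $existing = (Get-ItemProperty -LiteralPath $state.Path -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
            New-ItemProperty -LiteralPath $state.Path -Name $ValueName -PropertyType DWord `
                -Value ([int]$existing -bor $KillBit) -Force | Out-Null
        }
    }
}

# Report the current state; preview changes with: Set-FlashKillBit -WhatIf
Get-FlashKillBitState | Format-Table -AutoSize
```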

Add this update to your “Patch Now” release schedule.

Greg Lambert

CEO, Product Evangelist

Greg Lambert is the CEO and product evangelist for Application Readiness Inc. Greg is a co-founder of ChangeBASE and has considerable experience with application packaging technology and its deployment.
