Though a DNS spoofing vulnerability in Windows (CVE-2020-1464) has been rated as a zero-day due to reports of exploitation in the wild, the focus for this month’s updates should be on testing key Windows features prior to deployment. Primarily, printing and backup scenarios will require your attention. You will also need to work with multiple and potentially overlapping updates to Windows and the .NET development platform and, in some cases, Windows Store updates to your application portfolio.
Given the number and nature of changes we have seen in the update testing cycle during the past month, we advise a “Patch Now” approach to Windows 10, but with an extended test cycle on printing and more attention to the Windows 8.x platforms.
Key Testing Scenarios
This section reflects some of our “update hotspot” analysis that covers both desktop and server platforms across multiple versions of Windows. Each application portfolio is unique and represents a distinct testing profile. For this August update cycle, we have identified the following areas where further testing may be warranted for your environment:
- Test your printers, including virtual printers, and make sure that you can successfully open at least one PDF file.
- Test your backup RESTORE scenarios after installing the latest update and following a reboot.
- UWP deployments may require additional testing. This August update addresses an issue in Universal Windows Platform (UWP) apps that allows single sign-on authentication when an app does not have the Enterprise Authentication capability. With the release of CVE-2020-1509, UWP applications might begin prompting the user for credentials.
- Starting in July 2020, all Windows Updates will disable the RemoteFX vGPU feature because of a security vulnerability. For more information about the vulnerability, see CVE-2020-1036 and KB4570006. After you install this update, attempts to start virtual machines (VMs) that have RemoteFX vGPU enabled will fail.
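To find the virtual machines affected by the RemoteFX vGPU change before the update is deployed, the following added example (not from the original article or from Microsoft) inventories Hyper-V guests that still have a RemoteFX 3D video adapter attached. It assumes the Hyper-V PowerShell module is installed and that the account has rights on each host; the function name `Get-RemoteFxVm` is hypothetical.

```powershell
#Requires -Modules Hyper-V
# Added example: list VMs that still carry a RemoteFX 3D video adapter so they
# can be reviewed before the update that disables RemoteFX vGPU is installed.
function Get-RemoteFxVm {
    param(
        # Hyper-V hosts to query; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($hvHost in $ComputerName) {
        try {
            $vms = Get-VM -ComputerName $hvHost -ErrorAction Stop
        }
        catch {
            # An unreachable host is reported, not silently treated as clean.
            Write-Warning "Could not query ${hvHost}: $($_.Exception.Message)"
            continue
        }
        foreach ($vm in $vms) {
            # Returns nothing when the VM has no RemoteFX adapter.
            $adapter = Get-VMRemoteFx3dVideoAdapter -VM $vm -ErrorAction SilentlyContinue
            if ($adapter) {
                [pscustomobject]@{
                    Host   = $hvHost
                    VMName = $vm.Name
                    State  = $vm.State
                }
            }
        }
    }
}

# Local host only; pass -ComputerName with your own host names for a wider sweep.
Get-RemoteFxVm | Sort-Object Host, VMName | Format-Table -AutoSize
```

Any VM listed here needs its adapter removed (for example with `Remove-VMRemoteFx3dVideoAdapter`) or replaced before it will start on a patched host.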
Once you are done testing your applications, you may want to reboot twice due to the recent changes in the Secure Boot blacklist.
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. I have referenced a few key issues that relate to the latest builds from Microsoft, including:
- After installing KB4550969 or later, when using Microsoft Edge Legacy, you might receive the error “0x80704006. Hmmmm…can’t reach this page” when attempting to reach websites on non-standard ports. Microsoft advises using the latest version of (Chromium) Edge.
You can also find Microsoft’s summary of Known Issues for this release in a single page.
Two major revisions for documentation reasons have been released for July by Microsoft:
- CVE-2020-0794: A documentation update to affected platforms. No action required.
- CVE-2020-1347: A documentation update to affected platforms. No action required.
Mitigations and workarounds
For this August release of updates, Microsoft has published a small number of potential workarounds and mitigation strategies that apply to vulnerabilities (CVEs) addressed this month, including:
- CVE-2020-1472: See How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 for more details.
- CVE-2020-1530, CVE-2020-1537: The security updates for supported editions of Windows 8.1 and Windows Server 2012 R2 are not immediately available. The updates will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE information.
- CVE-2020-1560, CVE-2020-1585: These updates are NOT automatically included in Windows Update, and will be downloaded through the Windows Store. You will need to check the application version. The secure versions are 1.1.31753.0 and later.
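One way to run the version check for the Store-delivered fixes, as an added example that is not part of the original article: it compares installed package versions against the 1.1.31753.0 threshold given above. The article does not name the Store package, so `<StorePackageName>` is a placeholder you must replace, and the function name `Test-StoreAppPatched` is hypothetical.

```powershell
# Added example: report whether a Store package meets the fixed version.
function Test-StoreAppPatched {
    param(
        # Placeholder: the article does not name the package; supply it yourself.
        [Parameter(Mandatory)][string]$PackageName,
        # Threshold taken from the article ("1.1.31753.0 and later").
        [version]$MinimumVersion = '1.1.31753.0'
    )
    # Store apps are registered per user, so query every profile (needs elevation).
    $packages = @(Get-AppxPackage -AllUsers -Name $PackageName)
    if ($packages.Count -eq 0) {
        Write-Verbose "$PackageName is not installed on this machine."
        return
    }
    foreach ($pkg in $packages) {
        # Cast to [version]: a plain string compare would rank "1.1.4.0"
        # above "1.1.31753.0".
        $installed = [version]$pkg.Version
        [pscustomobject]@{
            Package   = $pkg.PackageFullName
            Installed = $installed
            Required  = $MinimumVersion
            Patched   = ($installed -ge $MinimumVersion)
        }
    }
}

# Replace the placeholder with the real package name before running.
Test-StoreAppPatched -PackageName '<StorePackageName>' | Format-Table -AutoSize
```

A machine can return several rows when different user profiles hold different versions; every row must show `Patched = True`.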
This month’s browser update brings five critical updates to Microsoft’s Edge (HTML) and Internet Explorer. It looks like the same old issues with ActiveX controls and PDF (memory) handling that could lead to remote code execution scenarios through a user visiting a specially crafted website.
If you have a corporate security policy for handling ActiveX controls in place, then the urgency of these patches is much reduced. Watching some of the “test patterns” from Microsoft over the past few weeks, I would recommend a full UAT test run on corporate browser-based systems with a focus on printing and printing PDFs.
Hint: change the paper size to letter, then legal and back again. Or A4 to letter and then back again. Either way, exit from each browser and watch your memory profile for your sessions. Add this update to your regularly scheduled release schedule.
Even with the 10 critical rated vulnerabilities followed by 79 issues rated as important by Microsoft, it’s a single vulnerability for August we need to worry about: CVE-2020-1464. This spoofing vulnerability in the certificate validation chain has been reported as exploited in the wild and, thus, should be considered a zero-day.
Microsoft has not published any acknowledgements on who (publicly) reported the issue and has indicated that its internal research team had discovered the vulnerability previously – possibly even as far back as 2003. Working with Microsoft over the past year, one of the primary concerns for our group has been supply chain compromises. Expect to see more of these kinds of issues and corresponding fixes in the near future.
For all the system administrators currently managing legacy systems under the Microsoft Extended Security Update (ESU) program, this is the first month where the following operating systems will not receive optional, non-security updates (C-Releases):
- Windows 10, Version 1607
- Windows Server 2012 (R2)
- Windows 8.1
In addition to some of the urgency of this month’s Windows update, Microsoft has begun “bifurcating” some updates with some key vulnerabilities addressed via a Windows update and/or a .NET update. For example, there are two security updates for Windows 10 1908 and Server 2019 to address the multiple versions of .NET that may be present on the target systems. To add to this, some updates are now included in the Windows Store (CVE-2020-1560, CVE-2020-1585) rather than Windows Update. We will see more of this multi-update strategy in the coming months. Add this month’s Windows update to your “Patch Now” release cycle.
With a single critical vulnerability in Microsoft Outlook, this update cycle for Microsoft Office is more urgent than usual. Unfortunately, the preview pane in Outlook is the attack vector that makes this memory corruption issue a particular worry. In addition to this serious security issue, Microsoft has released 19 other important updates for Outlook and Excel.
SharePoint Server gets an update (CVE-2020-1580) this month that addresses another XSS (Cross-Site Scripting) vulnerability, which will require a reboot of the server. Given these issues and the other associated zero-days on the Windows platform, we recommend a “Patch Now” for the August Office updates.
Microsoft development platforms
Compared with the rather serious issues with Windows this month, Microsoft’s development platform has a relatively quiet update cycle. With one remote code execution vulnerability (CVE-2020-1046) rated as critical and three remaining issues affecting .NET and ASP.NET, all with low(ish) exploitability indexes, add these updates to your standard development update cycle.
Adobe Flash Player
Microsoft has not released any updates for the Adobe product family for this month. That said, a key part of the testing profile for all Windows updates includes:
- opening a PDF file.
- changing the letter size.
- printing the PDF file.
- exiting the application (likely a browser).
- restarting the application without errors.
We suggest a “smoke-test” of these key features for your line-of-business (LOB) applications prior to deployment of this month’s Windows updates.