This month’s Patch Tuesday update from Microsoft attempts to address 123 unique security vulnerabilities including an urgent issue with Microsoft Outlook (CVE-2020-1349) and a very serious vulnerability in Windows (CVE-2020-1350). The big difference this month is that a “Patch Now” (as in right now-now) effort may not be enough. With average update cycles measured in weeks for most organizations, rapid mitigation strategies are required. Microsoft has offered registry-based fixes, some suggested code-based fixes, and a request to simply stop using certain features.
It’s not all bad as Flash has died, Microsoft OneDrive has a compatibility hard block for Windows 10 Release 2004 and Microsoft has resumed optional and non-security updates again.
Key Testing Scenarios
This is a new section and reflects some of our “update hot-spot” analysis that covers both desktop and server platforms across multiple versions of Windows. Each application portfolio is unique and represents a distinct testing profile. For this July update cycle, we have identified the following areas where further testing may be warranted for your environment.
- VPN connections, especially if you are downloading your updates when using a VPN. Hint: don’t!
- Test both virtual and physical printers.
- Focus on Event Logging (Event Tracer, MSI Installer and Error Reporting).
- PDF output and editing in the latest version of Microsoft Edge.
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms that are included in this update cycle. I have referenced a few key issues that relate to the latest builds from Microsoft including:
- After installing KB4493509, devices with some Asian language packs installed may receive the error, “0x800f0982″
- After installing the July update on a Windows 10 device with a wireless wide area network (WWAN) LTE modem, reaching the internet might not be possible.
- After installing KB4467684, the cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)”
- Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This only applies to the ESU products such as Windows 7, Windows Server 2008.
You can also find Microsoft’s summary of Known Issues for this release in a single page.
Two major revisions for documentation reasons have been released by Microsoft:
- CVE-2020-1425: Informational update only – no action required.
- CVE-2020-1457: Informational update only – no action required.
Mitigations and Workarounds
For this July release of updates, Microsoft has published a small number of potential workarounds and mitigation strategies that apply to vulnerabilities (CVEs) addressed this month including:
ADV200008: Recommended Action – Enable the Request Smuggling feature through registry settings.
CVE-2020-1036: Advisory – RemoteFx will soon be deprecated. Don’t just update your servers, but remove this feature. Read more here.
CVE-2020-1147: Advisory – Code changes are required to resolve this issue.
CVE-2020-1350: Advisory: There is a registry change required to resolve this issue. More information is available here.
With a single critical update (CVE-2020-1403) and three updates rated as important, this month brings a relatively light patch cycle for Microsoft’s browsers. CVE-2020-1403 addresses a vulnerability in how VBScript handles memory where visiting a specially crafted website may result in the execution of arbitrary code run on the vulnerable system. Given that this issue affects Internet Explorer (IE) 11 and 9, it’s a prime candidate for hidden, aging or legacy code used within an internally developed application. Unlike other patches this month, Microsoft has not offered any workarounds (other than use Chromium). So, add this update to your standard patch release cycle.
Speaking of Chromium, Microsoft has released its latest stable channel update (84.0.522.40), which addresses a specific vulnerability (CVE-2020-1341). Note that this latest Chromium release will now prompt user-based warnings on system file (DLL) downloads. And I am not sure that you can stop this update from happening.
There is an urgency to this month’s update that we have not seen in a little while. Microsoft has attempted to address 13 critical, and 83 important vulnerabilities for this July Patch Tuesday. It looks like CVE-2020-1350 is “worm-able” (meaning the attack can spread from one system to another, without human intervention) and affects the core DNS component in the Windows ecosystem. We can credit CheckPoint for raising this issue and it looks like the U.S. DSH has released an emergency directive; it can be found here. If you can’t deploy this update immediately, Microsoft recommends that you update the settings in the DNS portion of the registry and reduce the TCP Package Size settings.
You can read more about this registry-based mitigation strategy here. Otherwise, add these Windows updates to your “Patch Now” release schedule.
July brings a larger-than-usual number of updates for Microsoft Office with four rated as critical and the remaining 17 rated as important by Microsoft. We see the usual SharePoint security issues addressed (CVE-2020-1025, CVE-2020-1439), noting that these updates will require a server update. The real concern is with Microsoft Outlook (CVE-2020-1349). This Outlook vulnerability addresses a memory handling issue that could lead to a remote code execution scenario. All a user has to do in this case, is click on an email containing a specially crafted link.
Add this update to your “Patch Now” deployment effort.
Microsoft Development Platforms
July brings a relatively small update to the Microsoft development platform, with one update rated as critical (CVE-2020-1147) and the remaining updates rated as important by Microsoft. These other four important updates from Microsoft affect Visual Studio and are relatively difficult to exploit, leading to a higher threshold for scheduling updates. Add these four updates to your regular (fully tested) development update schedule.
For the critical one, where XML data is not handled correctly, Microsoft recommends an update, but goes further to suggest that a code change is required to better handle (more securely) the DataSet and DataTable variable types. You can find out more here.
Adobe Flash Player
Microsoft has not released any updates for Adobe products this month as part of its Patch Tuesday update cycle. That said, there are a number of critical-rated updates for Adobe products this month; more is available here. And finally, today is the day, the day that Flash dies.