Browser updates are back for Update Tuesday – Testing may be needed for Windows patches

Microsoft this week released 112 updates to its Windows, browser, development and Office platforms. But there were no zero-days or reports of publicly exploited vulnerabilities for November.

We return to monthly browser updates after last month’s brief respite, but none of this November’s browser security issues are wormable, and we have not seen anything that would require a return to an urgent browser update cycle. The Windows platform gets the most attention this time, but no single issue requires immediate deployment, though some legacy systems may require full testing of graphically intensive applications that rely on older graphics/media conversion technology. The Microsoft Office and associated development platforms receive some lower-rated patches, with a recommendation for a standard roll-out regime.

We have included a helpful infographic that this month looks a little lopsided, as all of the attention should be on the Windows components.

Key testing scenarios

Working with Microsoft, we have developed a system that interrogates Microsoft updates and matches any file changes (deltas) released each month against our testing library. The result is a “hot-spot” testing matrix that helps drive our portfolio testing process. This month, our analysis of this Patch Tuesday release generated the following testing scenarios:

  • Test connecting via Remote Desktop Connection and a VPN and confirm that copy/paste operations between devices and connected devices are successful.
  • Test applications that render large windows on GPU-enabled devices.
  • Confirm that EMF files play back as expected and that EMF files can successfully be converted to EMF+ files.
  • Test JScript apps that use recursive function calls.

Known Issues

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms that are included in this update cycle. I have referenced a few key issues that relate to the latest builds from Microsoft including:

  • Microsoft SharePoint (2016 and 2019): When you try to manually install this security update by double-clicking the update file (.msp) to run it in Normal mode (that is, not as an administrator), some files are not correctly updated. To complete the install and ensure that this update is correctly applied, work-around details are provided by Microsoft here.
  • Windows 10 (1909 and later): System and user certificates might be lost when updating a device from Windows 10, version 1809 or later to a later version of Windows 10. For more information about the issues, workaround steps, and the currently resolved issues, please see KB4564002.
  • Windows 10 (2004 and later): Certain Japanese half-width Katakana and full-width Katakana characters that have a consonant mark aren’t interpreted as the same character. There are no currently published fixes or work-arounds for this issue.
  • Windows ESU: After installing this update and restarting your device, you might receive the error, “Failure to configure Windows updates. Reverting Changes. Do not turn off your computer”. Microsoft is working on this one. I suggest waiting until next week before large scale deployments to your legacy systems.

You can also find Microsoft’s summary of Known Issues for this release in a single page here.

Major Revisions

This month Microsoft has released a single major revision, and it is for documentation reasons only:

CVE-2020-16943: The applicable target platforms have been updated for this vulnerability to Microsoft Dynamics. No (further) action required.

Mitigations and workarounds

For this November release, Microsoft has published a small number of workarounds and mitigation strategies that apply to vulnerabilities (CVEs) addressed this month, including:

  • CVE-2020-17049: Microsoft has published additional steps to mitigate the effect of a vulnerability in the Windows Kerberos infrastructure. The mitigation is controlled on domain controllers through the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc.
  • CVE-2020-17052: Microsoft lists a recommended mitigation against this entry for the MS Script component (as consumed by all Microsoft browsers); the mitigation as published is an Exchange Web Services throttling policy. The text, and a caveat about where it actually applies, is included in the Browser section.
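As an added example (not from the original post or from Microsoft), the following PowerShell audits the Kdc registry key named above on every domain controller, so you can see which DCs are still in the default (deployment) mode and which have been switched to enforcement before you change anything. Assumptions not taken from this page: the value name PerformTicketSignature and its meanings (0 = disabled, 1 = deployment mode, 2 = enforcement) come from Microsoft’s published guidance for CVE-2020-17049, the DC list is read with the ActiveDirectory RSAT module unless you pass one in, and WinRM is reachable on the DCs.

```powershell
# Added example: audit (and optionally set) the KDC ticket-signature mode for CVE-2020-17049.
# Assumption: value name and meanings are from Microsoft's guidance for the CVE, not this article.
param(
    [string[]]$DomainController,                       # FQDNs of DCs; defaults to every DC in the domain
    [string]$ValueName = 'PerformTicketSignature',     # assumed value name under the Kdc key
    [int]$SetMode = -1                                 # -1 = audit only; 0/1/2 = write this mode
)

$KdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'   # the key the mitigation lives under
$ModeText = @{ 0 = 'disabled (mitigation off)'; 1 = 'deployment mode'; 2 = 'enforcement' }

if (-not $DomainController) {
    # Requires the ActiveDirectory module (RSAT); pass -DomainController to skip this lookup.
    $DomainController = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
}

function Get-KdcSignatureMode {
    param([string]$Computer)
    # Returns the DWORD, or $null when the value is absent (the patched default then applies).
    Invoke-Command -ComputerName $Computer -ArgumentList $KdcKey, $ValueName -ScriptBlock {
        param($Key, $Name)
        $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return [int]$item.$Name
    }
}

function Set-KdcSignatureMode {
    param([string]$Computer, [ValidateSet(0, 1, 2)][int]$Mode)
    # -Force overwrites an existing value; 0 turns the mitigation off, so treat it as a rollback only.
    Invoke-Command -ComputerName $Computer -ArgumentList $KdcKey, $ValueName, $Mode -ScriptBlock {
        param($Key, $Name, $Value)
        New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
    }
}

foreach ($dc in $DomainController) {
    try {
        if ($SetMode -ge 0) {
            # Enforcement (2) should only be set once every DC has this month's update installed.
            Set-KdcSignatureMode -Computer $dc -Mode $SetMode
        }
        $mode = Get-KdcSignatureMode -Computer $dc
        $meaning = if ($null -eq $mode) { 'not set (patched default)' }
                   elseif ($ModeText.ContainsKey($mode)) { $ModeText[$mode] }
                   else { "unknown value $mode" }
        [pscustomobject]@{ DomainController = $dc; Mode = $mode; Meaning = $meaning }
    } catch {
        Write-Warning "Could not query $dc : $($_.Exception.Message)"
    }
}
```

Run it with no arguments first to get the audit table; a mixed estate (some DCs absent, some at 1, some at 2) is the state you want to avoid, since enforcement on one DC while others are unpatched causes the cross-DC ticket failures that the staged rollout is meant to prevent.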

Browsers

Microsoft has released five updates for its browser platforms this November, four rated critical and the remaining one rated important by Microsoft. These browser updates are clustered into the following functional groups:

One of the Microsoft browser patches (CVE-2020-17052) is listed with a Microsoft-published recommended mitigation that reads:

“To address this vulnerability, a Throttling Policy for EWSMaxSubscriptions could be defined and applied to the organization with a value of zero. This will prevent the Exchange server from sending EWS notifications, and prevent client applications which rely upon EWS notifications from functioning normally.”

A caveat before you act on that text: CVE-2020-17052 is a vulnerability in the scripting engine used by the Microsoft browsers, and the workaround quoted above is an Exchange Web Services (EWS) throttling policy, applied on Exchange Server, that does nothing for a browser. Treat it as guidance for the Exchange Server entries in this month’s release rather than for the browser updates, and note the side effect it states: EWS notifications stop, so any client that depends on them will not work normally until the policy is removed. You can read more about Exchange throttling policies and how to apply them here. All of these browser updates address difficult-to-exploit, complex security scenarios that require user interaction to compromise the target system. Given that these vulnerabilities have not been reported as publicly exploited or disclosed, we recommend that you add these browser patches to your standard patch deployment schedule.
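To make the side effect of that workaround concrete, here is an added example (not from the original post or from Microsoft) that applies, verifies and rolls back the EWS subscription throttling policy quoted above. Assumptions not taken from this page: it runs in the on-premises Exchange Management Shell, it uses the Exchange 2013-and-later cmdlets New-ThrottlingPolicy, Get-ThrottlingPolicy, Set-ThrottlingPolicy and Remove-ThrottlingPolicy with the EwsMaxSubscriptions parameter, and the policy name is ours.

```powershell
# Added example: the EWSMaxSubscriptions = 0 workaround as an apply / verify / rollback script.
# Assumption: Exchange Management Shell cmdlet and parameter names for Exchange 2013 and later.
param(
    [ValidateSet('Apply', 'Verify', 'Rollback')][string]$Action = 'Verify',
    [string]$PolicyName = 'Workaround-NoEwsSubscriptions'   # our name, not Microsoft's
)

function Get-EwsSubscriptionLimits {
    # One row per throttling policy; an Organization-scope row with 0 means the workaround is in force.
    Get-ThrottlingPolicy | Select-Object Name, ThrottlingPolicyScope, EwsMaxSubscriptions
}

switch ($Action) {
    'Apply' {
        # Organization scope applies to every mailbox that has no Regular-scope policy explicitly
        # assigned, which is how "applied to the organization" in the quoted text is achieved.
        $existing = Get-ThrottlingPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
        if ($null -eq $existing) {
            New-ThrottlingPolicy -Name $PolicyName -ThrottlingPolicyScope Organization -EwsMaxSubscriptions 0 | Out-Null
        } else {
            Set-ThrottlingPolicy -Identity $PolicyName -EwsMaxSubscriptions 0
        }
        Write-Warning "EWS push/streaming notifications are now blocked org-wide by '$PolicyName'; EWS-based clients will misbehave until -Action Rollback."
        Get-EwsSubscriptionLimits
    }
    'Verify' {
        Get-EwsSubscriptionLimits
    }
    'Rollback' {
        # Remove the workaround once the Exchange update is installed; the Global policy's limit applies again.
        Remove-ThrottlingPolicy -Identity $PolicyName -Confirm:$false
        Get-EwsSubscriptionLimits
    }
}
```

Run with -Action Verify before and after the change so the row for the workaround policy is visible in your change record; the Rollback step is the one to schedule, because the patch, not the throttling policy, is the fix.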

Microsoft Windows

Microsoft has released 12 critical updates and 54 patches rated as important for this November Windows update cycle. These November Windows updates cover the following functional areas:

All of the critical updates relate to resolving Microsoft Camera and codec issues. Although these reported vulnerabilities require local access (the vulnerable codec has to process a crafted media file on the target), full control and arbitrary code execution are possible on a compromised system. These codec-focused attacks are relatively straightforward to exploit and could lead to a remote code execution (RCE) scenario with full control of a target system. Historically, the biggest issue we used to see with updates to the Windows GDI (graphics) stack was that, due to poor application packaging practices, vendors and/or system integrators included core system libraries (DLLs) inside their packages, making updates like this month’s GDI and Windows kernel updates really troublesome: the application keeps loading its own stale copy, or its installer overwrites the patched one. Fortunately, this practice is much reduced thanks to better vendor MSIs and better packaging practices. So, before you roll out this update, make sure that your application packages are “clean” (they do not carry their own copies of system binaries such as gdi32.dll or win32k.sys); otherwise you may encounter difficult troubleshooting scenarios with very complex applications. Add this update to your standard desktop update schedule.
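The “clean package” check above is easy to automate. The following PowerShell is an added example (not from the original post or from Application Readiness) that walks the Program Files trees, flags any application folder carrying its own copy of a core Windows binary, and reports the bundled version next to the version in System32 so you can see which apps will keep running old code after this month’s GDI and kernel updates. Assumptions: the watch list is ours (gdi32.dll and win32k.sys are the two the text names; the others are common bundling offenders), and the scan roots default to both Program Files directories.

```powershell
# Added example: find application packages that ship their own copies of core Windows binaries.
# Assumption: watch list and scan roots are ours; extend both for your estate.
param(
    [string[]]$ScanRoot = @($env:ProgramFiles, ${env:ProgramFiles(x86)} | Where-Object { $_ }),
    [string[]]$WatchList = @('gdi32.dll', 'gdiplus.dll', 'win32k.sys', 'user32.dll',
                             'kernel32.dll', 'ntdll.dll', 'msvcrt.dll')
)

$System32 = Join-Path $env:SystemRoot 'System32'
$Watch = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
foreach ($name in $WatchList) { [void]$Watch.Add($name) }

function Get-FileVersionString([string]$Path) {
    # Product version strings are what vendors ship; FileVersion is what the loader cares about.
    $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    if ($info.FileVersion) { $info.FileVersion.Trim() } else { '<no version resource>' }
}

$Findings = foreach ($root in $ScanRoot) {
    $rootPath = $root.TrimEnd('\')
    Get-ChildItem -Path $rootPath -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Watch.Contains($_.Name) -and $_.FullName -notlike "$env:SystemRoot\*" } |
        ForEach-Object {
            # The first folder under the scan root is the application package, e.g. "Vendor App".
            $relative = $_.FullName.Substring($rootPath.Length).TrimStart('\')
            $systemCopy = Join-Path $System32 $_.Name
            [pscustomobject]@{
                Package        = $relative.Split('\')[0]
                BundledFile    = $_.FullName
                BundledVersion = Get-FileVersionString $_.FullName
                SystemVersion  = if (Test-Path $systemCopy) { Get-FileVersionString $systemCopy } else { '<not in System32>' }
            }
        }
}

if ($Findings) {
    $Findings | Sort-Object Package, BundledFile | Format-Table -AutoSize
    Write-Warning "$(@($Findings).Count) bundled system binaries found; retest these packages against this month's GDI and kernel updates."
} else {
    Write-Host 'No bundled copies of watched system binaries found under the scan roots.'
}
```

A bundled copy whose version is older than the System32 copy is the case the paragraph warns about: the application loads the stale DLL from its own directory and never sees the patch, so it belongs on the hot-spot test list even though the system itself is fully updated.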

Microsoft Office

This month Microsoft has distributed 22 updates to the Microsoft Office platform (including Exchange Server and Microsoft Dynamics) that cover the following application or feature groupings:

21 of these updates are rated as important by Microsoft, with the final update (SharePoint) rated low. I think the reason these patched vulnerabilities are rated lower by Microsoft this month is that, in order to compromise the target platform, local access is required or the attack vector (method of access) is very complex. These are hard-to-(repeatedly)-exploit vulnerabilities that require user interaction. These patches affect Word, Excel and Access this month, so testing internally developed applications, especially ones that contain macros or JScript, would be well advised. There is no rush this month; add these Microsoft Office updates to your standard deployment effort.

Microsoft Development Platforms

Microsoft has released three updates for the Visual Studio development platform, all rated as important for this November patch cycle. All of these Visual Studio vulnerabilities require local access to the target system and are relatively difficult to exploit. In addition to the Visual Studio updates, Microsoft has also released 15 patches to the Azure Sphere security product line. So, the functional grouping for this month’s Microsoft development platform update looks like the following:

The Azure Sphere security offering is fairly new and most likely will not be a significant component of enterprise deployment efforts. You can read more about Azure Sphere here. And so just focusing on the Visual Studio updates, we recommend that you add this month’s updates to your standard “Development” release schedule.

Adobe Flash Player

Microsoft has not released any updates (or kill bits) for any of the Adobe products (Flash being the first to come to mind) this month. That said, I have now seen the removal of Flash (through the automated uninstall made available through the update). Nothing bad happened, which is what you should expect once you remove Flash from your system. Sigh.

If you got this far...

You may be interested in the patch management perspective that we are currently employing. Microsoft has updated its patch release documentation with a lot of new data, all published on its website and accessible through APIs. We have started using this new data to create our testing “hotspots” sections that detail which patches will affect which feature or component of Windows or the intended Microsoft product. Working with Microsoft on their patching process, we have seen just how much work is involved and how seriously Microsoft takes getting these updates right (hey, it’s only a billion users, right?). Our focus has been, and will continue to be, on “what happens to the apps?”. Next month you will see additional data on feature-level impacts from each update and some granular detail on our experiences with each update group. You can read more about the new documentation format in the Microsoft blog posting found here.


Greg Lambert

CEO, Product Evangelist

Greg Lambert is the CEO and product evangelist for Application Readiness Inc. Greg is a co-founder of ChangeBASE and has considerable experience with application packaging technology and its deployment.


Understanding the Threatscape Report

The Readiness “Threatscape” report summarizes your risk of not applying this month’s patches, using all publicly-available vulnerability data.

It is equally important to know the risk to your applications if you DO apply this month’s patches. This of course depends on:

  • The current state (version and build) of each platform (Windows, Office, Browser, etc.).
  • Which applications are part of your portfolio.

Luckily, determining the risk of applying patches is easy (and fast and dynamic), thanks to our Dynamic Platform Assessment tool.

To understand what will happen when you apply this month’s patches, contact us and assess your first 25 applications for free.

For each major platform, the pie chart shows the breakdown of vulnerabilities rated critical, important, moderate and low. These match the tables below the graph.

The size of the pie represents the total number of vulnerabilities. The larger the pie, the more vulnerabilities present.

The position of the pie on the vertical axis represents the relative risk to your application portfolio. The higher the position, the higher the exploitability.
