Browser updates are back for Update Tuesday – Testing may be needed for Windows patches

Microsoft this week released 112 updates to its Windows, browser, development and Office platforms. But there were no zero-days or reports of publicly exploited vulnerabilities for November.

Though we return to monthly browser updates after last month’s brief respite — none of this November’s browser security issues are worm-able, and we have not seen anything that would require a return to an urgent browser update cycle. The Windows platform gets the most attention this time, but no single issue requires immediate deployment — though some legacy systems may require full testing for graphically intensive applications that rely on older graphic/media conversion technology. And the Microsoft Office and associated development platforms receive some lower-rated patches, with recommendations for a standard roll-out regime.

We have included a helpful infographic that this month looks a little lopsided, as all of the attention should be on the Windows components.

Key testing scenarios

Working with Microsoft, we have developed a system that interrogates Microsoft updates and matches any file changes (deltas) released each month against our testing library. The result is a “hot-spot” testing matrix that helps drive our portfolio testing process. This month, our analysis of this Patch Tuesday release generated the following testing scenarios:

• Test connecting via Remote Desktop Connection and a VPN and confirm that copy/paste operations between devices and connected devices are successful.
• Test applications that render large windows on GPU-enabled devices.
• Confirm that EMF files play back as expected and that EMF files can successfully be converted to EMF+ files.
• Test JScript apps that use recursive function calls.

Known Issues

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms that are included in this update cycle. I have referenced a few key issues that relate to the latest builds from Microsoft including:

• Microsoft SharePoint (2016 and 2019): When you try to manually install this security update by double-clicking the update file (.msp) to run it in Normal mode (that is, not as an administrator), some files are not correctly updated. To complete the install and ensure that this update is correctly applied, work-around details are provided by Microsoft here.
• Windows 10 (1909 and later): System and user certificates might be lost when updating a device from Windows 10, version 1809 or later to a later version of Windows 10. For more information about the issues, workaround steps, and the currently resolved issues, please see KB4564002.
• Windows 10 (2004 and later: Certain Japanese half-width Katakana and full-width Katakana characters that have a consonant mark aren’t interpreted as the same character. There are no currently published fixes or work-arounds for this issue.
• Windows ESU: After installing this update and restarting your device, you might receive the error, “Failure to configure Windows updates. Reverting Changes. Do not turn off your computer”. Microsoft is working on this one. I suggest waiting until next week before large scale deployments to your legacy systems.

You can also find Microsoft’s summary of Known Issues for this release in a single page here.

Major Revisions

This month, we have a single major revision for documentation reasons that has been released for this November by Microsoft:

CVE-2020-16943: The applicable target platforms have been updated for this vulnerability to Microsoft Dynamics. No (further) action required.

Mitigations and workarounds

For this November release, Microsoft has published a small number of potential workarounds and mitigation strategies that apply to vulnerabilities (CVE’s) addressed this month including:

• CVE-2020-17049: Microsoft has published additional steps to mitigate the effect of a vulnerability in the Windows Kerberos infrastructure relating to the registry key: HKEY_LOCAL_MACHINESystemCurrentControlSetServicesKdc

CVE-2020-17052: Microsoft has published a recommended mitigation for this vulnerability in the MS Script component (as consumed by all Microsoft browsers) that affects network throttling. More information is included in the Browser section.

Browsers

Microsoft has released five updates for their browser platforms for this November update, with four rated as critical and the remaining update rated as important by Microsoft. These browser updates are clustered into the functional groups:

• Microsoft Browsers: memory related corruption issues (CVE-2020-17053, CVE-2020-17058)
• Microsoft Scripting Engine (CVE-2020-17052,
• Microsoft Chakra Scripting Engine (CVE-2020-17048, CVE-2020-17054

One of the Microsoft browser patches (CVE-2020-17052 includes a Microsoft published recommended mitigation for this vulnerability that includes:

“To address this vulnerability, a Throttling Policy for EWSMaxSubscriptions could be defined and applied to the organization with a value of zero. This will prevent the Exchange server from sending EWS notifications, and prevent client applications which rely upon EWS notifications from functioning normally.”

You can read more about Microsoft’s network throttling technology and how to apply the relevant policies here. All of these browser updates address difficult to exploit, complex security scenarios that require user interaction to compromise the target system. Given that these vulnerabilities have not been reported as publicly exploited or disclosed, we recommend that you add these browser patches to your standard patch deployment schedule.

Microsoft Windows

Microsoft has released 12 critical updates and 54 patches rated as important for this November Windows update cycle. These November Windows updates cover the following functional areas:

• Windows Defender (CVE-2020-17090)
• Windows Kernel (CVE-2020-17087, CVE-2020-17035)
• Windows NDIS (CVE-2020-17088)
• Windows Update Stack (CVE-2020-17070 – CVE-2020-17088)
• Windows Wallet (CVE-2020-16999, CVE-2020-17037)
• Microsoft Graphics Component
• Common Log File System Driver (CVE-2020-17088)
• Microsoft Windows Codecs Library

All of the critical updates relate to resolving Microsoft Camera and codec issues. Although these reported vulnerabilities require local access, full control and arbitrary code code execution are possible on a compromised system. These (Codec focused) attacks are relatively straightforward to exploit and could lead to a remote code execution (RCE) scenario with full control of a target system. Historically, the biggest issues we used to see with updates to the Windows GDI (graphics) stack was that due to poor application packaging practices vendors and/or system integrators included core system libraries (DLL’s) inside their packages – making updates like this month’s GDI and Windows Kernel updates really troublesome. Fortunately, this practice is much reduced due to better vendor MSI’s and better packaging practices. So, before you roll-out this update make sure that your application packages are “clean” (do not include GDI.DLL or Win32K.sys) – otherwise you may encounter difficult troubleshooting scenarios with very complex applications. Add this update to your standard desktop update schedule.

Microsoft Office

This month Microsoft has distributed 22 updates to the Microsoft Office platform (including Exchange Server and Microsoft Dynamics) that that cover the following application or feature groupings:

• Microsoft Teams (CVE-2020-17091)
• Microsoft Office SharePoint (CVE-2020-17015 – CVE-2020-17017
• Microsoft Shared/Common Code (CVE-2020-17062–CVE-2020-17067

21 of these updates are rated as important by Microsoft with the final update with a low rating (SharePoint). I think the reason that these patched vulnerabilities are rated lower by Microsoft this month is due to the fact that in order to compromise the target platform, local access is required or the attack vector (method of access) is very complex. These are hard to (repeatedly) exploit vulnerabilities that require user interaction. These patches affect Word, Excel and Access this month, so testing internally developed applications, especially ones that contain macros or JScript, would be well advised. There is no rush this month – add these Microsoft Office updates to your standard deployment effort.

Microsoft Development Platforms

Microsoft has released three updates for the Visual Studio development all rated as important for this November patch cycle. All of these Visual Studio vulnerabilities require local access to the target system and are relatively difficult to exploit. In addition to the Visual Studio updates Microsoft has also released 15 patches to the Azure Sphere security product line. So, the functional grouping for this month’ Microsoft development platform update looks like the following:

• Azure DevOps (CVE-2020-1325)
• Visual Studio (CVE-2020-17100, CVE-2020-17104)
• Azure Sphere (CVE-2020-16981– CVE-2020-16994

The Azure Sphere security offering is fairly new and most likely will not be a significant component of enterprise deployment efforts. You can read more about Azure Sphere here. And so just focusing on the Visual Studio updates, we recommend that you add this month’s updates to your standard “Development” release schedule.

Adobe Flash Player

Microsoft has not released any updates (or kill bits) for any of the Adobe products (Flash being the first to come to mind) this month. That said, I have now seen the removal of Flash (through the automated uninstall made available through the update). Nothing bad happened. Which is what you should expect, once you remove Flash from your system. Sigh.

If you got this far…

You may be interested in the patch management perspective that we are currently employing. Microsoft has updated their patch release documentation with a lot of new data, all published on their website and accessible through API’s. We have started using this new data to create our testing “hotspots” sections that detail what patches will affect which feature or component of Windows or the intended Microsoft product. Working with Microsoft on their patching process, we have seen just how much work is involved and how seriously Microsoft takes getting these updates right (hey, it’s only a billion users, right?). Our focus has been and will continue to be on, “what happens to the apps?”. Next month you will see additional data on feature level impacts from each update and some granular detail on our experiences with each update group. You can read more about the new documentation format found in this Microsoft blog posting found here.