Given that 113 updates arrived for April‘s Patch Tuesday, IT admins have a lot to do. For older systems, Adobe font issues (CVE-2020-0938, CVE-2020-1020) will should get immediate attention. Changes to the Windows Scripting handler and the browser-based Chakra scripting engine may require some additional testing for in-house applications.
This month’s Office updates are relatively low impact unless you are running SharePoint server – which will then require a number of updates, leading to a server reboot. With three (so far) zero-days and a number of critical memory-related patches to Windows, my advice is: don’t panic. Patch older systems first. Test core applications for scripting dependencies and then schedule the remaining updates according to your normal update cycle.
Known Issues
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. I have referenced a few key issues that relate to the latest builds from Microsoft, including:
- CVE-2020-0760: The most important issue with this month’s patch cycle is the change to how Microsoft handles VBScript code in Office. You can read more about some of these changes and how the April updates affect Office.
- KB4549949: After installing KB4493509, devices with some Asian language packs installed may receive the error, “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND.” Microsoft is working on a resolution and will provide an update in an upcoming release.
- KB4550930: Windows Server (Security only) updates may encounter issues with deploying application installations using Group Policy Objects (GPO’s) and MSI Installer packages.
- KB4550929: After installing KB4467684, the cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the group policy “Minimum Password Length” is configured with greater than 14 characters. This issue will only affect older Windows Server builds.
You can also find Microsoft’s summary of Known Issues for this release.
Major Revisions
Only one major revision for documentation reasons has been released for April by Microsoft:
- CVE-2020-0905: In the Security Updates table, Microsoft corrected the Download links for the following products: Microsoft Dynamics NAV 2018, Microsoft Dynamics 365 BC On, Premise, Dynamics 365 Business Central 2019 Spring Update, and Dynamics 365 Business and Central 2019 Release Wave 2 (On-Premise).
No further action for all of these major revisions is required if you are using Microsoft automatic updates.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge)
- Microsoft Windows (both desktop and server)
- Microsoft Office (Including Web Apps and Exchange)
- Microsoft Development platforms ( ASP.NET Core, .NET Core and Chakra Core)
- Cloud and Devices
- Adobe Flash Player (to be discontinued)
Browsers
Microsoft has released two critical updates to its browsers this month (CVE-2020-0969 and CVE-2020-0970). Both of these updates relate to memory handling in either the Chakra or VB Scripting engines. Both vulnerabilities require a user to visit a specially crafted website and then take a number of steps to fall victim to these difficult to exploit vulnerabilities. Add these updates to your regular patch release schedule.
Windows
Microsoft released a very large number of updates for the Windows ecosystem, with seven reported as critical and 59 as important – possibly leading to a greater trend of almost immediate revisions to the patch release cycle with (at least) one change to the number and nature of Microsoft patches. So, we have gone from one zero-day for April to three in the space of a few hours. The following Microsoft vulnerabilities are now rated as zero-days and will require immediate attention:
- CVE-2020-1027: A memory handling vulnerability in the Windows kernel.
- CVE-2020-0938: Handling issues with Adobe Type PostScript fonts.
- CVE-2020-0968: Scripting handling of memory may lead to execution of arbitrary code
- CVE-2020-1020: Another issues with Adobe fonts, this time with a potential mitigation.
If you are running an older system (pre-Windows 10), then the most urgent patch is CVE-2020-1020, which will require a reboot on all affected systems. Microsoft has offered a number of work-arounds in the event that updates to these legacy machines are delayed including:
- Disable the Preview Pane and Details Pane in Windows Explorer.
- Disable the WebClient service.
- DisableATMFD registry key using a managed deployment script.
- DisableATMFD registry key manually.
- Rename ATMFD.DLL.
All of these actions will require significant management overhead and may cause application compatibility problems or lead to difficult trouble-shooting scenarios. You can read more about how to handle this particular issue in the (recently) revised Microsoft security advisory: ADV200006.
If you are running more modern Windows desktops and servers, the situation is different. Note, that even though these high-profile vulnerabilities have been reported as exploited in the wild, they are unlikely to compromise well-patched modern systems – hence, the rating as important for these patches by Microsoft. My recommendation: add these Windows updates to your regular patch cycle, but be prepared for a few more updates and changes over the coming days from Microsoft. Test out the scripting (Chakra and VBScript) changes to your Line-of-business or core applications before full deployment.
Microsoft Office
April is a big update month for Microsoft Office with 28 updates, and unusually, five reported as critical. Thankfully, all of the critical (and most of the remaining) vulnerabilities this month relate to Microsoft SharePoint server which should be protected by most corporate firewalls. The remaining patches relate to Microsoft Word and Excel with pretty standard memory handling and input handling (sanitation) issues that could lead to arbitrary code execution from a remote user (from the internet).
The focus this month should be on patching desktops, and add your server updates to a regular update plan.
Microsoft Development Platforms
Microsoft has released only three updates to its development platforms with two affecting Visual Studio and a final, more serious one in the MSR Javascript Cryptography library. All these updates are rated as important by Microsoft. However, the MSR Cryptography library has been recently updated (in addition to these recent patches) and you may need to test your in-house packages before deploying this update. You can find a list of changes on the MSR Git repository here.
Adobe Flash Player
Note that these are serious times (it’s a pandemic after all), and since Google did not release its usual April Fool’s day joke, Adobe decided that they would take a much needed break. No Adobe updates for Microsoft platforms this month.