December brings peace and joy – well, maybe – but at least Microsoft has provided us with a relatively easy Patch Tuesday update. There is an urgent update to Microsoft Internet Explorer 11 and three critical updates to the Windows platform that will require some attention this month. In addition, we have cumulative updates for the .NET and SQL Server platforms that will require some testing before general deployment. That said, I think that 2020 will bring many interesting Patch Tuesdays, with Microsoft’s new “staged” feature releases already included in Windows 10 1909.
Each month, we try to highlight some of the more serious issues with this month’s and past updates to Microsoft desktop, server and development platforms. I have included a few that are likely to affect this month’s update cycle, including:
- Office 2013 and Office 2016: You may receive the following message, “This application is not trusted to consume rights managed content. The Authenticode signature for the application is not valid. Contact your administrator for further investigation.” To resolve this issue, install Office update 3172523.
- Windows 10 1803 onwards: When setting up a new Windows device during the Out of Box Experience (OOBE), you might be unable to create a local user when using an Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages. Microsoft is working on this one. IMEs are very complex keyboard input “layers” that reside across multiple builds and configurations, requiring massively disparate linguistic skills to debug. From my experience with installing/configuring/breaking IMEs in Asia (in the late 90’s), I suspect that we may see this issue again.
- Across all Windows desktop and server builds, we have the following ongoing issue, “Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.”
- Microsoft is aware of an issue in Windows Hello for Business (WHfB) with public keys that persist after a device is removed from Active Directory, if the AD exists. After a user sets up Windows Hello for Business (WHfB), the WHfB public key is written to the on-premises Active Directory. The WHfB keys are tied to a user and a device that has been added to Azure AD, and if the device is removed, the corresponding WHfB key is considered orphaned.
And thanks to Woody Leonhard (Ask Woody) for picking up on the offering of Autopilot. Just like in October, it looks like the Autopilot patch is once again being offered to all Pro machines, whether they have Autopilot or not.
No major Microsoft update revisions (at the time of writing) have been published.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge)
- Microsoft Windows (both desktop and server)
- Microsoft Office (Including Web Apps and Exchange)
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core)
- Adobe Flash Player
You now have something to talk about at the annual Christmas party. For this December update there is (only) a single reported vulnerability across all of Microsoft’s browsers. While this is an absolutely huge improvement over the sometimes “tens” of urgent “Patch Now” memory corruption vulnerabilities, this success is somewhat tempered by the fact that we are still fixing VBScript issues (CVE-2019-1485) in 2019. So, Microsoft has released a single critical update for Internet Explorer 11 that really does require urgent attention due to its link to ActiveX and its potential exploitability. Add this update to your “Patch Now” schedule if you are still using IE11.
Microsoft has addressed a total of 21 vulnerabilities on the Windows platform for this December Patch Tuesday, with three rated as critical (CVE-2019-1471, CVE-2019-1468 and ADV990001) and the remaining 18 rated as important. The critical-rated vulnerabilities could lead to remote code execution scenarios, with multiple vectors for bad actors to attack the compromised platform. In addition to these security issues, there are several new features “included” but not yet enabled in Windows 10 1909. Microsoft offered the following explanation:
“Windows 10, versions 1903 and 1909 share a common core operating system and an identical set of system files. As a result, the new features in Windows 10, version 1909 were included in the recent monthly quality update for Windows 10, version 1903 (released October 8, 2019), but are currently in a dormant state. These new features will remain dormant until they are turned on using an enablement package, which is a small, quick-to-install “master switch” that simply activates the Windows 10, version 1909 features.”
This is revolutionary stuff, and maybe a little scary. Microsoft is basically saying, “we have changed some stuff, added some stuff, and will let you know about it later.” I would really like a definitive list of new features, their impact and dependencies, and a plan for when these changes are going to be implemented, which I think most deployment engineers would consider reasonable. Given the usual holiday season staffing issues and the lack of clarity around these changes, I suggest that some testing (and waiting) may be advised before a general roll-out of these Windows updates.
December has not been so kind to the Microsoft Office suite, with six reported vulnerabilities, all rated as important by Microsoft. Microsoft does not publish the risk rating or Common Vulnerability Scoring System (CVSS) score for individual Microsoft Office updates, but this patch group has a very high rating of 9.8. If you are using Office 365, then you may have experienced issues with patch downloads. The issue affects channels 1808 to 1911 and more information can be found here. There is a remote code execution scenario for Microsoft PowerPoint (CVE-2019-1462) that may need some urgent attention, but the other updates should be included in your standard update release schedule.
Microsoft’s Git development application is the main victim/offender this month, with five serious vulnerabilities (CVE-2019-1349, CVE-2019-1350, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387) plus one moderate and one important update. We have not seen any other updates to the Visual Studio platform or, more importantly, to Azure for this month. All versions of the Microsoft .NET development platform will receive a cumulative update package (KB4533002), with the special note from Microsoft stating that, “This update is included in the Quality Rollup that’s dated December 10, 2019. Parts of this update were previously released in the Quality Rollup that’s dated September 10, 2019.” I’m not sure what to do with this information. Sigh. Add this update to your standard release schedule.
Microsoft SQL Server gets a special mention this month, with two cumulative updates released (CU 18 KB 4527377 and CU 11 KB 4527378). As Microsoft applies the “pure cumulative” model to all SQL Server patches and releases, all previously released hotfixes (including Critical On Demand patches) are included and “more thoroughly” tested. You can read more about Microsoft SQL Server patch strategies and models here and here respectively. Unless you have a critical dependency on the Git application, please add this month’s update to your standard release schedule.
Adobe has addressed 17 critical security issues, none of which are included in this month’s Microsoft Patch Tuesday, as all of them relate to product-level issues (Adobe Reader and Acrobat) rather than widely used desktop and server components (i.e. Flash). Affected applications include Acrobat Reader, Photoshop, Illustrator and Brackets. In Adobe Acrobat and Reader, Adobe fixed 14 critical arbitrary code execution flaws, including out-of-bounds write glitches, use-after-free flaws, untrusted pointer dereference vulnerabilities, heap overflow errors, buffer errors and a security bypass. You can find more information in APSB19-55. This is a huge month for Adobe security issues – but not a big issue for desktop deployment engineers. For December, may I add, it is definitely not “margarita time”…but you don’t have to deploy any urgent desktop or server updates courtesy of Adobe.
I wanted to spend a few moments thanking everyone for their feedback and their attention over the past year. I love writing about this stuff, and I hope that I have helped a few people out, and maybe saved someone a little time each month. Thank you – and I look forward to more updates, more patches and much more in 2020.