This posting is a little later than usual due to a number of late-in-the-week updates from Microsoft. We started off the week with no zero-days, not a single publicly reported exploit or active exploits in the wild. As we were working with the Microsoft teams, we felt that an out-of-bound patch was imminent that would change our advice on patch cycles for October. After some initial analysis, it appeared that the final “change” for this release was a relatively minor update to Visual Studio – leading to no change in our recommendations in this relatively benign update.
Things to watch out for in this update include: updates to Win32K (always a crowd-pleaser), change to a core business application dependency (MSXML6 libraries) and potentially difficult troubleshooting scenarios in an update to Microsoft’s Dynamic Data Exchange (DDE)
Key testing scenarios
Working with Microsoft, we have developed a system that interrogates Microsoft updates and matches any file changes (deltas) released each month against our testing library. The result is a “hot-spot” testing matrix that helps drive our portfolio testing process. This month, our analysis of this Patch Tuesday release generated the following testing scenarios:
- Potential secure boot issues (Bitlocker) may arise with some anti-virus providers. Sorry, can’t name any vendor names here.
- MSXML6.DLL has been updated. Identify and test all applications that have a functionality dependency on version 6 of the MSXML libraries. This is particularly important for in-house developed line-of-business (LOB) applications.
- Validate Windows Error Reporting (WER) logs. Any effort building test rigs here, will be rewarded with future re-use.
- Test all remote desktop (RDP) sessions (include a VPN connection in your testing process).
- Ensure that ClearType and OTF fonts render after patching (post patch reboot).
Known Issues
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms that are included in this update cycle. I have referenced a few key issues that relate to the latest builds from Microsoft including:
- When installing a third-party driver, you might receive the error, “Windows can’t verify the publisher of this driver software”. You might also see the error, “No signature was present in the subject” when attempting to view the signature properties using Windows Explorer.
- When updating to Windows 10, version 1903 or Windows 10, version 1909 from any previous version of Windows 10, you might receive a compatibility report dialog with “What needs your attention” at the top and the error, “Continuing with the installation of Windows will remove some optional features.” If your device has access to HTTP blocked for LOCAL SYSTEM accounts, to mitigate this issue you can enable HTTP access for the Windows 10 Setup Dynamic Update (DU) using the LOCAL SYSTEM account.
You can also find Microsoft’s summary of Known Issues for this release in a single page here.
Major Revisions
This month, we have three major revisions released for this October by Microsoft:
- CVE-2020-16943: new published information for Microsoft Dynamics. No actions required.
- CVE-2020-17022: this is a late breaking update from Microsoft that needs to be included in the Windows update cycle.
- CVE-2020-17023: another post-Tuesday patch to the Visual Studio code base. No change to our Development recommendations.
Mitigations and workarounds
For this October release, Microsoft has published a small number of potential workarounds and mitigation strategies that apply to vulnerabilities (CVE’s) addressed this month including:
- CVE-2020-16896: Microsoft has suggested the following mitigations and work-around options:
- Disable Remote Desktop Services if they are not required.
- Enable Network Level Authentication (NLA)
- Block TCP port 3389 at the enterprise perimeter firewall
- CVE-2020-16947 and CVE-2020-16949 – in this case the Preview Pane IS an attack vector, unlike CVE-2020-16933 where the Preview pane is not.
Browsers
Incredible. I have nothing to say here. This is a result of no (zero) updates for any of Microsoft browsers. I am not quite sure that I have this right. So, don’t add anything to your standard browser update schedule. Yet.
Microsoft Windows
This October Windows update delivers seven patches rated as critical, with the remaining 46 rated as important by Microsoft. Affecting Microsoft Hyper-V server, the built-in Windows camera codec and associated libraries (GDI). There are some minor updates to Microsoft Installer (MSI) and a few tweaks to how drivers are handled by the Microsoft Shim (compatibility) engine. The one vulnerability to watch out for this month is the update to the Microsoft networking stack (TCP/IP) with the patch to CVE-2020-16898. This is a tough patch to test out and helpfully Microsoft has offered a work-around through disabling ICMPv6 with the following command; “netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable”.
All of the remaining reported vulnerabilities for this month are considered difficult to exploit and require user actions to lead to compromised systems. I think that we should consider this a bit of a reprieve from some pretty heavy-duty patch cycles lately. Add these Windows updates to your standard release schedule.
Microsoft Office
Thank goodness for Microsoft Office – so, at least we have something to talk about once all of the (Canadian) Thanksgiving turkey has been eaten. The real focus this October Patch Tuesday is Microsoft Office, with three updates rated critical, 19 rated as important and the final patch given a moderate rating. The most concerning vulnerability for October relates to an Outlook issue (CVE-2020-16947) where a specially crafted email, viewed in the Outlook Preview pane, could lead to arbitrary code run on the target machine. You don’t have to fully open the message; just view in the preview pane. There are two further updates
(CVE-2020-16918 and CVE-2020-17003) that apply to the Microsoft 3D View application included in the Office 365 for Enterprise subscription pack. The first is rated as important, the second as critical by Microsoft. Unfortunately, this means with the other patches for Excel, Word and SharePoint, that this month we need to add the Microsoft Office patches to the “Patch Now” release schedule.
Microsoft Development Platforms
Though not quite as light as the browser section for this month’s updates, Microsoft has released three very minor updates to .NET, Power-shell and Python that are difficult to exploit and easy to avoid with good practice. Add these patches from Microsoft in your standard development release cycle.
Adobe Flash Player
I was wondering if we were going to see any more Flash updates from Microsoft before Flash is officially retired (through forced removal). Yet for this October Patch Tuesday update, we have one more Flash patch from Microsoft that addresses a critical rated issue that may lead to (another) remote code execution scenario. This update will refresh all of the Flash related libraries (ActiveX, EXE’s and DLL’s) which hopefully, will soon be removed from all Windows systems, this December 31. Add this update to your “Patch Now” release cycle.
If you got this far, you are probably interested to hear that Microsoft will change its release note format. Read morehere.