With just 58 updates to deal with this month, the December Patch Tuesday should make for a welcome light-duty patch-and-test cycle. There were no zero-days or reports of publicly exploited security issues, though there is a critical update to Microsoft Exchange Server that should be a priority. The pressure on the Windows, browser, and Office updates is lower than usual.
Microsoft has also released two Servicing Stack Updates (SSUs) for its desktop and server platforms (ADV990001) and an update to the Chromium project (ADV200002).
Our helpful infographic this month looks a little lopsided, as all of the attention should be on the Windows components.
Key testing scenarios
Working with Microsoft, we have developed a system that interrogates Microsoft updates and matches any file changes (deltas) each month against our testing library. The result is a “hot-spot” testing matrix that helps drive our portfolio testing. This month, our analysis of this Patch Tuesday release generated the following testing scenarios:
- Printing: One of the core subsystems has been updated for the Microsoft Windows desktop ecosystem: SPLWOW64. This process handles printing requests from Win32 processes and this month, Microsoft has enforced a measure of “messaging hygiene” in how this process reads requests — and how it manages the size of those requests. We recommend that you run test print jobs from all of your browsers, Office, and your core line of business applications. Hint: print documents of different sizes, go for the larger ones, and try printing to a file (PDF).
- Windows Defender and Hyper-V: Ensure that read-only requests are properly handled in your Hyper-V containers and sandboxes and that Windows Defender Application Guard (WDAG) properly handles READ-ONLY requests.
- Microsoft OneDrive: We think a verified copy of 1-2000 files up to Microsoft’s cloud storage would be wise.
- Microsoft Edge: Test your legacy applications in Microsoft Edge.
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. I have referenced a few key issues that relate to the latest builds from Microsoft, including:
- When installing December’s latest servicing stack update, some system and user certificates might be lost when a device is updated from Windows 10, version 1809 or later to a later version of Windows 10.
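One practical check for the certificate-loss issue above is to snapshot the certificate stores before the update and diff them afterwards. The following is an added example, not code from the original post or from Microsoft; the store paths and the snapshot file name are assumptions chosen for illustration.

```powershell
# Added example (not from the original post): snapshot certificate stores before
# the December update and compare afterwards, so any certificates dropped during
# the Windows 10 feature-update path described in the known issue are visible.
# The store list and file path below are assumptions for this example.

$Stores = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\My')

function Get-CertSnapshot {
    param([string[]]$StorePaths = $Stores)
    foreach ($store in $StorePaths) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Thumbprint    = $_.Thumbprint
                    Subject       = $_.Subject
                    NotAfter      = $_.NotAfter
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

function Save-CertSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    Get-CertSnapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
}

function Compare-CertSnapshot {
    # Returns the certificates that were present in the saved snapshot but are
    # no longer in the store now (the ones the known issue would have lost).
    param([Parameter(Mandatory)][string]$BeforePath)
    $before = @(Get-Content -Path $BeforePath -Raw | ConvertFrom-Json)
    $after  = @(Get-CertSnapshot)
    # Key on store + thumbprint so the same cert in two stores is tracked separately
    $beforeKeys = @($before | ForEach-Object { "$($_.Store)|$($_.Thumbprint)" })
    $afterKeys  = @($after  | ForEach-Object { "$($_.Store)|$($_.Thumbprint)" })
    if ($beforeKeys.Count -eq 0) { return @() }
    $missing = @(Compare-Object -ReferenceObject $beforeKeys -DifferenceObject $afterKeys |
        Where-Object SideIndicator -eq '<=' |
        Select-Object -ExpandProperty InputObject)
    $before | Where-Object { $missing -contains "$($_.Store)|$($_.Thumbprint)" }
}

# Usage: run the first line before the update and the second after it.
# Save-CertSnapshot -Path 'C:\Temp\certs-before.json'
# Compare-CertSnapshot -BeforePath 'C:\Temp\certs-before.json' |
#     Format-Table Store, Subject, Thumbprint, HasPrivateKey
```

Run the snapshot from the same user context both times, since `Cert:\CurrentUser` is per-user; certificates with `HasPrivateKey` set are the ones worth re-importing from your backup or re-enrolling first.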
You can also find Microsoft’s summary of known issues for this release in a single page.
This month, we have three major revisions for documentation reasons released by Microsoft:
- CVE-2020-1325: This update is now available for Azure DevOps Server version 2019.
- CVE-2020-1596: This CVE addresses a vulnerability in the protocol TLS_DHE. The industry has mostly stopped using TLS_DHE. Microsoft advises customers to disable TLS_DHE. This is the same advice offered by Microsoft for the October update cycle.
- CVE-2020-1704: This revision to the Kerberos KDC security update released in November attempts to resolve a number of reported issues with this patch. Microsoft recommends that all affected systems are updated with this revised patch. You can read more about protecting your systems in this Microsoft support note.
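For the TLS_DHE advice in the CVE-2020-1596 item above, here is an added example (not code from the original post or from Microsoft) that audits which `TLS_DHE_*` cipher suites are still enabled on a Windows host and disables them, using the built-in `Get-TlsCipherSuite` / `Disable-TlsCipherSuite` cmdlets. The function names are my own; it assumes Windows 8.1 / Server 2012 R2 or later and an elevated session.

```powershell
# Added example (not from the original post): audit and disable the TLS_DHE
# cipher suites that CVE-2020-1596 concerns, following the advice to stop using
# TLS_DHE. ECDHE suites are not matched and remain enabled. Run elevated;
# -WhatIf previews the change without applying it.

function Get-DheCipherSuite {
    # Names of every currently enabled suite using ephemeral finite-field DH (DHE)
    Get-TlsCipherSuite |
        Where-Object { $_.Name -like 'TLS_DHE_*' } |
        Select-Object -ExpandProperty Name
}

function Disable-DheCipherSuite {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $suites = @(Get-DheCipherSuite)
    if ($suites.Count -eq 0) {
        Write-Verbose 'No TLS_DHE suites are enabled; nothing to do.'
    }
    foreach ($name in $suites) {
        if ($PSCmdlet.ShouldProcess($name, 'Disable TLS cipher suite')) {
            Disable-TlsCipherSuite -Name $name
        }
    }
    # Return what is still enabled so the caller can confirm DHE is gone
    Get-TlsCipherSuite | Select-Object -ExpandProperty Name
}

# Usage:
# Get-DheCipherSuite                # list what would be disabled
# Disable-DheCipherSuite -WhatIf    # dry run
# Disable-DheCipherSuite -Verbose   # apply, then review the remaining suites
```

A cipher-suite order pushed by Group Policy overrides the local list, so on domain-joined servers make the same change in the policy; the new list applies to new TLS sessions, and a restart of the affected services is the safe way to be sure existing listeners pick it up.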
Mitigations and workarounds
For December, Microsoft published a small number of potential workarounds and mitigation strategies that apply to vulnerabilities (CVEs) addressed this month, including:
- ADV200013: Microsoft is aware of a vulnerability involving DNS cache poisoning caused by IP fragmentation that affects Windows DNS Resolver. An attacker who successfully exploited this vulnerability could spoof the DNS packet, which can be cached by the DNS Forwarder or the DNS Resolver. Microsoft has published a registry-based remediation that should mitigate the worst of this spoofing vulnerability. These proposed registry changes could have a significant impact on your network. It’s time for the professionals to get involved for this system change.
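The registry remediation in ADV200013 caps the UDP response size the Windows DNS Server will accept (`MaximumUdpPacketSize`, 1221 bytes / 0x4C5), so that a fragmented response cannot be used to poison the cache. The following is an added example, not the post’s or Microsoft’s own code, that checks whether a DNS server already has that value and applies it with a dry-run option; the function names are assumptions.

```powershell
# Added example (not from the original post): check and apply the ADV200013
# registry mitigation for the Windows DNS Server service. The key, value name
# and the 1221 (0x4C5) limit are the ones Microsoft's advisory specifies; the
# function names are this example's own. Run elevated on the DNS server; the
# service must be restarted for the new limit to take effect.

$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'MaximumUdpPacketSize'
$Mitigated = 1221   # 0x4C5, the value ADV200013 recommends

function Test-DnsUdpMitigation {
    # $true when the DNS Server service exists and the value is set at or below 1221
    if (-not (Get-Service -Name DNS -ErrorAction SilentlyContinue)) {
        Write-Warning 'DNS Server service is not installed here; the mitigation does not apply.'
        return $false
    }
    $current = (Get-ItemProperty -Path $DnsParams -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($null -eq $current) {
        Write-Verbose "$ValueName is not set; the server default is in use."
        return $false
    }
    Write-Verbose "$ValueName = $current"
    return ($current -le $Mitigated)
}

function Set-DnsUdpMitigation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$RestartService)
    if ($PSCmdlet.ShouldProcess("$DnsParams\$ValueName", "Set to $Mitigated")) {
        New-ItemProperty -Path $DnsParams -Name $ValueName -PropertyType DWord `
            -Value $Mitigated -Force | Out-Null
        if ($RestartService) { Restart-Service -Name DNS }
    }
}

# Usage:
# Test-DnsUdpMitigation -Verbose        # report current state
# Set-DnsUdpMitigation -WhatIf          # dry run
# Set-DnsUdpMitigation -RestartService  # apply and restart the DNS Server service
```

The network impact the post warns about comes from responses larger than 1221 bytes (large DNSSEC-signed answers, for example) having to fall back to TCP, so check that TCP/53 is allowed to your forwarders and upstream resolvers before rolling this out broadly.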
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge).
- Microsoft Windows (both desktop and server).
- Microsoft Office (Including Web Apps and Exchange).
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core).
- Adobe Flash Player.
Browsers
With a single critical update (CVE-2020-17131) and a single moderate patch (CVE-2020-17153) we are definitely seeing a trend here of fewer patches and updates to the Microsoft browser stack. We usually have a long list of browser-based functional areas to highlight, but this month we have just the following:
- Microsoft Edge (CVE-2020-17131).
- Microsoft Chakra Scripting Engine (CVE-2020-17153).
The Microsoft Edge update (CVE-2020-17131) would generally be a priority due to the potential for a remote-code execution scenario arising from memory corruption issues. However, this vulnerability is relatively difficult to exploit and we have not seen any reports of exploits in the wild. Add this very light browser update to your standard update deployment effort.
Windows
The final month of Windows updates for 2020 sees only a single critical Windows patch (CVE-2020-17095) and a further 15 updates rated as important. Here is how the patches are dispersed across the following features (or functional groupings):
- Microsoft Windows (Win32 Subsystem) (CVE-2020-17134 – CVE-2020-17139).
- Windows Error Reporting (CVE-2020-17094).
- Windows Hyper-V (CVE-2020-17095).
- Windows SMB (CVE-2020-17096).
- Windows Media (CVE-2020-17097).
- Microsoft Graphics Component (CVE-2020-17098).
- Windows Lock Screen (CVE-2020-17099).
- Windows Backup Engine (CVE-2020-16958–CVE-2020-16964).
I think Microsoft must be worried that the Hyper-V vulnerability (CVE-2020-17095) will soon be publicly exploited. To fully compromise a targeted system, all that’s required is to run a specially crafted application that generates unvalidated VSMB packet (network) data. That said, there are a number of updates to the Windows platform that will require some testing, including: GDI, Microsoft Backup, and the Windows Lock Screen component. Referencing the “Key Testing Scenarios” section in this post, I strongly recommend testing application-specific printing features before significant deployment of this Microsoft update.
Add this Windows update to your standard release cycle, with sufficient time for key line-of-business application testing.
Microsoft Office
This month, Microsoft has distributed two critical updates and nine patches rated as important to the Microsoft Office platform (including Exchange Server and Microsoft Dynamics). They cover the following application or feature groupings:
- Microsoft Exchange (CVE-2020-17132).
- Microsoft Office SharePoint (CVE-2020-17118).
- Microsoft Office (Excel and Outlook) (CVE-2020-17122 – CVE-2020-17130).
- Microsoft Dynamics (CVE-2020-17133).
The real focus this month is on the critical Exchange Server patch (CVE-2020-17132), which attempts to resolve a vulnerability in how Exchange Server validates “cmdlet” arguments. Unfortunately, it appears that this is a relatively easy to exploit (low complexity), network-based vulnerability that does not require user interaction and can lead to arbitrary code execution on your enterprise’s Exchange servers (this is not a good thing). Unusually for us, we recommend that you make this Exchange update an immediate “Patch Now,” call it a “Priority Patch Now,” if that helps move things along. Otherwise, add the other Office updates to your standard update release schedule.
Microsoft Development Platforms
There aren’t any critical updates released this month for Microsoft development tools. That said, there are four updates to Visual Studio and the Azure SDK rated as important by Microsoft and two further patches for the Azure DevOps server that are also rated as important, shown in the following feature group listing:
- Azure DevOps (CVE-2020-17135 and CVE-2020-17145).
- Visual Studio (CVE-2020-17148, CVE-2020-17156, CVE-2020-17159).
- Azure SDK (CVE-2020-17002).
All of these reported vulnerabilities are relatively difficult to exploit and it looks as if Microsoft developed and deployed a patch before these issues were exploited in the wild. You don’t have to worry about the update to the Azure DevOps environment (Microsoft will take care of the update process), so we recommend adding these developer tool patches to your standard update release schedule.
Adobe Flash Player
Microsoft has not released any updates for Adobe products for December. I was wondering if it was going to have another “kill-bit” update as Flash reaches EOL this month. Since Adobe Flash is (soon to be) dead, we can all start worrying about Adobe Reader now. Adobe released a patch for Reader (APSB 20-67) resolving 14 security issues, four of which were rated as critical.
Now, how are we supposed to update Adobe products again?