This is a big update to the Windows platform for the Microsoft March Patch Tuesday release cycle. Consisting of 115 patches, mostly to the Windows desktop, with almost all of the critical issues relating to browser-based scripting engine memory issues, this will be a difficult set of updates to release and manage.
The testing profile for the Windows desktop platform is very large, with a lower than usual exploitability/risk rating. For this month, we do not have any reports of publicly exploited or disclosed vulnerabilities (zero-days), so my recommendation is to take your time, test the changes to each platform, create a staged rollout plan and wait for future (potentially) imminent changes from Microsoft.
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms that are included in this update cycle. I have referenced a few key issues that relate to the latest builds from Microsoft including:
- When using Windows Server containers with the March 10, 2020 updates, you might encounter issues with 32-bit applications and processes. For important guidance on updating Windows containers, please see Windows container version compatibility.
- After installing KB4493509, devices with some Asian language packs installed may receive the error, “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND.”
- CVE-2020-0903 | Microsoft Exchange Server Spoofing Vulnerability: When you try to manually install this security update by double-clicking the update file (.msp) to run it in Normal mode (that is, not as an administrator), some files are not correctly updated.
- Internet Explorer: After installing this update and restarting your device, you might receive the error, “Failure to configure Windows updates. Reverting Changes. Do not turn off your computer” and the update might show as Failed in Update History. Please see KB4497181.
And on Windows 7.x, 8.x and Server 2012 builds you will still see the following (outstanding) known issues:
- Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).” This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.
Microsoft is working on a resolution and will provide an update in an upcoming release.
There have been numerous updates to the Microsoft LDAP Channel binding and signing advisory over the past year. Microsoft has recently posted a new update that includes:
The following Remote Desktop vulnerabilities have now been updated to include all versions of Windows 10:
No further action for all of these major revisions is required if you are using Microsoft automatic updates.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge)
- Microsoft Windows (both desktop and server)
- Microsoft Office (Including Web Apps and Exchange)
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core)
- Adobe Flash Player
Microsoft has released nine updates to both browsers (Internet Explorer and Edge) this month, with five rated as critical, two as moderate and the remaining two as important. The biggest concerns are the four critical updates to the Chakra core scripting engine that could lead to remote code execution.
Microsoft advises that these four critical vulnerabilities could lead to a scenario where “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Add this update to your “Patch Now” schedule.
With 73 updates (of which 6 are rated as critical), this month’s Windows update covers a lot of functionality across the Windows ecosystem, including changes to: Microsoft Scripting Engine, Windows App Platform and Frameworks, Windows Media, Windows Silicon Platform, Microsoft Edge, Internet Explorer, Windows Fundamentals, Windows Authentication, Windows Kernel, Windows Core Networking, Windows Storage and File Systems, Windows Peripherals, Windows Update Stack, and Windows Server.
Some areas of concern include LNK file handling changes (CVE-2020-0684), updates to the Microsoft graphics core engine (GDI) and a slew of patches to the Windows media engine (CVE-2020-0801, CVE-2020-0807, CVE-2020-0809, CVE-2020-0869).
Aside from the documented security issues, I feel that this month we are at risk of some patch deployment challenges. This month’s Patch Tuesday is a large update that covers a lot of “functional territory.” This means a lot of testing will be required across core Windows functionality and application dependencies.
Working through the patch manifest and update payloads, there are some core files that have been updated that have caused application issues in the past. One good example includes the file MSXML3R.DLL, which was updated in CVE-2020-0844. We have already encountered a number of potential issues in the following applications as part of our algorithmic analysis, including:
- WinZip 18.5
- VMWare Workstation Professional
- NV/HPE Controller
- Siebel Tools 8.1.x
Our advice this month is to take your time with this update, create a staged rollout (IT first) and then deploy in concentric rings of business priority.
We also expect some out-of-band updates later this month — possibly with an update to the LNK patches or the SMB issue. For further guidance on the potential issues with the latest SMB vulnerability, Microsoft has released an advisory here: ADV200005.
This month Microsoft Office has one critical patch in Word (CVE-2020-0852) with eight other vulnerabilities rated as important by Microsoft. The Word-related vulnerability addresses a memory issue and could lead to a remote code execution scenario; it is relatively difficult to exploit. Add these updates to your regular patch cadence office.
Microsoft Development Platforms
For March Microsoft has released five patches for its development platform, all rated as important by Microsoft. Mostly affecting the Azure DevOps server, they are (currently) difficult to exploit and lead only to spoofing and elevation of privilege attacks. Add these minor updates to your standard development update effort.
Adobe Flash Player
Adobe has chosen not to release any updates for this March Patch Tuesday cycle. Unfortunately, this does not mean that there are no vulnerabilities to exploit this month. Expect an update from Adobe next week or shortly after. Until then, it’s Margarita time!
CEO, Product Evangelist
Greg Lambert is the CEO and product evangelist for Application Readiness Inc. Greg is a co-founder of ChangeBASE and has considerable experience with application packaging technology and its deployment.