November Patch Tuesday and the end-of-year holidays are rapidly approaching. Microsoft gave us a late release, or maybe an early gift depending on how you look at it, in the form of the new version of Windows 10. The Patch Tuesday updates appear to be light, so things are looking much better as we enter the final stretch for 2020.
The big announcement this month is the release of Windows 10 version 20H2 on October 20. Yes, you read that correctly – not the 2020 Fall Release or Windows 10 version 2009, but Windows 10 version 20H2. Name changes once again!
This update follows the feature enablement model that began last year with Windows 10 versions 1903 and 1909. The new features in Windows 10 version 20H2 are also included in the October cumulative update for Windows 10 version 2004, although they are dormant. They can be turned on via a special enablement package.
A big change regarding servicing stack updates (SSUs) and the latest cumulative updates (LCUs) has finally been made – LCUs and SSUs have been combined into a single cumulative monthly update! Moving forward we don’t have to worry about managing these separately. Microsoft recommends applying the latest standalone SSU for Windows 10 version 2004 once; after that the servicing stack is updated automatically as part of each cumulative update.
This release also includes a few security updates for Microsoft Defender Advanced Threat Protection (ATP), Microsoft Defender Application Guard for Office, and biometric enhancements for Windows Hello.
Each new release comes with its share of reported issues, so please review before you update to this latest version. From some of the forums I monitor, I’ve noted a lot of conversations around device drivers and device support in general. I suspect this is not an issue unique to Windows 10 version 20H2, but is part of a carryover from Microsoft now enforcing properly signed drivers, which began last month in the cumulative update. There are a lot of good reasons to update your OS, but always ‘look before you leap’ to ensure a smooth transition.
November 2020 Patch Tuesday forecast
- Expect Microsoft to get back on track this month. There was a major dip in the number of common vulnerabilities and exposures (CVEs) addressed last month, and for the first time I can remember there were no updates for Internet Explorer or Edge. Anticipate updates for the standard operating systems, browsers, Office, and extended security updates for Windows 7 and Server 2008. Servicing stack updates, including those for the ESU operating systems, are expected.
- Security updates were released this week for Adobe Acrobat and Reader, so I don’t expect anything next week.
- Apple released their latest security updates for iTunes and iCloud in late September. The next updates will probably show up late this month or early December.
- Google Chrome 86 was updated this week with a few security updates; there is a slight chance another release may come out on Patch Tuesday but don’t count on it.
- Mozilla Firefox and Thunderbird were updated in mid-October. We should see some additional security updates next week.
It looks like an average Patch Tuesday for November. If you have some spare time, check out Microsoft’s latest and greatest in Windows 10 version 20H2.
It’s October and that means Halloween will be here at the end of the month. It won’t be much fun if we only get to ‘dress up’ and look at each other via video conference. But then, we’ve had a lot of ‘tricks’ thrown at us this last month – Zerologon, explosion of ransomware, COVID phishing attacks, and more. Will we get more tricks next week or are we in for a treat on Patch Tuesday?
The Netlogon Elevation of Privilege Vulnerability, CVE-2020-1472, also referred to as the Zerologon vulnerability, dominated the news this past month. The US Department of Homeland Security issued Emergency Directive 20-04 on September 18, requiring all government agencies with a domain controller to update their servers within three days.
Microsoft has also issued updated guidance since the August Patch Tuesday release to clarify the steps needed to secure systems against this vulnerability. Per the process outlined in the article, the first step is to apply the August 11, 2020 updates to every domain controller; these begin enforcing secure RPC (Remote Procedure Call) for Windows devices, but still allow non-compliant devices to connect and log those connections. Full enforcement begins with the deployment of the February 9, 2021 updates.
All systems in your environment should be updated and monitored between now and February, using the Netlogon events the domain controllers now log, to verify they are configured and using the secure channel properly. Once the February updates are deployed, only non-compliant systems explicitly listed in the “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy will still be allowed to connect to the domain controller; anything else still using the vulnerable channel will be refused.
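As an added example that is not part of the original post, the following PowerShell script audits the Netlogon events Microsoft’s guidance article (KB4557222) tells you to watch during the monitoring window: it groups denied and allowed vulnerable connections by account and flags the 5829 events, which are the connections that will start failing once enforcement mode arrives. The event ID meanings in the comments, the message layout the regex parses, and that it runs elevated on a domain controller are assumptions taken from that article, not from this page; the sample events at the end are constructed so the function can be exercised away from a DC.

```powershell
# Added example (not from the original post). Summarises the Netlogon
# secure-channel events Microsoft's guidance (KB4557222) says to monitor on
# domain controllers between the August 2020 and February 2021 updates.
# Event ID meanings below are taken from that article, not from this page:
#   5827 / 5828  vulnerable connection DENIED (machine account / trust account)
#   5829         vulnerable connection ALLOWED during the initial deployment phase
#   5830 / 5831  vulnerable connection allowed because the account is listed in
#                the "Allow vulnerable Netlogon secure channel connections" policy
# Assumed: run elevated on a DC; the "SamAccountName:" / "Trust Name:" text
# the regex below parses out of the event message.

$NetlogonEventMeaning = @{
    5827 = 'Denied (machine account)'
    5828 = 'Denied (trust account)'
    5829 = 'Allowed now, DENIED after the February 2021 enforcement update'
    5830 = 'Allowed by policy exception (machine account)'
    5831 = 'Allowed by policy exception (trust account)'
}

function Get-NetlogonSecureChannelReport {
    [CmdletBinding()]
    param(
        [int]$Days = 7,
        # Pre-collected events (an export, or the constructed sample below);
        # when omitted, the live System log of this domain controller is read.
        [object[]]$Events
    )
    if (-not $Events) {
        $Events = Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'NETLOGON'
            Id           = [int[]]$NetlogonEventMeaning.Keys
            StartTime    = (Get-Date).AddDays(-$Days)
        } -ErrorAction SilentlyContinue
    }

    # One row per event: which account, which event, when.
    $rows = foreach ($e in $Events) {
        $id = [int]$e.Id
        if (-not $NetlogonEventMeaning.ContainsKey($id)) { continue }
        $account = '(unparsed)'
        if ($e.Message -match '(?:SamAccountName|Trust Name):\s*(\S+)') { $account = $Matches[1] }
        [pscustomobject]@{ Account = $account; Id = $id; Time = $e.TimeCreated }
    }

    # Collapse to one line per (account, event) with a count and last-seen time.
    $rows | Group-Object Account, Id | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Account  = $first.Account
            EventId  = $first.Id
            Count    = $_.Count
            LastSeen = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
            Meaning  = $NetlogonEventMeaning[$first.Id]
        }
    } | Sort-Object EventId, Account
}

# Constructed sample events so the report can be exercised away from a DC.
$sample = @(
    [pscustomobject]@{ Id = 5829; TimeCreated = Get-Date '2020-10-01 08:00'; Message = 'The Netlogon service allowed a vulnerable Netlogon secure channel connection. Machine SamAccountName: OLD-NAS$ Domain: CORP Account Type: Workstation' }
    [pscustomobject]@{ Id = 5829; TimeCreated = Get-Date '2020-10-02 08:05'; Message = 'The Netlogon service allowed a vulnerable Netlogon secure channel connection. Machine SamAccountName: OLD-NAS$ Domain: CORP Account Type: Workstation' }
    [pscustomobject]@{ Id = 5827; TimeCreated = Get-Date '2020-10-02 09:10'; Message = 'The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account. Machine SamAccountName: LAB-PC7$ Domain: CORP Account Type: Workstation' }
    [pscustomobject]@{ Id = 5830; TimeCreated = Get-Date '2020-10-03 10:00'; Message = 'The Netlogon service allowed a vulnerable Netlogon secure channel connection because the machine account is allowed in the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy. Machine SamAccountName: PRINTSRV$ Domain: CORP' }
)
Get-NetlogonSecureChannelReport -Events $sample | Format-Table -AutoSize

# On a domain controller, for the last 30 days of live events:
# Get-NetlogonSecureChannelReport -Days 30 | Format-Table -AutoSize
```

Every account that shows up with event 5829 needs to be either fixed (updated, or the vendor patch applied) or deliberately added to the group policy exception before February; accounts appearing under 5830/5831 are the exceptions you already granted and should be revisited periodically so the list shrinks rather than grows.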
It’s not unexpected that the education community has been hit the hardest by cyberattacks in the past several months. Students of all ages are now spending many hours online in daily remote learning sessions and are constantly exposed to a full host of attacks. Microsoft Security Intelligence reports that 62% of malware encounters affect this industry.
As funny as it may sound, this is partially an ‘education’ issue. Most students haven’t received any form of security training and need to be aware of phishing attacks and what to look for, the importance of strong passwords, the need to keep personal or ‘sensitive’ information private, and similar practices we in the industry often take for granted.
With the sudden increase of connections from personal computers, many of which are running out-of-date software, it is more important than ever to maintain solid security practices for the infrastructure and support systems. Teachers should be running authorized software and IT must be prepared to apply the latest security updates, especially for programs like Zoom, WebEx, GoToMeeting, etc., which are critical for remote learning. We’ll weather this storm and the good news is that we’ll have a more security-aware group entering the workforce in the upcoming years.
October 2020 Patch Tuesday forecast
- Microsoft continues to address record numbers of vulnerabilities each month. Expect that to continue in October. Microsoft Exchange Server received a major update last month, so I don’t expect another one. But we will see the standard updates for operating systems and Office, and extended support updates for Windows 7 and Server 2008.
- Select servicing stack updates (SSUs) should appear as they usually do.
- The last security updates for Adobe Acrobat and Reader were in August. There are no pre-announcements on their web site, but we may see an update.
- Apple will most likely release major security updates for iTunes and iCloud later in October if they maintain their quarterly schedule.
- Google Chrome 86 was released this Tuesday with significant security updates. Don’t expect any updates around Patch Tuesday.
- Security updates were released on September 22 for Mozilla Firefox and Thunderbird. We could see some additional updates next week.
In summary, expect the standard set of Microsoft releases, maybe some updates from Adobe, and probably two from Mozilla. Based on this limited list of updates, it sounds like we should be in for a treat!
On this September 2020 Patch Tuesday:
- Microsoft has plugged 129 security holes, including a critical RCE flaw that could be triggered by sending a specially crafted email to an affected Exchange Server installation
- Adobe has delivered security updates for Adobe Experience Manager, AEM Forms, Framemaker and InDesign
- Intel has released four security advisories
- SAP has released 10 security notes and updates to six previously released notes
Microsoft has released patches for 129 CVEs, 23 of which are “critical”, 105 “important”, and one “medium”-risk (a security feature bypass flaw in SQL Server Reporting Services). None of them are publicly known or being actively exploited.
Trend Micro Zero Day Initiative’s Dustin Childs says that patching CVE-2020-16875, a memory corruption vulnerability in Microsoft Exchange, should be top priority for organizations using the popular mail server.
“This patch corrects a vulnerability that allows an attacker to execute code at SYSTEM by sending a specially crafted email to an affected Exchange Server. That doesn’t quite make it wormable, but it’s about the worst-case scenario for Exchange servers,” he explained. “We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that requires authentication. We’ll likely see this one in the wild soon.”
Another interesting patch released this month is that for CVE-2020-0951, a security feature bypass flaw in Windows Defender Application Control (WDAC). Patches are available for Windows 10 and Windows Server 2016 and above.
“This patch is interesting for reasons beyond just the bug being fixed. An attacker with administrative privileges on a local machine could connect to a PowerShell session and send commands to execute arbitrary code. This behavior should be blocked by WDAC, which does make this an interesting bypass. However, what’s really interesting is that this is getting patched at all,” Childs explained.
“Vulnerabilities that require administrative access to exploit typically do not get patches. I’m curious about what makes this one different.”
Many of the critical and important flaws fixed this time affect various editions of Microsoft SharePoint (Server, Enterprise, Foundation). Some require authentication, but many do not, so if you don’t want to fall prey to exploits hidden in specially crafted web requests, pages or SharePoint application packages, see that you install the required updates soon.
Satnam Narang, staff research engineer at Tenable, pointed out that one of them – CVE-2020-1210 – is reminiscent of a similar SharePoint remote code execution flaw, CVE-2019-0604, that has been exploited in the wild by threat actors since at least April 2019.
CVE-2020-0922, an RCE in Microsoft COM (Component Object Model), should also be patched quickly on all Windows and Windows Server systems.
He also advised organizations in the financial industry who use Microsoft Dynamics 365 for Finance and Operations (on-premises) and Microsoft Dynamics 365 (on-premises) to quickly patch CVE-2020-16857 and CVE-2020-16862.
“Impacting the on-premise servers with this finance and operations focused service installed, both exploits require a specifically created file to exploit the security vulnerability, allowing the attacker to gain remote code execution capability. More concerning with these vulnerabilities is that both flaws, if exploited, would allow an attacker to steal documents and data deemed critical. Due to the nature and use of Microsoft Dynamics in the financial industry, a theft like this could spell trouble for any company of any size,” he added.
Jimmy Graham, Sr. Director of Product Management, Qualys, says that Windows Codecs, GDI+, Browser, COM, and Text Service Module vulnerabilities should be prioritized for workstation-type devices.
Adobe has released security updates for Adobe Experience Manager (AEM) – a web-based client-server system for building, managing and deploying commercial websites and related services – and the AEM Forms add-on package for all platforms, Adobe Framemaker for Windows and Adobe InDesign for macOS.
The AEM and AEM Forms updates are more important than the rest.
The Adobe Framemaker update fixes two critical flaws that could lead to code execution, and the Adobe InDesign update five of them, but as vulnerabilities in these two products are not often targeted by attackers, admins are advised to deploy them after the more critical updates are in place.
None of the fixed vulnerabilities are being currently exploited in the wild.
Intel took advantage of the September 2020 Patch Tuesday to release four advisories, accompanying fixes for the Intel Driver & Support Assistant, BIOS firmware for multiple Intel Platforms, and Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM).
The latter fixes are the most important, as they address a privilege escalation flaw rated “critical” for provisioned systems.
SAP marked the September 2020 Patch Tuesday by releasing 10 security notes and updates to six previously released ones (for SAP Solution Manager, SAP NetWeaver, SAPUI5 and SAP NetWeaver AS JAVA).
Patches have been provided for newly fixed flaws in a variety of offerings, including SAP Marketing, SAP NetWeaver, SAP Bank Analyzer, SAP S/4HANA Financial Products, SAP Business Objects Business Intelligence Platform, and others.
Another month has passed working from home and September Patch Tuesday is upon us. For most of us here in the US, September usually signals back to school for our children and with that comes a huge increase in traffic on our highways. But I suspect with the big push for remote learning from home, those of us in IT may be more worried about the increase in network traffic. So, should we expect a large number of updates this Patch Tuesday that will bog down our networks?
The good news is that I expect a more limited release of updates from Microsoft and third-party vendors this month. In August, we saw a HUGE set of updates for Office and also an unexpected .NET release after just having one in July.
Also looking back to last month, there were reported issues with the Windows 10 version 1903, 1909, and 2004 updates. Applying KB 4565351 or KB 4566782 failed for many users on automatic updates, with return codes and explanations that were not very helpful. Let’s hope the updates are more stable this month, without the need to re-apply or, worse, redistribute these large updates across our networks using even more bandwidth.
Last month I talked about software end-of-life (EOL) and making sure you had a plan in place to properly protect your systems in advance. Just as an early reminder we have the EOL of Windows Embedded Standard 7 coming up on October Patch Tuesday. Microsoft will offer continued Extended Security Updates (ESUs) for critical and important security updates just like they did for Windows 7 and Server 2008.
These updates will be available for three years through October 2023. Microsoft also provided an update on the ‘sunset’ of the legacy Edge browser in March 2021 along with the announcement that Microsoft 365 apps and services will no longer support IE 11 starting in August 2021. They made it clear IE 11 is not going away anytime soon, but the new Edge is required for a modern browser experience. These changes are all still a few months out but plan accordingly.
September 2020 Patch Tuesday forecast
- We’ll see the standard operating system updates, but as I mentioned earlier, with the large Office and individual application updates released last month, expect a smaller and more limited set this time.
- Service stack updates (SSUs) are hit or miss each month. The last required update was released in May. Expect to see a few in the mix once again.
- A security update for Acrobat and Reader came out last Patch Tuesday. There are no pre-announcements on their web site so we may see a small update, if any.
- Apple released security updates last month for iTunes and iCloud, so we should get a break this month if they maintain their quarterly schedule.
- Google Chrome 85 was released earlier this week, but we may see a security release if they have any last-minute fixes for us.
- We’re due for a Mozilla security update for Firefox and Thunderbird. The last security release was back on August 25.
Remote security management of both company-provided and user-attached systems provides many challenges. With a projected light set of updates this month, hopefully tying up valuable bandwidth isn’t one of those challenges.
There doesn’t seem to be an end in sight to the COVID-19 crisis, but there are some important end-of-life/end-of-support dates we should be aware of when it comes to software.
Before we dig into this month’s forecast of updates, I want to spend a little time on the importance of planning ahead to avoid the high costs associated with extended support contracts, or sometimes worse, modifying your network environment to mitigate risks.
Remember when Windows XP end-of-life was a ‘date on the horizon’ that you would deal with when it got closer? Suddenly Windows 7 has reached the same point. In fact, we’ve just gone over the six-month point in the first year of Extended Support Updates for Windows 7 and Server 2008.
The operational lifespan of an operating system version is shrinking, and the model has changed as Microsoft moved to the software-as-a-service model for Windows 10. It is imperative we keep track of critical dates associated with both operating systems and applications in order to maintain a functional work environment.
Microsoft has extended the support dates on a few operating systems, but those dates are rapidly approaching. The Enterprise and Education editions of Windows 10 versions 1709 and 1803 reach end of service in October and November respectively this year. The Home and Professional editions of Windows 10 version 1809 reach end-of-service in November as well. Double check your applications to ensure compatibility as you make the operating system upgrades on these systems – you only have 2-3 months left!
We have a little breathing room for the remaining non-Windows 10 operating systems. Windows 8.1 reaches end of extended support in January 2023, and the Server 2012 variants follow in October 2023. Once we reach that point in time, we’ll only have Windows 10 left (or the latest new operating system from Microsoft).
There will be situations where you’ll reach the end of support and there won’t be new patches for the system, but you need to maintain the operating systems and their legacy applications to meet business needs. You’ll need to look at other options to mitigate the security risks introduced by these increasingly vulnerable systems.
Consider virtualization, or locking down the system to run only the specific applications you need. Network segmentation is another option: moving these systems off direct internet connectivity or into more protected parts of your network. Heightened monitoring through next-gen antivirus or endpoint detection and response solutions can also provide added protection. Choose what works best for you, but have a plan and timeline in place for their replacement.
My forecast last month was accurate with regards to record numbers of CVEs addressed. I don’t believe we’ll see this sustained growth but expect a higher than average number to be addressed again this month.
August 2020 Patch Tuesday forecast
- Expect a normal set of operating system and application updates, including ESUs, from Microsoft. I’ve been anticipating a SQL Server or Exchange Server update, so maybe it will happen this month?
- Every operating system received a service stack update (SSU) last month. We may get a break here next week.
- In keeping with the ‘planning for the end’ theme this month, Adobe Flash reaches end-of-life at the end of the year. Plan accordingly because a lot of applications still rely on Flash. Adobe may be giving Flash extra attention as we near the end of its life, so be on the lookout.
- We have a pre-notification from Adobe that APSB20-48 for Acrobat and Reader should release on patch Tuesday.
- Apple released security update 12.10.8 for Windows iTunes at the end of July. We could see a similar update for iCloud this week.
- Google Chrome 85 is in the beta channel and may be released next week.
- Mozilla provided security updates for Firefox 79, Firefox 68 ESR and 78 ESR, as well as Thunderbird 68 and 78 the last week of July. There is a small possibility of a minor security update for some of these applications next week.
The days of sitting on an operating system for 5-10 years with just patching are gone. Patching remains critical for the tactical protection of your systems, but strategic planning for the ongoing upgrades of operating systems and applications is the key to their long-term stability and security.
Microsoft has averaged roughly 90 common vulnerabilities and exposures (CVE) fixes per month over the past five months. With everyone working from home and apparently focused on bug fixes, I expect this large CVE fixing trend to continue. Despite these record CVE numbers, the actual number of updates has been down; we haven’t seen Exchange or SQL Server updates in a while.
The hot topic of conversation over the last two weeks has been the release of out-of-band security updates for CVE-2020-1425 and CVE-2020-1427, both of which address a memory issue within the Microsoft Windows Codecs Library.
While Microsoft releases security updates out-of-band from time to time, the points of contention were that these updates were only available from the Microsoft Store and were released with very limited information. The fact that CVE-2020-1425 is rated critical but is only available through the store has many people wondering why this is the case. This is an unusual release for Microsoft. Keep your eyes open on Tuesday to see if these CVEs show up in the cumulative monthly update.
We’ll see another set of updates for Windows 10 version 2004 and Windows Server version 2004. It’s now been over a full month since the May 27 release of this ‘new’ operating system. As with all operating system releases you’ll want to stay on top of these updates because a larger number of security fixes, as well as important stability updates, are made over the first couple of months.
If you are experiencing any particular issues as you roll out this new operating system you should check out the known issues page for the latest information. You may find a fix is already available or will soon be on the way.
Continue to be diligent with your vulnerability management and system updates as we move deeper into the summer. It’s been kind of quiet in the news regarding new publicly reported exploits, but old vulnerabilities remain and new variants on ransomware and other malicious software continue to surface – Try2Cry being a good example. Here’s what’s been released recently and what to expect next week.
July 2020 Patch Tuesday forecast
- Expect to see a larger number of Microsoft updates this month. We are due for a new set of .NET updates and, as I mentioned above, we are overdue for a SQL Server or Exchange Server update.
- Servicing stack updates (SSUs) and Extended Security Updates (ESUs) for Windows 7 and Server 2008/2008 R2 are expected in the group release as usual.
- The Oracle Critical Patch Update (CPU) aligns with Patch Tuesday once again this quarter. Don’t forget your Java update and other OpenJDK-based products such as Amazon Corretto, AdoptOpenJDK, and others, which will follow close behind.
- After the surprise Adobe Flash release last month, could we see another? Unlikely, but be on the lookout. The last major security update for Acrobat and Reader was in early May so look for a security release this week.
- Apple released their security updates for iTunes and iCloud back in late May and have been releasing roughly every other month. We may not see a release on Tuesday but be on the lookout later this month.
- Google released a security update for Chrome 84 this week.
- Mozilla provided minor security updates this week for Firefox 78, and major updates for Firefox ESR 68 and Thunderbird 68 the last week of June. We may see a minor update for these applications next week.
It’s hard to believe we’re almost halfway through our 2020 Patch Tuesdays already. Working from home has a strange effect on time – each day seems very long, but the weeks are flying by. Regardless, another patch Tuesday is coming next week. May 2020 Patch Tuesday was pretty light on updates as predicted, so I’m expecting we’ll see a more standard release of updates from Microsoft this month.
Windows 10 and Windows Server
One item to factor into your patch Tuesday process is the new release of Windows 10 version 2004 and Windows Server version 2004. These latest versions of Windows 10 were released without major fanfare, as Microsoft pre-announced, on May 27.
Unlike the 1903 to 1909 update, which was done via feature enablement, this is a full, new release. The good news is that the update time has come down significantly from earlier versions such as 1703, which could take around 90 minutes.
For those of you using Windows Update for Business for deployment, there are several enhancements to check out. One of operational importance is the new ability in Intune to identify the target feature update version you want to update to and maintain on all your devices. You can also configure this as a Group Policy or Configuration Service Provider (CSP) policy.
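One way to audit and set that target-version policy from PowerShell, as an added example that is not from the original post: the Group Policy “Select the target Feature Update version” and the Update/TargetReleaseVersion CSP both write the registry values this script reads, so it reports whether a device is pinned, to which version, and what is actually installed. The registry locations and value names are assumptions taken from Microsoft’s policy documentation rather than from this page, and the function names are mine.

```powershell
# Added example (not from the original post). Audits / sets the Windows Update
# for Business "target feature update version" policy. The Group Policy
# "Select the target Feature Update version" and the Update/TargetReleaseVersion
# CSP both write these two registry values (assumed from Microsoft's policy docs):
#   TargetReleaseVersion     (DWORD)  1 = policy enabled
#   TargetReleaseVersionInfo (String) e.g. "2004" or "20H2"
# Run elevated; Set-TargetFeatureVersionPolicy needs write access to HKLM.

$WuPolicyKey       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$CurrentVersionKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

function Get-InstalledFeatureVersion {
    # 20H2 and later populate DisplayVersion ("20H2"); 2004 and earlier only
    # carry ReleaseId ("2004", "1909", ...). Prefer the newer value when present.
    $cv = Get-ItemProperty -Path $CurrentVersionKey
    if ($cv.PSObject.Properties['DisplayVersion']) { $cv.DisplayVersion } else { $cv.ReleaseId }
}

function Get-TargetFeatureVersionPolicy {
    $p = Get-ItemProperty -Path $WuPolicyKey -ErrorAction SilentlyContinue
    $target = $null
    if ($p) { $target = $p.TargetReleaseVersionInfo }
    [pscustomobject]@{
        PolicyEnabled = [bool]($p -and $p.TargetReleaseVersion -eq 1)
        TargetVersion = $target
        Installed     = Get-InstalledFeatureVersion
    }
}

function Set-TargetFeatureVersionPolicy {
    # Accepts the "2004" style or the "20H2" style version string.
    param([Parameter(Mandatory)][ValidatePattern('^\d{4}$|^\d{2}H[12]$')][string]$Version)
    if (-not (Test-Path $WuPolicyKey)) { New-Item -Path $WuPolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $WuPolicyKey -Name TargetReleaseVersion     -Type DWord  -Value 1
    Set-ItemProperty -Path $WuPolicyKey -Name TargetReleaseVersionInfo -Type String -Value $Version
}

function Test-TargetFeatureVersionPolicy {
    # Returns a one-line verdict a patch-management report can consume.
    param([Parameter(Mandatory)][string]$Expected)
    $s = Get-TargetFeatureVersionPolicy
    if (-not $s.PolicyEnabled) {
        return "NOT PINNED: device will take whatever feature update is offered (installed: $($s.Installed))"
    }
    if ($s.TargetVersion -ne $Expected) {
        return "WRONG TARGET: policy pins $($s.TargetVersion), expected $Expected (installed: $($s.Installed))"
    }
    if ($s.Installed -eq $Expected) {
        return "OK: pinned to $Expected and already running it"
    }
    return "PENDING: pinned to $Expected, currently on $($s.Installed); feature update still to be deployed"
}

# Usage:
#   Set-TargetFeatureVersionPolicy -Version '2004'    # pin this device to 2004
#   Test-TargetFeatureVersionPolicy -Expected '2004'  # verify the pin and the installed version
Test-TargetFeatureVersionPolicy -Expected '2004'
```

A pin is a ceiling, not a floor: a device on 1909 pinned to 2004 will move to 2004 and then stop, which is exactly the controlled behaviour you want while you test 20H2. Move the target forward before the pinned version goes out of service; Microsoft’s documentation says devices left pinned to an out-of-service version are eventually moved forward automatically, which is the uncontrolled upgrade the policy was meant to avoid.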
This update also contains enhancements to existing security features in Windows 10. Application Guard, which isolates untrusted content in a container, now supports the Chromium-based Microsoft Edge and can be enabled to protect Microsoft 365 applications when they open untrusted files. Microsoft also rolled out more configuration options for the Windows Sandbox feature introduced back in version 1903. Windows 10 version 2004 will follow the usual 18-month support model, and you can find more details on the entire set of 2004 features here.
Microsoft announced that starting in May 2020, they are pausing all optional, non-security updates for Windows client and server products (Windows 10, version 1909 down to Windows Server 2008 SP2). They are doing this to relieve the pressure of updating systems while everyone is working remotely. These updates will be included in the regular patch Tuesday releases.
Just a quick reminder: Microsoft also delayed the end-of-support date for the Enterprise and Education versions of Windows 10 1709 to October 13, 2020, and for the SharePoint 2010 family (SharePoint Foundation 2010, SharePoint Server 2010, and Project Server 2010) to April 13, 2021. Along with this extended timeline comes the need to continue patching these older systems with the latest security updates.
June 2020 Patch Tuesday forecast
- Expect to see the full set of Microsoft operating system and application updates this month with the exception of .NET updates which were released in May. We didn’t see any of the server updates last month, e.g. SQL, Exchange, etc. so expect at least a few of these.
- A new set of Extended Security Updates (ESUs) for Windows 7 and Server 2008/2008 R2 should be released along with the standard updates.
- Servicing stack updates (SSUs) have continued to be released almost monthly and some are mandatory to install before deploying the latest cumulative or security updates. Pay careful attention to the requirements surrounding these in order to prevent problems during your patch cycle.
- Adobe released a major security update for Acrobat and Reader last month and a minor security release this week. Adobe Flash has not seen a security update for a while, so it could happen.
- Apple released their security updates for iTunes, iCloud, and the supported operating systems last week.
- Google released a security update for Chrome 83 this week.
- Mozilla provided security updates this week for Firefox 77, Firefox ESR 68.9, and Thunderbird 68.9
June Patch Tuesday will be light on major third-party releases, allowing us to focus on the Microsoft releases. With 2-3 months of managing updates in this strange new world and an expected standard release set from Microsoft, June Patch Tuesday should be steady as she goes.
It’s been a hectic month for everyone worldwide, but we may get a small break in the action this patch Tuesday. The forecast for May is looking light on updates, which will be a relief to many IT professionals busy dealing with increasing threats and the challenges of remote system management.
Threat actor activity around COVID-19 exploitation increased dramatically in April. The US Department of Homeland Security and the UK National Cyber Security Centre issued a joint advisory in early April, warning about this increasing activity. This advisory provides a detailed summary of several attacks and valuable links to actions you can take for mitigation.
The number of reported COVID-themed attacks, particularly phishing, has risen more than 475 percent according to this blog from Bitdefender Labs, and that was in March. Coupled with this rising threat is the challenge of managing a now dispersed workforce on previously unused remote and BYOD devices, resulting in a higher risk of a security breach.
IT departments are stretched to the limit, ‘keeping the lights on’ for many businesses and they have little time to deal with the added complexities of deploying regular security updates to these devices.
Oracle released their Critical Patch Updates (CPU) last month which happened to coincide with April Patch Tuesday (it is usually the week after). They had 399 updates across their entire product line. These included updates for Java 7, 8, 11, and 14. A total of 15 vulnerabilities were addressed with CVE-2020-2803 having the highest base CVSS 3.0 score at 8.3.
If you are running the Java JRE in your environment, please update your 7 or 8 versions. If you are developing applications with Java, get the latest 11 or 14 updates to ensure these vulnerabilities are addressed. The next Oracle CPU is scheduled for July.
One break last month came from Microsoft when they delayed the end-of-support date for the Enterprise and Education versions of Windows 10 1709 to October 13, 2020 and the SharePoint 2010 Family – SharePoint Foundation 2010, SharePoint Server 2010, and Project Server 2010 – to April 13, 2021. There was a sigh of relief from a few people.
Also last month, Microsoft addressed 113 CVEs in the patch Tuesday release, which included fixes to font vulnerabilities CVE-2020-1020 and CVE-2020-0938 associated with Advisory 20006. With record numbers of CVEs being fixed each month and the growing threat actor activity, it is more important than ever to keep your systems up-to-date with these latest releases.
May 2020 Patch Tuesday forecast
- Microsoft should release a .NET update this month in addition to the usual OS and application set. We’ll see if the high number of resolved CVEs continues.
- Expect new servicing stack updates (SSUs) for select operating systems this month; most have been getting periodic updates.
- The Extended Security Updates (ESUs) for Windows 7 and Server 2008/2008 R2 should be released on Patch Tuesday as usual. Also be aware that Microsoft released an updated licensing preparation package this week under KB 4538483.
- We should see Windows 10 2004, the May release as it is being called, either next Tuesday or soon thereafter.
- Google released a security update for Chrome 81 this week.
- Similarly, Mozilla provided security updates this week for Firefox 76, Firefox ESR 68, and Thunderbird 68.
- The last security updates for Adobe Acrobat and Reader were in March; we may see an update this month, but Adobe has been releasing major security updates quarterly, so this is more likely to occur in June.
The adage says we should soon see May flowers. With most of the third-party vendors releasing their security updates this week we should have a light patch Tuesday coming. Take some time and smell those roses. After this past month we’ve all earned it.
I should have reserved the title from last month’s article – Let’s put the madness behind us for this month. Of course, it has a completely different meaning now in the wake of the COVID-19 pandemic chaos. The biggest change and challenge for most of us is managing and securing an IT environment while working from home.
Extending the edge of the corporate network through VPNs has taxed many environments, placing greater reliance on collaboration and communication tools. And with that, vulnerabilities have surfaced, and in some cases, exploitation has occurred. Let’s look at some important events since last patch Tuesday.
The cyber threat of COVID-19
COVID-19 has been not only a threat in a physical sense, but also generated one of the larger cybersecurity threats in recent memory. Attackers have built on the public’s need for the latest, global COVID-19 information by creating widespread phishing attacks. These phishing attacks often contain downloaders which exploit known vulnerabilities.
Many of these attacks are posing as the World Health Organization, National Institutes of Health, or other trusted sources for information. During this crisis it remains a priority to make employees aware of these attacks and to continue to apply the software updates needed to protect your systems.
Attacks on collaboration software
I mentioned recent attacks on collaboration software, with Zoom unfortunately being the leader in the news. Several vulnerabilities concerning passwords and privilege escalation have been discovered in this widely used application, and the overall security of the product has been questioned by many.
Attackers have been able to interrupt live sessions. In this time of working from home, the need for regular interaction to accomplish our jobs is more important than ever, and we need to trust the tools we are using. Zoom has been responding rapidly, providing updates to combat this recent wave of attacks.
Windows SMBv3 vulnerability
This vulnerability exists in Windows 10 1903 and 1909 and garnered a lot of attention because it received the highest Common Vulnerability Scoring System (CVSS) score of 10. It does not require user authentication and could be used to propagate a worm. Please make sure you’ve applied this update.
Microsoft delayed the end-of-support date for the Enterprise and Education versions of Windows 10 1709 from April 14 until October 13. Per Microsoft, this will remove at least one burden for those who were in the process of updating to a new edition. Of course, this means that both Windows 10 1709 and 1803 will reach end-of-support within a month of each other – 1803 ends November 10 so plan accordingly!
While on the subject of Windows 10, the release of Windows 10 2004 may be happening soon and there is cause for concern with so many people working from home. There is no control over the update being applied on a system running Home edition, so for employees, or their children doing schoolwork, this update could be very disruptive. Watch for more information from Microsoft and let your employees know what to expect.
The IT world is changing rapidly and as we’ve seen with Zoom, Microsoft and others, both policies and patch releases are being adapted to address the situation. The entire work-from-home scenario is forcing vendors to continuously assess the security state of their applications, so I anticipate we will see more releases addressing a smaller number of vulnerabilities as they are discovered and fixed.
April 2020 Patch Tuesday forecast
- Microsoft should provide their regular updates across the board for the latest Windows 10 workstations and servers as well as the usual applications, e.g. Office, SharePoint, etc. Be on the lookout for a fix to the font vulnerability reported in Advisory 20006, Type 1 Font Parsing Remote Code Execution Vulnerability.
- Mozilla provided security updates this week for Firefox, Firefox ESR and Thunderbird. We may not see anything from them next week.
- Likewise, Google released a security update for Chrome this week, so I don’t expect to see anything on Patch Tuesday.
- There are no pre-announcements for Adobe Acrobat, Reader, or Flash but I wouldn’t rule out an update next week.
We should have a smaller set of updates than usual released next week. But with the rising number of attacks coupled with the chaos surrounding the COVID-19 pandemic, it is more important than ever to protect our work-from-home employees. Once again, patch endures.
It’s March 2020 Patch Tuesday and Microsoft has dropped fixes for 115 CVE-numbered flaws: 26 are critical, 88 important, and one of moderate severity. The good news is that none of them are under active attack.
For the time being, Adobe seems to be skipping this Patch Tuesday and there’s no indication whether the customary security updates are just delayed or there won’t be any at all in the coming days.
Last month, Microsoft plugged 99 security holes in a variety of its products. Unexpectedly, this month the number is even higher.
The 26 critical flaws all allow remote code execution, but some are more easily exploited than others.
For example, CVE-2020-0852 affects Microsoft Word and exploitation can be achieved without the target having to open a specially crafted file that would trigger it.
“Instead, simply viewing a specially crafted file in the Preview Pane could allow code execution at the level of the logged-on user,” noted Trend Micro’s Zero Day Initiative’s Dustin Childs, and pointed out that having a bug that doesn’t require tricking someone into opening a file should be enticing to malware and ransomware authors.
Also, once again, the company fixed yet another RCE (CVE-2020-0684) that can be triggered by a vulnerable target system processing a specially crafted .LNK file.
CVE-2020-0872 is an RCE affecting Microsoft Application Inspector (version v1.0.23 or earlier), the recently released source code analyzer that comes in handy for checking open source components for unwanted or risky features.
“To exploit the vulnerability, an attacker needs to convince a user to run Application Inspector on source code that includes a malicious third-party component,” Microsoft explained.
“Although Microsoft doesn’t list this as being publicly known at the time of release, it appears this was actually fixed in version 1.0.24, which released back in January,” Childs noted. “It’s not clear why it’s being included in this month’s patch release, but if you use Application Inspector, definitely go grab the new version.”
CVE-2020-0905 is an RCE affecting the Dynamics Business Central client and could allow attackers to execute arbitrary shell commands on a target system.
“While this vulnerability is labeled as ‘Exploitation Less Likely,’ considering the target is likely a critical server, this should be prioritized across all Windows servers and workstations,” urged Animesh Jain, Product Manager of Vulnerability Signatures at Qualys.
Childs is of the same mind. “Exploitation of this Critical-rated bug won’t be straightforward, as an authenticated attacker would need to convince the target into connecting to a malicious Dynamics Business Central client or elevate permission to System to perform the code execution. Still, considering the target is likely a mission-critical server, you should test and deploy this patch quickly,” he added.
It must also be pointed out that, in this batch of fixes, there is one for a spoofing vulnerability in Microsoft Exchange Server, but this flaw is less serious than CVE-2020-0688, a fix for which was released in February but is still being actively exploited in the wild. Admins are advised to plug that security hole ASAP (if they haven’t already).
Mozilla updates Firefox
Adobe might not have released security updates on this March 2020 Patch Tuesday, but Mozilla released Firefox 74, with TLS 1.0 and TLS 1.1 disabled by default, stricter rules for add-ons, a tool for preventing Facebook from tracking users around the web, and several developer features.
No critical flaws have been fixed in this edition of the popular browser or in Firefox ESR 68.6 (also released today).
Richard Melick, Sr. Technical Product Manager, Automox, pointed out that while none of the Firefox flaws patched this time are under active exploitation, the time to weaponization averages 7 days, so users/admins should upgrade as soon as possible.
“Impacting the iPhone, CVE-2020-6812 stood out as a vulnerability that would allow a website with camera or microphone access to gather information on the user through the connected AirPods. While not the most critical, this information could be gathered and help adversaries track a user and further gather more personally identifiable information if left unpatched. Essentially, if you’re listening in, someone else may be as well,” he added.
Did you survive the madness of February 2020 Patch Tuesday and its aftermath? We saw Windows 7 and Server 2008 finally move into extended security support and then Microsoft pulled a rare, standalone Windows 10 security patch following some unexpected results.
For some of us, these two events caused a bit of chaos until they were sorted out. Let’s take a quick look in the rearview mirror, before jumping ahead to what looks like an easy drive for March.
Microsoft did a great job providing information and testing tools in advance of the Windows 7 and Server 2008 end-of-life, but that doesn’t mean everyone was ready when it happened. The extended security updates (ESUs) are supplied as part of the update catalog, but installation on the endpoint fails without first installing and activating a subscription key. Other prerequisites include the appropriate SHA-2 code signing update and the latest servicing stack updates (SSUs) which, if you have been patching regularly, you will have already installed.
So, last Patch Tuesday, as you can imagine, getting the systems to the proper state with all three components in place – activated key, SHA-2 update, and latest SSU, and then applying the new ESU patches was disruptive for some. But now that everyone has been through the procedure, the process of applying the March updates should be much smoother.
The release and subsequent removal of KBs 4524244 and 4502496 created a lot of discussion and confusion. Woody Leonhard provided a detailed chronology and technical breakdown in his article. This is a complicated situation involving the Unified Extensible Firmware Interface (UEFI) boot loader.
In summary, Microsoft released this security update to fix an issue where a third-party UEFI boot manager could allow a reboot that bypasses Secure Boot entirely; an attacker who booted a hostile operating system this way could compromise the system. Keep in mind this does require physical access to the system. Unfortunately, there were unexpected side effects to the fix which included breaking other boot routines, most notably on HP PCs with Ryzen processors. The updates were pulled, and we are waiting to see if Microsoft re-releases a more comprehensive fix this patch Tuesday.
I mentioned in the forecast last month that the Microsoft Security Advisory 190023 contained more detail on the upcoming security features for the Lightweight Directory Access Protocol (LDAP). This advisory was again updated on February 28, with recommendations on using the new options to harden this protocol.
The advisory specifically stated, “The March 10, 2020 and updates in the foreseeable future will not make changes to LDAP signing or LDAP channel binding policies or their registry equivalent on new or existing domain controllers.” These features will be included in the March Patch Tuesday updates, so take advantage and enable them. Also follow best practices and experiment on your test systems before rolling out to production.
March 2020 Patch Tuesday forecast
- Microsoft addressed the highest number of CVEs in recent memory last month, so expect a lighter set of updates next week. The ESUs should again track the CVEs addressed with the other standard support operating systems. Office updates were light last month, so there may be a few more coming.
- Mozilla had some major updates for all products last month but expect a minor update next week. Vulnerabilities continue to pop up in browser-related products.
- Google just released their security update for Chrome this week, so I don’t expect to see anything on patch Tuesday.
- Apple released their first major updates in January, so we may see a minor update.
- Adobe issued major updates for Reader and Acrobat last month, so we should only see a minor update this month if any. I’ll go out on a limb and say we won’t see a Flash update this month.
The forecast for updates looks light this month, so breathe a sigh of relief as we leave the February madness behind.
The January 2020 Patch Tuesday was a light one as predicted; everyone was still catching up from the end-of-year holidays. As we gain momentum into February and move towards Valentine’s Day, I anticipate Microsoft, and at least Mozilla, will give plenty of love and attention to their applications and operating systems.
Microsoft had announced back in August with Advisory 190023 that they were planning several updates to their implementation of the Lightweight Directory Access Protocol (LDAP). That advisory explained the need for LDAP channel binding and LDAP signing to increase security. Originally planned for Q4 2019, Microsoft has pushed the first part of this update out to March 2020.
The company is planning a two-part rollout, with the March release paving the way for major change and enforcement later in the year. As explained in the advisory, the “Windows Updates in March 2020 add new audit events, additional logging, and a remapping of Group Policy values that will enable hardening LDAP Channel Binding and LDAP Signing.”
Microsoft delayed this until March so administrators can properly test the LDAP configuration changes. There’s been a lot of discussion on the various security forums concerning this, so factor in some extra test time next month.
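One way to do that testing, as an added example that is not the article’s or Microsoft’s code: a PowerShell audit, run elevated on a domain controller, that reports the current signing and channel binding settings and lists the clients that would break once they are enforced. The registry value names (LDAPServerIntegrity, LdapEnforceChannelBinding, '16 LDAP Interface Events') and the Directory Service event IDs (2889, 3039) are Microsoft’s documented ones and are assumptions here, since none of them appear in the article.

```powershell
<#
  Added example (not from the article or from Microsoft): audit a domain
  controller's LDAP signing / channel binding posture and list the clients
  that still bind insecurely. Assumes an elevated session on a DC that has
  the March 2020 updates. Registry names and event IDs are Microsoft's
  documented ones (assumption, not taken from the article).
#>
param(
    [int]$LookbackHours = 24   # how far back to read the Directory Service log
)

$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the value is absent so the caller can report "not set"
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# LDAPServerIntegrity:       1 = None (signing negotiated, not required)  2 = Require signing
# LdapEnforceChannelBinding: 0 = Never  1 = When supported  2 = Always
# The Group Policy settings the advisory remaps write these same values.
$signing = Get-RegValue $ntds 'LDAPServerIntegrity'
$cbt     = Get-RegValue $ntds 'LdapEnforceChannelBinding'

$signingText = switch ($signing) {
    2       { 'Require signing (hardened)' }
    1       { 'None (weak)' }
    default { 'Not set, defaults to None (weak)' }
}
$cbtText = switch ($cbt) {
    2       { 'Always (hardened)' }
    1       { 'When supported' }
    0       { 'Never (weak)' }
    default { 'Not set, defaults to Never (weak)' }
}
Write-Host "LDAP signing         : $signingText"
Write-Host "LDAP channel binding : $cbtText"

# Per-client logging: '16 LDAP Interface Events' = 2 writes one Event 2889 per
# unsigned or cleartext simple bind instead of only the 24-hour summary (Event 2887).
$ldapDiag = Get-RegValue $diag '16 LDAP Interface Events'
if (-not $ldapDiag -or $ldapDiag -lt 2) {
    Write-Warning "'16 LDAP Interface Events' is '$ldapDiag'; set it to 2 to log each offending client as Event 2889."
}

# Event 2889 = unsigned/cleartext bind (fails once signing is required)
# Event 3039 = channel binding token validation failed (fails once binding is 'Always')
$filter = @{
    LogName   = 'Directory Service'
    Id        = 2889, 3039
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No 2889/3039 events in the last $LookbackHours hours; no active client observed that enforcement would break."
    return
}

# Pull the client IPv4 address out of the message text without depending on its exact layout
$rows = foreach ($e in $events) {
    $ip = if ($e.Message -match '(\d{1,3}(?:\.\d{1,3}){3})') { $Matches[1] } else { 'unknown' }
    [pscustomobject]@{ EventId = $e.Id; Client = $ip }
}

# Noisiest clients first: these are the systems to fix (or document) before flipping the policy
$rows | Group-Object EventId, Client | Sort-Object Count -Descending |
    Select-Object @{ n = 'Count'; e = { $_.Count } }, @{ n = 'EventId, Client'; e = { $_.Name } } |
    Format-Table -AutoSize
```

Run it on each domain controller for a few days with per-client logging enabled before changing the policy; a client that never appears in the output is unaffected by enforcement.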
Windows 7 and Server 2008/2008 R2 patches
Getting back to February Patch Tuesday, the big change will be the lack of Windows 7 and Server 2008/2008 R2 patches this month. I say that tongue-in-cheek because they will still be publicly available but require a special key to install on the endpoint; this key is issued as part of the Microsoft Extended Security Update (ESU) program.
Microsoft has made this as painless as possible to accommodate the large, remaining installed base of these systems. However, with the end of any operating system there is always some confusion and panic as reality sets in.
If you have systems you just can’t migrate/upgrade yet to Windows 10 and you don’t have a planned ESU program in place, you should consider some additional options to mitigate their security risk. Consider virtualizing some of the workload and locking down the system to run only the specific applications you need. Application control can help with this lockdown and often provides some privilege management protection as well.
You can also consider a segmentation approach, i.e. remove them from direct internet connectivity or move them to more protected parts of your network.
Finally, add on some next-gen anti-virus (AV) or endpoint detection and response (EDR) solutions for added protection. You know these systems will become targets, so due diligence is important to their protection until you can migrate them.
February 2020 Patch Tuesday forecast
- Microsoft is overdue to release some major updates, so expect them this month. We should see updates across the board with a large number of CVEs addressed in all of them. In addition to the usual OS and Office updates, we should see server updates for SharePoint, Exchange, and SQL. I don’t expect another .NET update since one was released in January, but you never know.
- Mozilla is also overdue for a set of major updates across their product lines.
- Google released major updates for Chrome this week, so we should only see a minor update, if any, on patch Tuesday.
- Apple released their first major updates of the year last week, so similar to Google, we expect only minor updates, if any at all.
- Adobe is a bit unpredictable this month. Their last major security update for Acrobat and Reader was back in early December, so the pressure is mounting for another one. Keep an eye out for their pre-announcement bulletins and plan accordingly.
Even if we have a heavy patch release next Tuesday, make sure you set some time aside to spend with your significant other or a close friend the following Friday – Happy Valentine’s Day!
The holidays are over, and another Patch Tuesday is rapidly approaching. My New Year’s resolution was to stop procrastinating when it comes to getting organized. I have several locations in my house where I store things and every time I open a drawer or door, I think “I really could make better use of this space if I just took the time to get it organized.”
Over the holidays, I finally took the time to get started. I cleared out stuff I no longer needed, cleaned out the area, arranged what was left, and was amazed at the results. One less thing I had to worry about, and I felt better about myself too. Maybe there is a lesson here to be carried over to our security operations?
We all have those systems that always have issues during updates. We know they are there and dread working on them, just because they slow down our patch cycle. In the end, they are either the last to get patched or they don’t get patched at all and we just wait another month worrying about them being in a possible vulnerable state. Maybe we need a resolution to tackle these systems head-on so we don’t need to worry about them anymore.
Take the time to resolve the issues, or if they are old, consider a complete replacement of the hardware and software. We have enough stress in our lives so don’t prolong it worrying about these systems month after month. Take the time to fix the issues and you will be more efficient overall. Join me in this resolution and we can start the new decade right.
The January 2020 Patch Tuesday will provide us with the last free update of Windows 7 and Server 2008/2008 R2. We’ve talked about it for the last several months and it is finally here. Microsoft released additional guidance if you are planning on subscribing to extended security updates; make sure your systems are prepared.
It’s challenging to forecast what we will see from Microsoft this month. I was expecting to finish out last year with a bang, but we really ended on a whimper. The OS updates contained minimal CVE fixes with only 16 for Windows 10 and the low teens across the remaining legacy systems.
Other than these OS updates, we had the usual Office releases but no Exchange, SharePoint, .NET, or other updates. It was one of the lightest patch Tuesday releases in a long time. Microsoft may have ‘saved up’ other updates for January Patch Tuesday, but I suspect not.
January is typically a light month for releases, and I expect that trend to continue.
January 2020 Patch Tuesday Forecast
- We are overdue, so expect a .NET update from Microsoft. Windows 7 and Server 2008/2008 R2 may get some special attention this month since it is the final public security release.
- Mozilla released a major update on Tuesday, so if we get anything next week it will only be a minor update.
- Google released their last major updates back on December 10 and a minor update this week, so I don’t expect anything here.
- We saw security updates for Acrobat, Reader, and Flash (after several months with none) last month. Be on the lookout for a possible Flash update, but no pre-announcements have been made for any of these products so far.
- Apple released major security updates on December Patch Tuesday, so I don’t expect any this month.
With a light January 2020 Patch Tuesday forecast, give some thought to starting the decade right!
Can you believe another year has passed and we’re approaching the last Patch Tuesday of the year? While I get ready to make another online gift purchase with my credit card, I can’t help but reflect on the security activity over the past twelve months. Some of these hit close to home.
The most broadcast news of the year was the exposure of personal information in over 500 million Facebook accounts. This security incident was the result of servers not properly configured, allowing open public access. This was reported in April and additional accounts were exposed in September. Proper security configuration is definitely a challenge across thousands of servers, but it is THE fundamental security requirement before dealing with software vulnerabilities.
Next up in public view was the compromise of Epic Games’ servers that hosted the wildly popular Fortnite game. This security incident back in January was the result of several software vulnerabilities being exploited, resulting in another situation where personal account information was stolen. It is estimated that the security compromise impacted over 200 million gamers worldwide.
Breaches and data loss were not limited to these two social or consumer sites. Reported breaches included Capital One and First American from the financial industry, LabCorp and Quest Diagnostics from the medical field, and the Federal Emergency Management Agency (FEMA) from the government sector. From the report estimates I’ve seen, there will be an unprecedented 5+ billion records stolen this year.
Getting back to the Patch Tuesday forecast, the big news (maybe the elephant in the room to use an old phrase) is that next month, January Patch Tuesday, we’ll see the last free update of Windows 7 and Server 2008/2008 R2. Windows 7 continues to be a popular operating system, only being overtaken by Windows 10 in January 2019.
Even with end-of-life approaching, Windows 7 dropped only slowly, from 36% to 28% of worldwide Microsoft market share, throughout the year. After that final update, a lot of consumer desktops and laptops will go unpatched until they finally stop working and are replaced. Many will be compromised, resulting in stolen personal data, but even worse they will be used for additional attacks against our corporate systems.
It will be interesting to see how this possible threat plays out in 2020. In the meantime, be aware that Microsoft has released additional guidance on preparing your Windows 7 machines for extended security updates if you continue to subscribe.
This looks like a busy Patch Tuesday coming up, so I am going to trust all of you to configure and update your systems. It’s time to buy those last presents online. Now where did I put that credit card again?
December 2019 Patch Tuesday Forecast
- Microsoft will provide the usual round of updates including the monthly rollups and security-only patches for all the operating systems, along with Office, SharePoint server, and Internet Explorer. Based on their current track record, expect another round of servicing stack updates as well. We may also see a .NET update this month.
- An update is coming for Acrobat and Reader; Adobe provided a pre-notification they will release APSB19-55 next week. The most recent security Flash release was September Patch Tuesday, so we may see a final one to close out the year, but no promises.
- Chrome 79 is scheduled for release from Google.
- We may see an ‘Apple Patch Tuesday,’ although they don’t always release on Tuesday, with security updates for macOS, iTunes and/or iCloud for Windows. Keep an eye on these because I suspect Apple wants to wrap up the year with up-to-date, secure software.
- Mozilla released security updates for Firefox 71, Thunderbird 68.3 and Firefox ESR 68.3 on Monday this week. Anything released next week would be minor bugfixes, but definitely make sure you install these security fixes.