A large – but manageable – February Patch Tuesday brings critical browser updates
Credit to Author: Greg Lambert | Date: Thu, 13 Feb 2020 03:00:00 -0800
With 99 reported vulnerabilities and patches to both Microsoft browsers, Office and Windows, this month’s Patch Tuesday update is not as large an administrative burden as you might initially think. We’ve rated the browser updates as a “Patch Now” update due to issues with the Chakra engine, but both Office and Windows can be scheduled according to a regular patch cadence. Unfortunately, we have another Adobe Flash update to deploy, but no critical development updates for February.
You can find more information in our helpful infographic here.
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. I have referenced a few key issues that relate to the latest builds from Microsoft including:
Microsoft has been working on a fix for both these issues for a while now; we don’t expect a resolution any time soon.
This month, two CVEs have undergone a major revision increment:
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
Microsoft has released nine updates to both browsers (Internet Explorer and Edge) this month, with five rated as critical, two as moderate and the remaining two as important. The biggest concerns are the four critical updates to the Chakra core scripting engine that could lead to remote code execution.
Microsoft advises that these four critical vulnerabilities could lead to a scenario where “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Add this update to your “Patch Now” schedule.
OK, this may sound like a lot of updates: Microsoft has released 79 patches to the Windows desktop and server ecosystem. Five of these updates are rated as critical and the rest are all rated as important by Microsoft. It sounds (and feels) like a lot of patches, but other than the critical updates to the Remote Desktop (RDP) platform, the administrative burden is not that great.
This patch cycle feels more like an administrative cycle than one that addresses critical or exploited vulnerabilities. It’s “clean-up” time for Microsoft after the Christmas break and a very light January patch cycle.
Add these updates to your standard release schedule.
Microsoft has released six updates to Microsoft Office – all rated as important. The most serious for this month affects Microsoft Excel with a potential (but difficult-to-exploit) remote code execution scenario involving how Excel handles objects in memory. All of this month’s reported vulnerabilities require access to the target system and require users to take explicit action on vulnerable systems. There is an update this month to Microsoft SharePoint server which will require a reboot of all affected servers.
Add these Office patches to your regularly scheduled updates.
This month, Microsoft has not released any updates to the many variations of .NET, but we do have one update to SQL Server that has been rated as important. CVE-2020-0618 is relatively difficult to exploit, as it requires access to the SQL server instance and requires specially crafted pages sent to the SQL Server Reporting services.
Add this update to your regularly scheduled patch release cadences.
We have allocated this space to the recent cloud (Azure) and device updates from Microsoft. This month, Microsoft has not released any Azure-related patches, but has published a Microsoft Surface (device-level) patch (CVE-2020-0702) that has been rated as important (and difficult to exploit).
Add this device-related update to your regular patch cycle.
I thought that we were done with critical Adobe Flash Player updates from Microsoft. I even instructed our development team to remove this section from our internal bulletins. Well, the Flash Player updates are back, with a vengeance.
This month, we see another ActiveX flaw in Flash Player (ADV20003/CVE-2020-3757) that could lead to the execution of arbitrary code on the compromised computer. According to the Adobe security bulletin, “The vulnerability exists due to a type confusion error when processing Flash content. A remote attacker can create a specially crafted .SWF file, trick the victim into playing it, trigger a type confusion error and execute arbitrary code on the target system. Successful exploitation of this vulnerability may result in complete compromise of the target system.”
Microsoft has documented a potential workaround relating to the Flash ActiveX control: setting the 0x400 “kill bit” in the control’s Compatibility Flags so that Internet Explorer refuses to load it. This is applied with the following registry changes (both the native and the 32-bit Wow6432Node views of the key are covered):
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
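A registry import tells you nothing about whether the mitigation is actually in place on a given machine. The PowerShell below is an added example (not part of the original article and not Microsoft’s own tooling) that audits both registry views for the kill bit and, optionally, applies it without clobbering any other flag bits already set. The CLSID and the 0x400 value are taken from the .reg snippet above; the function names, the output layout and the decision to preserve existing flag bits are this example’s own assumptions.

```powershell
# Added example: audit and (optionally) apply the Flash ActiveX kill bit workaround.
# CLSID and 0x400 come from Microsoft's documented .reg workaround; everything else
# (function names, output shape) is specific to this example.

$FlashClsid = '{D27CDB6E-AE6D-11CF-96B8-444553540000}'
$KillBit    = 0x400   # Compatibility Flags bit that stops IE loading the control

# Both keys from the workaround: the native view and the 32-bit (WOW64) view.
$KillBitKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
)

function Get-CompatibilityFlags {
    # Returns the current "Compatibility Flags" DWORD for a key, or $null if
    # the key or the value does not exist.
    param([string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.'Compatibility Flags') { return $null }
    return [int]$item.'Compatibility Flags'
}

function Test-FlashKillBit {
    # Emits one object per key so the result can be filtered, exported or fed
    # into a compliance report. KillBitSet is $true only when 0x400 is present.
    foreach ($key in $KillBitKeys) {
        $flags = Get-CompatibilityFlags -Key $key
        $flagsText = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { '(absent)' }
        $isSet = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
        [pscustomobject]@{
            Key        = $key
            Flags      = $flagsText
            KillBitSet = $isSet
        }
    }
}

function Set-FlashKillBit {
    # Applies the workaround: ORs 0x400 into "Compatibility Flags" under both keys,
    # creating the key when missing. Any other flag bits already set are kept.
    # Needs an elevated session; supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($key in $KillBitKeys) {
        if (-not $PSCmdlet.ShouldProcess($key, 'Set ActiveX kill bit (0x400)')) { continue }
        if (-not (Test-Path -LiteralPath $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        $current = Get-CompatibilityFlags -Key $key
        if ($null -eq $current) { $current = 0 }
        New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
            -PropertyType DWord -Value ($current -bor $KillBit) -Force | Out-Null
    }
}

# Usage: audit first, then apply only where the audit shows the bit missing.
Test-FlashKillBit | Format-Table -AutoSize
# Set-FlashKillBit -WhatIf   # preview the change
# Set-FlashKillBit           # apply it (run elevated)
```

Run the audit before and after importing the .reg file (or after running Set-FlashKillBit) and keep the output; a machine that reports KillBitSet as $false under either key still loads the control in that bitness of Internet Explorer, so both rows need to read $true before the workaround can be considered in effect.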
Add this update to your “Patch Now” release schedule.