Take your time, get it right for March Patch Tuesday

Credit to Author: Greg Lambert | Date: Thu, 12 Mar 2020 11:41:00 -0700

This is a big update to the Windows platform for the Microsoft March Patch Tuesday release cycle. It consists of 115 patches, mostly to the Windows desktop, with almost all of the critical issues relating to memory-handling flaws in browser-based scripting engines, and it will be a difficult set of updates to release and manage.

The testing profile for the Windows desktop platform is very large, with a lower than usual exploitability/risk rating. For this month, we do not have any reports of publicly exploited or disclosed vulnerabilities (zero-days), so my recommendation is to take your time, test the changes to each platform, create a staged rollout plan, and be prepared for potentially imminent follow-up changes from Microsoft.

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms that are included in this update cycle. I have referenced a few key issues that relate to the latest builds from Microsoft including:

And on Windows 7.x, 8.x and Server 2012 builds you will still see the following (outstanding) known issues:

Microsoft is working on a resolution and will provide an update in an upcoming release.

There have been numerous updates to the Microsoft LDAP Channel binding and signing advisory over the past year. Microsoft has recently posted a new update that includes:

“Microsoft is announcing that the March 10, 2020 security updates are available that add options for administrators to harden the configurations for LDAP channel binding on Active Directory domain controllers. Further information and configuration options can be found here: ADV190023. While the latest servicing stack information can be found here (ADV990001).”
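For administrators following that advisory, the PowerShell script below is an added example (not part of the original article or of Microsoft's guidance) that audits the LDAP channel binding and signing settings on a domain controller and flags each one as hardened or weak. The registry paths and value names are those documented in ADV190023; the script assumes it runs locally on the DC with read access to HKLM.

```powershell
# Added example: audit LDAP channel binding / signing hardening on a domain controller.
# Registry locations and value names are those documented in ADV190023.
# A missing value means "not configured", so the platform default applies.
$ntds       = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ntdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$ldapClient = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# Each check lists the setting, its current value, the value that counts as
# hardened, and what each documented value means.
$checks = @(
    [pscustomobject]@{ Setting = 'LdapEnforceChannelBinding (DC)'
        Value = Get-RegDword $ntds 'LdapEnforceChannelBinding'; Hardened = 2
        Meaning = @{ 0 = 'Disabled'; 1 = 'Enabled, when supported'; 2 = 'Always' } },
    [pscustomobject]@{ Setting = 'LDAPServerIntegrity (DC signing requirement)'
        Value = Get-RegDword $ntds 'LDAPServerIntegrity'; Hardened = 2
        Meaning = @{ 1 = 'None'; 2 = 'Require signing' } },
    [pscustomobject]@{ Setting = 'LDAPClientIntegrity (client signing requirement)'
        Value = Get-RegDword $ldapClient 'LDAPClientIntegrity'; Hardened = 2
        Meaning = @{ 0 = 'None'; 1 = 'Negotiate signing'; 2 = 'Require signing' } },
    # Diagnostics level 2 makes the DC log event 2889 for each unsigned/unprotected
    # bind, which is how you find clients that will break before enforcing.
    [pscustomobject]@{ Setting = '16 LDAP Interface Events (diagnostics)'
        Value = Get-RegDword $ntdsDiag '16 LDAP Interface Events'; Hardened = 2
        Meaning = @{ 0 = 'Off'; 2 = 'Logs unprotected binds (event 2889)' } }
)

foreach ($c in $checks) {
    if ($null -eq $c.Value) {
        $state = 'NOT CONFIGURED (platform default applies)'; $shown = '-'; $label = 'n/a'
    } else {
        $shown = $c.Value
        $label = if ($c.Meaning.ContainsKey($c.Value)) { $c.Meaning[$c.Value] } else { 'unknown value' }
        $state = if ($c.Value -eq $c.Hardened) { 'hardened' } else { 'WEAK' }
    }
    '{0,-50} value={1,-3} ({2}) -> {3}' -f $c.Setting, $shown, $label, $state
}
```

Run it on each domain controller before changing LdapEnforceChannelBinding or the signing requirement, and review the event 2889 entries it tells you to enable so that legacy clients are fixed before enforcement.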

The following Remote Desktop vulnerabilities have now been updated to include all versions of Windows 10:

No further action for all of these major revisions is required if you are using Microsoft automatic updates.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

It’s not you, it’s your browser. With 15 critical updates and one remaining patch rated as important by Microsoft, the majority of critical vulnerabilities addressed in this month’s Patch Tuesday relate to browser-based scripting engines (Chakra, JavaScript). Though all of the critical-rated patches could lead to remote code execution scenarios, their CVSS scores, and thus their corresponding exploitability, are quite low (average 4.4 out of 10).

Further narrowing the security concerns for these reported vulnerabilities is that they only apply to relatively few Windows builds. If you are on the latest release of Windows 10, you are probably OK. If you are on an old version of Windows (pre-Chakra), you are not affected. If you are running a really early version of Windows 10 (who are you?), then you have a problem. Add these browser patches to your standard rollout schedule.

With 73 updates (of which 6 are rated as critical), this month’s Windows update covers a lot of functionality across the Windows ecosystem, including changes to: Microsoft Scripting Engine, Windows App Platform and Frameworks, Windows Media, Windows Silicon Platform, Microsoft Edge, Internet Explorer, Windows Fundamentals, Windows Authentication, Windows Kernel, Windows Core Networking, Windows Storage and File Systems, Windows Peripherals, Windows Update Stack, and Windows Server.

Some areas of concern include LNK file handling changes (CVE-2020-0684), updates to the Microsoft graphics core engine (GDI) and a slew of patches to the Windows media engine (CVE-2020-0801, CVE-2020-0807, CVE-2020-0809, CVE-2020-0869).

Aside from the documented security issues, I feel that this month we are at risk of some patch deployment challenges. This month’s Patch Tuesday is a large update that covers a lot of “functional territory.” This means a lot of testing will be required across core Windows functionality and application dependencies.

Working through the patch manifest and update payloads, there are some core files that have been updated that have caused application issues in the past. One good example includes the file MSXML3R.DLL, which was updated in CVE-2020-0844. We have already encountered a number of potential issues in the following applications as part of our algorithmic analysis, including:

Our advice this month is to take your time with this update, create a staged rollout (IT first) and then deploy in concentric rings of business priority.

We also expect some out-of-band updates later this month — possibly with an update to the LNK patches or the SMB issue. For further guidance on the potential issues with the latest SMB vulnerability, Microsoft has released an advisory here: ADV200005.

Editor’s note: Microsoft released KB4551762 on March 12 to address the SMBv3 vulnerability.

This month Microsoft Office has one critical patch in Word (CVE-2020-0852) with eight other vulnerabilities rated as important by Microsoft. The Word-related vulnerability addresses a memory issue and could lead to a remote code execution scenario; it is relatively difficult to exploit. Add these updates to your regular Office patch cadence.

For March, Microsoft has released five patches for its development platform, all rated as important by Microsoft. Mostly affecting Azure DevOps Server, they are (currently) difficult to exploit and lead only to spoofing and elevation-of-privilege attacks. Add these minor updates to your standard development update effort.

Adobe has chosen not to release any updates for this March Patch Tuesday cycle. Unfortunately, this does not mean that there are no vulnerabilities to exploit this month. Expect an update from Adobe next week or shortly after. Until then, it’s Margarita time!
