Take your time, get it right for March Patch Tuesday


This is a big update to the Windows platform for the Microsoft March Patch Tuesday release cycle. With 115 patches, mostly to the Windows desktop, and almost all of the critical issues relating to browser-based scripting engine memory issues, this will be a difficult set of updates to release and manage.

The testing profile for the Windows desktop platform is very large, with a lower than usual exploitability/risk rating. For this month, we do not have any reports of publicly exploited or disclosed vulnerabilities (zero-days), so my recommendation is to take your time, test the changes to each platform, create a staged rollout plan and wait for future (potentially) imminent changes from Microsoft.

Known issues

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. I have referenced a few key issues that relate to the latest builds from Microsoft, including:

  • When using Windows Server containers with the March 10, 2020 updates, you might encounter issues with 32-bit applications and processes. For important guidance on updating Windows containers, please see Windows container version compatibility.
  • After installing KB4493509, devices with some Asian language packs installed may receive the error, "0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND."
  • CVE-2020-0903 | Microsoft Exchange Server Spoofing Vulnerability: When you try to manually install this security update by double-clicking the update file (.msp) to run it in Normal mode (that is, not as an administrator), some files are not correctly updated.
  • Internet Explorer: After installing this update and restarting your device, you might receive the error, “Failure to configure Windows updates. Reverting Changes. Do not turn off your computer” and the update might show as Failed in Update History. Please see KB4497181.

And on Windows 7.x, 8.x and Server 2012 builds you will still see the following (outstanding) known issues:

  • Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).” This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Microsoft is working on a resolution and will provide an update in an upcoming release.

Major revisions

There have been numerous updates to the Microsoft LDAP Channel binding and signing advisory over the past year. Microsoft has recently posted a new update that includes:

“Microsoft is announcing that the March 10, 2020 security updates are available that add options for administrators to harden the configurations for LDAP channel binding on Active Directory domain controllers. Further information and configuration options can be found here: ADV190023. While the latest servicing stack information can be found here (ADV990001).”

The following Remote Desktop vulnerabilities have now been updated to include all versions of Windows 10:

No further action for all of these major revisions is required if you are using Microsoft automatic updates.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

  • Browsers (Microsoft IE and Edge)
  • Microsoft Windows (both desktop and server)
  • Microsoft Office (Including Web Apps and Exchange)
  • Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core)
  • Adobe Flash Player

Browsers

It's not you, it's your browser. With 15 critical updates and one remaining patch rated as important by Microsoft, the majority of critical vulnerabilities addressed in this month’s Patch Tuesday relate to browser-based scripting engines (Chakra, JavaScript). Though all of the critical-rated patches could lead to remote code execution scenarios, their CVSS scores and thus their corresponding exploitability are quite low (average 4.4 out of 10).

Further narrowing the security concerns for these reported vulnerabilities is that they only apply to relatively few Windows builds. If you are on the latest release of Windows 10, you are probably OK. If you are on an old version of Windows (pre-Chakra), you are not affected. If you are running a really early version of Windows 10 (who are you?), then you have a problem. Add these browser patches to your standard rollout schedule.

Microsoft Windows

With 73 updates (of which 6 are rated as critical), this month’s Windows update covers a lot of functionality across the Windows ecosystem, including changes to: Microsoft Scripting Engine, Windows App Platform and Frameworks, Windows Media, Windows Silicon Platform, Microsoft Edge, Internet Explorer, Windows Fundamentals, Windows Authentication, Windows Kernel, Windows Core Networking, Windows Storage and File Systems, Windows Peripherals, Windows Update Stack, and Windows Server.

Some areas of concern include LNK file handling changes (CVE-2020-0684), updates to the Microsoft graphics core engine (GDI) and a slew of patches to the Windows media engine (CVE-2020-0801, CVE-2020-0807, CVE-2020-0809, CVE-2020-0869).

Aside from the documented security issues, I feel that this month we are at risk of some patch deployment challenges. This month’s Patch Tuesday is a large update that covers a lot of “functional territory.” This means a lot of testing will be required across core Windows functionality and application dependencies.

Working through the patch manifest and update payloads, there are some core files that have been updated that have caused application issues in the past. One good example includes the file MSXML3R.DLL, which was updated in CVE-2020-0844. We have already encountered a number of potential issues in the following applications as part of our algorithmic analysis, including:

  • WinZip 18.5
  • VMware Workstation Professional
  • NV/HPE Controller
  • Siebel Tools 8.1.x

Our advice this month is to take your time with this update, create a staged rollout (IT first) and then deploy in concentric rings of business priority.

We also expect some out-of-band updates later this month — possibly with an update to the LNK patches or the SMB issue. For further guidance on the potential issues with the latest SMB vulnerability, Microsoft has released an advisory here: ADV200005.

Editor's note: Microsoft released KB4551762 on March 12 to address the SMBv3 vulnerability.

Microsoft Office

This month Microsoft Office has one critical patch in Word (CVE-2020-0852) with eight other vulnerabilities rated as important by Microsoft. The Word-related vulnerability addresses a memory issue and could lead to a remote code execution scenario; it is relatively difficult to exploit. Add these Office updates to your regular patch cadence.

Microsoft Development Platforms

For March, Microsoft has released five patches for its development platform, all rated as important by Microsoft. Mostly affecting the Azure DevOps server, they are (currently) difficult to exploit and lead only to spoofing and elevation of privilege attacks. Add these minor updates to your standard development update effort.

Adobe Flash Player

Adobe has chosen not to release any updates for this March Patch Tuesday cycle. Unfortunately, this does not mean that there are no vulnerabilities to exploit this month. Expect an update from Adobe next week or shortly after. Until then, it’s Margarita time!

Copyright © 2020 IDG Communications, Inc.

