This month Microsoft released patches for 99 vulnerabilities with 12 rated “Critical” in severity.

All patches have been approved in our patch policy.

Huge patch month. Last month’s 0-day JScript bug (ADV200001) announced on January 17 has been patched (CVE-2020-0674). CVE-2020-0729 fixes a critical flaw Windows handling of shortcut (.lnk) files. Also fixed is a Remote Code Execution vulnerability (CVE-2020-0688) in Exchange. CVE-2020-0618 addresses a remote code execution vulnerability existing in Microsoft SQL Server Reporting Services. The monthly Adobe Flash update has returned this month. New Servicing Stack Updates (SSU) for Windows 7/2008/2008R2 and for Windows 10 1903/1909. There are some bugs. Make sure to review “Known Issues” below.

FYI [ADV990001] – New Servicing Stack Updates (SSU) for some operating systems. Up to date SSUs are critical. Many do not show up in the regular Windows Updater scans and should be installed in the background automatically. ClubMSP offers scripts to audit the current SSU version as well as installation scripts. It is recommended that all partners run the “MS Stack Audit” to determine if their machines are current. “MS Stack Audit AIO” can be used to install the newest SSU if necessary.

Heads Up – If you have purchased Extended Security Updates (ESU) for Windows 7/2008 you will need to install KB4538483 “Extended Security Updates (ESU) Licensing Preparation Package” This patch shows up in Kaseya’s patch policy.

Disclosed: CVE-2020-0674, CVE-2020-0683, CVE-2020-0686, CVE-2020-0689, CVE-2020-0706
Exploited: CVE-2020-0674

Security Update Guide

https://portal.msrc.microsoft.com/en-us/security-guidance

Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com

Affected software include:

  • Microsoft Windows
  • Microsoft Edge (EdgeHTML-based)
  • Microsoft Edge (Chromium-based)
  • ChakraCore
  • Internet Explorer
  • Microsoft Exchange Server
  • Microsoft SQL Server
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Windows Malicious Software Removal Tool
  • Windows Surface Hub

Microsoft Security Advisories

ADV990001 | Latest Servicing Stack Updates (Published:11/13/2018 | Last Updated:2/11/2020)
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001
Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.

ADV200001 | Microsoft Guidance on Scripting Engine Memory Corruption Vulnerability (Published:01/17/2020 | Last Updated:02/11/2020)
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001
Important Microsoft has completed the investigation into a public report of this vulnerability. We have issued CVE-2020-0674 – Scripting Engine Memory Corruption Vulnerability to address this vulnerability. For more information about this issue, including download links for an available security update, please review CVE-2020-0674.
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

ADV200002 | Chromium Security Updates for Microsoft Edge based on Chromium (Published:02/11/2020)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200002
This advisory will be updated whenever Microsoft releases a version of Microsoft Edge which incorporates publicly disclosed security updates from the Chromium project.

ADV200003 | February 2020 Adobe Flash Security Update
(Published:01/28/2020 | Last Updated:02/07/2020)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200003
This security update addresses the following vulnerability, which is described in Adobe Security Bulletin APSB20-06: CVE-2020-3757.

Known Issues

Microsoft is reporting problems with Windows Server container images. They have also posted an issue with last month’s KB4534310 for Windows 7 and Windows Server 2008 R2. They have not yet acknowledged a profile loading problem with this month’s Cumulative Update for Windows 10 1903/1909 (KB4532693).

Microsoft continues to list unresolved older problems under the Known Issues for new patches. So if you have not yet experienced one of these issues it is unlikely it will occur now. Note: Microsoft Exchange Server updates KB4536987,KB4536988,KB4536989 may require a “Run as administrator” installation on servers that are using user account control (UAC).

Windows Server container images
You might encounter issues when using Windows Server container images for the February 11, 2020 security update release
https://support.microsoft.com/en-us/help/4542617/you-may-encounter-issues-when-using-windows-server-docker-container-im
Applies to: Windows Server 2016/2019, all versions Windows Server version 1709/1803/1809/1903/1909
Symptoms include:

  • When you run the command “docker run” you might not receive output and it might become non-responsive.
  • Your Windows Server Container in Kubernetes does not reach the “running” state
  • You receive the error, “docker: Error response from daemon: container encountered an error during Start: failure in a Windows system call: The wait operation timed out. (0x102).”
    Workaround: See KB4542617 link above

Status: While we investigate this issue, current pull requests using floating tags for Windows Server container images (such as ltsc2019, 1809, 1909, etc.) will temporarily default to pull the container images with the January 14, 2020 security update.

Wallpaper set to Stretch is displayed as black in Windows 7 SP1 and Server 2008 R2 SP1
https://support.microsoft.com/en-us/help/4539602/wallpaper-set-to-stretch-is-displayed-as-black
Applies to: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1
Symptoms: Installing the KB4534310 update might cause your wallpaper that is set to Stretch to display as black.
Fix: See KB44539602 link above – stand-alone package for this update

Other Sources

Windows 10 KB4532693 Update Bug Hides User Data, Loads Wrong Profile
https://borncity.com/win/2020/02/13/windows-10-update-kb4532693-kills-user-data-profile/
Applies to: Windows 10 1903/1909
Symptom: After installing KB4532693 the user’s desktop is missing icons. The KB4532693 update loads a temporary profile during the update installation but is failing to restore the user’s profile when done. C:\Users will have a renamed profile with extension .000 or .bak.
Fix: Uninstall KB4532693

Good resource for known issues with Windows 10 patches. Click on the version in the left column for the status of known issues.

Windows 10 release information
https://docs.microsoft.com/en-us/windows/release-information/

Monthly Rollup/Security Only/Windows 10/Server 2016,2019 KBs

Links are https://support.microsoft.com/en-us/help/####### with the KB number only.

Security and Quality Rollup

  • KB4537820 – Windows 7, Windows Server 2008 R2 (ESU)
  • KB4537821 – Windows 8.1, Windows Server 2012 R2
  • KB4537814 – Windows Server 2012
  • KB4537810 – Windows Server 2008 (ESU)

Security Only Update

  • KB4537813 – Windows 7, Windows Server 2008 R2 (ESU)
  • KB4537803 – Windows 8.1, Windows Server 2012 R2
  • KB4537794 – Windows Server 2012
  • KB4537822 – Windows Server 2008 (ESU)

Cumulative Update for Windows 10

  • KB4537776 – Original release version 1507 (OS Build 10240)
  • None – Version 1511 (OS Build 10586)
  • KB4537764 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB4537765 – Version 1703 “Creators Update” (OS Build 15063)
  • KB4537789 – Version 1709 “Fall Creators Update” (OS Build 16299)
  • KB4537762 – Version 1803 “Spring Creators Update” (OS Build 17134)
  • KB4532691 – Version 1809 “October 2018 Update” (OS Build 17763)
  • KB4532693 – Version 1903 “May 2019 Update” (OS Build 18362)
  • KB4532693 – Version 1909 “November 2019 Update” (OS Build 18363)

Note: Server 2016 uses the same KB as Windows 10 Version 1607. Server 2019 uses the same KB as Windows 10 Version 1809.

KB4537767 – Cumulative Security Update for Internet Explorer 9/10/11
This cumulative update is included in the monthly updates listed above. It can be installed instead of the monthly to secure Internet Explorer otherwise it is “superseded” by the monthly update.

KB4537759 – Security Update for Adobe Flash Player

February 2020 updates for Microsoft Office

https://support.microsoft.com/en-us/help/4538704/february-2020-updates-for-microsoft-office

Notable CVEs

CVE-2020-0674 | Scripting Engine Memory Corruption Vulnerability (Cumulative Update/Monthly Rollup)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0674
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.
The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.

CVE-2020-0618 | Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0618
A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests. An attacker who successfully exploited this vulnerability could execute code in the context of the Report Server service account.
To exploit the vulnerability, an authenticated attacker would need to submit a specially crafted page request to an affected Reporting Services instance.
The security update addresses the vulnerability by modifying how the Microsoft SQL Server Reporting Services handles page requests.

CVE-2020-0688 | Microsoft Exchange Validation Key Remote Code Execution Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688
A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time.
Knowledge of a the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.
The security update addresses the vulnerability by correcting how Microsoft Exchange creates the keys during install.

CVE-2020-0689 – Microsoft Secure Boot Security Feature Bypass Vulnerability (KB4502496 and KB4524244)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0689
A security feature bypass vulnerability exists in secure boot. An attacker who successfully exploited the vulnerability can bypass secure boot and load untrusted software.
To exploit the vulnerability, an attacker could run a specially crafted application.
The security update addresses the vulnerability by blocking vulnerable third-party bootloaders.

CVE-2020-0729 | LNK Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0729
A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
The attacker could present to the user a removable drive, or remote share, that contains a malicious .LNK file and an associated malicious binary. When the user opens this drive(or remote share) in Windows Explorer, or any other application that parses the .LNK file, the malicious binary will execute code of the attacker’s choice, on the target system.
The security update addresses the vulnerability by correcting the processing of shortcut LNK references.