Virtual Administrator’s May 2020 Patch Recommendations

This month Microsoft released patches for 111 vulnerabilities with 16 rated “Critical” and 95 “Important” in severity.

All patches have been approved in our patch policy.

May brings a lot of patches but few problems. The top concern this month is CVE-2020-1126, a Remote Code Execution (RCE) vulnerability in Windows Media Foundation. There is another critical RCE vulnerability in Microsoft Graphics Components (CVE-2020-1153), along with multiple browser vulnerabilities in both IE (CVE-2020-1062, CVE-2020-1035) and Edge (CVE-2020-1059, CVE-2020-1096, CVE-2020-1056). There are also a few SharePoint RCE vulnerabilities: CVE-2020-1023, CVE-2020-1024, CVE-2020-1069, CVE-2020-1102. A vulnerability (CVE-2020-1118) in Transport Layer Security (TLS) could trigger a denial-of-service attack by continually rebooting the target system.

There are two new SSUs for Windows 7 and Server 2008/2008 R2. One new Security Advisory (ADV200004) was posted at the end of April.

Disclosed: None

Exploited: None

 

Security Update Guide

https://portal.msrc.microsoft.com/en-us/security-guidance

 

Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com

 

Affected software includes:

  • Microsoft Windows
  • Microsoft Edge (EdgeHTML-based)
  • Microsoft Edge (Chromium-based)
  • ChakraCore
  • Internet Explorer
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Windows Defender
  • Visual Studio
  • Microsoft Dynamics
  • .NET Framework
  • .NET Core
  • Power BI

Microsoft Security Advisories

ADV990001 | Latest Servicing Stack Updates (Published: 11/13/2018 | Last Updated: 5/14/2020)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001

Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.

 

ADV200004 | Availability of updates for Microsoft software utilizing the Autodesk FBX library (Published: 04/21/2020 | Last Updated: 04/23/2020)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200004

Microsoft is announcing the release of updates to address multiple vulnerabilities found in the Autodesk FBX library which is integrated into certain Microsoft applications. Details about the vulnerabilities can be found here – https://www.autodesk.com/trust/security-advisories/adsk-sa-2020-0002

Remote code execution vulnerabilities exist in Microsoft products that utilize the FBX library when processing specially crafted 3D content. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

To exploit the vulnerabilities, an attacker must send a specially crafted file containing 3D content to a user and convince them to open it.

The security updates address these vulnerabilities by correcting the way 3D content is handled by Microsoft software.

 

Known Issues

No new known issues have been posted by Microsoft.

 

Microsoft continues to list unresolved older problems under the Known Issues for new patches. So if you have not yet experienced one of these issues, it is unlikely to occur now.

 

The following page is a good resource for known issues with Windows 10 patches. Click on the version in the left column for the status of known issues.

Windows 10 release information

https://docs.microsoft.com/en-us/windows/release-information/

 

Monthly Rollup/Security Only/Windows 10/Server 2016,2019 KBs

Links take the form https://support.microsoft.com/en-us/help/####### where ####### is the KB number only (the digits, without the “KB” prefix).

 

Security and Quality Rollup

  • KB4556836 – Windows 7, Windows Server 2008 R2 (ESU)
  • KB4556846 – Windows 8.1, Windows Server 2012 R2
  • KB4556840 – Windows Server 2012
  • KB4556860 – Windows Server 2008 (ESU)

 

Security Only Update

  • KB4556843 – Windows 7, Windows Server 2008 R2 (ESU)
  • KB4556853 – Windows 8.1, Windows Server 2012 R2
  • KB4556852 – Windows Server 2012
  • KB4556854 – Windows Server 2008 (ESU)

 

Cumulative Update for Windows 10

  • KB4556826 – Original release version 1507 (OS Build 10240)
  • None – Version 1511 (OS Build 10586)
  • KB4556813 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB4556804 – Version 1703 “Creators Update” (OS Build 15063)
  • KB4556812 – Version 1709 “Fall Creators Update” (OS Build 16299)
  • KB4556807 – Version 1803 “Spring Creators Update” (OS Build 17134)
  • KB4551853 – Version 1809 “October 2018 Update” (OS Build 17763)
  • KB4556799 – Version 1903 “May 2019 Update” (OS Build 18362)
  • KB4556799 – Version 1909 “November 2019 Update” (OS Build 18363)

 

Note: Server 2016 uses the same KB as Windows 10 Version 1607. Server 2019 uses the same KB as Windows 10 Version 1809.
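
The build-to-KB list and the link rule above, turned into a local check in PowerShell. This is an added example, not part of the original post or any Microsoft tooling; the function names Resolve-May2020Kb and Test-May2020Patch are hypothetical, and it covers only the Windows 10/Server 2016/2019 builds listed here.

```powershell
# KB per Windows 10 OS build, copied from the Cumulative Update list above.
# 14393 also covers Server 2016 and 17763 covers Server 2019 (see the note).
$May2020Kb = @{
    10240 = 'KB4556826'
    10586 = $null          # Version 1511: no update listed
    14393 = 'KB4556813'
    15063 = 'KB4556804'
    16299 = 'KB4556812'
    17134 = 'KB4556807'
    17763 = 'KB4551853'
    18362 = 'KB4556799'
    18363 = 'KB4556799'
}

function Resolve-May2020Kb {
    # Pure lookup: build number -> expected KB, support URL and a status note.
    param([Parameter(Mandatory)][int]$Build)

    if (-not $May2020Kb.ContainsKey($Build)) {
        $kb = $null; $note = 'Build not in the May 2020 Windows 10 list'
    } elseif (-not $May2020Kb[$Build]) {
        $kb = $null; $note = 'No update listed for this version'
    } else {
        $kb = $May2020Kb[$Build]; $note = 'Update listed'
    }
    # Link rule from the page: /help/ followed by the KB number only.
    $url = if ($kb) { 'https://support.microsoft.com/en-us/help/' + $kb.Substring(2) } else { $null }

    [pscustomobject]@{ Build = $Build; Kb = $kb; Url = $url; Note = $note }
}

function Test-May2020Patch {
    # Checks the local machine. A later cumulative update supersedes the May
    # KB, so Installed = $false on a machine patched since then is a prompt
    # to check the current patch level, not proof that the fix is missing.
    $build  = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    $result = Resolve-May2020Kb -Build $build
    $found  = $false
    if ($result.Kb) {
        $found = [bool](Get-HotFix -Id $result.Kb -ErrorAction SilentlyContinue)
    }
    $result | Add-Member -NotePropertyName Installed -NotePropertyValue $found -PassThru
}

Test-May2020Patch | Format-List
```

Resolve-May2020Kb can also be called on its own with a build number from an inventory export, for example `Resolve-May2020Kb -Build 17763` for a Server 2019 host.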

 

KB4556798 – Cumulative Security Update for Internet Explorer 9/10/11

This cumulative update is included in the monthly updates listed above. It can be installed instead of the monthly update to secure Internet Explorer; otherwise it is “superseded” by the monthly update.

 

May 2020 updates for Microsoft Office

https://support.microsoft.com/en-us/help/4549680/may-2020-updates-for-microsoft-office

 

Notable CVEs

 

CVE-2020-1118 | Microsoft Windows Transport Layer Security Denial of Service Vulnerability (Cumulative Update)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1118

A denial of service vulnerability exists in the Windows implementation of Transport Layer Security (TLS) when it improperly handles certain key exchanges. An attacker who successfully exploited the vulnerability could cause a target system to stop responding.

To exploit this vulnerability, a remote unauthenticated attacker could send a specially crafted request to a target system utilizing TLS 1.2 or lower, triggering the system to automatically reboot.

The update addresses the vulnerability by changing the way TLS key exchange messages are validated.

 

CVE-2020-1126 | Media Foundation Memory Corruption Vulnerability (Cumulative Update)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1126

A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights.

There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage.

The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory.

 

CVE-2020-1035 | VBScript Remote Code Execution Vulnerability (IE Cumulative/Monthly Rollup)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1035

A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.

The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.

 

CVE-2020-1153 | Microsoft Graphics Components Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1153

A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system.

To exploit the vulnerability, a user would have to open a specially crafted file.

The security update addresses the vulnerability by correcting how Microsoft Graphics Components handle objects in memory.