It really is saying a lot when Microsoft releases more than 100 updates each month and this is now considered “business as usual.” Speaking of the “new normal,” Microsoft has changed the release cadence of its optional updates (generally released later each month).
In a statement about the new update regularity, the company said: “We have been evaluating the public health situation, and we understand this is impacting our customers. In response to these challenges we are prioritizing our focus on security updates. Starting in May 2020, we are pausing all optional non-security releases (C and D updates) for all supported versions of Windows client and server products (Windows 10, version 1909 down through Windows Server 2008 SP2).
There is no change to the monthly security updates B release – Update (or Patch) Tuesday.”
You can find out more with our Readiness infographic.
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. I have referenced a few key issues that relate to the latest builds from Microsoft including:
- After installing KB4493509, devices with some Asian language packs installed may receive the error, “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND.”
- After installing KB4467684, the cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the group policy “Minimum Password Length” is configured with greater than 14 characters.
You can also find Microsoft’s summary of Known Issues for this release in a single page. Most importantly for this May release, Microsoft has not (yet) released any specific mitigations or workarounds for any updates released this month.
One major revision and one minor documentation update for this May update cycle:
- CVE-2020-0605: The vulnerability addressed in this patch appears to be serious enough to generate several .NET updates for the May 2020 update cycle. Rather than release this update, please ensure that you deploy the full .NET May release suite to all currently supported Microsoft .NET platforms. Microsoft has also made specific information relating to PowerShell changes available.
- CVE-2018-0886: This is a minor documentation update to complete the affected products table. No further action required here.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge)
- Microsoft Windows (both desktop and server)
- Microsoft Office (Including Web Apps and Exchange)
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core)
- Adobe Flash Player
With most of the focus on the Windows desktop and server platforms for this month’s updates, the Microsoft browsers have three key vulnerabilities that are addressed:
All of these updates are rated as critical by Microsoft and have proportionally high NIST ratings (7.8 or above). We suggest that these browser based updates are included in your standard desktop and server update release schedules.
With 73 updates rated as important and five further patches rated as critical by Microsoft, this is now a pretty standard update for Patch Tuesday. Working through each of the updates it struck me how we are seeing some real patterns (or patch hotspots) in the Microsoft Windows subsystems with the following affected areas (I have included the number of CVE entries for each system):
- Windows GDI Information Disclosure Vulnerability (4)
- Windows State Repository Service Elevation of Privilege Vulnerability (12)
- Windows Runtime Elevation of Privilege Vulnerability (12)
- Windows Clipboard Service Elevation of Privilege Vulnerability (4)
- Jet Database Engine Remote Code Execution Vulnerability (4)
We generally see updates to GDI, the JET database and Windows Installer, but 12 updates to the State Repository service (a browser page handling component) and the Clipboard service respectively is unusual. The concern here is: how would you test your applications for these kinds of lower level system changes? I would give this month’s update a little time before full deployment, but I don’t see anything this month that would cause a problem for a 14-day update deployment window.
Add these windows updates to your standard desktop deployment schedule.
Microsoft is still supporting its legacy platforms with the Extended Security Updates (ESU) grouping and it looks like we have one critical update for the aging (but still loved) Windows 7 desktop platform. CVE-2020-1153 addresses a remote code execution vulnerability in the Windows GDI component that has been rated as critical by Microsoft. This is a “Patch Now” update for the Windows 7 platform.
If you have (and possibly use) Microsoft SharePoint, then you have a problem with this update cycle. All of the Microsoft Office updates for May relate to critical vulnerabilities in SharePoint – all of which affect the Server platforms and will require a server reboot.
Microsoft Development Platforms
Microsoft has released a single, critical update to Visual Studio (CVE-2020-1192). This reported vulnerability could lead to a remote code execution scenario, if the compromised system has a logged on user with administrative privileges. It’s a difficult to exploit issue in how Python loads workspace configuration settings and so this update should be added to your standard development release schedule.
Adobe Flash Player
Adobe has released 24 updates for its planned release cycle this May – including 12 that are rated as critical by Adobe. Given that these Adobe updates are product focused (rather than platform focused) and do not affect Adobe Flash Player, Microsoft has chosen not to include any Adobe updates in this release cycle. We recommend that you consult the Adobe Enterprise toolkit site as it includes the full application patches (MSP files) and the enterprise installers.
You can find the Adobe Enterprise tool-kit here.
One of the more “interesting” things about the Adobe update and release cycles is that there are now two formal release approaches: classic and continuous. The continuous model supports the ongoing changes to the more recent connected and web-integrated products while the classic model allows for singular or monolithic updates to aging legacy products. We recommend the rapid deployment of the Adobe Enterprise installer for Acrobat and Reader.
Copyright © 2020 IDG Communications, Inc.