We return to monthly browser updates after last month’s brief respite, but none of this November’s browser security issues is wormable, and we have not seen anything that would require a return to an urgent browser update cycle. The Windows platform gets the most attention this time, but no single issue requires immediate deployment, though some legacy systems may require full testing of graphically intensive applications that rely on older graphics/media conversion technology. Microsoft Office and the associated development platforms receive some lower-rated patches, with a standard roll-out regime recommended.
We have included a helpful infographic that this month looks a little lopsided, as all of the attention should be on the Windows components.
Key testing scenarios
Working with Microsoft, we have developed a system that interrogates Microsoft updates and matches any file changes (deltas) released each month against our testing library. The result is a “hot-spot” testing matrix that drives our portfolio testing process. This month, our analysis of the Patch Tuesday release generated the following testing scenarios:
- Test connecting via Remote Desktop Connection and a VPN and confirm that copy/paste operations between devices and connected devices are successful.
- Test applications that render large windows on GPU-enabled devices.
- Confirm that EMF files play back as expected and that EMF files can successfully be converted to EMF+ files.
- Test JScript apps that use recursive function calls.
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. Here are a few key issues related to the latest builds from Microsoft:
- Microsoft SharePoint (2016 and 2019): When you try to manually install this security update by double-clicking the update file (.msp) to run it in Normal mode (that is, not as an administrator), some files are not correctly updated. To complete the install and ensure that the update is correctly applied, workaround details are provided by Microsoft here.
- Windows 10 (1909 and later): System and user certificates might be lost when updating a device from Windows 10, version 1809 or later to a newer version of Windows 10. For more information about the issues, workaround steps, and the currently resolved issues, see KB4564002.
- Windows 10 (2004 and later): Certain Japanese half-width Katakana and full-width Katakana characters that have a consonant mark aren’t interpreted as the same character. There are no published fixes or work-arounds at the moment.
- Windows ESU: After installing this update and restarting your device, you might receive the error, “Failure to configure Windows updates. Reverting Changes. Do not turn off your computer.” Microsoft is working on this one. I suggest waiting until next week before large-scale deployments to legacy systems.
You can find Microsoft’s summary of Known Issues for this release on a single page.
This month, we have a single major revision for documentation reasons released by Microsoft:
- CVE-2020-16943: The applicable target platforms have been updated for this vulnerability to Microsoft Dynamics. No (further) action required.
Mitigations and workarounds
Microsoft published a small number of workarounds and mitigation strategies that apply to vulnerabilities (CVE’s) addressed this month, including:
- CVE-2020-17049: Microsoft published additional steps to mitigate the effect of a vulnerability in the Windows Kerberos infrastructure relating to the registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc
- CVE-2020-17052: Microsoft published a recommended mitigation for this vulnerability in the MS Script component (as consumed by all Microsoft browsers) that affects network throttling. More information is included in the Browser section (below).
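The Kerberos mitigation above points at a registry key on domain controllers, so an administrator needs a quick way to see what every DC currently has set before and after applying Microsoft’s steps. The following PowerShell audit is an added example, not code from the article or from Microsoft; it assumes the value of interest under that key is `PerformTicketSignature` (taken from Microsoft’s published guidance for this CVE, not from the article), that WinRM is enabled on the domain controllers, and that the ActiveDirectory RSAT module is available on the workstation running it.

```powershell
# Added example (not from the article): report the CVE-2020-17049 mitigation setting
# under the Kdc service key on every domain controller in the domain.
# Assumption: PerformTicketSignature is the value Microsoft's guidance uses for this CVE.
Import-Module ActiveDirectory

$keyPath   = 'HKLM:\System\CurrentControlSet\Services\Kdc'   # key named in the article
$valueName = 'PerformTicketSignature'                         # assumed value name

# Enumerate DCs from AD rather than maintaining a hand-written list.
$dcs = (Get-ADDomainController -Filter *).HostName

Invoke-Command -ComputerName $dcs -ScriptBlock {
    param($path, $name)
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DomainController = $env:COMPUTERNAME
        KeyPresent       = [bool]$props
        Setting          = $name
        # '(not set)' means the KDC is running with its default behaviour for this value.
        Value            = if ($props -and $props.PSObject.Properties[$name]) { $props.$name } else { '(not set)' }
    }
} -ArgumentList $keyPath, $valueName |
    Sort-Object DomainController |
    Format-Table DomainController, KeyPresent, Setting, Value -AutoSize
```

Run it once before deploying the update to record the baseline, then again afterwards; any DC that still reports “(not set)” when the rest report a value is a candidate for a missed or reverted change.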
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge)
- Microsoft Windows (both desktop and server)
- Microsoft Office (Including Web Apps and Exchange)
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core)
- Adobe Flash Player
Microsoft has released five updates for browser platforms, with four rated critical and the remaining update rated important by Microsoft. These browser updates are clustered into the functional groups:
One of the browser patches (CVE-2020-17052) has a recommended mitigation for this vulnerability that includes:
“To address this vulnerability, a Throttling Policy for EWSMaxSubscriptions could be defined and applied to the organization with a value of zero. This will prevent the Exchange server from sending EWS notifications, and prevent client applications which rely upon EWS notifications from functioning normally.”
You can read more about Microsoft’s network throttling technology and how to apply the relevant policies here. All of these browser updates address difficult-to-exploit, complex security scenarios that require user interaction to compromise the target system. Given that these vulnerabilities have not been reported as publicly exploited or disclosed, we recommend that you add these browser patches to your standard patch deployment schedule.
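The quoted mitigation sets `EWSMaxSubscriptions` to zero organization-wide. The script below is an added example for the Exchange Management Shell, not code from the article or from Microsoft; it assumes an on-premises Exchange organization with the default single Global-scope throttling policy, records the existing value so the change can be reverted once the patch is deployed, and uses the real `Get-ThrottlingPolicy` / `Set-ThrottlingPolicy` cmdlets and their `EwsMaxSubscriptions` parameter.

```powershell
# Added example (not from the article): apply the EWSMaxSubscriptions = 0 mitigation
# to the organization's Global throttling policy, keeping a record for rollback.
# Assumption: run in the Exchange Management Shell as an Organization Management member.

# 1. Locate the Global policy and save its current value before touching anything.
$global = Get-ThrottlingPolicy | Where-Object { $_.ThrottlingPolicyScope -eq 'Global' }
$backupPath = Join-Path $env:TEMP 'EwsMaxSubscriptions-before.txt'
"{0}`t{1}" -f $global.Identity, $global.EwsMaxSubscriptions | Out-File -FilePath $backupPath
Write-Host ("Before: {0} EwsMaxSubscriptions = {1} (saved to {2})" -f
    $global.Name, $global.EwsMaxSubscriptions, $backupPath)

# 2. Apply the mitigation. As the quoted text warns, EWS notifications stop working
#    for every client in the organization until this is reverted.
Set-ThrottlingPolicy -Identity $global.Identity -EwsMaxSubscriptions 0

# 3. Verify the change took effect.
Get-ThrottlingPolicy -Identity $global.Identity |
    Format-List Name, ThrottlingPolicyScope, EwsMaxSubscriptions

# To revert after the update is deployed, read the saved value back and restore it:
#   $saved = (Get-Content $backupPath) -split "`t" | Select-Object -Last 1
#   Set-ThrottlingPolicy -Identity $global.Identity -EwsMaxSubscriptions $saved
```

Because the Global policy applies to every mailbox without an explicit policy assignment, the side effect on EWS-dependent clients (Outlook for Mac, some mobile and line-of-business apps) is organization-wide; treat the mitigation as a short-lived bridge to patching rather than a permanent setting.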
Microsoft has released 12 critical updates and 54 patches rated as important for this update cycle. These November Windows updates cover the following areas:
All of the critical updates relate to resolving Microsoft Camera and codec issues. Although these reported vulnerabilities require local access, full control and arbitrary code execution are possible on a compromised system. These codec-focused attacks are relatively straightforward to exploit and could lead to a remote code execution (RCE) scenario with full control of the target system. Historically, the biggest issues with updates to the Windows GDI (graphics) stack were due to poor app packaging practices: vendors and/or system integrators included core system libraries (DLLs) inside their packages, which made updates like this month’s GDI and Windows Kernel updates really troublesome. Fortunately, this practice has become less common thanks to better vendor MSIs and better packaging practices. Before you roll out this update, make sure that your application packages are “clean” (they do not include GDI.DLL or Win32K.sys); otherwise, you may encounter difficult troubleshooting scenarios with very complex applications.
Add this update to your standard desktop update schedule.
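The “clean package” check described above can be automated. The PowerShell script below is an added example, not code from the article; it assumes your application packages are extracted into one subfolder each under a root directory (`C:\Packages` by default), and it searches for the binaries the article names plus two related graphics DLLs, comparing any bundled copy against the version installed in `System32`.

```powershell
# Added example (not from the article): find application packages that ship their own
# copies of core Windows graphics/kernel binaries, which break when the OS updates them.
# Assumptions: one package per subfolder under $PackageRoot; the file list is ours,
# starting from the GDI.DLL and Win32K.sys the article mentions.
param(
    [string]$PackageRoot = 'C:\Packages',
    [string[]]$SystemBinaries = @('gdi.dll', 'gdi32.dll', 'gdiplus.dll', 'win32k.sys')
)

$root = (Resolve-Path $PackageRoot).Path.TrimEnd('\')

$report = foreach ($name in $SystemBinaries) {
    Get-ChildItem -Path $root -Recurse -File -Filter $name -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sysCopy = Join-Path $env:SystemRoot "System32\$name"
            $sysExists = Test-Path $sysCopy
            [pscustomobject]@{
                # First path segment below the root identifies the package.
                Package        = $_.FullName.Substring($root.Length).TrimStart('\').Split('\')[0]
                File           = $_.FullName
                BundledVersion = $_.VersionInfo.FileVersion
                SystemVersion  = if ($sysExists) { (Get-Item $sysCopy).VersionInfo.FileVersion } else { 'n/a' }
                # Identical hash means the package merely duplicates the current OS file;
                # a different hash means the package will run stale code after the update.
                SameAsSystem   = if ($sysExists) {
                                     (Get-FileHash $_.FullName).Hash -eq (Get-FileHash $sysCopy).Hash
                                 } else { $false }
            }
        }
}

if ($report) {
    $report | Sort-Object Package, File | Format-Table -AutoSize
    Write-Warning ("{0} bundled system binaries found; retest these packages after the GDI/kernel updates." -f @($report).Count)
} else {
    Write-Host "No bundled system binaries found under $root."
}
```

Packages that appear in the report with `SameAsSystem` false are the ones most likely to surface the troubleshooting scenarios the article warns about, since their private copy will diverge from the patched system file as soon as the update lands.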
Microsoft this month distributed 22 updates to the Microsoft Office platform (including Exchange Server and Microsoft Dynamics) that cover the following application or feature groupings:
Twenty-one of these updates are rated as important by Microsoft with the final one (SharePoint) given a low rating. I think the reason these patched vulnerabilities are rated lower by Microsoft is because local access is required to compromise the target platform or the attack vector (method of access) is very complex. These are hard-to-exploit vulnerabilities that require user interaction. These patches affect Word, Excel and Access, so testing internally developed applications, especially those with macros or JScript, is well advised. There is no rush; add these Office updates to your standard deployment.
Microsoft development platforms
Microsoft has released three updates for Visual Studio, all rated as important. All of these vulnerabilities require local access to the target system and are relatively difficult to exploit. In addition to the Visual Studio updates, Microsoft released 15 patches to the Azure Sphere line. The functional grouping for this month’s Microsoft development platform update looks like this:
The Azure Sphere security offering is fairly new and most likely will not be a significant component of enterprise deployments. You can read more about Azure Sphere. Focusing just on the Visual Studio updates, we recommend you add this month’s updates to your standard “Development” release schedule.
Adobe Flash Player
Microsoft has not released any updates (or kill bits) for any of the Adobe products (Flash is the first to come to mind) this month. That said, I have now seen the removal of Flash (through the automated uninstall made available through the update). Nothing bad happened. That is what you should expect, once you remove Flash from your system. Sigh.
If you got this far…
You may be interested in the patch management perspective we are currently employing. Microsoft has updated its patch release documentation with a lot of new data, all published online and accessible through APIs. We have started using this new data to create our testing “hotspots” sections, which detail which patches will affect which feature or component of Windows or of the intended Microsoft product.
Working with Microsoft on its patching process, we have seen just how seriously Microsoft takes getting these updates right (Hey, it’s only a billion users, right?). Our focus has been and will continue to be on, “What happens to the apps?” Next month, you will see additional data on feature-level impacts from each update and some granular detail on our experiences with each update group. You can read more about the new documentation format in this Microsoft blog post.