This posting is a little later than usual due to a number of late-in-the-week updates from Microsoft last week. We started off with no publicly reported zero-days or active exploits in the wild. (As we were working with Microsoft, we felt that an out-of-band patch was imminent that would change our advice on patch cycles for October. But it appears the final “change” for this release was a relatively minor update to Visual Studio, leading to no change in our recommendations in this benign update.)
Things to watch out for include: updates to Win32K (always a crowd-pleaser), a change to a core business application dependency (MSXML6 libraries) and potentially difficult troubleshooting scenarios in an update to Microsoft’s Dynamic Data Exchange (DDE).
We have created a useful infographic that this month looks a little lopsided, as all of the attention should be on the Windows components.
Key Testing Scenarios
Working with Microsoft, we have developed a system that interrogates Microsoft updates and matches any file changes (deltas) released each month against our testing library. The result is a “hot-spot” testing matrix that drives our portfolio testing process. It generated the following testing scenarios:
- Potential secure boot issues (BitLocker) may arise with some anti-virus providers. (Sorry, can’t name any vendor names here.)
- MSXML6.DLL has been updated. Identify and test all applications that have a functionality dependency on version 6 of the MSXML libraries. This is particularly important for in-house developed line-of-business (LOB) applications.
- Validate Windows Error Reporting (WER) logs. Any effort building test rigs here will be rewarded with future re-use.
- Test all remote desktop (RDP) sessions (include a VPN connection in your testing process).
- Ensure that ClearType and OTF fonts render after patching (post patch reboot).
Known Issues
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update. There are a few key issues that relate to the latest builds from Microsoft including:
- When installing a third-party driver, you might see the error, “Windows can’t verify the publisher of this driver software.” You might also see the error, “No signature was present in the subject” when attempting to view the signature properties using Windows Explorer.
- When updating to Windows 10, version 1903 or version 1909 from any previous version of Windows 10, you might receive a compatibility report dialog with "What needs your attention" at the top and the error, "Continuing with the installation of Windows will remove some optional features.” If your device has access to HTTP blocked for LOCAL SYSTEM accounts, you can mitigate this issue by enabling HTTP access for the Windows 10 Setup Dynamic Update (DU) using the LOCAL SYSTEM account.
You can also find Microsoft’s summary of Known Issues for this release in a single page.
Major Revisions
This month, we have three major revisions released by Microsoft:
- CVE-2020-16943: Newly published information for Microsoft Dynamics. No actions required.
- CVE-2020-17022: This is a late-breaking update from Microsoft that needs to be included in the Windows update cycle.
- CVE-2020-17023: Another post-Tuesday patch to the Visual Studio code base. No change to our Development recommendations.
Mitigations and Workarounds
For October, Microsoft has published a small number of potential workarounds and mitigation strategies that apply to vulnerabilities (CVEs) addressed this month, including:
- CVE-2020-16896: Microsoft has suggested the following mitigations and work-around options:
  - Disable Remote Desktop Services if they are not required.
  - Enable Network Level Authentication (NLA).
  - Block TCP port 3389 at the enterprise perimeter firewall.
- CVE-2020-16947 and CVE-2020-16949: In this case the Preview Pane is an attack vector, unlike CVE-2020-16933, where the Preview Pane is not.
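A host-side audit of the first two CVE-2020-16896 mitigations above, as an added example (not Microsoft's or the author's code). The helper names are hypothetical; the script reads the standard Terminal Services registry values, lets a Group Policy value override the local one, and checks whether the RDP port is actually listening. The perimeter firewall rule has to be verified on the firewall itself.

```powershell
# Added example: audit this host against the RDP mitigations for CVE-2020-16896.
$tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcpKey = "$tsKey\WinStations\RDP-Tcp"
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-EffectiveValue([string]$Name, [string]$LocalPath) {
    # A value set by Group Policy takes precedence over the local setting.
    $policy = Get-RegValue $policyKey $Name
    if ($null -ne $policy) { return $policy }
    Get-RegValue $LocalPath $Name
}

$deny = Get-EffectiveValue 'fDenyTSConnections' $tsKey      # 1 = RDP connections refused
$nla  = Get-EffectiveValue 'UserAuthentication' $rdpTcpKey  # 1 = NLA required
$port = Get-RegValue $rdpTcpKey 'PortNumber'
if ($null -eq $port) { $port = 3389 }

# Is anything accepting connections on the RDP port right now?
$listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)

[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    RdpDisabled    = ($deny -eq 1)
    NlaRequired    = ($nla -eq 1)
    RdpPort        = $port
    PortListening  = $listening
    # Flag hosts where RDP is reachable without NLA.
    NeedsAttention = ($deny -ne 1) -and ($nla -ne 1)
}
```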
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Windows (both desktop and server);
- Microsoft Office (Including Web Apps and Exchange);
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
- Adobe Flash Player.
Browsers
Incredible. I have nothing to say here. This is a result of no (zilch) updates for any of Microsoft's browsers. I am not quite sure that I have this right. So, don’t add anything to your standard browser update schedule. Yet.
Microsoft Windows
This October Windows update delivers seven patches rated as critical, with the remaining 46 ranked important by Microsoft, affecting Microsoft Hyper-V server, the built-in Windows camera codec and associated libraries (GDI). There are some minor updates to Microsoft Installer (MSI) and a few tweaks to how drivers are handled by the Microsoft Shim (compatibility) engine. The one vulnerability to watch out for this month is the update to the Microsoft networking stack (TCP/IP) with the patch to CVE-2020-16898. This is a tough patch to test and, helpfully, Microsoft has offered a work-around through disabling ICMPv6 with the following command: "netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable".
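The per-interface command above, run across every IPv6 interface and read back for verification, as an added example (not Microsoft's or the author's script). The function name is hypothetical; it assumes English-language netsh output and an elevated prompt for the Disable and Enable actions, where Enable reverses the workaround once the update is installed.

```powershell
# Added example: report, apply or revert the CVE-2020-16898 workaround per interface.
function Invoke-RaDnsWorkaround {
    param(
        [ValidateSet('Report', 'Disable', 'Enable')]
        [string]$Action = 'Report'
    )

    # InterfaceIndex is the value netsh expects in place of INTERFACENUMBER.
    $interfaces = Get-NetIPInterface -AddressFamily IPv6 |
        Where-Object { $_.InterfaceAlias -notmatch 'Loopback' }

    foreach ($if in $interfaces) {
        $idx = $if.InterfaceIndex

        if ($Action -ne 'Report') {
            # rabaseddnsconfig controls router-advertisement-based DNS configuration.
            $value = $Action.ToLower()
            netsh int ipv6 set int $idx "rabaseddnsconfig=$value" | Out-Null
        }

        # Read the setting back instead of trusting the set command's exit status.
        $line  = netsh int ipv6 show int $idx |
            Select-String -Pattern 'RA Based DNS Config' | Select-Object -First 1
        $state = if ($line) { ($line.Line -split ':')[-1].Trim() } else { 'not reported' }

        [pscustomobject]@{
            Index            = $idx
            Alias            = $if.InterfaceAlias
            RaBasedDnsConfig = $state
        }
    }
}

# Read-only by default; pass -Action Disable to apply the workaround.
Invoke-RaDnsWorkaround -Action Report | Format-Table -AutoSize
```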
All of the remaining reported vulnerabilities are considered difficult to exploit and require user actions to lead to compromised systems. We should consider this a bit of a reprieve from some pretty heavy-duty patch cycles lately. Add these Windows updates to your standard release schedule.
Microsoft Office
Thank goodness for Microsoft Office — so, at least we have something to talk about once all of the (Canadian) Thanksgiving turkey is gone. The real focus this month is Microsoft Office, with three updates rated critical, 19 rated as important and the final patch given a moderate rating. The most concerning vulnerability relates to an Outlook issue (CVE-2020-16947) where a specially crafted email, viewed in the Outlook Preview pane, could lead to arbitrary code execution on the target machine. You don’t have to fully open the message; viewing it in the preview pane is enough.
There are two further updates (CVE-2020-16918 and CVE-2020-17003) that apply to the Microsoft 3D View application included in the Office 365 for Enterprise subscription pack. The first is rated important, the second, critical. Unfortunately, with the other patches for Excel, Word and SharePoint, this month we need to add the Microsoft Office patches to the “Patch Now” release schedule.
Microsoft Development Platforms
Though not quite as light as the browser section for this month's updates, Microsoft released three very minor updates to .NET, PowerShell and Python that are difficult to exploit and easy to avoid with good practice. Add these patches from Microsoft to your standard development release cycle.
Adobe Flash Player
I was wondering whether we would see any Flash updates from Microsoft before Flash is officially retired (through forced removal). For this October Patch Tuesday update, we have one more Flash patch from Microsoft that addresses a critical issue that may lead to (another) remote code execution scenario. This update will refresh all of the Flash-related libraries (ActiveX, EXEs and DLLs), which, hopefully, will soon be removed from all Windows systems, by Dec. 31. Add this update to your “Patch Now” release cycle.
If you got this far, you are probably interested to hear that Microsoft will change its release note format. Read more here.