Despite Microsoft’s announcement in May that all non-security releases (C and D updates) are paused until further notice, with 129 updates in June’s Patch Tuesday release cycle, there is plenty to do – for your deployment team and your application testing team(s).
We see another critical update to Adobe Flash Player (see how to set your kill bits below) and critical updates to Microsoft’s browsers that – depending on your legacy application portfolio – may require immediate action. The area to focus on this month is the number and nature of updates to the Windows platform.
A lot of Windows components and subsystems are “touched” by this month’s latest updates, leading to a large testing surface. Contrary to previous updates, this month’s few development tool updates may also lead to some additional testing requirements for specific services. There’s more information in this infographic.
For this month, we have to work on the assumption that all of the Windows, Browser and Adobe updates will require a reboot. The Microsoft Office and Developer tools updates may require a reboot, depending on your system.
Known Issues
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms that are included in this update cycle. I have referenced a few key issues that relate to the latest builds from Microsoft including:
- After installing this update on a Windows 10 device with a wireless wide area network (WWAN) LTE modem, reaching the internet might not be possible. However, the Network Connectivity Status Indicator (NCSI) in the notification area might still indicate that you are connected to the internet. Microsoft is working on a resolution and will provide an update in an upcoming release.
- After installing KB4493509, devices with some Asian language packs installed may receive the error, “0x800f0982 – Microsoft is working on a resolution to this issue.
You can also find Microsoft’s summary of Known Issues for the June 2020 release in a single page.
Major Revisions
Two updates had major revisions for this month’s update cycle from Microsoft:
- CVE-2020-0762 and CVE-2020-0763: Microsoft has released security updates for Windows Defender Security Canter engine to address both of these vulnerabilities
- CVE-2020-1108: To comprehensively address CVE-2020-1108, Microsoft has released updates for .NET Core 2.1 and .NET Core 3.1.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge)
- Microsoft Windows (both desktop and server)
- Microsoft Office (Including Web Apps and Exchange)
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core)
- Adobe Flash Player
Browsers
With 22 relatively highly-rated exploits to resolve this month, Microsoft has released five critical, six important, five moderate and a further six updates rated as low. Normally, this number of updates to Microsoft’s browsers would lead to a rapid response and urgent deployment of patches, especially as these critical updates address issues that could lead to arbitrary code run on compromised systems (through simply visiting specially crafted malicious websites).
However, almost all of this month’s security vulnerabilities relate to how VBScript handles ActiveX code in memory. What does this mean? Well, for most well-run IT houses ActiveX has been verbotenverboten for a while, and is likely very tightly managed (i.e. disabled) along with browser support for VBScript. If you are running a tight ship, add these updates to your standard deployment effort. If you are worried about legacy applications with VBScript or ActiveX dependencies (literally) running amok, then these updates need to be added to the top of your testing regime.
Microsoft Windows
This month’s Patch Tuesday update is a (another) huge update for the Windows ecosystem. Even with Microsoft still pausing all optional updates and focusing on security fixes, June’s update cycle includes more than 90 security fixes to Windows and unusually includes the following quality update that resolves:
- Issues that prevent users from updating .MSI files from a network folder.
- Problems that can cause the promotion of a server to a domain controller to fail. This occurs when the Local Security Authority Subsystem Service (LSASS) process is set as Protected Process Light (PPL).
- A security issue described in CVE-2018-0886 by adding support for the “Encryption Oracle Remediation” policy setting and changing the default value from Vulnerable to Mitigated. For more information about how this might affect your environment if you are using Remote Desktop, see KB4093492.
Again, this is a huge update – with Microsoft addressing critical and important vulnerabilities across over 50 different areas in the Windows 10 OS.
- Windows Kernel: 14 fixes Elevation of privilege and Security Feature Bypass
- Windows Runtime: 11 Elevation of Privilege updates
- Windows Diagnostic Hub: 8 Elevation of privilege patches
- Windows Error Reporting: 4 Elevation of Privilege and information Disclosure issues
And with the older/legacy systems covered by Microsoft’s ESU patch regime we are seeing some real hotspots with vulnerabilities address this month in the following areas:
- VBScript: 6 Elevation of Privilege
- Windows Installer: 3 Elevation of Privilege
- Win32 Kernel: 4 Elevation of Privilege
Following all this, we have some real concerns about the updates to OLE (CVE-2020-1281 and CVE-2020-1212) and the update to the now aging COM model with CVE-2020-1311as our algorithmic testing engine picked up some issues in our application testing portfolio. Given the number and nature of updates this month, we think this update needs to be tested against a core group of applications, and then deployed in stages.
Given the large(ish) number of updates to the Windows kernel, we may see some update compatibility issues with Windows drivers (especially drivers reliant on the GDI+ sub-system and possible font related issues). Test, deploy in stages and watch for driver and font problems in your telemetry for this month’s update cycle.
Microsoft Office
There was a single critical update to Microsoft SharePoint Server and eight remaining important updates for Microsoft Office. Of these eight, six relate (again) to SharePoint server and a XSS (Cross-scripting) attack. All of these SharePoint (and the other two updates that relate to Outlook and Excel) are difficult to exploit on recent versions of Office. Add this update to your standard Office update schedule. Noting that the SharePoint update will require a reboot to the server.
Microsoft Development Platforms
I think we need to pay attention to the updates for Microsoft’s development tools for this update cycle. There are five updates released to address a relatively serious elevation of privilege vulnerability in one of Microsoft’s diagnostic tools (Diagnostics Hub Standard Collector) that runs as a local service. Microsoft has released updates related to this component before (CVE-2010-0810) and one released with Visual Studio led to reported memory issues and memory leaks. This update has one of the highest CVSS (risk) scores for development tool vulnerabilities and therefore needs to be tested and patched as a priority.
I suggest you try out Windows 10, Release 2004 (Why not?) and watch the memory usage of:
“%WinDir%\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe”. If it presents over 30% processor utilization, you may have a problem. Add this update to your development update release schedule with particular attention to the collector service.
Adobe Flash Player
Microsoft has released an update rated as critical (ADV200010) to address a single vulnerability (APSB20-30) in Adobe Flash player that could lead to a remote code execution scenario. Microsoft has some good advice this month: set the “kill bits” to Adobe Flash – and disable the ability to instantiate Flash Player in any browser. To prevent Adobe Flash Player from running you can set the application (hardblock) compatibility bits in a .REG text file with the following settings:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
“Compatibility Flags”=dword:0000040
Once done, you can rest easy and deploy this update using your standard desktop update schedule.
