Microsoft this week released 112 updates to its Windows, browser, development and Office platforms. But there were no zero-days or reports of publicly exploited vulnerabilities for November.
Although we return to monthly browser updates after last month's brief respite, none of this November's browser security issues is wormable, and we have not seen anything that would require a return to an urgent browser update cycle. The Windows platform gets the most attention this time, but no single issue requires immediate deployment, though some legacy systems may require full testing for graphically intensive applications that rely on older graphics/media conversion technology. The Microsoft Office and associated development platforms receive some lower-rated patches, with recommendations for a standard roll-out regime.
We have included a helpful infographic that this month looks a little lopsided, as all of the attention should be on the Windows components.
Key testing scenarios
Working with Microsoft, we have developed a system that interrogates Microsoft updates and matches any file changes (deltas) released each month against our testing library. The result is a “hot-spot” testing matrix that drives our portfolio testing process. This month, our analysis of the Patch Tuesday release generated the following testing scenarios:
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. Here are a few key issues related to the latest builds from Microsoft:
You can find Microsoft’s summary of Known Issues for this release on a single page.
This month, we have a single major revision for documentation reasons released by Microsoft:
Mitigations and workarounds
Microsoft published a small number of workarounds and mitigation strategies that apply to vulnerabilities (CVE’s) addressed this month, including:
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
Microsoft has released five updates for browser platforms, with four rated critical and the remaining update rated important by Microsoft. These browser updates are clustered into the following functional groups:
One of the browser patches (CVE-2020-17052) has a recommended mitigation for this vulnerability that includes:
“To address this vulnerability, a Throttling Policy for EWSMaxSubscriptions could be defined and applied to the organization with a value of zero. This will prevent the Exchange server from sending EWS notifications, and prevent client applications which rely upon EWS notifications from functioning normally.”
You can read more about Microsoft’s network throttling technology and how to apply the relevant policies here. All of these browser updates address difficult-to-exploit, complex security scenarios that require user interaction to compromise the target system. Given that these vulnerabilities have not been reported as publicly exploited or disclosed, we recommend that you add these browser patches to your standard patch deployment schedule.
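As an added illustration (not code from the original article or from Microsoft's advisory), the following Exchange Management Shell commands put the quoted mitigation in place, verify it, and show how to reverse it once the patch is deployed. The policy name "Block-EWS-Subscriptions" is an assumed name chosen for this example; the cmdlets and the EwsMaxSubscriptions and ThrottlingPolicyScope parameters are standard Exchange throttling-policy cmdlets.

```powershell
# Added example: apply the EWSMaxSubscriptions = 0 mitigation quoted above.
# Assumed policy name; choose one that fits your naming convention.
$PolicyName = 'Block-EWS-Subscriptions'

# 1. Record the current limits so the change can be reversed later.
Get-ThrottlingPolicy | Select-Object Name, ThrottlingPolicyScope, EwsMaxSubscriptions

# 2. Create (or update) an organization-scoped policy with the subscription limit at zero.
#    Organization scope applies to every mailbox without an explicitly assigned policy
#    and leaves the built-in Global policy untouched.
if (-not (Get-ThrottlingPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-ThrottlingPolicy -Name $PolicyName -ThrottlingPolicyScope Organization -EwsMaxSubscriptions 0
}
else {
    Set-ThrottlingPolicy -Identity $PolicyName -EwsMaxSubscriptions 0
}

# 3. Verify the setting took effect before trusting it.
$policy = Get-ThrottlingPolicy -Identity $PolicyName
if ("$($policy.EwsMaxSubscriptions)" -ne '0') {
    throw "EwsMaxSubscriptions on $PolicyName is '$($policy.EwsMaxSubscriptions)', expected 0"
}
Write-Output "Mitigation in place: $PolicyName limits EWS subscriptions to 0 for the organization."

# Caveat from the advisory: with the limit at zero, Exchange stops sending EWS
# notifications, so clients that depend on them (for example, push notifications
# to mail add-ins) will not work normally until the policy is removed.

# Roll-back once the security update is installed and verified:
#   Remove-ThrottlingPolicy -Identity $PolicyName
```

Only one throttling policy can carry Organization scope; if your environment already has one, set EwsMaxSubscriptions to 0 on that policy with Set-ThrottlingPolicy instead of creating a new one, and record its previous value first so the roll-back restores it.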
Microsoft has released 12 critical updates and 54 patches rated as important for this update cycle. These November Windows updates cover the following areas:
All of the critical updates relate to resolving Microsoft Camera and codec issues. Although these reported vulnerabilities require local access, full control and arbitrary code execution are possible on a compromised system. These (codec-focused) attacks are relatively straightforward to exploit and could lead to a remote code execution (RCE) scenario with full control of the target system. Historically, the biggest issues with updates to the Windows GDI (graphics) stack were due to poor app packaging practices: vendors and/or system integrators included core system libraries (DLLs) inside their packages, making updates like this month’s GDI and Windows Kernel updates really troublesome. Fortunately, this practice has been reduced due to better vendor MSIs and better packaging practices. Before you roll out this update, make sure that your application packages are “clean” (they do not include GDI.DLL or Win32K.sys); otherwise, you may encounter difficult troubleshooting scenarios with very complex applications.
Add this update to your standard desktop update schedule.
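One way to perform the packaging check described above, as an added example that is not part of the original article: scan application install trees for copies of core system libraries that live anywhere other than the Windows system directory. The file names checked are the two the article mentions (GDI.DLL, Win32K.sys) plus gdi32.dll, the user-mode GDI library that a bundled "GDI" DLL would normally be; the search roots are an assumption and should be extended to wherever your packages install.

```powershell
# Added example: find application packages that ship their own copies of
# core Windows graphics/kernel libraries. Anything with these names outside
# %SystemRoot% is a packaging problem to investigate before a GDI/kernel update.

$SuspectNames = @('gdi.dll', 'gdi32.dll', 'win32k.sys')          # names to flag
$SearchRoots  = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData)  # assumed roots
$SystemRoot   = (Get-Item $env:SystemRoot).FullName

function Find-BundledSystemLibraries {
    param(
        [string[]] $Roots,
        [string[]] $Names
    )
    foreach ($root in ($Roots | Where-Object { $_ -and (Test-Path $_) })) {
        Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object {
                # Match on name, but ignore the legitimate copies under the system directory.
                ($Names -contains $_.Name.ToLowerInvariant()) -and
                -not $_.FullName.StartsWith($SystemRoot, [System.StringComparison]::OrdinalIgnoreCase)
            } |
            ForEach-Object {
                # Version and company help decide whether a vendor redistributed a Microsoft binary.
                [pscustomobject]@{
                    Path        = $_.FullName
                    FileVersion = $_.VersionInfo.FileVersion
                    Company     = $_.VersionInfo.CompanyName
                    SizeBytes   = $_.Length
                }
            }
    }
}

$findings = @(Find-BundledSystemLibraries -Roots $SearchRoots -Names $SuspectNames)
if ($findings.Count -gt 0) {
    Write-Warning "Found $($findings.Count) bundled copies of core system libraries:"
    $findings | Format-Table -AutoSize
    exit 1      # non-zero so a deployment pipeline can gate on the result
}
Write-Output 'No bundled system libraries found under the search roots.'
```

Run it on a representative build of each package before the update reaches production; a non-zero exit code marks a package whose vendor needs to be contacted, since an update that changes the real system library will not change the copy the application loads from its own directory.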
Microsoft this month distributed 22 updates to the Microsoft Office platform (including Exchange Server and Microsoft Dynamics) that cover the following application or feature groupings:
Twenty-one of these updates are rated as important by Microsoft, with the final one (SharePoint) given a low rating. I think the reason these patched vulnerabilities are rated lower by Microsoft is that local access is required to compromise the target platform, or the attack vector (method of access) is very complex. These are hard-to-exploit vulnerabilities that require user interaction. These patches affect Word, Excel, and Access, so testing internally developed applications, especially those with macros or JScript, is well advised. There is no rush; add these Office updates to your standard deployment.
Microsoft development platforms
Microsoft has released three updates for Visual Studio, all rated as important. All of these vulnerabilities require local access to the target system and are relatively difficult to exploit. In addition to the Visual Studio updates, Microsoft released 15 patches to the Azure Sphere line. The functional grouping for this month's Microsoft development platform update looks like this:
The Azure Sphere security offering is fairly new and most likely will not be a significant component of enterprise deployments. You can read more about Azure Sphere. Focusing on the Visual Studio updates, we recommend you add this month’s updates to your standard “Development” release schedule.
Adobe Flash Player
Microsoft has not released any updates (or kill bits) for any of the Adobe products (Flash is the first to come to mind) this month. That said, I have now seen the removal of Flash (through the automated uninstall made available through the update). Nothing bad happened. That is what you should expect, once you remove Flash from your system. Sigh.
If you got this far...
You may be interested in the patch management perspective we are currently employing. Microsoft has updated its patch release documentation with a lot of new data, all published online and accessible through APIs. We have started using this new data to create our testing “hotspots” sections that detail what patches will affect which feature or component of Windows or the intended Microsoft product.
Working with Microsoft on its patching process, we have seen just how seriously Microsoft takes getting these updates right (Hey, it’s only a billion users, right?). Our focus has been and will continue to be on, “What happens to the apps?” Next month, you will see additional data on feature-level impacts from each update and some granular detail on our experiences with each update group. You can read more about the new documentation format in this Microsoft blog post.