Patch Tuesday in the WFH Era
Plenty of patches and a handy “decision tree” from MSFT
Microsoft has released 113 security fixes as part of Patch Tuesday (Adobe and others are all busy pushing updates today, as is Oracle under its quarterly cycle).
Among Microsoft’s patches are fixes for CVE-2020-0938, an exploited zero-day, and CVE-2020-1020, an exploited and previously publicly disclosed vulnerability.
(Also standing out is CVE-2020-0835, an elevation of privilege bug in Microsoft’s own malware defense programme, Windows Defender. Details on exploitation are very thin in the update, which ranks the vulnerability “important”.)
For the uninitiated, failing to patch can be bad news, particularly for “critical”-rated vulnerabilities, which are typically exploited very, very fast.
Patching Software Remotely
Today’s Patch Tuesday is the first major batch of software security fixes of the new WFH era, and an important one as a result, with some unique challenges for IT managers: how do you push patches to machines via VPN over home broadband networks, and ensure teams know that it is happening?
Richard Melick, a senior technical product manager at patch management specialist Automox, notes that whatever the pain of pushing out patches in this climate, they’re best not overlooked.
He said in an emailed comment: “Organisations are already strained with the added stresses of the sudden shift to remote workers and the technological needs, but today’s Patch Tuesday is not one to skip.
“From increasingly diverse technological environments to a list of unknown connectivity factors, IT and SecOps managers need to create a deployment plan that addresses today’s zero-day, exploited, and critical vulnerabilities within 24 hours and the rest within 72 hours in order to stay ahead of weaponisation. Hackers are not taking time off; they are working just as hard as everyone else.”
Back to Patch Tuesday: Anything to Prioritise?
Hass highlights CVE-2020-0935, a privilege elevation vulnerability found in OneDrive for Windows due to improper handling of symbolic links (file system objects that point to another file system object), as among the more interesting fixes.
(The vuln was reported by Zhiniang Peng (@edwardzpeng) of Qihoo 360 Core security and Fangming Gu (@afang5472) and is rated important).
He notes: “In this scenario, an attacker that has gained access to an endpoint could use OneDrive to overwrite a targeted file, leading to an elevated status.
“Privilege escalation enables an attacker to further compromise systems, execute additional payloads that may need higher privileges to be effective, or gain access to personal or confidential information that was not available previously. OneDrive is extremely popular and often installed by default on Windows 10. When you combine this with remote work, and the ever-growing use of personal devices for remote work, it makes the potential scope for this vulnerability pretty high.”
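The symbolic-link bug class described above, as an added example that is not from the original article and is not Microsoft's or OneDrive's code. It generalises the Windows case to POSIX and Python to show why a privileged writer must refuse to follow links; the function and file names are hypothetical and the files are constructed in a temporary directory.

```python
import errno
import os
import stat
import tempfile


def naive_write(path, data):
    """Follows a symlink at `path`, so the bytes land on the link's target."""
    with open(path, "wb") as fh:
        fh.write(data)


def safe_write(path, data):
    """Write only to a regular, singly linked file; never through a symlink.

    O_NOFOLLOW covers the final path component only, so the parent
    directory must also be one that unprivileged users cannot modify.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as exc:
        if exc.errno == errno.ELOOP:  # final component is a symlink
            return False
        raise
    with os.fdopen(fd, "wb") as fh:
        st = os.fstat(fh.fileno())
        # Reject devices, FIFOs and hard links to someone else's file.
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
            return False
        fh.truncate(0)  # truncate only after the checks have passed
        fh.write(data)
    return True


def demo():
    """Return (refused, contents after safe write, contents after naive write)."""
    with tempfile.TemporaryDirectory() as d:
        protected = os.path.join(d, "protected.cfg")  # stands in for a privileged file
        link = os.path.join(d, "sync.log")            # path the service writes to
        with open(protected, "wb") as fh:
            fh.write(b"original")
        os.symlink(protected, link)                   # link planted in place of the log
        refused = not safe_write(link, b"log line")
        with open(protected, "rb") as fh:
            after_safe = fh.read()
        naive_write(link, b"log line")
        with open(protected, "rb") as fh:
            after_naive = fh.read()
        return refused, after_safe, after_naive
```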
Today’s Patch Tuesday in total has fixes for:
- Microsoft Windows
- Microsoft Edge (EdgeHTML-based)
- Microsoft Edge (Chromium-based)
- ChakraCore
- Internet Explorer
- Microsoft Office and Microsoft Office Services and Web Apps
- Windows Defender
- Visual Studio
- Microsoft Dynamics
- Microsoft Apps for Android
- Microsoft Apps for Mac
Many fixes will require reboots. Full details from Microsoft are here.