Patch Tuesday – April 2020
Global working-from-home routines haven’t slowed down Microsoft and its ability to help close up vulnerabilities in their products. This April Patch Tuesday (WFH-edition), Microsoft has knocked 113 vulnerabilities out of the park. It’s not the highest we’ve seen, but it is still an impressive spread of fixes coming in this month with a fair number resolving SharePoint and Office vulnerabilities along with the standard Operating System patches.
In case you’re wondering what happened with the Adobe Font Manager Library advisory (ADV200006) that popped up mid-March, it’s being fixed this month and is now acknowledged as two separate vulnerabilities (CVE-2020-1020 and CVE-2020-0938). As of writing, there doesn’t seem to be more details on the uniqueness of the two CVEs but Microsoft continues to acknowledge them as “Exploitation Less Likely”. Another anomaly creeping in from a previous Patch Tuesday is CVE-2020-0689. Patches for this Secure Boot Security Feature Bypass vulnerability was pulled mid-cycle last month and has yet to receive a new fix. Luckily, this vulnerability is marked as less likely to be exploited.
While looking for a theme for this Patch Tuesday, I was reminded constantly of the importance of good Security Hygiene. 15 CVEs require an individual to navigate to a specially-crafted webpage. Prioritizing the operating system vulnerabilities, as typical, will be key here, as they resolve 9 of those 15 CVEs (and more!)
Some of the troubles behind this month’s massive 70+ patch drop is less about the vulnerabilities resolved, but the complexity of managing patching across organizations where assets may be currently distributed at home. The silver lining behind this is that our approach is still the same. Operating system patches should be prioritized with IE-Cumulative (if Monthly Rollups aren’t chosen) patches which is a great start as it will greatly reduce your attack service for new (and old) vulnerabilities. Then an understanding of your environment will be needed as you move into which Office products to patch up next. Take a breather this month as Exchange and SQL Server vulnerabilities are nowhere to be found.