Microsoft's June Release Delivers 129 Security Patches
Microsoft has kept up its trend this year of releasing large bundles of security patches, with the June bunch consisting of 129 security patches.
Of that total, 11 patches were rated "Critical," while 118 were deemed "Important" in severity. The software getting patches this month include Microsoft's browsers, Windows Defender, HoloLens, the Windows App Store, System Center, Microsoft Dynamics, Visual Studio and Azure DevOps -- on top of Microsoft Office and Windows operating systems, per Microsoft's "Release Notes" description.
This June patch release is yet another hefty one from Microsoft in terms of the number of common vulnerabilities and exposures (CVEs) getting addressed, according to Dustin Childs of Trend Micro's Zero Day Initiative blog:
This is the fourth month in a row that Microsoft has released patches for more than 110 CVEs, and this is the highest number of CVEs ever released by Microsoft in a single month. This brings the total number of Microsoft patches released this year to 616 -- just 49 shy of the total number of CVEs they addressed in all of 2017.
The good news is that none of the vulnerabilities now disclosed in the June security bulletins were known to be under active attack previously.
Most of the vulnerabilities will get addressed by applying the June Windows and browser patches, noted Todd Schell, a senior product manager for security at IT solutions firm Ivanti.
"The good news is 98 of these are resolved by deploying the OS and browser updates," Schell noted, via email.
On top of its patches, Microsoft on Tuesday released security advisories for Flash in Internet Explorer and the Windows Servicing Stack. The Servicing Stack updates are always rated Critical, even though they are just updates to the Windows Update service, rather than being security fixes for software.
Windows SMB 3 Alert
Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency issued an alert that proof-of-concept exploit code is now published for a Critical-rated Server Message Block (SMB) 3.1.1 vulnerability (CVE-2020-0796) in newer Windows systems that got a patch from Microsoft back in March. The alert was likely issued because systems aren't patched.
Some researchers have described this SMB 3 vulnerability as "wormable," recalling the earlier SMB 1 vulnerability exploited by WannaCry malware. In that context, Schell cited a 2017 Rand report (PDF download) describing vulnerabilities and patching. The study found that "the mean time to exploit a vulnerability is 22 days," while the "average shelf life" for a vulnerability is seven years. The stats suggest that there's a lag in patching that can leave a large time span for exploits to get carried out.
Microsoft this week published detailed information on how to configure SMB connections optimally to ensure network security. The advice includes a strategic approach to take, as outlined by Ned Pyle, a principal program manager on the Windows Server engineering team. Pyle also has been credited as a leader on Microsoft's SMB efforts.
SMB 1 even made the June patch release roster. It's there as an Important vulnerability CVE-2020-1301 that could enable remote code execution (RCE) attacks, although an exploit would require sending "a specially crafted packet to a targeted SMBv1 server." The SMB 1 vulnerability exists in all supported Windows systems. Microsoft actually didn't eliminate SMB 1 from newer Windows systems, even though this protocol is considered to be deprecated and insecure.
"If you've already disabled SMBv1, you don't need to worry about this one," Childs noted. "If you haven't already disabled SMBv1, you really should."
Childs added that Microsoft did release a patch for SMB 3 this month, but it's just for "information disclosure and Denial-of-Service (DoS) bugs."
Notable Critical CVEs
Researchers called out some of the Critical fixes in the June patch bundle.
Richard Tsang, a senior software engineer at security solutions firm Rapid7, noted the prevalence of browser issues in this month's bundle.
"Five of the 11 Critical RCEs noted this month (CVE-2020-1213, CVE-2020-1216, CVE-2020-1219, CVE-2020-1073, CVE-2020-1260) are browser based and can be heavily mitigated via good practices," Tsang indicated via email, although he added that it is "always better to patch."
Microsoft is patching an issue in how Windows systems handle cabinet (.CAB) files, which is tersely described in bulletin CVE-2020-1300. A malicious cabinet file disguised as a print driver could get used in RCE attacks. Childs indicated that "users are often conditioned into trusting printer drivers when offered one, so it would not be surprising to see this get exploited."
Microsoft is patching another .LNK vulnerability with a fix for CVE-2020-1299, representing the third such fix this year, according to Childs. It's a RCE vulnerability that could permit an attacker to gain user rights on Windows systems. The attack gets carried out by presenting "a malicious .LNK file and an associated malicious binary" to a user, via a remote file share or a removable drive, per Microsoft's security bulletin.
Windows systems also are getting patches for an Object Linking and Embedding (OLE) vulnerability (CVE-2020-1281), which could lead to RCE attacks. An attack could be initiated by getting users to open a "specially crafted file or a program," which could be on a Web page on in an email attachment. The vulnerability exists in every supported Windows system and multiple file types can be used in these kinds of attacks, noted Childs, so it should be at the top of the patch list.
Remote Work Challenges
Security solutions firms also took the occasion of this patch Tuesday moment to clang their own bells regarding the shift toward remote work since those systems need to get patched.
Organizations may be using management solutions that require a virtual private network (VPN) for distributing updates, although a VPN isn't needed with some solutions, noted Ivanti's Schell. Supporting users with low Internet speeds is another remote-work challenge for organizations, he noted.
"Monthly updates requiring hundreds of megabytes of patches (or gigabytes in some cases) become problematic as well," Schell indicated. Ivanti conducts regular patch Tuesday Web presentations (signup here).
Justin Knapp, a product marketing manager at security management solutions firm Automox, noted that applications are getting targeted increasingly with the shift to remote work. He suggested that patch solutions need to be nimble to support remote workers.
"To proactively minimize the attack surface and reduce the workload on security operations, organizations need to move away from outdated endpoint solutions and adopt a much shorter mean time to hardening that keeps their endpoints ahead of the average 7 days to weaponization of vulnerabilities," Knapp indicated, via email.
Automox conducts patch Tuesday discussions, too (signup here).
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.