Patch Tuesday Highlights – August 2020

0 Likes
over 1 year ago

The past month has brought with it the Dog Days of Summer (in the Northern Hemisphere), and Patch Tuesday continues to bring the heat with Microsoft releasing updates for over 120 vulnerabilities and surpassing the 100 fixed-vulnerabilities mark for the fifth straight month. Here’s our callout of updates and issues we think you’ll want to be aware of.

Interesting Fact

This month’s Patch Tuesday (August 11th) fell on the final Dog Day of Summer. Here’s a few more Dog Day facts for you:

  • The Dog Days run from July 3rd through August 11th which are typically considered the hottest, most oppressive days of the summer.
  • Despite common lore, the term Dog Days does not come from the idea that the hot days are “not fit for a dog” or cause dogs to “go mad”.
  • The expression actually comes from the fact that the sun occupies the same area of the sky as Sirius during this time. Sirius is the brightest star visible from Earth and part of the constellation Canis Major, the Greater Dog. Sirius is also referred to as the Dog Star.

There you have it. Thanks to the great staff of the Farmers' Almanac, the online version of course, for providing this month’s Patch Tuesday\Dog Days of Summer interesting fact.

Newsworthy Events

  • The FBI issued Private Industry Notification (PIN) about Windows 7 / Windows Server 2008 end of life urging companies to update. This ZDNet article provides a good summary.
  • Microsoft removed all Windows downloads signed with SHA-1 certificates from the Microsoft Download Center as of August 3, 2020 because of threat actors ability to bypass the security standard. This can affect patching of older OS versions such as Windows 7 unless you have previously applied one of the updates that enables the OS to support SHA-2 signed downloads. Another reason to move as quickly as possible from older OSes like Windows 7 and Windows Server 2008 or make sure that you continue to patch any that you still have in use.
  • In response to CVE-2020-1472, Microsoft has released a two-phased approach to enforcing secure RPC when using the Netlogon secure channel between member computers and Active Directory domain controllers. You’ll want to read more about it here.
  • Two vulnerabilities, CVE-2020-1464 and CVE-2020-1380, have been exploited in the wild. CVE-2020-1464 exists across all operating system versions and is resolved by the monthly OS security update. CVE-2020-1380 exists in Internet Explorer and is resolved by the IE update or the OS cumulative update.

Quick Take

  • August Patch Tuesday resolves 120 Microsoft CVEs. This is the fifth month in a row with updates that fix at least 100 vulnerabilities.
  • Adobe Acrobat\Reader and Apple iCloud have critical updates resolving 26 and 20 CVEs respectively.
  • Google Chrome, Mozilla Firefox, Mozilla Thunderbird, and Microsoft Edge released updates between the July and August Patch Tuesdays that fix security vulnerabilities.
  • Windows 7, Windows Server 2008, Windows 10 1809 – 2004, and Windows Server 2019 had Servicing Stack Updates this month. For all OSes, the May SSU is still the version required for installing current patches.

Windows Server 2019 Updates

  • There is a new Servicing Stack Update (KB4566424). It is not a prerequisite for August updates.
  • The cumulative update (KB4565349) resolves 90 new CVEs including 7 critical CVEs including exploited CVE-2020-1464 and CVE-2020-1380.
  • The Cumulative Update for .NET Framework for Windows Server 2019 for x64 (KB4570505) resolves a critical remote code execution vulnerability (CVE-2020-1476) and an elevation of privilege vulnerability (CVE-2020-1046).

Windows Server 2016 Updates

  • The cumulative update (KB4571694) resolves 63 new CVEs, including 7 critical CVE. None have public disclosures or known exploits.
  • The Cumulative Update for .NET Framework for Windows Server 2016 for x64 (KB4569746 or KB4569749) resolves a critical remote code execution vulnerability (CVE-2020-1476).

Windows 10 Updates

  • There is a new Servicing Stack Update (KB number varies by version) for versions 1809 through 2004. It is not a prerequisite for August updates.
  • The cumulative update (KB number varies by version) resolves up to 94 CVEs depending on the version including 8 critical CVEs and including exploited CVE-2020-1464 and CVE-2020-1380.
  • The Cumulative Update for .NET Framework for Windows 10 (KB number varies by version) resolves a critical remote code execution vulnerability (CVE-2020-1476) and an elevation of privilege vulnerability (CVE-2020-1046).

Windows 8.1 / Windows Server 2012 R2 Updates

  • The Security Monthly Quality Rollup (KB4571703) resolves 53 new CVEs including 6 critical CVEs and including exploited CVE-2020-1464 and CVE-2020-1380; and 3 new Internet Explorer 11 CVEs.
  • The Security Only Quality Update (KB4571723) resolves 53 new CVEs including 6 critical CVEs and including exploited CVE-2020-1464 and CVE-2020-1380.
  • The Security Update for Internet Explorer 11 (KB4571687) resolves 3 new CVEs including exploited IE 11 CVE-2020-1380. Apply it with the Security Only Quality Update (KB4571723). It is not needed with the Security Monthly Quality Rollup (KB4571703).
  • The Security Only Update (or Security and Quality Rollup) for .NET Framework for Windows 8.1 and Server 2012 R2 (KB4570502 and KB4570508) resolves a critical remote code execution vulnerability (CVE-2020-1476) and an elevation of privilege vulnerability (CVE-2020-1046).

Windows Server 2012 Updates

  • The Security Monthly Quality Rollup (KB4571736) resolves 40 new CVEs including exploited CVE-2020-1464 and CVE-2020-1380; and 3 new Internet Explorer 11 CVEs. None have public disclosures or known exploits.
  • The Security Only Quality Update (KB4571702) resolves 40 new CVEs including exploited CVE-2020-1464.
  • The Security Update for Internet Explorer 11 (KB4571687) resolves 3 new CVEs including exploited IE 11 CVE-2020-1380. Apply it with the Security Only Quality Update (KB4571702). It is not needed with the Security Monthly Quality Rollup (KB4571736).
  • The Security Only Update (or Security and Quality Rollup) for .NET Framework for Windows Server 2012 (KB4570501 and KB4570507) resolves a critical remote code execution vulnerability (CVE-2020-1476) and an elevation of privilege vulnerability (CVE-2020-1046).

Windows 7 / Windows Server 2008 R2 Extended Security Updates

  • These updates can only be installed on devices that have an active ESU MAK license.
  • In ZENworks Patch Management, these updates only show up in the feed if you have purchased the ZENworks Patch Management Add-On Subscription for Windows 7 / Windows Server 2008 Extended Security Updates. Otherwise, you must download them from the Microsoft Update Catalog and use the Custom Patch feature to create the patch. For more details, see Installing Windows 7 / Windows Server 2008 Extended Security Updates with ZENworks Patch Management.
  • There is a new Servicing Stack Update (KB4570673). It is not a prerequisite for August updates.
  • The Security Monthly Quality Rollup (KB4571729) resolves 53 new CVEs including 4 critical CVEs and including exploited CVE-2020-1464 and CVE-2020-1380; and 3 new Internet Explorer 11 CVEs.
  • The Security Only Quality Update (KB4571719) resolves 53 new CVEs including 4 critical CVEs and including exploited CVE-2020-1464.
  • The Security Update for Internet Explorer 11 (KB4571687) resolves 3 new CVEs including exploited IE 11 CVE-2020-1380. Apply it with the Security Only Quality Update (KB4571719). It is not needed with the Security Monthly Quality Rollup (KB4571729).
  • The Security Only Update (or Security and Quality Rollup) for .NET Framework for Windows 7 / Windows Server 2008 R2 (KB4570500 and KB4570506) resolves a critical remote code execution vulnerability (CVE-2020-1476) and an elevation of privilege vulnerability (CVE-2020-1046).

Windows Server 2008 Extended Security Updates

  • These updates can only be installed on devices that have an active ESU MAK license.
  • In ZENworks Patch Management, these updates only show up in the feed if you have purchased the ZENworks Patch Management Add-On Subscription for Windows 7 / Windows Server 2008 Extended Security Updates. Otherwise, you must download them from the Microsoft Update Catalog and use the Custom Patch feature to create the patch. For more details, see Installing Windows 7 / Windows Server 2008 Extended Security Updates with ZENworks Patch Management.
  • There is a new Servicing Stack Update (KB4572374). It is not a prerequisite for August updates.
  • The Security Monthly Quality Rollup (KB4571730) resolves 31 new CVEs including 3 critical CVEs and including exploited CVE-2020-1464; and 2 new Internet Explorer 9 CVEs.
  • The Security Only Quality Update (KB4571746) resolves 31 new CVEs including 3 critical CVEs and including exploited CVE-2020-1464.
  • The Security Update for Internet Explorer 9 (KB4571687) resolves 2 new CVEs. Apply it with the Security Only Quality Update (KB4571746). It is not needed with the Security Monthly Quality Rollup (KB4571730).
  • The Security Only Update (or Security and Quality Rollup) for .NET Framework for Windows Server 2008 (KB4570503 and KB4570509) resolves a critical remote code execution vulnerability (CVE-2020-1476) and an elevation of privilege vulnerability (CVE-2020-1046).

Microsoft SharePoint Server

  • The monthly Security Updates resolve 10 CVEs across Enterprise Server 2013 & 2016, Foundation Server 2013, and SharePoint Server 2010. None have public disclosures or known exploits. None are Critical severity.

Microsoft Office 2010–2016 (Windows) and 2016-2019 (Mac)

  • The Security Update resolves up to 13 new CVEs depending on the version. None have public disclosures or known exploits. The maximum severity is Critical.

Microsoft 365 Apps (formerly Office 365 ProPlus) and Office 2019

  • Each channel update resolves up to 13 new CVEs depending on the version. None have public disclosures or known exploits. The maximum severity is Critical.

Google Chrome

  • 84.0.4147.125 update resolves 14 new CVEs. None have public disclosures or known exploits. One is Critical severity.

Mozilla Firefox

  • Firefox 79.0, Firefox ESR 69.11.0, and Firefox ESR 75.1.0 resolves 10 new CVEs. None have public disclosures or known exploits. None are Critical severity.

Mozilla Thunderbird

  • Thunderbird 78.1.0 resolves 10 new CVEs. None have public disclosures or known exploits. None are Critical severity.

Microsoft Edge

  • Firefox 84.0.522.59 resolves 14 new CVEs. None have public disclosures or known exploits. None are Critical severity.

Adobe Acrobat and Reader

  • APSB20-48: Security Update for Adobe Acrobat and Reader resolves fixes 26 critical and important vulnerabilities.

Apple iCloud

Labels:

Patch Management
Configuration Management
Comment List
Anonymous
Related Discussions
Recommended