Patch Tuesday Highlights – June 2020


The sheer number of patches released on Patch Tuesday – the second Tuesday of each month when Microsoft releases its scheduled updates – can make it difficult to digest and process what impacts your environment and what you should focus on.

To help you with that, we are starting our Patch Tuesday Highlights series. Each month, we’ll post an article highlighting some of the more newsworthy events you should be aware of and summarizing the month’s patch releases.

This is the first of the monthly installments, so let us know what you think, from content to format.

Interesting Fact

In a report published by the RAND Corporation titled Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits, authors Lillian Ablon and Andy Bogart present the following about exploited vulnerabilities:

  • 50% of exploits occur within 14-28 days of patch availability
  • 22 days is the median time to develop a functional exploit
  • The average life expectancy for an exploited vulnerability is 7 years

As desktop IT administrators, what can we draw from this? First, we should keep the interval between patch cycles as short as possible, and patch at least monthly. Second, exploits hang around for a long time, so we need processes in place that let us easily track the status of both current and past vulnerabilities on the devices in our organization.

ZENworks 2020 introduced vulnerability tracking and remediation through CVE IDs. If you aren’t using it or would like a refresher, see the following articles:

  • WannaCry? Not anymore. Software vulnerability tracking debuts in #ZENworks2020!
  • Emerging threat? No problem. Track it, remediate it, repeat as necessary.
  • One way? No way! View software vulnerabilities your way in #ZENworks2020!

Newsworthy Events

  • The Cybersecurity and Infrastructure Security Agency (CISA) released a US-CERT advisory for a previously patched SMBv3 vulnerability that is now being exploited. The vulnerability applies to Windows 10 1903 and newer. The March 2020 update and every later cumulative update resolve it.
  • Microsoft released Windows 10 version 2004. We recommend that you review the known issues before rolling it out.
  • Microsoft renamed Office 365 ProPlus to Microsoft 365 Apps for Enterprise.
  • Microsoft is also changing their Microsoft 365 Apps update channel names to Current Channel, Monthly Enterprise Channel, and Semi-Annual Enterprise Channel. ZENworks Patch Management patches adopted the channel names in June and will reflect the Office 365 to Microsoft 365 name change starting in July.

Quick Take

  • June Patch Tuesday resolved 129 Microsoft CVEs. This is the highest number of CVEs ever resolved by Microsoft in one month.
  • 11 of the 129 CVEs involved critical remote code-execution flaws that were patched in Windows, SharePoint server, Windows Shell, VBScript, and other products.
  • None of the 129 CVEs had public disclosures or known exploits.
  • Updating the operating systems and browsers takes care of the majority of the vulnerabilities.
  • US-CERT issued an advisory for the March CVE-2020-0796 (SMBv3) vulnerability, warning that it is being actively exploited. It applies to Windows 10 1903 or newer; the March update and every later cumulative update resolve it.

Windows Server 2019 Updates

  • There is a new Servicing Stack Update (KB4562562). It is not a prerequisite for June updates.
  • The cumulative update (KB4561608) resolves 93 new CVEs. None have public disclosures or known exploits. The update resolves at least one Critical CVE.
  • The Security Update for Adobe Flash player (KB4561600) resolves a critical remote code execution vulnerability (CVE-2020-9633) and should be applied.

Windows Server 2016 Updates

  • There is a new Servicing Stack Update (KB4562261). It is not a prerequisite for June updates.
  • The cumulative update (KB4561616) resolves 70 new CVEs. None have public disclosures or known exploits. The update resolves at least one Critical CVE.
  • The Security Update for Adobe Flash player (KB4561600) resolves a critical remote code execution vulnerability (CVE-2020-9633) and should be applied.

Windows 10 Updates

  • There is a new Servicing Stack Update (KB number varies by version) for versions 1507 through 2004. It is not a prerequisite for June updates.
  • The cumulative update (KB number varies by version) resolves up to 105 CVEs depending on the version. None have public disclosures or known exploits. The update resolves at least one Critical CVE.
  • The Security Update for Adobe Flash player (KB4561600) resolves a critical remote code execution vulnerability (CVE-2020-9633) and should be applied.

Windows 8.1 / Windows Server 2012 R2 Updates

  • There is a new Servicing Stack Update (KB4562253). It is not a prerequisite for June updates.
  • The Security Monthly Quality Rollup (KB4561666) resolves 37 new CVEs and also 8 new Internet Explorer 11 CVEs. None have public disclosures or known exploits. The update resolves at least one Critical CVE.
  • The Security Only Quality Update (KB4561673) resolves 37 new CVEs. None have public disclosures or known exploits. The update resolves at least one Critical CVE.
  • The Security Update for Internet Explorer 11 (KB4561603) resolves 8 new CVEs. None have public disclosures or known exploits. Apply it with the Security Only Quality Update (KB4561673). It is not needed with the Security Monthly Quality Rollup (KB4561666).
  • The Security Update for Adobe Flash player (KB4561600) resolves a critical remote code execution vulnerability (CVE-2020-9633) and should be applied.

Windows Server 2012 Updates

  • There is a new Servicing Stack Update (KB4562252). It is not a prerequisite for June updates.
  • The Security Monthly Quality Rollup (KB4561612) resolves 36 new CVEs and also 9 new Internet Explorer 11 CVEs. None have public disclosures or known exploits. The update resolves at least one Critical CVE.
  • The Security Only Quality Update (KB4561674) resolves 36 new CVEs. None have public disclosures or known exploits. The update resolves at least one Critical CVE.
  • The Security Update for Internet Explorer 11 (KB4561603) resolves 8 new CVEs. None have public disclosures or known exploits. Apply it with the Security Only Quality Update (KB4561674). It is not needed with the Security Monthly Quality Rollup (KB4561612).
  • The Security Update for Adobe Flash player (KB4561600) resolves a critical remote code execution vulnerability (CVE-2020-9633) and should be applied.

Windows 7 / Windows Server 2008 R2 Extended Security Updates

  • These can only be installed on devices that have an active ESU MAK license.
  • In ZENworks Patch Management, these updates only show up in the feed if you have purchased the ZENworks Patch Management Add-On Subscription for Windows 7 / Windows Server 2008 Extended Security Updates. Otherwise, you must download them from the Microsoft Update Catalog and use the Custom Patch feature to create the patch. For more details, see Installing Windows 7 / Windows Server 2008 Extended Security Updates with ZENworks Patch Management.
  • There is a new Servicing Stack Update (KB4562030). It is not a prerequisite for June updates.
  • The Security Monthly Quality Rollup (KB4561643) resolves 30 new CVEs and also 8 new Internet Explorer 11 CVEs. None have public disclosures or known exploits. The update resolves at least one Critical CVE.
  • The Security Only Quality Update (KB4561669) resolves 30 new CVEs. None have public disclosures or known exploits. The update resolves at least one Critical CVE.
  • The Security Update for Internet Explorer 11 (KB4561603) resolves 8 new CVEs. None have public disclosures or known exploits. Apply it with the Security Only Quality Update (KB4561669). It is not needed with the Security Monthly Quality Rollup (KB4561643).

Windows Server 2008 Extended Security Updates

  • These can only be installed on devices that have an active ESU MAK license.
  • In ZENworks Patch Management, these updates only show up in the feed if you have purchased the ZENworks Patch Management Add-On Subscription for Windows 7 / Windows Server 2008 Extended Security Updates. Otherwise, you must download them from the Microsoft Update Catalog and use the Custom Patch feature to create the patch. For more details, see Installing Windows 7 / Windows Server 2008 Extended Security Updates with ZENworks Patch Management.
  • There is a new Servicing Stack Update (KB4562031). It is not a prerequisite for June updates.
  • The Security Monthly Quality Rollup (KB4561670) resolves 26 new CVEs and also 7 new Internet Explorer 9 CVEs. None have public disclosures or known exploits. The update resolves at least one Critical CVE.
  • The Security Only Quality Update (KB4561645) resolves 26 new CVEs. None have public disclosures or known exploits. The update resolves at least one Critical CVE.
  • The Security Update for Internet Explorer 9 (KB4561603) resolves 7 new CVEs. None have public disclosures or known exploits. Apply it with the Security Only Quality Update (KB4561645). It is not needed with the Security Monthly Quality Rollup (KB4561670).
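The per-product lists above give the KB numbers to look for, and the Security Only Quality Update plus the Internet Explorer update together stand in for the Security Monthly Quality Rollup on the older platforms. The following PowerShell script, an added example that is not part of the original post and not ZENworks code, audits a single host against those KB numbers using the built-in Get-CimInstance and Get-HotFix cmdlets. It assumes a PowerShell 5.1 or later session with rights to read installed updates, and it covers only the products whose KB numbers are fixed in the lists above (the Windows 10 cumulative and servicing stack KBs vary by version and are left out).

```powershell
# Added example (not from the original post or ZENworks): audit this host
# against the June 2020 KB numbers listed in the sections above.
# Assumes PowerShell 5.1+ and permission to read installed updates.

# KB numbers per product family, taken from the lists above. Flash (KB4561600)
# is listed only for the products the post lists it for.
$ExpectedByProduct = @{
    'Windows Server 2019'    = @('KB4562562', 'KB4561608', 'KB4561600')
    'Windows Server 2016'    = @('KB4562261', 'KB4561616', 'KB4561600')
    'Windows Server 2012 R2' = @('KB4562253', 'KB4561666', 'KB4561600')
    'Windows 8.1'            = @('KB4562253', 'KB4561666', 'KB4561600')
    'Windows Server 2012'    = @('KB4562252', 'KB4561612', 'KB4561600')
    'Windows 7'              = @('KB4562030', 'KB4561643')
    'Windows Server 2008 R2' = @('KB4562030', 'KB4561643')
    'Windows Server 2008'    = @('KB4562031', 'KB4561670')
}

# On the legacy platforms the Security Only Quality Update plus the IE update
# is an accepted alternative to the Monthly Rollup (Rollup => [SecurityOnly, IE]).
$AlternativeSets = @{
    'KB4561666' = @('KB4561673', 'KB4561603')   # Windows 8.1 / Server 2012 R2
    'KB4561612' = @('KB4561674', 'KB4561603')   # Windows Server 2012
    'KB4561643' = @('KB4561669', 'KB4561603')   # Windows 7 / Server 2008 R2
    'KB4561670' = @('KB4561645', 'KB4561603')   # Windows Server 2008
}

function Get-ProductFamily {
    param([string]$Caption)
    # Try the longest names first so "Windows Server 2012 R2" is not
    # misclassified as "Windows Server 2012".
    foreach ($name in ($ExpectedByProduct.Keys | Sort-Object Length -Descending)) {
        if ($Caption -like "*$name*") { return $name }
    }
    return $null
}

function Test-JunePatchState {
    param(
        # Both parameters default to live values but can be supplied from an
        # inventory export for offline checks.
        [string]$Caption = (Get-CimInstance Win32_OperatingSystem).Caption,
        [string[]]$InstalledKBs = (Get-HotFix | Select-Object -ExpandProperty HotFixID)
    )
    $family = Get-ProductFamily -Caption $Caption
    if (-not $family) {
        return [pscustomobject]@{ Product = $Caption; Status = 'No expected list for this product'; Missing = @() }
    }
    $missing = foreach ($kb in $ExpectedByProduct[$family]) {
        if ($InstalledKBs -contains $kb) { continue }
        # Accept the Security Only + IE pair in place of the Monthly Rollup.
        $alt = $AlternativeSets[$kb]
        if ($alt -and (@($alt | Where-Object { $InstalledKBs -contains $_ }).Count -eq $alt.Count)) { continue }
        $kb
    }
    [pscustomobject]@{
        Product = $family
        Status  = if ($missing) { 'MISSING' } else { 'OK' }
        Missing = @($missing)
    }
}

# Report for the local host. Pipe many hosts' inventories through
# Test-JunePatchState -Caption ... -InstalledKBs ... to audit a fleet offline.
Test-JunePatchState | Format-List
```

Get-HotFix reads the Win32_QuickFixEngineering class, which lists Windows updates but not application updates delivered as MSI packages, so the Office, browser and SharePoint items above still need to be verified through their own version numbers or through ZENworks' CVE tracking.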

Microsoft SharePoint Server

  • The monthly Security Update resolves 12 CVEs, including one Critical remote code-execution vulnerability. None have public disclosures or known exploits.

Microsoft Office 2010–2016 (Windows) and 2016–2019 (Mac)

  • The Security Update resolves up to 6 new CVEs depending on the version. None have public disclosures or known exploits. None are Critical severity.

Microsoft 365 Apps (formerly Office 365 ProPlus) and Office 2019

  • Each channel update resolves 5 new CVEs depending on the version. None have public disclosures or known exploits. None are Critical severity.

Google Chrome

  • The Chrome 83.0.4103.97 update resolves 4 new CVEs. None have public disclosures or known exploits. None are Critical severity.

Mozilla Firefox

  • Firefox 68.9.0 ESR resolves 4 new CVEs. None have public disclosures or known exploits. None are Critical severity.
  • Firefox 77.0 resolves 8 new CVEs. None have public disclosures or known exploits. None are Critical severity.

Microsoft Edge

  • Edge 83.0.478.45 resolves 4 new CVEs. None have public disclosures or known exploits. None are Critical severity.

Adobe

  • The APSB20-30 Adobe Flash Player 32.0.0.387 update resolves a critical remote code execution vulnerability (CVE-2020-9633). Apply it if you are not applying the operating system update or the browser update (IE, Edge, Chrome) that carries the same fix.

Darrin VandenBos (@DarrinVandenBos)
Product Manager, Endpoint Management
