Patch Tuesday for January 2020

Patch Tuesday Webinar
Wednesday, January 15, 2020
Hosted by: Chris Goettl & Todd Schell
Dial in: 1-877-668-4490 (US)
Event ID: 285 138 143

Copyright©2019Ivanti.Allrightsreserved
Agenda
January 2020 Patch Tuesday Overview
In the News
Bulletins
Q & A
1
2
3
4

 Overview

 In the News

In The News . . .
 NSA Reported Crypto Vulnerability Could be Quite Serious
 https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-
patch-tuesday/
 https://www.wired.com/story/nsa-windows-10-vulnerability-disclosure/
 Another CPU Voltage Vulnerability! PlunderVolt!!! Sounds scary…
 https://thehackernews.com/2019/12/intel-sgx-voltage-attack.html
 Last week Firefox patches Critical 0-day!
 https://arstechnica.com/information-technology/2020/01/firefox-gets-patch-for-
critical-zeroday-thats-being-Firefoactively-exploited/

Vulnerability of Interest
 CVE-2020-0601 Windows CryptoAPI Spoofing Vulnerability
 A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic
Curve Cryptography (ECC) certificates.
 An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign
a malicious executable, making it appear the file was from a trusted, legitimate source. The
user would have no way of knowing the file was malicious, because the digital signature
would appear to be from a trusted provider.
 A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and
decrypt confidential information on user connections to the affected software.
 The security update addresses the vulnerability by ensuring that Windows CryptoAPI
completely validates ECC certificates.
Source: Microsoft

Vulnerability of Interest
 CVE-2020-0620 Microsoft Cryptographic Services Elevation of Privilege
Vulnerability
 An elevation of privilege vulnerability exists when Microsoft Cryptographic Services
improperly handles files. An attacker could exploit the vulnerability to overwrite or modify a
protected file leading to a privilege escalation.
 To exploit the vulnerability, an attacker would first require execution on the victim system.
 The security update addresses the vulnerability by addressing how Microsoft Cryptographic
Services handles files.
Source: Microsoft

Vulnerabilities of Interest
 CVE-2020-0609 Windows Remote Desktop Gateway (RD Gateway)
Remote Code Execution Vulnerability
 A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD
Gateway) when an unauthenticated attacker connects to the target system using RDP and
sends specially crafted requests. This vulnerability is pre-authentication and requires no user
interaction. An attacker who successfully exploited this vulnerability could execute arbitrary
code on the target system. An attacker could then install programs; view, change, or delete
data; or create new accounts with full user rights.
 To exploit this vulnerability, an attacker would need to send a specially crafted request to the
target systems RD Gateway via RDP.
 The update addresses the vulnerability by correcting how RD Gateway handles connection
requests.
 Additional RDP vulnerabilities: CVE-2020-0610, CVE-2020-0611, CVE-2020-0612
Source: Microsoft

Windows 7 and Server 2008/2008 R2 End-of-Life
 End-of-Life is here! Final update on January 14, 2020
 https://www.bleepingcomputer.com/news/microsoft/new-update-lets-windows-
users-test-extended-security-updates/
 https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/How-to-get-
Extended-Security-Updates-for-eligible-Windows/ba-p/917807
 https://forums.ivanti.com/s/article/Custom-Patch-Support-for-Microsoft-s-
Windows-7-and-Server-2008-2008-R2-Extended-Support

 If you have or plan to engage Microsoft for an ESU
 Lifecycle FAQ-Extended Security Updates
 Are your systems ready for ESU updates?
 https://support.microsoft.com/en-us/help/4528069/update-for-
eligible-windows-7-and-server-2008-r2-devices-can-get-esu
 Are you needing custom content from Ivanti to support these
updates?
 We have a custom content feed for our EPM Patch and ISEC
solutions.
 Not getting ESU support, but expecting to keep running these systems
anyway? See next slide for our recommendations on mitigation options.

 Mitigation Options for Win 7/Server 2008/2008 R2 without ESU support:
 Virtualize those workloads
 Lock down the VDI system to only run the specific app in question
 Application Control to lock down and only allow the specific use
case needed
 Remove direct internet connectivity from these systems.
 Segment these systems from other parts of the network
 Layer on additional security controls:
 Reduce privileges
 Application Control
 NextGen AV and EDR

Microsoft Patch Tuesday Updates of Interest
 Advisory 990001 Latest Servicing Stack Updates (SSU)
 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV990001
 4 new SSUs this month
 Development Tool and Other Updates
 ASP.NET Core 2.1, 3.0, 3.1
 .NET Core 3.0, 3.1
Source: Microsoft

Oracle CPU Released Yesterday!
 Java SE resolved 12 CVEs
 All could be remotely executed without authentication
 None require user interaction
 Highest CVSS is 8.1 with three 7.5s
 Remember for Java 11 and later you update the JDK and the developer of the
app has to build and redistribute the application to apply the security updates
 Ivanti is releasing these updates today Wed January 15.

Internet Explorer 10 End-of-Life
 IE 11 stands alone starting February 1, 2020
 https://support.microsoft.com/en-us/help/4488955/support-ending-for-internet-
explorer-10
 https://support.microsoft.com/en-us/help/17454/lifecycle-faq-internet-explorer
Source: Microsoft

Windows 10 Lifecycle Awareness
 Windows 10 Branch Support
Source: Microsoft

Windows 10 Lifecycle Awareness (cont)
 Enterprise LTSB/LTSC Support
 Complete Lifecycle Fact Sheet
 https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet
Source: Microsoft

Weekly Patch BLOG
 Latest Patch Releases
 Microsoft and Third-party
 Security and non-Security
 CVE Analysis
 Security Events of Interest
 Host: Brian Secrist
 https://www.ivanti.com/blog/
topics/patch-tuesday

Patch Content Announcement System
Announcements Now Posted on Community Forum Pages
 https://forums.ivanti.com/s/group/CollaborationGroup/00Ba0000009oKICEA2
 Subscribe to receive email for the desired product(s)

 Bulletins

MS20-01-W10: Windows 10 Update
 Maximum Severity: Critical
 Affected Products: Microsoft Windows 10 Versions 1607, 1703, 1709, 1803, 1809,
1903, 1909, Server 2016, Server 2019, Server 1709, Server 1803, IE 11 and Microsoft
Edge
 Description: This bulletin references 9 KB articles. See KBs for the list of changes.
 Impact: Remote Code Execution, Security Feature Bypass, Spoofing, Denial of
Service, Elevation of Privilege and Information Disclosure
 Fixes 37 Vulnerabilities: No CVEs are known exploited or publicly disclosed. See
Details column of Security Update Guide for the complete list of CVEs.
 Restart Required: Requires restart
 Known Issues: See next slides

Janaury Known Issues for Windows 10
 KB 4534306 – Windows 10
 [File Rename] Certain operations, such as rename, that you perform on files or folders that are
on a Cluster Shared Volume (CSV) may fail with the error,
“STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the
operation on a CSV owner node from a process that doesn’t have administrator privilege.
Workaround: Perform the operation from a process that has administrator privilege or perform
the operation from a node that doesn’t have CSV ownership. Microsoft is working on a
resolution.
 KB 4534271 – Windows 10, Version 1607 and Server 2016
 [Min Password] After installing KB4467684, the cluster service may fail to start with the error
“2245 (NERR_PasswordTooShort)” if the group policy “Minimum Password Length” is
configured with greater than 14 characters. Workaround: Set the domain default "Minimum
Password Length" policy to less than or equal to 14 characters. Microsoft is working on a
resolution.
 [File Rename]

January Known Issues for Windows 10 (cont)
 KB 4534276 – Windows 10, Version 1709
 [File Rename]
 [User OOBE] When setting up a new Windows device during the Out of Box Experience
(OOBE), you might be unable to create a local user when using Input Method Editor (IME). This
issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.
Workaround: Set the keyboard language to English during user creation or use a Microsoft
Account to complete OOBE. You can set the keyboard language back to your preferred
language after user creation. See this KB for more details. Microsoft is working on a resolution.
 KB 4534293 – Windows 10, Version 1803
 [File Rename]
 [User OOBE]

January Known Issues for Windows 10 (cont)
 KB 4534273 – Windows 10, Version 1809, Server 2019 All Versions
 [Asian Packs] After installing KB 4493509, devices with some Asian language packs installed
may receive the error, "0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.“
Workaround: Uninstall and reinstall any recently added language packs or select Check for
Updates and install the April 2019 Cumulative Update. See KB for more recovery details.
Microsoft is working on a resolution.
 [File Rename]
 [User OOBE]

MS20-01-IE: Security Updates for Internet Explorer
 Affected Products: Microsoft Internet Explorer 9,10,11
 Description: The fixes that are included in the cumulative Security Update for Internet
Explorer are also included in the January 2020 Security Monthly Quality Rollup.
Installing either the Security Update for Internet Explorer or the Security Monthly
Quality Rollup installs the fixes that are in the cumulative update. This bulletin
references 11 KB articles.
 Impact: Remote Code Execution
 Fixes 1 Vulnerability: CVE-2020-0640
 Restart Required: Requires browser restart
 Known Issues: None reported

MS20-01-MR7: Monthly Rollup for Win 7 and Server 2008 R2
 Affected Products: Microsoft Windows 7, Server 2008 R2, and IE
 Description: This security update includes improvements and fixes that were a part of
update KB 4525251 (released November 19, 2019). Bulletin is based on KB 4534310.
Security updates to the Microsoft Scripting Engine, Windows Input and Composition,
Windows Storage and Filesystems, and Windows Server.
 Impact: Remote Code Execution, Elevation of Privilege, and Information Disclosure
 Fixes 19 + 1 IE Vulnerabilities: No CVEs are publicly disclosed or known exploited.
See the Security Update Guide for the complete list of CVEs.
 Known Issues: None reported. Check KB for SSU and SHA-2 requirements.

MS20-01-SO7: Security-only Update for Win 7 and Server 2008 R2
 Affected Products: Microsoft Windows 7 SP1, Server 2008 R2 SP1
 Description: Bulletin is based on KB 4534314. Security updates to Windows Input and
Composition, Windows Storage and Filesystems, and Windows Server.
 Fixes 19 Vulnerabilities: No CVEs are publicly disclosed or known exploited. See
the Security Update Guide for the complete list of CVEs.

MS20-01-MR8: Monthly Rollup for Server 2012
 Affected Products: Microsoft Server 2012 and IE
Windows Media, Windows Storage and Filesystems, and Windows Server.
 Known Issues: [File Rename]

MS20-01-SO8: Security-only Update for Server 2012
 Affected Products: Microsoft Server 2012
Composition, Windows Virtualization, Windows Kernel, Windows Peripherals, and
Windows Server.

MS20-01-MR81: Monthly Rollup for Win 8.1 and Server 2012 R2
 Affected Products: Microsoft Windows 8.1, Server 2012 R2, and IE
Windows Media, Windows Storage and Filesystems, and Windows Server.

MS20-01-SO81: Security-only Update for Win 8.1 and Server 2012 R2
 Affected Products: Microsoft Windows 8.1, Server 2012 R2
Composition, Windows Media, Windows Storage and Filesystems, and Windows
Server.

MS20-01-MRNET: Monthly Rollup for Microsoft .Net
 Affected Products: Microsoft Windows .Net Framework 3.0 through 4.8
 Description: This security update addresses a vulnerability where the Microsoft .NET
Framework fails to validate input properly and allows remote code injection and
execution. This bulletin references 14 KB articles.
 Fixes 3 Vulnerabilities: CVE-2020-0605, CVE-2020-0606, CVE-2020-0646
 Restart Required: Does not require a system restart after you apply it unless files
that are being updated are locked or are being used.

MS20-01-SONET: Security-only Update for Microsoft .Net
 Affected Products: Microsoft Windows .Net Framework 3.0 through 4.8
 Description: This security update addresses a vulnerability where the Microsoft .NET
Framework fails to validate input properly and allows remote code injection and
execution. This bulletin references 14 KB articles.
 Fixes 3 Vulnerabilities: CVE-2020-0605, CVE-2020-0606, CVE-2020-0646
 Restart Required: Does not require a system restart after you apply it unless files
that are being updated are locked or are being used.

MS20-01-MR2K8: Monthly Rollup for Windows Server 2008
 Maximum Severity: Moderate
 Affected Products: Microsoft Windows Server 2008 and IE 9
and Windows Storage and Filesystems.
 Fixes 16 + 1 (IE 9) Vulnerabilities: No CVEs are publicly disclosed or known
exploited. See the Security Update Guide for the complete list of CVEs.

MS20-01-SO2K8: Security-only Update for Windows Server 2008
 Maximum Severity: Important
 Affected Products: Microsoft Windows Server 2008
 Description: This bulletin is based on KB 4534312. Security updates to Windows
Input and Composition and Windows Storage and Filesystems.

MS20-01-OFF: Security Updates for Microsoft Office
 Affected Products: Excel 2010-2016, Office 2010-2016, Office 2016 and 2019 for
Mac, Office Online Server
 Description: This security update resolves vulnerabilities in several Microsoft Office
applications. This bulletin references 7 KB articles plus release notes for MacOS.
 Impact: Remote Code Execution and Spoofing
 Fixes 4 Vulnerabilities: CVE-2020-0647, CVE-2020-0650, CVE-2020-0651, CVE-
2020-0652
 Restart Required: Requires application restart

MS20-01-O365: Security Updates for Office 365 ProPlus and
Office 2019
 Affected Products: Office 365 ProPlus, Office 2019
 Description: This month’s update resolved various bugs and performance issues in
Microsoft Office 365 and Office 2019 applications. Information on Office 365 ProPlus
updates is available at https://docs.microsoft.com/en-us/officeupdates/release-notes-
office365-proplus
2020-0653
 Restart Required: Requires application restart

Between Patch Tuesday’s
New Product Support: Git for Windows
Security Updates: Apple iCloud (1), Apple iTunes (1), Adobe Acrobat (1), Citrix
Reciever (1), DropBox (2), Evernote (1), Firefox (2), Firefox ESR (2), FileZilla (3), GIT for
Windows (2), GOM Player (1), GoodSync (6), Google Chrome (2), GoToMeeting (1),
LibreOffice (1), Nitro Pro (2), Node.JS (8), Opera (3), Oracle VirtualBox (1), Power BI
Desktop (1), Plex Media Server (2), PeaZip (1), Skype (2), Slack (1), Snagit (1), Splunk
Forwarder (2), Tableau Desktop (7), Tableau Prep (1), Tableau Reader (1), Thunderbird
(4), Tomcat (3), TeamViewer (1), VMWare Horizon Client (1), Wireshark (1), WinRAR (1)
Non-Security Updates: AIMP (2), Bandicut (1), Google Backup and Sync (1),
IrfanView (1), BlueJeans (1), KeePass Classic (1), Microsoft (22), PDF-Xchange PRO (2),
Paint.net (1), Plex Media Player (2), PSPad (1), R for Windows (1), TreeSize Free (1),
XnView (1), Zoom Client (1), Zoom Outlook Plugin (2)

Third Party CVE Information
 Nitro Pro Enterprise 13.9.1.155
 NITROE-200109, QNITROE1391155
2019-5048, CVE-2019-5050, CVE-2019-5053
 Nitro Pro 13.9.1.155
 NITRO-200109, QNITRO1391155
2019-5048, CVE-2019-5050, CVE-2019-5053
 Firefox 72.0.1
 FF-200108, QFF7201
 Fixes 1 Vulnerabilities: CVE-2019-17026

Third Party CVE Information (cont)
 Firefox ESR 68.4.1
 FFE-200108, QFFE6841
2019-17021, CVE-2019-17022, CVE-2019-17024, CVE-2019-17026
 Firefox ESR 68.4.0
 FFE-200107, QFFE6840
 Fixes 6 Vulnerabilities: CVE-2019-17015,CVE-2019-17016,CVE-2019-17017,CVE-
2019-17021,CVE-2019-17022,CVE-2019-17024
 Firefox 72.0
 FF-200107, QFF720
 Fixes 11 Vulnerabilities: CVE-2019-17015, CVE-2019-17016, CVE-2019-
17017, CVE-2019-17018, CVE-2019-17019, CVE-2019-17020, CVE-2019-
17021, CVE-2019-17022, CVE-2019-17023, CVE-2019-17024, CVE-2019-
17025

 GIT for windows 2.24.1
 GIT-002, QGIT2241
2019-1351, CVE-2019-1352, CVE-2019-1353, CVE-2019-1354, CVE-2019-1387, CVE-
2019-19604
 Thunderbird 60.9.0
 TB19-6090, QTB6090
2019-11743, CVE-2019-11744, CVE-2019-11746, CVE-2019-11752
 Google Chrome 79.0.3945.88
 CHROME-269, QGC790394588
 Fixes 1 Vulnerability: CVE-2019-13767

 Apple iCloud 7.16.0.15
 ICLOUD-023, QICLOUD716015
2019-8848, CVE-2019-15903
 Apple iTunes 12.10.3.1
 AI19-008, QAI121031
2019-8848, CVE-2019-15903

Patch Tuesday for January 2020

More Related Content

What's hot (20)

Similar to Patch Tuesday for January 2020 (20)

More from Ivanti (20)

Recently uploaded (20)

Patch Tuesday for January 2020

Editor's Notes