Tim Lovegrove
Security Analyst
Welcome back to another instalment of the Softcat Post-Patch Tuesday roundup. This one is jam packed with information and more patches than ever, so lets get started…
Microsoft
With 23 critical vulnerabilities across a number of systems, this month’s Patch Tuesday drop is going to take a bit of planning from Sysadmins and server application owners. With critical updates for Exchange, SharePoint and Dynamics 365, there will need to be some planned downtime for some major business systems in the coming weeks.
First up, SharePoint is the target of 7 major bugs, including a Critical remote code execution vulnerability (CVE-2020-1210), whereby a file loaded with malicious content in the markup can give the attacker the ability to run code in the context of the underlying server farm account. This account should only be a domain member (rather than admin) but will have additional privileges on the underlying system, including SQL and potentially service-level permissions. This gives the attacker the potential for data exfiltration and options for privilege escalation. It’s also common to see misconfigurations where these accounts are made Domain Admins, leading to much higher levels of access.
SharePoint can be a pain to update, so take the opportunity to ensure all outstanding service packs and any other updates are installed (including the often-missed Office components) while you have the downtime scheduled.
On a similar front, Exchange is also updated to resolve a remote code execution bug that can be triggered by sending a crafted email to a recipient on the server, and in the process gaining system-level code execution access. The bug affects Exchange Server 2016 and 2019 and once again will likely need some carefully scheduled downtime.
Active Directory integrated DNS is the target of several bugs that allow remote code execution at System account level. Once again these are triggered by sending a malformed request to the server, which mishandles the object in memory and allows arbitrary code to be run. While these are serious bugs, we would apply the rule that if you can reach an AD DNS server to run this exploit you have a bigger problem already, in the form of a serious misconfiguration or a compromised host. In most circumstances this can be patched in your normal cycle but give special consideration to any DNS servers that may live in DMZ’s or have other functions in your network that may expose them to higher risk of attack.
On top of these, there’s a large amount of general updates for Workstations and Servers, covering a variety of underlying products including browser scripting engines, codecs and other components. It could be a substantial update window this month, and we’ve seen circumstances where desktops and laptops take several rounds of installing & rebooting to finish off their updates recently. As always, support your users through the updates and monitor the success of the deployments
Adobe
Adobe keep things simple with just a single update to Flash this month with no security fixes. The official end-of-life date for Flash is slated as the 31st December 2020, just 3 months away, and while it’s now deprecated across most browsers, there are no doubt a few custom applications and sites out there that rely on it still.