Microsoft has released 113 security fixes as part of Patch Tuesday (Adobe and others are all busy pushing updates today, as is Oracle under its quarterly cycle).

Among Microsoft’s patches are belated fixes for CVE-2020-0938, an exploited zero-day, and CVE-2020-1020, a exploited and previously publicly disclosed vulnerability; both entailing flaws in Adobe Font Manager Library. (Despite the name, MSFT’s code).

In total, Microsoft has patched 19 critical vulnerabilities this cycle, across Adobe Font Manager Library (0-days), SharePoint, Hyper-V, Scripting Engines, Media Foundation, Microsoft Graphics, Windows Codecs, and Dynamics Business Central.

Read More About Them Here: Two Critical New Windows 0Days Being Actively Exploited 

(Also standing out, CVE-2020-0835, an elevation of privilege bug in Microsoft’s own malware defense programme, Windows Defender: details on exploitation are very thin in the update, which ranks the vulnerability “important”)

For the uninitiated, failing to patch can be bad news, particularly for “critical”-rated vulnerabilities, which are typically exploited very, very fast.

Patching Software Remotely 

Today’s Patch Tuesday is the first major batch of software security fixes of the new, WFH era and an important one as a result, with some unique challenges for IT managers: i.e. how do you push patches for machines via VPN using home broadband networks, and ensure teams know that it is is happening?

Luckily enough, Microsoft’s security recently published a handy “decision tree of options” available to your organisation on precisely this front.

It spans the following scenarios:

  • No VPN
  • VPN forced tunnel: 100% of traffic goes into the VPN tunnel, including on-premise, management, Internet and all Office 365 or Microsoft 365 traffic
  • VPN Selective Tunnel: VPN tunnel is used only for corpnet-based services. Default route (Internet and all Internet based services) goes direct
  • VPN Forced Tunnel with few exceptions: VPN tunnel is used by default (default route points to VPN), with few, most important exempt scenarios that are allowed to go direct
  • VPN Forced Tunnel with broad exceptions: VPN tunnel is used by default (default route points to VPN), with broad exceptions that are allowed to go direct (such as all Office 365 or Azure-routed traffic, etc.)

The most straightforward issue first, no VPN? No problem.

As Microsoft’s Rob York notes: “If you don’t have a VPN, then it’s possible to configure ConfigMgr to leverage cloud services by default, and you should consider using Intune to manage your Windows Updates deployments without the need for any on-prem infrastructure. (For those who do have VPNs, but VPNs that are routing all traffic back on premises, all update traffic will flow from the on-premises servers.)

(One useful but sometimes controversial approach is using “split-tunnelling” whereby some of the traffic runs via the VPN, but the rest defaults to the internet. Some IT times do not allow split tunneling to the internet because of current security or networking policies, but can stillconfigure the split tunnel to direct known traffic to cloud services, in this context CMG, CDP, and Microsoft Update, MSFT notes).

Read Microsoft’s Comprehensive Guide to Patching Over VPN HERE

Richard Melick, a senior technical product manager, at patch management specialist Automox, notes, whatever the pain of pushing out patches in this climate, they’re best not overlooked.

He said in an emailed comment “Organisations are already strained with the added stresses of the sudden shift to remote workers and the technological needs, but today’s Patch Tuesday is not one to skip.

“From increasingly diverse technological environments to a list of unknown connectivity factors, IT and SecOps managers need to create a deployment plan that addresses today’s zero-day, exploited, and critical vulnerabilities within 24 hours and the rest within 72 hours in order to stay ahead of weaponisation. Hackers are not taking time off; they are working just as hard as everyone else.

Back to Patch Tuesday: Anything to Prioritise?

Hass highlights CVE-2020-0935 — a privilege elevation vulnerability found in OneDrive for Windows due to improper handling of symbolic links file system objects that point to another file system object — as among the more interesting fixes.

(The vuln was reported by Zhiniang Peng (@edwardzpeng) of Qihoo 360 Core security and Fangming Gu (@afang5472) and is rated important).

He notes: “In this scenario, an attacker that has gained access to an endpoint could use OneDrive to overwrite a targeted file, leading to an elevated status.

“Privilege escalation enables an attacker to further compromise systems, execute additional payloads that may need higher privileges to be effective, or gain access to personal or confidential information that was not available previously. OneDrive is extremely popular and often installed by default on Windows 10. When you combine this with remote work, and the ever-growing use of personal devices for remote work, make the potential scope for this vulnerability pretty high.”

Today’s Patch Tuesday in total has fixes for:

  • Microsoft Windows
  • Microsoft Edge (EdgeHTML-based)
  • Microsoft Edge (Chromium-based)
  • ChakraCore
  • Internet Explorer
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Windows Defender
  • Visual Studio
  • Microsoft Dynamics
  • Microsoft Apps for Android
  • Microsoft Apps for Mac

Many fixes will require reboots. Full details from Microsoft are here.