February Patch Tuesday 2020
Microsoft resolved 99 CVEs this month, surpassing the August 2019 release, which resolved 93. Hmm, 99. This could be fun. 99 bottles of beer… 99 CVEs to patch? Unlike the song, where you need to take each bottle down and pass it around, the good news here is that many of these CVEs can be resolved by applying just a few Microsoft updates. Most of them are in the OS this month. On average, your OS updates will resolve around 50 CVEs. The exception is Windows 10, which, along with IE and Edge, will resolve 88 CVEs. What is more important to talk about is which of these 99 CVEs are most critical to resolve and which products you need to update to plug those holes. Along with Microsoft, Adobe and Mozilla also have security updates this month.
There is one zero-day in the mix (CVE-2020-0674), which was first identified last month in a security advisory (ADV200001). Five of the CVEs (including the zero-day) have been publicly disclosed, meaning that enough information is publicly available to give threat actors a head start on figuring out how to exploit them. By updating the operating system or browsers with a couple of patches per system, you can take the teeth out of the majority of the risk this month.
The really good news in all of this is that 99 CVEs doesn’t really mean a whole lot of extra work for admins this month. The normal updates still apply. OS, browser, and Office updates will resolve most of your vulnerabilities on the Microsoft side. SQL and Exchange admins do get a bit of extra work this month, as both of those products are included in the updates released.
February 2020 marks the first security updates for the new Edge Chromium browser edition! That’s right, there are now two editions of Edge—the HTML version built into the Windows 10 OS and the new Chromium edition that you can install if you choose.
Another notable item this month, call it a discrepancy, is the extended support releases. Windows 7, Server 2008 and 2008 R2 ESU updates are still being documented publicly and are listed in the standard WSUS catalog. This is likely to cause some confusion. Does this mean everyone has access? No, you do need an ESU with Microsoft in order to meet the specific criteria for the free options that Microsoft has outlined in the Windows 7 ESU FAQ. Also of note, there is an ESU License Preparation Patch which states the following:
“This update provides the complete set of licensing changes to enable installation of the ESU MAK add-on key, which is one of the steps to prepare for installation of Extended Security Updates. (For the full set of steps, please see KB4522133). A reboot is required after installing this update.”
This additional licensing preparation patch means there are four things you need to review on your ESU targets to ensure you will be able to patch without issue. You need to ensure that the SHA-2 support updates are applied, that you meet the Servicing Stack Update prerequisites, that you have pushed this new licensing preparation patch to the systems, and that you have your ESU license key in place.
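One way to audit those four items on an ESU target, as an added example that is not from the original article or from Microsoft. The function name `Test-EsuReadiness`, the placeholder KB IDs, and the rule that the activated ESU add-on shows up as a licensing product whose name contains "ESU" are assumptions; take the real KB numbers for your OS from KB4522133.

```powershell
# Added example: audit the four ESU prerequisites on the local machine.
# Written for PowerShell 2.0, which ships with Windows 7 / Server 2008 R2.
# The KB IDs are placeholders, NOT values from the article. List superseding
# updates as alternatives: a check passes when at least one listed KB is installed.
$Prereqs = @{
    'SHA-2 support update'      = @('KB-PLACEHOLDER-SHA2')
    'Servicing Stack Update'    = @('KB-PLACEHOLDER-SSU')
    'ESU licensing prep update' = @('KB-PLACEHOLDER-LICPREP')
}

function Test-EsuReadiness {
    param([hashtable]$Required, [string[]]$InstalledKBs, [object[]]$LicenseProducts)
    $results = @()
    foreach ($name in ($Required.Keys | Sort-Object)) {
        # KBs from this prerequisite's list that are actually installed
        $hit = @($Required[$name] | Where-Object { $InstalledKBs -contains $_ })
        $results += New-Object PSObject -Property @{
            Check = $name; Passed = ($hit.Count -gt 0); Detail = ($hit -join ',')
        }
    }
    # Assumption: the activated ESU add-on is a licensing product whose name
    # contains "ESU"; LicenseStatus 1 means "Licensed".
    $esu = @($LicenseProducts | Where-Object { $_.Name -like '*ESU*' -and $_.LicenseStatus -eq 1 })
    $results += New-Object PSObject -Property @{
        Check  = 'ESU license key activated'; Passed = ($esu.Count -gt 0)
        Detail = (($esu | ForEach-Object { $_.Name }) -join '; ')
    }
    $results
}

# Get-HotFix reads Win32_QuickFixEngineering; only products with a key installed are queried.
$installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
$licenses  = @(Get-WmiObject -Query "SELECT Name, LicenseStatus FROM SoftwareLicensingProduct WHERE PartialProductKey IS NOT NULL")
$report    = Test-EsuReadiness -Required $Prereqs -InstalledKBs $installed -LicenseProducts $licenses
$report | Select-Object Check, Passed, Detail | Format-Table -AutoSize
if (@($report | Where-Object { -not $_.Passed }).Count -gt 0) { exit 1 }  # non-zero exit = not ready
```

The non-zero exit code lets a deployment tool flag machines that would fail the ESU update before the patch window rather than during it.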
On the third-party front:
Adobe has resolved 17 CVEs for Adobe Reader and Acrobat (APSB20-05) and one CVE for Flash Player (APSB20-06). This is the first security update for Flash Player for 2020 and also the first since September 2019. The Adobe Acrobat Reader update includes 12 Critical CVEs and the Flash Player CVE is also Critical. We recommend prioritizing these two updates this month. Microsoft’s release of Flash Player covers the latest editions of Windows. The Flash Player update is only supported on Windows 8.1 and Server 2012 and later.
Mozilla has released updates for Firefox, Firefox ESR and Thunderbird, resolving 6, 5 and 7 CVEs respectively. The two Firefox updates are rated High severity and the Thunderbird update Moderate under Mozilla’s severity rating. So while these updates are not urgent, you will want to get them rolled out in your normal monthly maintenance.