Patching in Review – May 2020
With June Patch Tuesday in full swing, let’s take a moment and look back at the last month of developments in the wonderful world of patching. Before we begin our upcoming analysis of this month’s releases, let’s reflect on the news from May. As always, be sure to join us on Wednesday, June 10, for our June Patch Tuesday analysis.
- KB4556799 for Windows 10 1903 and 1909 was littered with issues ranging from BSOD crashes and broken LTE connectivity to installation failures and audio issues. While Microsoft stated it was looking into issues mid-month, we did not see any non-security updates for the month. Here’s hoping June goes more smoothly.
- Windows 10 2004 was finally released at the end of May, but not without its concerns. Before you begin rolling out this update, keep an eye on Microsoft’s 2004 status page to see active issues (currently 10 active bugs as I write this).
- The wormable SMBv3 vulnerability in Windows 1903/1909, disclosed in March 2020 under CVE-2020-0796, is now being actively exploited, according to confirmed reports from CISA. This vulnerability, which earned the moniker “SMBGhost” or “EternalDarkness”, allows an unauthenticated attacker to execute arbitrary code on an endpoint. Because a successful attack requires neither authentication nor privileges, it can spread through an unpatched network with ease.
- Reverse RDP attacks are coming back for a third round, with confirmation that a vulnerability still exists in this protocol for all versions of Windows. When it is exploited, an attacker can gain read and write access to the system’s files. For background, this was initially patched in July 2019 under CVE-2019-0887, then patched again in February 2020 under CVE-2020-0655 after a bypass was discovered. As discovered by Check Point Research, although the RDP client built into Windows is fixed, the API is still vulnerable, leaving any third-party RDP solution exposed to this attack.
- Google Chrome took the lion’s share of CVEs for the month, with a total of 33 vulnerabilities patched across two security releases, 83.0.4103.61 and 83.0.4103.97. Microsoft Edge (Chromium) also released updates shortly after each patch under its own advisory page.
- Firefox released version 77, covering only 7 vulnerabilities, only two of which affect the corresponding ESR release. Near the tail end of the month, Mozilla also released Thunderbird 68.9.0 to remediate the shared CVEs.