June 2020 Patch Tuesday Commentary

Microsoft resolves 129 unique common vulnerabilities and exposures in June, but there are no publicly disclosed or exploited vulnerabilities to be concerned with.

Microsoft resolves 129 unique common vulnerabilities and exposures (CVEs) this June, but there are no Publicly Disclosed or Exploited CVEs to be concerned with. This makes four months of more than 100 CVEs resolved on Patch Tuesday. The good news is 98 of these are resolved by deploying the OS and browser updates. The remaining 31 are spread across Office, SharePoint, Defender, Endpoint Protection, and dev tools like Visual Studio, ChakraCore and Azure Dev Ops. A total of 11 CVEs were rated as Critical. Adobe also released a security update for Flash Player this month! Yes, there is a single Critical CVE resolved this month in Flash Player so ensure this makes your update list for June.

An advisory from US-CERT is calling attention to CVE-2020-0796, resolved in March 2020. The CVE was publicly disclosed prior to the update released in March, and there are now functional proof-of-concept code samples that can exploit the vulnerability on unpatched systems. The vulnerability was introduced in Windows 10 1903 and later systems in an updated version of SMBv3. Some mitigation options are available, notably blocking SMB traffic at the network perimeter. Ensuring you have the March or later OS update for Windows 10 1903 and newer systems will plug the vulnerability. Including June’s update, the last four OS updates have included this fix. This is “low-hanging fruit” that could easily be resolved in most cases.
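As an added example (not part of the original commentary), the following PowerShell audit reports whether a Windows 10 host sits on an affected branch, whether the latest cumulative security update on it predates the March 2020 fix, and whether the SMBv3 compression workaround is applied. The build numbers for 1903/1909 and the DisableCompression registry value are assumptions from my own knowledge of Microsoft's published workaround, not values taken from this page.

```powershell
# Added example: audit a host for CVE-2020-0796 exposure. Run in an elevated prompt.
# Assumptions (not from the page): 1903 = build 18362, 1909 = build 18363;
# DisableCompression under LanmanServer\Parameters is Microsoft's documented workaround.

function Get-SmbV3CompressionExposure {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $ubr   = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR

    # Only 1903 and 1909 shipped the vulnerable SMBv3 compression code;
    # older branches lack it and 2004 shipped with the fix already in place.
    $affectedBranch = ($build -ge 18362 -and $build -le 18363)

    # Workaround status: DisableCompression = 1 turns off SMBv3 compression on the server side.
    $paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $disable   = (Get-ItemProperty -Path $paramsKey -Name DisableCompression `
                    -ErrorAction SilentlyContinue).DisableCompression
    $workaroundApplied = ($disable -eq 1)

    # Most recent security update: the March 2020 (or later) cumulative update closes the hole,
    # so an InstalledOn date before March 2020 on an affected branch means exposure.
    $latestLcu = Get-HotFix |
        Where-Object { $_.Description -eq 'Security Update' -and $_.InstalledOn } |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    $patchedSinceMarch2020 = ($latestLcu -and $latestLcu.InstalledOn -ge [datetime]'2020-03-01')

    # Is SMB (TCP 445) actually listening? Blocking it at the perimeter is the page's other mitigation.
    $smbListening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Build                   = "$($os.Version).$ubr"
        AffectedBranch          = $affectedBranch
        LatestSecurityUpdate    = $latestLcu.HotFixID
        LatestSecurityUpdateOn  = $latestLcu.InstalledOn
        PatchedSinceMarch2020   = $patchedSinceMarch2020
        CompressionWorkaround   = $workaroundApplied
        Smb445Listening         = $smbListening
        Exposed                 = ($affectedBranch -and -not $patchedSinceMarch2020 -and -not $workaroundApplied)
    }
}

Get-SmbV3CompressionExposure | Format-List
```

The Exposed field is a conservative heuristic based on update dates; confirm against the specific KB for your branch before closing a finding.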

The shift to remote work is causing issues for companies trying to keep up with consistent patch deployments. Many companies are using patch management solutions that require a virtual private network (VPN) to keep updated. There are many solutions that can manage updates without the need for a VPN. Another difficulty companies are facing is user connectivity. I had a conversation with one company that is managing updates without needing to use a VPN to access the network. Their challenge is their users have low internet speeds. Monthly updates requiring hundreds of megabytes of patches (or gigabytes in some cases) become problematic as well.

The US-CERT advisory brings to mind some interesting statistics on how quickly threat actors can develop functional exploits and the average shelf life of exploits. According to a RAND report, the mean time to exploit a vulnerability is 22 days. In 2019 we got an interesting glimpse into this process as BlueKeep (CVE-2019-0708) was announced and a very public race began among security researchers to exploit the next “WannaCry.” The update for BlueKeep was released on May 14, 2019. Functional exploits were produced by multiple independent research teams by May 28, 2019, only 14 days later. Another interesting stat from the RAND report is that the average shelf life of an exploit is about seven years. You can find evidence of this in a report released by Recorded Future on the top 10 exploited vulnerabilities in 2019. Many of the vulnerabilities in the top 10 list are two to three years old, but CVE-2015-2419 and CVE-2012-0158 also made the list.

To close out this month let’s take a look at how things are going with Windows 10 2004. The latest Windows branch has been available for a month now and there are a number of known issues that have been reported. I have been watching the reports of issues from members of PatchManagement.org as they have begun distributing the new branch in their pilot groups. You can also find a comprehensive list on docs.microsoft.com showing current known and resolved issues.