April 14, 2020

Microsoft today released updates to fix 113 security vulnerabilities in its various Windows operating systems and related software. Those include at least three flaws that are actively being exploited, as well as two others which were publicly detailed prior to today, potentially giving attackers a head start in figuring out how to exploit the bugs.

Nineteen of the weaknesses fixed on this Patch Tuesday were assigned Microsoft’s most-dire “critical” rating, meaning malware or miscreants could exploit them to gain complete, remote control over vulnerable computers without any help from users.

Near the top of the heap is CVE-2020-1020, a remotely exploitable bug in the Adobe Font Manager library that was first detailed in late March when Microsoft said it had seen the flaw being used in active attacks.

The Adobe Font Manager library is the source of yet another zero-day flaw — CVE-2020-0938 — although experts at security vendor Tenable say there is currently no confirmation that the two are related to the same set of in-the-wild attacks. Both flaws could be exploited by getting a Windows users to open a booby-trapped document or viewing one in the Windows Preview Pane.

The other zero-day flaw (CVE-2020-1027) affects Windows 7 and Windows 10 systems, and earned a slightly less dire “important” rating from Microsoft because it’s an “elevation of privilege” bug that requires the attacker to be locally authenticated.

Many security news sites are reporting that Microsoft addressed a total of four zero-day flaws this month, but it appears the advisory for a critical Internet Explorer flaw (CVE-2020-0968) has been revised to indicate Microsoft has not yet received reports of it being used in active attacks. However, the advisory says this IE bug is likely to be exploited soon.

Researchers at security firm Recorded Future zeroed in on CVE-2020-0796, a critical vulnerability dubbed “SMBGhost” that was rumored to exist in last month’s Patch Tuesday but for which an out-of-band patch wasn’t released until March 12. The problem resides in a file-sharing component of Windows, and could be exploited merely by sending the victim machine specially-crafted data packets. Proof-of-concept code showing how to exploit the bug was released April 1, but so far there are no indications this method has been incorporated into malware or active attacks.

Recorded Future’s Allan Liska notes that one reason these past few months have seen so many patches from Microsoft is the company recently hired “SandboxEscaper,” a nickname used by the security researcher responsible for releasing more than a half-dozen zero-day flaws against Microsoft products last year.

“SandboxEscaper has made several contributions to this month’s Patch Tuesday,” Liska said. “This is great news for Microsoft and the security community at large.”

Once again, Adobe has blessed us with a respite from updating its Flash Player program with security fixes. I look forward to the end of this year, when the company has promised to sunset this buggy and insecure program once and for all. Adobe did release security updates for its ColdFusion, After Effects and Digital Editions software.

Speaking of buggy software platforms, Oracle has released a quarterly patch update to fix more than 400 security flaws across multiple products, including its Java SE program. If you’ve got Java installed and you need/want to keep it installed, please make sure it’s up-to-date.

Now for my obligatory disclaimers. Just a friendly reminder that while many of the vulnerabilities fixed in today’s Microsoft patch batch affect Windows 7 operating systems — including all three of the zero-day flaws — this OS is no longer being supported with security updates (unless you’re an enterprise taking advantage of Microsoft’s paid extended security updates program, which is available to Windows 7 Professional and Windows 7 enterprise users).

If you rely on Windows 7 for day-to-day use, it’s to think about upgrading to something newer. That something might be a computer with Windows 10. Or maybe you have always wanted that shiny MacOS computer.

If cost is a primary motivator and the user you have in mind doesn’t do much with the system other than browsing the Web, perhaps a Chromebook or an older machine with a recent version of Linux is the answer (Ubuntu may be easiest for non-Linux natives). Whichever system you choose, it’s important to pick one that fits the owner’s needs and provides security updates on an ongoing basis.

Keep in mind that while staying up-to-date on Windows patches is a must, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re not losing your mind when the odd buggy patch causes problems booting the system.

So do yourself a favor and backup your files before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips. Also, keep an eye on the AskWoody blog from Woody Leonhard, who keeps a close eye on buggy Microsoft updates each month.

Further reading:

Qualys breakdown on April 2020 Patch Tuesday

SANS Internet Storm Center on Patch Tuesday

23 thoughts on “Microsoft Patch Tuesday, April 2020 Edition

  1. The Sunshine State

    Not only should you backup your files , but also your registry hives and also do a system restore point.

    1. JF

      … Brian also mentions:

      … “or by making a complete and bootable copy of your hard drive all at once.”

      It can be done through Windows directly, as mentioned, or by third party programs, such as Macrium Reflect (free or paid). I prefer the latter.

      1. The Sunshine State

        Or use Acronis True Image to clone to a external USB hard drive !

        1. Demagnetized Magnetician

          True Image, which I have used for years, does no work with BitLocker.

      2. JCitizen

        I prefer Macrium as well – but I won’t bother with a bootable copy, it is too much trouble to update – (unless maybe you could use a re-writable drive)

        1. JF

          I agree – bootable copy is not necessary. You can make multiple full image backups in Macrium Reflect, and you can verify them after making backups.

  2. Coronald McDonald

    Land sakes’ alive, B.K. is endorsing linux? Surely these are the end times we find ourselves in 🙂

  3. JCitizen

    When is Adobe going to be banned from PC? Or even Java as far as that goes?

    Yeah, I still got Win7, but it has been running better than ever since I bought Opatch support! I am not a shill for anyone, I just can’t update my old PC to Win10, and I can’t afford the huge support price MS wants to extend Win7. I looked at dual booting to Linux, but they seem to have made the process even more complicated since just a few years ago!

  4. Marie

    The timing could nit be worse with people working from home and even some smaller businesses that can not address IT issues sufficiently with limited resources, limited access, and recently increasing limited control over the abrupt and unplanned situation of closures and layoffs while some are racing often with no trial to open and operate newly created online stores. Hopefully that is their due diligence checklist for red flagging any vulnerabilities now present.

  5. Mark E

    Just back up your data.

    Every thing else can be downloaded and start from fresh.
    Don’t back up your system, 90% Window$ crap.

    Get an ISO of the o/s ready.

  6. Jonathan Rosenne

    All our computers have defined disk c and d, with all the data on d. We backup d, and reinstall all the software we use on c. Since our main language is Java we do not need to rely on the registry.

  7. Paul Wilder

    Linux was good but now Microsoft bought it and it’s just as bad as windows 10. They don’t make sure it works before they use the updates than; too bad too sad; it’s up to you to fix it!

    1. IJAC

      Paul Micro$ft did not buy Linux they just made it available in windows. Linux is still open source and I hope always will be. If Micro$oft got a hold of it they would surely screw it up. I’ve been using Linux Mint for about a year now and no problems. Linux is not for everyone I know that but I am very satisfied using it. I have a dual boot set up with windows 10 but I rarely boot to windows just to update it occasionally.

      1. Joe Murphy

        I thought Red Hat was purchased by IBM around 2002 or 2003. That was about the time I stopped using that version.

  8. ION

    Bezos wants a $ 10 billion federal contract for an IT infrastructure but I don’t see any Windows with the name Amazon!

  9. eric frazee

    speaking of #patchmanagement does anyone have any good suggestions for cloud-based patch management for windows computers and common 3rd party apps like adobe, browsers, java? Something including repositories? I’m pretty sure most large/med size org’s are using combinations of WSUS/SCCM that rely on things like client VPN access back to corporate data centers. Would be great to have an all-cloud solution with repo’s that doesn’t require access to corporate data centers. Heck, I’d even consider another new client on every computer

    1. IT Dood

      This is not, specifically, cloud-based, but it is something we use on premise and MAY have a cloud option: Ivanti Security Controls. We maintain MS and third-party patching with this software, and it does a phenomenal job. Get in touch with the folks at Ivanti and explain your needs, as they will likely have something. Bang for the buck, we have yet to find anything better.

    2. CW

      You can still use SCCM for patching, without requiring VPN. It’s called IBCM (internet-based client management.) Basically, the SCCM client is configured to look for patches/software updates at a location that is accessible from the internet. Meaning, the clients don’t need to be connected to the VPN to stay patched, or get the latest version of Java that an SCCM admin pushes out.

  10. Zalgo

    Well thank you Microsoft for runing my another system
    year ago while using windows 7 one of updates corupt booting up corectly.

    And now they killed of my new laptop with windows 10, olso by faulty update Well Done Microsft your updates cause more danger than help.

  11. beavis

    > Linux was good but now Microsoft bought it and it’s just as bad as windows 10.

    Don’t get high on your own supply.

Comments are closed.