12
May 20

Microsoft Patch Tuesday, May 2020 Edition

Microsoft today issued software updates to plug at least 111 security holes in Windows and Windows-based programs. None of the vulnerabilities were labeled as being publicly exploited or detailed prior to today, but as always if you’re running Windows on any of your machines it’s time once again to prepare to get your patches on.

May marks the third month in a row that Microsoft has pushed out fixes for more than 110 security flaws in its operating system and related software. At least 16 of the bugs are labeled “Critical,” meaning ne’er-do-wells can exploit them to install malware or seize remote control over vulnerable systems with little or no help from users.

But focusing solely on Microsoft’s severity ratings may obscure the seriousness of the flaws being addressed this month. Todd Schell, senior product manager at security vendor Ivanti, notes that if one looks at the “exploitability assessment” tied to each patch — i.e., how likely Microsoft considers each can and will be exploited for nefarious purposes — it makes sense to pay just as much attention to the vulnerabilities Microsoft has labeled with the lesser severity rating of “Important.”

Virtually all of the non-critical flaws in this month’s batch earned Microsoft’s “Important” rating.

“What is interesting and often overlooked is seven of the ten [fixes] at higher risk of exploit are only rated as Important,” Schell said. “It is not uncommon to look to the critical vulnerabilities as the most concerning, but many of the vulnerabilities that end up being exploited are rated as Important vs Critical.”

For example, Satnam Narang from Tenable notes that two remote code execution flaws in Microsoft Color Management (CVE-2020-1117) and Windows Media Foundation (CVE-2020-1126) could be exploited by tricking a user into opening a malicious email attachment or visiting a website that contains code designed to exploit the vulnerabilities. However, Microsoft rates these vulnerabilities as “Exploitation Less Likely,” according to their Exploitability Index.

In contrast, three elevation of privilege vulnerabilities that received a rating of “Exploitation More Likely” were also patched, Narang notes. These include a pair of “Important” flaws in Win32k (CVE-2020-1054, CVE-2020-1143) and one in the Windows Graphics Component (CVE-2020-1135). Elevation of Privilege vulnerabilities are used by attackers once they’ve managed to gain access to a system in order to execute code on their target systems with elevated privileges. There are at least 56 of these types of fixes in the May release.

Schell says if your organization’s plan for prioritizing the deployment of this month’s patches stops at vendor severity or even CVSS scores above a certain level you may want to reassess your metrics.

“Look to other risk metrics like Publicly Disclosed, Exploited (obviously), and Exploitability Assessment (Microsoft specific) to expand your prioritization process,” he advised.

As it usually does each month on Patch Tuesday, Adobe also has issued updates for some of its products. An update for Adobe Acrobat and Reader covers two dozen critical and important vulnerabilities. There are no security fixes for Adobe’s Flash Player in this month’s release.

Just a friendly reminder that while many of the vulnerabilities fixed in today’s Microsoft patch batch affect Windows 7 operating systems — including all three of the zero-day flaws — this OS is no longer being supported with security updates (unless you’re an enterprise taking advantage of Microsoft’s paid extended security updates program, which is available to Windows 7 Professional and Windows 7 enterprise users).

If you rely on Windows 7 for day-to-day use, it’s time to think about upgrading to something newer. That something might be a PC with Windows 10. Or maybe you have always wanted that shiny MacOS computer.

If cost is a primary motivator and the user you have in mind doesn’t do much with the system other than browsing the Web, perhaps a Chromebook or an older machine with a recent version of Linux is the answer (Ubuntu may be easiest for non-Linux natives). Whichever system you choose, it’s important to pick one that fits the owner’s needs and provides security updates on an ongoing basis.

Keep in mind that while staying up-to-date on Windows patches is a must, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re not losing your mind when the odd buggy patch causes problems booting the system.

So backup your files before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips. Also, keep an eye on the AskWoody blog from Woody Leonhard, who keeps a reliable lookout for buggy Microsoft updates each month.

Further reading:

SANS Internet Storm Center breakdown by vulnerability and severity

Microsoft’s Security Update catalog

BleepingComputer on May 2020 Patch Tuesday

Tags: , , , , , , , , , , ,

34 comments

  1. It’s not a security fix, but Flash has been updated to v32.0.0.371 (all flavors) and there is an updated uninstaller for it as well.

    • Hey, that would be fun, wouldn’t it, if miscreants could jack up your system from the Flash Uninstaller, hah?

      • It’s available directly from Adobe as an official product, so perhaps true IF you consider Adobe itself as one of those miscreants.

  2. The Sunshine State

    Don’t forget to mention the new featured update , “20-04” on May 24

  3. The only reason I use Win 7 is for some things I have to use Windows.

    Windows 10 is a surviellance nightmare. It actively tries to invade my privacy and will reconfigure itself, and I can’t even disable Cortana.

    So either stay vulnerable or be privacy raped?

    Or perhaps you could put together an article about how to disconnect the MicroSurveillence parts as well as the We will force you things?

    I have Windows Tentacle on one small new computer because I needed a live system as a backup. It took 2+ hours to disable the crap configurations and enabled things it came with and it wasn’t the first computer I did.

  4. Windows patches don’t do anything use service pack 1 with no updates it’s better to use Linux as much as possible. if your addicted to facebook,insta,goog,amaz,uber and the rest… your mileage may very.

  5. It does not really matter which os you run, just keep it up 2 patch.
    Linux and mac also contain vulnerabilities as well as the software running on top of the os.

  6. Given that they’re all bundled into a single cumulative update, it’s unlikely anyone is going to do anything other than install all the updates in one shot, rather than deconstruct it to deploy only Critical severity updates.

  7. Larry ITwannabe

    So what exactly can’t HOME users do with a Chromebook? Almost every time an expert mentions a Chromebook, it’s usually in a subtle(or not so) derogatory fashion. I’ve been using one since 2012 & wouldn’t go back to Windoze. I read some tech folks say you can’t do “real” work with them. Just email & lite browsing.
    FWIW, there are 3 guys I listen to that have a radio call in on Saturdays(Sound Bytes) that have been involved in the industry for decades so they know their stuff. Two of the 3 have Chromebooks & love em. They say they can do almost everything they need. The 3rd is mostly a Mac guy who likes Chromebooks, but hasn’t got one yet.

    • Can’t install favourite Windows software. Genealogy, image editing, scanning, etc.

      • You forgot the big one, you cannot save locally. It is web based. Being web based, you have difficulty’s when your local web connection goes down.

    • I use chromebook with a monitor for everything. But you cant attach a wired printer nor add photoshop. Ugh. That’s only 2 times I go on my laptop on windows. I agree though, I began using chromebook because I didnt want virus risks. I have 4 extensions that I put on laptop that are automatically then configured to my chromebook. Like Gramarly, An app to keep screen lit up when not active (for crochet patterns), etc. I can do most things on chromebook. I even connected wireless earbuds last week as my chrome book has bluetooth. I feel safer.ibdo turn on and run updates on windows 10 laptop weekly & bitdefender, etc but don’t let it sync to other devices in case it messes up. I love my laptop but had onevyrs ago, got a virus and vowed to not be so vulnerable again. Great minds think alike. 4 yrs now no issues. My monitor connected to chromebook is big so I dont notice I’m using a tiny chromebook anyway!

  8. Latest updates in my windows 10 v 1803 must do it with command prompt dism online and get package of the cab file

  9. Except that Chromebooks are from the very heart of the dark side, even darker than Redmond, Google, the single worst privacy violators extant!

  10. It doesn’t cost all that much to keep Windows 7 patched, and in fact the utility I was introduced to by a fellow KOS reader, does a better job also patching ALL of my apps including ones I forgot I had. I just couldn’t afford a new computer, and Win 10 is incompatible with my old PC – God knows I tried to install it. – so I will gladly pay $25 or so bucks a year to keep my machine patched with micro patches from Opatch

    I am not a shill for them, I just want folks to know there are alternatives out there. My machine is running better now, than I ever remembered before January 14, 2020. Despite catching, and/or blocking a few malware packages since then, I’ve not been aware that my system has been compromised yet. So far they’ve been swatted down, and removed with no evident pwning of vulnerabilities. And BTW, I don’t have to reboot, and never have had a problem with any of these patches; which is more than I can say with the ones from Microsoft in the past!

  11. Personally I don’t care very much about Linux operating systems (yes I know I will get hate from the Linux fans). Of course I have to work with Linux when I setup routers. I think there is a big difference between the typical Linux OS and Linux developed by a major corporation like the Z OS used on IBM mainframes for banking. I need either Windows or MacOS for editing photos in Lightroom and Photoshop. But I do use my Chromebook a lot on the internet. It is probably a little difficult to attack the Chrome OS especially when using the guest account. And if somebody does attack it-just ‘powerwash’ it and keep right on going.

  12. if you believe you simply must check some pdf or other file you received in an email, have a paid email account and a chromebook. Sent the pdf to the email account and open up the file using the guest account on the chromebook. Not a lot of malware can affect an up to date chromebook. If you need to check out a website you have never been before, check it out with the chromebook first. I go to many of my website like news sites all the time using my chromebook. Even if the worst happened and malware could damage the chromebook, you can simply rerset the chromebook or get a new chromebook. And at leasr malware will not be on your Windows or Apple computers.

  13. The motherboard on HP Biz?Windows 7 tower went haywire, so I bought a locally assembled tower with Windows 10 installed, and Ubuntu 20.04 as the primary (partitioned) OS. At the moment, I’m using Windows for printing and storage of my own photos. All browsers except Chrome deleted or disabled. It came with AVG free, which self-updates. I have the updates postponed until the 30th of the month. Question: is it still possible–and a good idea–to create a user account, and a separate Admin account for Windows?

  14. Geez another update what they mess up this time?! , im getting hate Microsoft because that april update ruined my system, and must send my laptop to service man for repairs.

  15. Yeah, you better check askwoody.com before installing ANY update or patch; this month’s .NET patch can wreck your ESU license, among other unpleasantness.

  16. Patched and updated. No problems.

  17. The real story is that this “zero day” flaw was covered up by Microsoft, as they and the NSA used it to capture all of the data of all Americans forced home because of the corona pandemic. Perfect time to stress test and capture base data for algorithm training their new cloud AI for the military. And they can power on your wireless card, reflash its firmware. Dig into your windows tasks and privs and settings. Also, government just made it legal for fbi to view your internet history without a warrant. All on Tuesday

  18. pyramidsconsultants

    Wow, great article. Thanks for that! Keep up the great writing! pyramids

Leave a comment