icetray - Fotolia
Just when things couldn't get worse, the hits keep on coming for Windows administrators.
At a time when the coronavirus pandemic is straining resources and stretching administrators' nerves, the next avalanche of security updates landed on April Patch Tuesday. Microsoft delivered fixes for 113 vulnerabilities, including three zero-days with varying levels of severity on both supported and unsupported Windows systems. The total number of vulnerabilities repaired this month was just two shy of March's epic release.
Out of the 113 bugs repaired on April Patch Tuesday, 19 are rated critical. Microsoft products that received fixes include Windows, both Edge browsers (HTML- and Chromium-based), Internet Explorer, ChakraCore, Microsoft Office and Microsoft Office Services and Web Apps, Windows Defender, Visual Studio, Microsoft Dynamics, and Microsoft Apps for Android and Mac systems.
The heightened urgency to patch quickly due to multiple zero-days will test the mettle of administrators, many of whom have been working tirelessly to help users work remotely with little time to prepare.
"That's a nice recipe for disaster," said Chris Goettl, director of product management and security at Ivanti, a security and IT management vendor based in South Jordan, Utah.
He noted that all the zero-days affect the Windows 7 and Server 2008/2008 R2 OSes, which all reached end-of-life in January but have patches available for customers that can afford to subscribe to the Extended Security Updates program. Goettl said he noticed a pattern with this crop of Microsoft updates.
"It looks like the [zero-day] exploits are happening, in most of these cases, on the older platforms. So it's very likely these are targeting Windows 7 and Server 2008 platforms, especially trying to take advantage of people's inability to patch," he said.
Three zero-days affect Windows systems
Two bugs (CVE-2020-0938 and CVE-2020-1020) in the Adobe Font Manager Library affect all supported Windows OSes on both the client and server side, leaving unpatched systems vulnerable to remote code execution attacks. A user could trigger the exploit several ways, including opening a malicious file or examining a document via the File Explorer preview pane.
Windows 10 systems have built-in protections that would limit the attacker to the AppContainer sandbox where they would not be able to do much damage, Goettl noted.
The other zero-day (CVE-2020-1027) is an elevation-of-privilege vulnerability in the Windows kernel rated important that affects all supported Windows versions. To take advantage of the flaw, the attacker would need local credentials to run a malicious file. The patch changes how the Windows kernel handles objects in memory.
Other noteworthy April Patch Tuesday fixes
Initially reported by Microsoft as another zero-day but revised shortly thereafter, CVE-2020-0968 describes a remote code execution flaw in the Internet Explorer scripting engine. The bug is rated critical for Windows client systems and moderate for Windows Server OSes due to built-in protections.
The attacker can target a user a few different ways -- through a website with user-contributed ads or content or via a document specially crafted with the IE scripting engine and using ActiveX to run malicious code -- but the damage is limited to the privilege level of the user of the unpatched system.
"This one is able to be mitigated if the user has less than full admin rights," Goettl said. "In those cases, [the attacker] would get full control of the box, but then they would have to exploit something else to gain full administrative access."
Hyper-V shops will want to address a remote-code flaw (CVE-2020-0910) rated critical for Windows 10 and Windows Server 2019 systems. This bug lets an attacker with credentials on a guest OS run code on the Hyper-V host.
CVE-2020-0935 is a publicly disclosed vulnerability in the OneDrive for Windows application rated important that could let an attacker run a malicious application to take control of the targeted system. OneDrive has its own updating system so customers with machines connected to the Internet should have the fix, but IT workers will need to perform manual updates on systems that have been air-gapped.
Report: Hundreds of thousands of Exchange systems remain vulnerable
Exchange Server is a notoriously complex messaging platform to manage. It's one of the most important communication tools for just about every company, which means downtime is not an option. When you combine these factors, it's no surprise that many Exchange Server systems do not get the patching attention they deserve.
Cybersecurity services company Rapid7 highlighted this issue with a recent report that shows more than 350,000 Exchange Server systems were still susceptible to a flaw that Microsoft corrected in February.
CVE-2020-0688 is a remote code execution vulnerability that only requires an attacker to have the credentials of an Exchange user account -- not even an administrator -- to overtake the Exchange Server system and possibly Active Directory.
Rapid7 claimed its researchers uncovered even more troubling news.
"There are over 31,000 Exchange 2010 servers that have not been updated since 2012. There are nearly 800 Exchange 2010 servers that have never been updated," Rapid7's Tom Sellers wrote in the blog.
Many IT workers use a staggered deployment to roll out Microsoft updates in stages as one way to limit issues with a faulty update. Many organizations can spare several Windows client and server systems for testing, but it's rare to see a similar non-production environment for an Exchange Server system.
"Exchange updates are complex and take a long time," Goettl said. "And because of the way some companies have customized their email services, Exchange can be very sensitive [to updates] as well. You can't duplicate your Exchange environment very easily."
Microsoft offers VPN help in wake of pandemic
With more remote users connected to VPN due to the coronavirus pandemic, rolling out this month's Patch Tuesday updates could slow access across the network to other resources for end users.
Most organizations were caught unprepared by the sudden surge of remote users. With enough time and money, IT could alleviate potential congestion through traffic shaping or upgraded infrastructure to increase network speeds. Other organizations can avoid problems with limited bandwidth over VPN by using a third-party patching offering or Microsoft Intune to route security updates directly from Microsoft to the end user's machine. But some organizations that use Microsoft Endpoint Configuration Manager -- formerly System Center Configuration Manager -- do not have that functionality, which limits their options.
Microsoft engineer Stefan Röll wrote a blog to help these customers with a tutorial to set up a VPN split tunnel configuration. This type of arrangement helps avoid network overload.
"Managing your [d]evices (especially security updates and software installations) is necessary and will become challenging as the majority of your work force will be connected to the corporate network via VPN. Depending on the number of clients even a couple of 100MB security updates will quickly add up to several [gigabytes] or [terabytes] that [need] to be pushed out over your VPN network. Without further consideration you can quickly overload your VPN connection causing other applications to degrade in performance or to completely fail," Röll wrote.