April 2020 Patch Tuesday forecast: Uncertainty reigns, but patching endures through pandemic
I should have reserved the title from last month’s article – Let’s put the madness behind us for this month. Of course, it has a completely different meaning now in the wake of the COVID-19 pandemic chaos. The biggest change and challenge for most of us is managing and securing an IT environment while working from home.
Extending the edge of the corporate network through VPNs has taxed many environments, placing greater reliance on collaboration and communication tools. And with that, vulnerabilities have surfaced, and in some cases, exploitation has occurred. Let’s look at some important events since last patch Tuesday.
The cyber threat of COVID-19
COVID-19 has been not only a threat in a physical sense, but also generated one of the larger cybersecurity threats in recent memory. Attackers have built on the public’s need for the latest, global COVID-19 information by creating widespread phishing attacks. These phishing attacks often contain downloaders which exploit known vulnerabilities.
Many of these attacks are posing as the World Health Organization, National Institutes of Health, or other trusted sources for information. During this crisis it remains a priority to make employees aware of these attacks and to continue to apply the software updates needed to protect your systems.
Attacks on collaboration software
I mentioned recent attacks on collaboration software, with Zoom unfortunately being the leader in the news. Several vulnerabilities concerning passwords and privilege escalation have been discovered in this widely used application, and the overall security of the product has been questioned by many.
Attackers have been able to interrupt live sessions. In this time of working from home, the need for regular interaction to accomplish our jobs is more important than ever, and we need to trust the tools we are using. Zoom has been responding rapidly, providing updates to combat this recent wave of attacks.
Windows SMBv3 vulnerability
Two days after March Patch Tuesday Microsoft released an update for the Windows SMBv3 vulnerability associated with CVE-2020-0796.
This vulnerability exists in Windows 10 1903 and 1909 and garnered a lot of attention because it received the highest Common Vulnerability Scoring System (CVSS) score of 10. It does not require user authentication and could be used to propagate a worm. Please make sure you’ve applied this update.
Windows 10
Microsoft delayed the end-of-support date for the Enterprise and Education versions of Windows 10 1709 from April 14 until October 13. Per Microsoft, this will remove at least one burden for those who were in the process of updating to a new edition. Of course, this means that both Windows 10 1709 and 1803 will reach end-of-support within a month of each other – 1803 ends November 10 so plan accordingly!
While on the subject of Windows 10, the release of Windows 10 2004 may be happening soon and there is cause for concern with so many people working from home. There is no control over the update being applied on a system running Home edition, so for employees, or their children doing schoolwork, this update could be very disruptive. Watch for more information from Microsoft and let your employees know what to expect.
The IT world is changing rapidly and as we’ve seen with Zoom, Microsoft and others, both policies and patch releases are being adapted to address the situation. The entire work-from-home scenario is forcing vendors to continuously assess the security state of their applications, so I anticipate we will see more releases addressing a smaller number of vulnerabilities as they are discovered and fixed.
April 2020 Patch Tuesday forecast
- Microsoft should provide their regular updates across the board for the latest Windows 10 workstations and servers as well as the usual applications, i.e. Office, SharePoint, etc. Be on the lookout for a fix to the font vulnerability reported in Advisory 20006, Type 1 Font Parsing Remote Code Execution Vulnerability.
- Mozilla provided security updates this week for Firefox, Firefox ESR and Thunderbird. We may not see anything from them next week.
- Likewise, Google released a security update for Chrome this week, so I don’t expect to see anything on Patch Tuesday.
- There are no pre-announcements for Adobe Acrobat, Reader, or Flash but I wouldn’t rule out an update next week.
We should have a smaller set of updates than usual released next week. But with the rising number of attacks coupled with the chaos surrounding the COVID-19 pandemic, it is more important than ever to protect our work-from-home employees. Once again, patch endures.