icetray - Fotolia

Mammoth March Patch Tuesday lands on Windows admins

Microsoft delivers corrections for 115 unique vulnerabilities, including 26 bugs rated critical in one of its largest Patch Tuesday releases in recent memory.

For the second month in a row, Microsoft doled out a hefty batch of fixes for its products on March Patch Tuesday, resolving 115 unique vulnerabilities that center mostly around the Windows OS and its various web browser applications.

This month's slate of fixes eclipsed the 99 vulnerabilities Microsoft addressed last month. All told, March Patch Tuesday corrected 26 critical vulnerabilities, 88 bugs rated important and one listed as moderate. Affected products include Windows, both the HTML-based and Chromium-based Edge browsers, the ChakraCore JavaScript engine, Internet Explorer, Exchange Server, Microsoft Office, Azure DevOps and Azure, Windows Defender, Visual Studio, Microsoft Dynamics and open source projects.

Despite the sheer number of flaws to address, administrators do not have to worry about any zero-day exploits or public disclosures this month. The other good news is most of the bugs are clustered in the Windows and browser products. Of the 115 vulnerabilities, 18 are in the browser and 79 are in the Windows OS.

Now that Microsoft packages its patches in a single monthly rollup rather than individual updates, administrators now have a simpler "all or nothing" choice with patch deployment. In the previous servicing model, which Microsoft ended in late 2016, administrators had the flexibility to choose which patches to apply to different systems. 

"The cumulative model plugs those gaps effectively, so that's the positive. There are fewer holes in the average environment because one thing people overlook is most of the exploits that are happening are in software that's months, if not years old," said Chris Goettl, director of product management and security at Ivanti, a security and IT management vendor based in South Jordan, Utah.

Chris Goettl, director of product management and security, IvantiChris Goettl

The monthly rollup contains fixes for security flaws, corrections for web browsers and quality updates. Each monthly rollup supersedes the previous month. The downside to the cumulative model is a faulty patch can disable a system, which makes administrators more likely to hold off on deployment until they can do a thorough test.

"Microsoft's cumulative model makes it more of an all-or-nothing, especially for the OS. It does force people to update it. The challenge comes into play in those cases where companies have more sensitive environments to patching where they let time be more of an element," Goettl said. 

Microsoft Outlook preview pane could be a threat launchpad

Aside from the browser and OS vulnerabilities, administrators will want to focus on a critical remote code execution vulnerability (CVE-2020-0852) in Microsoft Word which uses the Microsoft Outlook preview pane as the attack vector, Goettl said. In one scenario, an attacker could send a specially crafted document in an email to a user who, if they view the file in the Outlook preview pane, would run code at the security level of that user. 

"That [vulnerability is] a piece of low-hanging fruit for a threat actor if they can exploit the preview pane. That makes their job a lot easier," Goettl said. 

Administrators will also want to look at a moderate information disclosure vulnerability (CVE-2020-0765) in the Remote Desktop Connection Manager. There are no fixes for this bug because Microsoft no longer develops this application. Microsoft recommends users switch to a supported Microsoft Remote Desktop client version. 

In addition to the March Patch Tuesday updates, administrators should be aware that most of the supported Windows OSes on the client and server side have a servicing stack update. Microsoft does not include these with the monthly rollups and recommends installing servicing stack updates before applying the latest cumulative update. 

Vulnerability from February rears its head

Administrators of organizations that use on-premises Exchange Server for email and have a lengthy test and deploy for patching might want to pick up the pace if they haven't installed February's security updates for the messaging product. Microsoft fixed a remote-code execution bug (CVE-2020-0688) in Exchange Server in its February Patch Tuesday releases, but companies that lag in their patching efforts could find themselves in trouble if a persistent hacker finds a way to get inside their systems to launch an exploit. 

On Feb. 25, Simon Zuckerbraun, a security researcher at Trend Micro's Zero Day Initiative, posted a blog that offered deeper insights into how the vulnerability worked with an accompanying video that demonstrated how to trigger the exploit. 

"Microsoft rated this as Important in severity, likely because an attacker must first authenticate. It should be noted, however, that within an enterprise, most any user would be allowed to authenticate to the Exchange server," Zuckerbraun wrote. "Similarly, any outside attacker who compromised the device or credentials of any enterprise user would be able to proceed to take over the Exchange server. Having accomplished this, an attacker would be positioned to divulge or falsify corporate email communications at will."

The same day, another security researcher, Kevin Beaumont -- who recently joined Microsoft to work on its Microsoft Threat Protection product -- tweeted about Zuckerbraun's blog and posted updates showing an uptick in threat actors scanning for susceptible internet-facing Exchange servers. 

This has caught the attention of the U.S. government. Not only did the National Security Agency issue a warning from its Twitter account on March 6, but the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) reinforced the importance of patching in a bulletin released on March Patch Tuesday.

"Although Microsoft disclosed the vulnerability and provided software patches for the various affected products in February 2020, advanced persistent threat actors are targeting unpatched servers, according to recent open source reports," CISA wrote. 

This type of vulnerability and the groundswell of attention it picked up online shows administrators not only need to be technical experts but also social media savants to pick up what's trending online to steer their patching priorities.

"Knowing things like what's actively being exploited and keeping more continuous cycle around evaluating and resolving vulnerabilities is definitely more important nowadays," Goettl said.

Dig Deeper on IT operations and infrastructure management