The first Patch Tuesday of the decade has arrived with a bang. There’s been a lot of buzz regarding essential updates that were set to be released this January, and sure enough, the vendors have delivered! We’ve consolidated all the important fixes and more so that you can get off to a great start in diligently patching and safeguarding your systems this year. Before getting into the gritty details, here’s a quick overview of Patch Tuesday.
What is Patch Tuesday?
Microsoft regularly releases security and non-security updates to address vulnerabilities in its software, as well as upgrades for its applications and operating systems (OSs). Patch Tuesday is the specific day that all the relevant updates for Windows OS and other components and applications are officially posted on the Microsoft Bulletin.
When is Patch Tuesday?
Patch Tuesday is so named because it falls on the second Tuesday of every month. Microsoft released the first Patch Tuesday updates in October 2003 and has faithfully upheld this tradition ever since.
Highlights of Patch Tuesday January 2020
The first Patch Tuesday of the year comes with fixes for 50 vulnerabilities. Out of these, 8 are rated Critical and 41 are rated Important.
Patch for the vulnerability in CRYPT32.DLL rated Important
The much-anticipated patch for the spoofing vulnerability in the user-mode cryptographic library CRYPT32.DLL, which affects Windows 10 machines, has been rated Important as it has not been used in active cyberattacks yet. The CVE ID of this vulnerability is CVE-2020-0601. If unpatched, this vulnerability could allow attackers to create a code-signing certificate, making a malicious executable look like it’s from a trusted source. This could easily pave the way for ransomware and malware being trusted and installed on endpoints.
Vulnerabilities in Remote Desktop Protocol (RDP) software patched
In keeping with trends of vulnerabilities in RDP-related software, this Patch Tuesday also fixes five vulnerabilities in Remote Desktop Gateway Server, Remote Desktop Client, and Remote Desktop Web Access. The CVE IDs are as follows: CVE-2020-0609, CVE-2020-0610, CVE-2020-0611, CVE-2020-0612, and CVE-2020-0637.
Patch Tuesday updates for Microsoft products
Microsoft Patch Tuesday January 2020 includes updates for many Microsoft products and components, and updates for third-party software have been released as well.
The release includes security updates for the following software:
- Microsoft Windows
- Internet Explorer
- Microsoft Office
- Microsoft Office Services and Web Apps
- ASP.NET Core
- .NET Core
- .NET Framework
- OneDrive for Android
- Microsoft Dynamics
The third-party updates that have been released cover:
- Git 2.25.0
- Seafile 7.0.5
- Aimp 4.60.2170
- TeXstudio 2.12.20
- PDF24 Creator 9.0.2
- Geneious Prime 2020.0.5
- Wise Folder Hider 4.3.2
- Personal Backup 6.1.0
- MySQL Workbench CE 8.0.19
- Cerberus FTP Server 11.0.6
- Google Drive 3.48.8668.1933
- MySQL Connector/C++ 8.0.19
- MySQL Connector/ODBC 8.0.19
- MySQL Connector/NET 8.0.19
- Adobe Flash Player PPAPI 220.127.116.114
- Adobe Flash Player Plugin 18.104.22.1684
- Adobe Flash Player ActiveX 22.214.171.1244
- KeePass Password Safe Classic Edition 1.38
- Java 8 Update 241
- Java SE Development Kit (x64) (13.0.2)
- Java SE Development Kit (x64) (11.0.6)
- Java SE Development Kit 8 Update 241
- Simply Fortran 3.8
As widely publicized, this will be the last Patch Tuesday with free updates for Windows 7, Windows Server 2008, and Windows Server 2008 R2. Windows 7 is hitting its end of life, so it’s crucial to either upgrade to Windows 10 or purchase Extended Security Updates from Microsoft.
Best practices to handle Microsoft Patch Tuesday updates for January 2020
Patching and updating all your endpoints might seem like an impossible task, but there are best practices you can follow to streamline the patching process:
- Prioritize patching for Critical vulnerabilities first. The eight Critical vulnerabilities this Patch Tuesday are CVE-2020-0603, CVE-2020-0605, CVE-2020-0606, CVE-2020-0609, CVE-2020-0610, CVE-2020-0611, CVE-2020-0640, and CVE-2020-0646.
- Automate all other Important and Moderate updates after that.
- Schedule updates to go out during non-business hours for optimal user convenience and conservation of bandwidth.
- Create a test group to verify the stability of Patch Tuesday updates before mass deployment to systems and servers in your network.
- Decline less critical updates and dispatch them only after the important issues have been addressed.
- Postpone or schedule reboots for critical machines and servers.
- Run patch reports to ensure network endpoints are up-to-date with the latest patches.
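The rollout order these practices describe can be sketched as a small planner. This is an added example, not part of the original article or any ManageEngine product: the host inventory, the 22:00 maintenance window and the one-day test soak are assumptions, while the CVE severities are the ones listed above.

```python
from datetime import date, datetime, time, timedelta

# Severities from the article: the eight Critical CVEs plus CVE-2020-0601 (Important).
CRITICAL = ["CVE-2020-0603", "CVE-2020-0605", "CVE-2020-0606", "CVE-2020-0609",
            "CVE-2020-0610", "CVE-2020-0611", "CVE-2020-0640", "CVE-2020-0646"]
SEVERITY = {cve: "Critical" for cve in CRITICAL}
SEVERITY["CVE-2020-0601"] = "Important"
RANK = {"Critical": 0, "Important": 1, "Moderate": 2}

# Assumed policy values (not from the article).
WINDOW_START = time(22, 0)   # nightly maintenance window, outside business hours
SOAK = timedelta(days=1)     # the test group runs a patch this long before mass rollout

def patch_tuesday(year, month):
    """Second Tuesday of the given month."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(1 - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)

def next_window(after):
    """First maintenance-window start at or after `after`."""
    start = datetime.combine(after.date(), WINDOW_START)
    return start if start >= after else start + timedelta(days=1)

def plan(hosts, released):
    """Return (when, host, cve, reboot) rows: test group first, Critical first."""
    test_at = next_window(released)
    prod_at = next_window(test_at + SOAK)
    rows = []
    for host in hosts:
        when = test_at if host["ring"] == "test" else prod_at
        # Reboots on critical servers are postponed instead of forced in-window.
        reboot = "deferred" if host.get("critical_server") else "in-window"
        rows += [(when, host["name"], cve, reboot) for cve in SEVERITY]
    return sorted(rows, key=lambda r: (r[0], RANK[SEVERITY[r[2]]], r[1], r[2]))

# Constructed inventory for illustration only.
HOSTS = [{"name": "ws-lab-01", "ring": "test"},
         {"name": "ws-fin-07", "ring": "prod"},
         {"name": "rdgw-01", "ring": "prod", "critical_server": True}]

if __name__ == "__main__":
    released = datetime.combine(patch_tuesday(2020, 1), time(18, 0))
    for when, host, cve, reboot in plan(HOSTS, released):
        print(when, host, cve, SEVERITY[cve], "reboot:", reboot)
```

The sorted output doubles as a patch report skeleton: any row whose scheduled time has passed without a matching install record is an endpoint to follow up on.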
Still think patching is a complex process? Don’t worry, we’ve got it sorted out for you.
ManageEngine offers two solutions that help you automate all the best practices mentioned above from one central console: Desktop Central and Patch Manager Plus. You can try both solutions free for 30 days and keep more than 750 applications up-to-date, including over 300 third-party applications.
** Optrics Inc. is an Authorized ManageEngine partner