Patch Tuesday August 2020 fixes 120 vulnerabilities and two actively exploited zero-days

The second Tuesday of the month is upon us, and this translates to only one thing in the world of IT security: Patch Tuesday. Microsoft has released fixes to address 120 vulnerabilities, with 17 of them being Critical. With most of the workforce adopting remote work, IT admins are going to have a challenging time scheduling and installing the updates released this Patch Tuesday.

After an initial discussion about the updates released, we’ll offer our advice for devising a plan to handle patch management for remote devices.

What is Patch Tuesday?

Patch Tuesday falls on the second Tuesday of every month. It is on this day that Microsoft releases security and non-security updates for its operating system and other related applications. Since Microsoft has upheld this process of releasing updates in a periodic manner, IT admins are well-informed and have time to gear up for the new updates.

Why is Patch Tuesday important?

The most important security updates and the patches to fix critical bugs or vulnerabilities are released on Patch Tuesday. Usually zero-day vulnerabilities are also fixed during Patch Tuesday unless the vulnerability is critical and highly exploited, in which case an out-of-band security update is released to address that particular vulnerability.

Highlights of August Patch Tuesday

Security updates were released for the following lineup of products:

  • Microsoft Windows
  • Microsoft Edge (EdgeHTML-based)
  • Microsoft Edge (Chromium-based)
  • Microsoft ChakraCore
  • Internet Explorer
  • Microsoft Scripting Engine
  • SQL Server
  • Microsoft JET Database Engine
  • .NET Framework
  • ASP.NET Core
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Microsoft Windows Codecs Library
  • Microsoft Dynamics

Zero-day vulnerabilities and public disclosures

Microsoft has patched two zero-day vulnerabilities, both of which are being actively exploited and used in attacks. The CVE IDs are CVE-2020-1380 and CVE-2020-1464.

CVE-2020-1380 is a remote code execution vulnerability due to scripting engine memory corruption. This vulnerability is actively exploited in phishing campaigns.

The other publicly disclosed zero-day is CVE-2020-1464. This is a Windows spoofing vulnerability that enables hackers to bypass security features.

Critical and noteworthy updates

This Patch Tuesday comes with 17 Critical updates and 103 Important ones. Microsoft has also released one servicing stack update for Windows 10.

It is recommended to prioritize the Critical vulnerabilities and patch them first, followed by the other Important patches.

Non-security updates

Microsoft has released cumulative updates for Windows 10 that include the non-security updates KB4566782 and KB4565351.

Adobe and Chrome updates

Adobe released security updates for Acrobat and Reader today. Google Chrome also had a stable channel update, 84.0.4147.125, with 15 security fixes.

Best practices to handle patch management in the current work-from-home scenario

In the wake of COVID-19, most organizations have opted to completely shift to remote work. This decision poses various challenges to IT admins, especially in terms of managing and securing endpoints. Here are a few pointers to ease the process of remote patching.

  • Disable automatic updates, as one faulty patch might bring down the whole system. IT admins can educate end users on how to disable automatic updates on their machines. Patch Manager Plus and Desktop Central also have a dedicated patch, 105427, that can be deployed to endpoints to ensure that automatic updates are disabled.
  • Create a restore point, a backup or image that captures the state of the machines, before deploying big updates like those from Patch Tuesday.
  • Establish a patching schedule and keep end users informed about it. It is recommended to set up a time for deploying patches and rebooting systems. Let end users know what has to be done from their end—for instance, that they need to connect to the VPN for three hours from 6pm to 9pm.
  • Test the patches on a pilot group of systems before deploying them to the production environment. This will ensure that the patches do not interfere with the workings of other applications.
  • Since most users are working from home, they might not adhere to strict timings; therefore, allow end users to skip deployment and scheduled reboots. This will give them the liberty to install updates at their convenience, thereby not disrupting their work. Our patch management products come with options for user-defined deployment and reboot.
  • Most organizations are patching using a VPN. To stop patch tasks from eating up your VPN bandwidth, install Critical and security updates first. You might want to hold off on deploying feature packs and cumulative updates, as they are bulky updates and consume too much bandwidth.
  • Schedule the non-security updates, as well as security updates that are not rated Critical, to be deployed after Patch Tuesday, such as during the third or fourth week of the month. You can also choose to decline certain updates if you feel they are not required in your environment.
  • Run patch reports to get a detailed view of the health status of your endpoints.
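
The scheduling advice in the list above, as an added example that is not part of the original article or of Desktop Central or Patch Manager Plus: it computes Patch Tuesday for a given month and assigns each pending update a pilot date and a production date. The two-day pilot period, the wave names, the choice of Patch Tuesday plus seven days for the third week, and the EXAMPLE-* update IDs are assumptions made for illustration.

```python
from datetime import date, timedelta

PILOT_SOAK_DAYS = 2  # assumption: days a patch runs on the pilot group before production

def patch_tuesday(year, month):
    """Return the second Tuesday of the given month."""
    first = date(year, month, 1)
    to_first_tuesday = (1 - first.weekday()) % 7  # weekday(): Monday=0, Tuesday=1
    return first + timedelta(days=to_first_tuesday + 7)

def plan_deployment(updates, year, month, declined=()):
    """Assign each update a wave, a pilot date and a production date."""
    pt = patch_tuesday(year, month)
    plan = []
    for u in updates:
        if u["id"] in declined:
            continue  # declined: not required in this environment
        if u["kind"] in ("feature", "cumulative"):
            # Bulky updates are held back to spare VPN bandwidth.
            wave, pilot, prod = "hold", None, None
        elif u["kind"] == "security" and u["severity"] == "Critical":
            # Critical security updates go out first, pilot group before production.
            wave, pilot = "critical-first", pt
            prod = pilot + timedelta(days=PILOT_SOAK_DAYS)
        else:
            # Non-security and non-Critical security updates wait for the third week.
            wave, pilot = "deferred", pt + timedelta(days=7)
            prod = pilot + timedelta(days=PILOT_SOAK_DAYS)
        plan.append({"id": u["id"], "wave": wave, "pilot": pilot, "production": prod})
    order = {"critical-first": 0, "deferred": 1, "hold": 2}
    plan.sort(key=lambda p: order[p["wave"]])  # stable: input order kept within a wave
    return plan

# Constructed sample input. KB4566782 is the cumulative update named in the article;
# the EXAMPLE-* entries are placeholders, not real update IDs.
SAMPLE_UPDATES = [
    {"id": "KB4566782", "kind": "cumulative", "severity": None},
    {"id": "EXAMPLE-IMPORTANT-1", "kind": "security", "severity": "Important"},
    {"id": "EXAMPLE-CRITICAL-1", "kind": "security", "severity": "Critical"},
    {"id": "EXAMPLE-NONSEC-1", "kind": "non-security", "severity": None},
    {"id": "EXAMPLE-NONSEC-2", "kind": "non-security", "severity": None},
]

if __name__ == "__main__":
    for row in plan_deployment(SAMPLE_UPDATES, 2020, 8, declined={"EXAMPLE-NONSEC-2"}):
        print(row["id"], row["wave"], row["pilot"], row["production"])
```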

With Desktop Central or Patch Manager Plus, you can completely automate the entire process of patch management, from testing patches to deploying them. You can also tailor the patch tasks according to your current situation. For hands-on experience with either of these products, start a 30-day free trial and keep thousands of applications patched and secure.

** Optrics Inc. is a ManageEngine partner

The original article can be found here:
