Patch Tuesday (March 2020): Microsoft Releases 115 Security Updates, The Biggest Batch Ever Launched
Why you should deploy them ASAP | Update: The SMBv3 vulnerability has now been fixed.
Microsoft has released security updates that include 115 unique fixes for Windows, Edge, IE, Exchange Server, Office, Azure, Visual Studio, and Dynamics. Out of the 115 bug fixes, 26 are categorized as critical. If your company is running on Microsoft Windows, please take a few minutes to read this article and apply your patches as early as possible.
Microsoft’s March 2020 Patch Tuesday, the biggest in the company’s history
Earlier this week, Microsoft released its security updates, the monthly event also commonly known as Patch Tuesday. This time, they offered patches for 115 vulnerabilities, which turned this month’s batch of updates into the biggest in Microsoft’s history.
26 of those updates have been rated as critical, which means that they could be exploited by cybercriminals since they allow remote control over vulnerable endpoints, without the need for user intervention.
Fortunately, there seem to be no zero-day bugs to address. Still, there are some Windows vulnerabilities that should be taken into consideration, as Brian Krebs explains on his blog. Below are some examples of the current vulnerabilities:
- Microsoft Word (CVE-2020-0852). This vulnerability has the potential to be exploited to execute malicious code on a Windows system, simply by making the target load an email that contains a document in the Microsoft Outlook preview pane. CVE-2020-0852 is only one of the four Windows remote execution bugs found in versions of Word this month.
- Application Inspector (CVE-2020-0872). Another vulnerability patched this month lies in a new component (called Application Inspector) that Microsoft introduced this year, a source code analyzer intended to support Windows developers in detecting certain risky features of open source applications (such as the use of encryption, connections made to a remote party, etc.).
- LNK Remote Code Execution Vulnerability (CVE-2020-0684). According to ZDNet, CVE-2020-0684 is the most likely to be targeted by attackers. This vulnerability could allow remote code execution if a .LNK file is processed. Basically, an intruder that abused this flaw could gain the same access privileges as the local user. This security update fixes this vulnerability by correcting the processing of shortcut LNK references.
“Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” said Microsoft.
One of my colleagues has explained why removing admin rights closes critical vulnerabilities in your organization, so make sure you also read her article for more details on this topic.
The official Microsoft Security Update Guide repository lists all the fixes that are now available, so feel free to check it out.
SMBv3 vulnerability has no fix at this time
Microsoft has also published details around a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles some requests.
The vulnerability exists only in a new feature that was added to Windows 10, version 1903. Older versions of Windows are not affected.
In short, cyber attackers who manage to exploit it could be able to execute code on the targeted SMB Server or SMB Client. No active exploitation in the wild is known at this time. However, cybersecurity experts are concerned that this vulnerability could lead to exploits like EternalBlue, which was used in the WannaCry Ransomware attacks back in 2017.
“To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it,” explains Microsoft.
There are no updates currently available. However, I will edit this article as soon as a patch is released.
Until then, you may want to take a look at the workaround below suggested by Microsoft.
The steps proposed will not correct the vulnerability, but they will help you block the attack vectors until the update becomes available. Even if you set up this workaround, it is still strongly recommended that you apply the update shortly after it is released.
So, here is how you can protect your network from the SMBv3 vulnerability:
Disable SMBv3 compression
With the PowerShell command below, you can disable compression to block unauthorized intruders from exploiting the vulnerability against an SMBv3 Server:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
No reboot will be needed after you make the change. Please note that this workaround does not prevent the exploitation of SMB clients. So, to protect clients, you should follow Microsoft’s guidelines to prevent SMB traffic from lateral connections and entering or leaving the network.
Below you can find the PowerShell command which disables the workaround (no reboot needed):
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force
Block TCP port 445 at the enterprise perimeter firewall
“TCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter.”
Later edit
Microsoft has released a patch that addresses the critical vulnerability in SMBv3. The fix is available as KB4551762, the update for Windows 10 (versions 1903 and 1909) and Windows Server 2019 (versions 1903 and 1909). Heimdal recommends you install this patch immediately.
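To check where a given machine stands after the workaround and the patch described above, here is an added PowerShell example (not code from Microsoft or from the original article). The registry path, the DisableCompression value and KB4551762 are taken from the text above; the function name Get-SmbCompressionStatus, the state labels and the ReleaseId lookup are assumptions made for this example.

```powershell
# Added example (not from Microsoft or the article's author): audit one host.
# The LanmanServer path, DisableCompression and KB4551762 come from the article;
# the function name, state labels and the ReleaseId lookup are assumptions.
$SmbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$FixKb     = 'KB4551762'
$Listed    = @('1903', '1909')   # versions the article names for the fix

function Get-SmbCompressionStatus {
    # ReleaseId holds the Windows version string, for example "1903".
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $release = $cv.ReleaseId

    # A missing DisableCompression value means the workaround was never applied.
    $reg = Get-ItemProperty -Path $SmbParams -Name DisableCompression -ErrorAction SilentlyContinue
    $workaround = ($null -ne $reg) -and ($reg.DisableCompression -eq 1)

    # Get-HotFix matches the update only under its own ID. A later cumulative
    # update that replaced it will not match, so treat a negative as "verify manually".
    $kbListed = [bool](Get-HotFix -Id $FixKb -ErrorAction SilentlyContinue)

    if ($Listed -notcontains $release) { $state = 'VersionNotListed' }
    elseif ($kbListed)                 { $state = 'Patched' }
    elseif ($workaround)               { $state = 'WorkaroundOnly' }
    else                               { $state = 'NoFixNoWorkaround' }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        ReleaseId          = $release
        DisableCompression = $workaround
        KbListed           = $kbListed
        State              = $state
    }
}

Get-SmbCompressionStatus | Format-List
```

A WorkaroundOnly result covers the SMB server role only; as noted above, the registry setting does not protect SMB clients.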
Bottom Line
Here at Heimdal, we always strongly encourage both home users and companies to leave no patches behind. And since we completely understand this practice can easily become a hassle, we’ve created Heimdal Patch & Asset Management, the automated patch management tool that helps you remotely deploy Windows and 3rd party software updates.
I would also like to emphasize that being able to apply updates to your remote users’ endpoints has become critical, especially now, in the wake of the Coronavirus pandemic. As we are supporters of this ongoing work-from-home movement, we offer an extended 3-month trial to anyone who is interested in trying out our remote patch management solution. Get in touch today at sales.inquiries@heimdalsecurity.com and get your complimentary licenses.