May 2020 Patch Tuesday forecast: Time for a break?

It’s been a hectic month for everyone worldwide, but we may get a small break in the action this Patch Tuesday. The forecast for May is looking light on updates, which will be a relief to many IT professionals busy dealing with increasing threats and the challenges of remote system management.


COVID-19 exploitation

Threat actor activity around COVID-19 exploitation increased dramatically in April. The US Department of Homeland Security and the UK National Cyber Security Centre issued a joint advisory in early April, warning about this increasing activity. This advisory provides a detailed summary of several attacks and valuable links to actions you can take for mitigation.

The number of reported COVID-themed attacks, particularly phishing, has risen more than 475 percent according to this blog from Bitdefender Labs, and that was in March. Coupled with this rising threat is the challenge of managing a now-dispersed workforce on previously unused remote and BYOD devices, resulting in a higher risk of a security breach.

IT departments are stretched to the limit ‘keeping the lights on’ for many businesses, and they have little time to deal with the added complexities of deploying regular security updates to these devices.


Oracle released their Critical Patch Updates (CPU) last month, which happened to coincide with April Patch Tuesday (it is usually the week after). They had 399 updates across their entire product line. These included updates for Java 7, 8, 11, and 14. A total of 15 vulnerabilities were addressed, with CVE-2020-2803 having the highest base CVSS 3.0 score at 8.3.

If you are running the Java JRE in your environment, please update your 7 or 8 versions. If you are developing applications with Java, get the latest 11 or 14 updates to ensure these vulnerabilities are addressed. The next Oracle CPU is scheduled for July.


One break last month came from Microsoft when they delayed the end-of-support date for the Enterprise and Education versions of Windows 10 1709 to October 13, 2020 and the SharePoint 2010 Family – SharePoint Foundation 2010, SharePoint Server 2010, and Project Server 2010 – to April 13, 2021. There was a sigh of relief from a few people.

Also last month, Microsoft addressed 113 CVEs in the Patch Tuesday release, which included fixes to font vulnerabilities CVE-2020-1020 and CVE-2020-0938 associated with Advisory 20006. With record numbers of CVEs being fixed each month and the growing threat actor activity, it is more important than ever to keep your systems up to date with these latest releases.

May 2020 Patch Tuesday forecast

  • Microsoft should release a .NET update this month in addition to the usual OS and application set. We’ll see if the high number of resolved CVEs continues.
  • Expect new servicing stack updates (SSUs) for select operating systems this month; most have been getting periodic updates.
  • The Extended Security Updates (ESUs) for Windows 7 and Server 2008/2008 R2 should be released on Patch Tuesday as usual. Also be aware that Microsoft released an updated licensing preparation package this week under KB 4538483.
  • We should see Windows 10 2004, the May release as it is being called, either next Tuesday or soon thereafter.
  • Google released a security update for Chrome 81 this week.
  • Similarly, Mozilla provided security updates this week for Firefox 76, Firefox ESR 68, and Thunderbird 68.
  • The last security updates for Adobe Acrobat and Reader were in March; we may see an update this month, but Adobe has been releasing major security updates quarterly, so this is more likely to occur in June.

The adage says we should soon see May flowers. With most of the third-party vendors releasing their security updates this week, we should have a light Patch Tuesday coming. Take some time and smell those roses. After this past month we’ve all earned it.