Microsoft has averaged roughly 90 common vulnerabilities and exposures (CVE) fixes per month over the past five months. With everyone working from home and apparently focused on bug fixes, I expect this high CVE count to continue. Despite these record CVE numbers, the actual number of updates has been down; we haven’t seen Exchange or SQL Server updates in a while.
The hot topic of conversation over the last two weeks has been the release of out-of-band security updates for CVE-2020-1425 and CVE-2020-1427, both of which address a memory issue within the Microsoft Windows Codecs Library.
While Microsoft releases out-of-band security updates from time to time, the points of contention were that these updates were only available through the Microsoft Store and were released with very limited information. The fact that CVE-2020-1425 is rated critical, yet the fix is only available through the Store, has many people wondering why this is the case. This is an unusual release for Microsoft. Keep your eyes open on Tuesday to see if these CVEs show up in the cumulative monthly update.
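Because these fixes ship through the Microsoft Store rather than Windows Update, they do not appear in Get-HotFix output or in WSUS reporting, so the practical check is at the Appx package level. The following PowerShell script is an added example for this post, not a tool from Microsoft or from the original article: it lists the Store-delivered codec and media extension packages on a machine and flags any below a version you supply. The name pattern and the $MinimumVersion placeholder are assumptions; fill the version in from Microsoft's advisory for the CVE you are checking.

```powershell
# Added example (not from the original post): enumerate the Store-delivered
# Windows codec / media extension packages on this machine and flag any whose
# version is below a threshold taken from Microsoft's advisory.
# Assumptions: the relevant packages are those whose Appx names match $pattern,
# and $MinimumVersion is a placeholder you replace with the fixed version.
param(
    [version]$MinimumVersion = '0.0.0.0'   # placeholder: set from the advisory
)

$pattern = 'VideoExtension|ImageExtension|Codec'

# Store apps install per user profile, so -AllUsers (elevated session required)
# is needed to see packages installed for other accounts on the machine.
$packages = Get-AppxPackage -AllUsers | Where-Object { $_.Name -match $pattern }

if (-not $packages) {
    Write-Output "No matching Store codec packages found; the component may not be installed here."
    return
}

$report = foreach ($pkg in $packages) {
    $installed = [version]$pkg.Version
    [pscustomobject]@{
        Name         = $pkg.Name
        Version      = $installed
        Architecture = $pkg.Architecture
        Status       = if ($installed -ge $MinimumVersion) { 'OK' } else { 'NEEDS UPDATE' }
    }
}

$report | Sort-Object Name, Version | Format-Table -AutoSize

# Non-zero exit lets a scheduler or RMM tool treat "below threshold" as a failure.
if ($report | Where-Object Status -eq 'NEEDS UPDATE') { exit 1 }
```

Run it as `.\Check-StoreCodecs.ps1 -MinimumVersion <version from the advisory>` in an elevated PowerShell session. The same package may be listed once per user profile; that is expected, and a stale copy under any profile still counts as needing the update.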
We’ll see another set of updates for Windows 10 version 2004 and Windows Server version 2004. It’s now been over a full month since the May 27 release of this ‘new’ operating system. As with all operating system releases, you’ll want to stay on top of these updates, because a larger number of security fixes, as well as important stability updates, typically land in the first couple of months.
If you are experiencing any particular issues as you roll out this new operating system you should check out the known issues page for the latest information. You may find a fix is already available or will soon be on the way.
Continue to be diligent with your vulnerability management and system updates as we move deeper into the summer. It’s been kind of quiet in the news regarding new publicly reported exploits, but old vulnerabilities remain, and new variants of ransomware and other malicious software continue to surface, Try2Cry being a good example. Here’s what’s been released recently and what to expect next week.
July 2020 Patch Tuesday forecast
- Expect to see a larger number of Microsoft updates this month. We are due for a new set of .NET updates and, as I mentioned above, we are overdue for a SQL Server or Exchange Server update.
- Servicing stack updates (SSUs) and Extended Security Updates (ESUs) for Windows 7 and Server 2008/2008 R2 are expected in the group release as usual.
- The Oracle Critical Patch Update (CPU) aligns with Patch Tuesday once again this quarter. Don’t forget your Java update and other OpenJDK-based products such as Amazon Corretto, AdoptOpenJDK, and others, which will follow close behind.
- After the surprise Adobe Flash release last month, could we see another? Unlikely, but be on the lookout. The last major security update for Acrobat and Reader was in early May so look for a security release this week.
- Apple released their security updates for iTunes and iCloud back in late May and have been releasing roughly every other month. We may not see a release on Tuesday but be on the lookout later this month.
- Google released a security update for Chrome 84 this week.
- Mozilla provided minor security updates this week for Firefox 78, and major updates for Firefox ESR 68 and Thunderbird 68 the last week of June. We may see a minor update for these applications next week.