Microsoft Patch Tuesday, May 2020 Edition – Krebs on Security




Microsoft today issued software updates to plug at least 111 security holes in Windows and Windows-based programs. None of the vulnerabilities were labeled as publicly exploited or detailed before today, but as always, if you are running Windows on any of your machines, it is time once again to prepare to get your patches on.

May marks the third consecutive month that Microsoft has pushed out fixes for more than 110 security flaws in its operating system and related software. At least 16 of the bugs are labeled “Critical,” meaning that attackers can exploit them to install malware or seize remote control over vulnerable systems with little or no help from users.

But focusing solely on Microsoft’s severity ratings can obscure the seriousness of the flaws being addressed this month. Todd Schell, senior product manager at security vendor Ivanti, notes that if you look at the “exploitability assessment” tied to each patch, that is, how likely Microsoft considers it that each flaw can and will be exploited for nefarious purposes, it makes sense to pay just as much attention to the vulnerabilities that Microsoft has labeled with the lesser severity rating of “Important.”

Virtually all of the non-critical flaws in this month’s batch earned Microsoft’s “Important” rating.

“What is interesting and often overlooked is seven out of ten [fixes] with higher risk of exploitation are only rated as Important,” Schell said. “It is not uncommon to consider critical vulnerabilities as the most concerning, but many of the vulnerabilities that do end up being exploited are classified as Important versus Critical.”

For example, Satnam Narang of Tenable points out that two remote code execution flaws in Microsoft Color Management (CVE-2020-1117) and Windows Media Foundation (CVE-2020-1126) could be exploited by tricking a user into opening a malicious email attachment or visiting a website that contains code designed to exploit the vulnerabilities. However, Microsoft rates these vulnerabilities as “Exploitation Less Likely” according to its Exploitability Index.

In contrast, three elevation of privilege vulnerabilities that received an “Exploitation More Likely” rating were also patched, Narang notes. These include a pair of “Important” flaws in Win32k (CVE-2020-1054, CVE-2020-1143) and one in the Windows Graphics Component (CVE-2020-1135). Attackers use elevation of privilege vulnerabilities once they have already gained access to a system, in order to execute code on the target with elevated privileges. There are at least 56 of these types of fixes in the May release.

Schell says that if your organization’s plan for prioritizing this month’s patch deployment stops at vendor severity, or even at CVSS scores above a certain level, you may want to reassess your metrics.

“Look for other risk metrics like Public Disclosure, Exploitation (obviously) and Exploitability Assessment (Microsoft-specific) to broaden your prioritization process,” he advised.
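To make Schell’s point concrete, here is an added example (not code from the post, Ivanti or Microsoft) that ranks a constructed list of this month’s advisories by the signals he names, with severity used only as a tie-breaker. The advisory fields and the Exploitability Index labels are assumptions modelled on Microsoft’s advisory format; the CVEs and ratings are the ones the post cites.

```python
from dataclasses import dataclass

# Microsoft Exploitability Index labels, highest risk first (assumed mapping).
EXPLOITABILITY_RANK = {
    "Exploitation Detected": 3,
    "Exploitation More Likely": 2,
    "Exploitation Less Likely": 1,
    "Exploitation Unlikely": 0,
}
SEVERITY_RANK = {"Critical": 2, "Important": 1, "Moderate": 0, "Low": 0}


@dataclass(frozen=True)
class Advisory:
    cve: str
    component: str
    severity: str            # Microsoft severity rating
    exploitability: str      # Exploitability Index label
    exploited: bool = False  # "Exploited" flag on the advisory
    disclosed: bool = False  # "Publicly Disclosed" flag


def risk_key(a: Advisory) -> tuple:
    # Confirmed exploitation and public disclosure outrank everything,
    # then the exploitability assessment, and only then vendor severity.
    return (a.exploited, a.disclosed,
            EXPLOITABILITY_RANK[a.exploitability], SEVERITY_RANK[a.severity])


def risk_order(advisories):
    # sorted() is stable, so ties keep the order in which they were listed.
    return [a.cve for a in sorted(advisories, key=risk_key, reverse=True)]


def severity_only_order(advisories):
    # The ordering a severity-only plan would produce, for comparison.
    return [a.cve for a in sorted(advisories, key=lambda a: SEVERITY_RANK[a.severity], reverse=True)]


# Constructed sample: the five CVEs named in the post and their stated ratings.
# None were exploited or publicly disclosed before release, so both flags stay False.
MAY_2020_SAMPLE = [
    Advisory("CVE-2020-1117", "Microsoft Color Management", "Critical", "Exploitation Less Likely"),
    Advisory("CVE-2020-1126", "Windows Media Foundation", "Critical", "Exploitation Less Likely"),
    Advisory("CVE-2020-1054", "Win32k", "Important", "Exploitation More Likely"),
    Advisory("CVE-2020-1143", "Win32k", "Important", "Exploitation More Likely"),
    Advisory("CVE-2020-1135", "Windows Graphics Component", "Important", "Exploitation More Likely"),
]

if __name__ == "__main__":
    print("severity only:", severity_only_order(MAY_2020_SAMPLE))
    print("risk metrics :", risk_order(MAY_2020_SAMPLE))
```

The severity-only ordering puts the two Critical flaws first; the risk-metric ordering moves the three “Exploitation More Likely” Important flaws ahead of them.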

As it usually does each month on Patch Tuesday, Adobe has also released updates for some of its products. An update for Adobe Acrobat and Reader covers two dozen critical and important vulnerabilities. There are no security fixes for Adobe Flash Player in this month’s release.

Just a friendly reminder that while many of the vulnerabilities fixed in today’s Microsoft patch batch affect Windows 7 operating systems, including all three zero-day flaws, this operating system is no longer supported with security updates (unless you are an enterprise taking advantage of Microsoft’s paid Extended Security Updates program, which is available to Windows 7 Professional and Windows 7 Enterprise users).

If you rely on Windows 7 for everyday use, it’s time to think about upgrading to something newer. That something could be a PC with Windows 10. Or maybe you’ve always wanted that shiny macOS computer.

If cost is a primary motivator and the user you have in mind doesn’t do much with the system other than browsing the Web, perhaps a Chromebook or an older machine with a recent version of Linux is the answer (Ubuntu may be easiest for non-Linux natives). Whichever system you choose, it is important to pick one that meets the owner’s needs and provides security updates on an ongoing basis.

Keep in mind that while staying up to date on Windows patches is a must, be sure to update only after you have backed up your important data and files. A reliable backup means that you are not losing your mind when the occasional buggy patch causes problems booting the system.

So back up your files before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete, bootable copy of your hard drive all at once.

And if you want to make sure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there is a better-than-even chance that other readers have experienced the same thing and can chime in here with some helpful advice. Also, keep an eye on Woody Leonhard’s AskWoody blog, which keeps a close watch on buggy Microsoft updates each month.

Further reading:

SANS Internet Storm Center breakdown by vulnerability and severity

Microsoft security update catalog

BleepingComputer on Patch Tuesday May 2020

Tags: adobe acrobat, adobe reader, CVE-2020-1054, CVE-2020-1117, CVE-2020-1126, CVE-2020-1135, CVE-2020-1143, Flash Player, Ivanti, Satnam Narang, Tenable, Todd Schell

This entry was posted on Tuesday, May 12, 2020 at 5:16 p.m. and is filed under Latest Warnings, Time to Patch.
