It’s that time of the month when IT admins are glued to their systems again. Why? March Patch Tuesday is here. Microsoft has patched 115 CVEs. Of these, 26 are listed as Critical, 88 as Important, and one as Moderate in severity. Here’s a quick overview of Patch Tuesday, followed by a rundown on March Patch Tuesday 2020 releases.  

Patch Tuesday: What it is and how does it work?

Patch Tuesday, which typically falls on the second Tuesday of every month, is the day Microsoft releases patches and security updates for it’s operating systems and applications. In order to save time and make the update process simple and predictable for admins, Microsoft bundles smaller fixes into a larger update and rolls that out on Patch Tuesday. This helps IT professionals to make plans to test and streamline their patch deployment.  

March Patch Tuesday lineup

The March 2020 Patch Tuesday release consists of security updates for:

  • Microsoft Windows

  • Microsoft Edge (both HTML and Chromium based)

  • ChakraCore

  • Internet Explorer

  • Microsoft Exchange Server

  • Microsoft Office and Microsoft Office Services and Web Apps

  • Azure DevOps

  • Windows Defender

  • Visual Studio

  • Open Source Software

  • Azure

  • Microsoft Dynamics

Updates worth noting

Of the 26 critical vulnerabilities fixed in March Patch Tuesday, 17 are for browser and scripting engines, four are for Media Foundation, two are for GDI+, and the remaining three are for the LNK file extension (affecting all LNK files), Microsoft Word, and Dynamics Business. Microsoft also issued patches for Remote Code Execution (RCE) vulnerabilities in Microsoft Word (CVE-2020-0852), Application Inspector (CVE-2020-0872), and Dynamics 365 Business Central ( CVE-2020-0905). 

Zero-days and public disclosures

Fortunately, there’s no trace of publicly known or actively exploited bugs this month. Phew, what a relief! Looks like March Patch Tuesday has been a huge respite after the madness of February 2020 Patch Tuesday that brought with it botched updates and zero-day Internet Explorer (IE) patches.

Third-party releases:

This month’s release includes two advisories from Mozilla, one for Firefox 74 and one for Firefox ESR 68.6, with six CVEs rated as high. Here’s a detailed list of all the CVEs affecting Mozilla Firefox. Oddly, tech giant Adobe has no releases for March Patch Tuesday. Most likely, we can expect Adobe patches to be released sometime in the middle of March.

Servicing Stack Updates

Once again, Microsoft has pushed Servicing Stack Updates (SSUs) for all supported versions of Windows. What are SSUs? They’re updates to the update component of Windows, and you need them to push the latest security updates. Microsoft marks SSUs as critical, yet they don’t resolve vulnerabilities.

Generally, Microsoft releases SSUs a couple of months before they begin releasing security updates that require the latest SSU, but you’re better off testing and pushing SSUs to your systems as soon as possible to avoid issues with future Patch Tuesdays. For a complete list of the latest SSUs for each operating system, refer to ADV990001.

Best practices to make best use of Microsoft Patch Tuesday

Every Patch Tuesday, Microsoft announces patches for vulnerabilities, and customers aren’t the only ones tuned in to these announcements—attackers are listening, too. Knowing which vulnerabilities are out there speeds up the process of developing an exploit, making the time after Patch Tuesday releases a vulnerable time for organizations and end users alike.

This is why it’s essential to patch flaws as quickly as possible. Here are some best practices you can follow to handle the March Patch Tuesday updates skillfully.

  • Subscribe to the ManageEngine PitStop to get complete details on all the CVEs patched regularly by Microsoft and third-party vendors.

  • Ensure actively exploited and publicly disclosed vulnerabilities are patched first.

  • After that, patch the Critical vulnerabilities, then the Important ones, followed by the Moderate vulnerabilities.

  • Schedule updates to go out during non-business hours to prevent disruption of user productivity.

  • Look out for security updates released outside of Patch Tuesday, as they are often fixes for critical vulnerabilities.

  • Test! Test! Test! Untested patches can break or introduce unprecedented issues when deployed. We highly recommend testing all patches to verify the stability of Patch Tuesday updates before rolling them out to production machines.

  • Decline less critical problematic patches, and deal with them after the important issues have been addressed.

  • Postpone or schedule reboots for critical machines and servers during weekends to prevent downtime.

  • Run patch reports to ensure network endpoints are up-to-date with the latest patches.

What if I told you there’s a way to automate this entire process? ManageEngine offers two solutions that does exactly that from one central console: Desktop Central and Patch Manager Plus. You can start a 30-day free trial, and keep more than 750 applications (plus over 300 third-party applications) up to date.

Ready to learn more? Tune into our March Patch Tuesday webinar, where our experts discuss which vulnerabilities to focus on first, strategies for safe testing, and other fail-safe measures should things go south. You’ll even have the chance to ask our experts your own patch management questions. Sign up now!