The first Patch Tuesday of the decade has arrived with a bang. There’s been a lot of buzz regarding essential updates that were set to be released this January, and sure enough, the vendors have delivered! We’ve consolidated all the important fixes and more so that you can get off to a great start in diligently patching and safeguarding your systems this year. Before getting into the gritty details, here’s a quick overview of Patch Tuesday.

What is Patch Tuesday?

Microsoft regularly releases security and non-security updates to address vulnerabilities in its software, as well as upgrades for its applications and operating systems (OSs). Patch Tuesday is the specific day that all the relevant updates for Windows OS and other components and applications are officially posted on the Microsoft Bulletin.

When is Patch Tuesday?

Patch Tuesday is coined as such because it falls on the second Tuesday of every month. Microsoft released the first Patch Tuesday updates in October 2003, and they have faithfully upheld this tradition ever since.

Highlights of Patch Tuesday January 2020

 The first Patch Tuesday of the year comes with fixes for 50 vulnerabilities. Out of these, eight are rated Critical and 41 are rated Important. 

Patch for the vulnerability in CRYPT32.DLL rated Important 

The much anticipated patch for the spoofing vulnerability in the usermode cryptographic library CRYPT32.DLL, which affects Windows 10 machines, has been rated Important as it has not been used in active cyberattacks yet. The CVE ID of this vulnerability is CVE-2020-0601. If unpatched, this vulnerability could allow attackers to create a code-signing certificate, making a malicious executable look like it’s from a trusted source. This could easily pave the way for ransomware and malware being trusted and installed on endpoints.

Vulnerabilities in Remote Desktop Protocol (RDP) software patched

In keeping with trends of vulnerabilities in RDP-related software, this Patch Tuesday also fixes five vulnerabilities in Remote Desktop Gateway Server, Remote Desktop Client, and Remote Desktop Web Access. The CVE IDs are as follows: CVE-2020-0609CVE-2020-0610CVE-2020-0611CVE-2020-0612, and CVE-2020-0637.

Patch Tuesday updates for Microsoft products

Microsoft Patch Tuesday January 2020 includes updates for many Microsoft and third-party software and components.

The release includes security updates for the following software:

  • Microsoft Windows

  • Internet Explorer

  • Microsoft Office

  • Microsoft Office Services and Web Apps

  • ASP.NET Core

  • .NET Core

  • .NET Framework

  • OneDrive for Android

  • Microsoft Dynamics

 The third-party updates that have been released cover:

  • Git 2.25.0

  • Seafile 7.0.5

  • Aimp 4.60.2170

  • TeXstudio 2.12.20

  • PDF24 Creator 9.0.2

  • Geneious Prime 2020.0.5

  • Wise Folder Hider 4.3.2

  • Personal Backup 6.1.0.

  • MySQL Workbench CE 8.0.19

  • Cerberus FTP Server 11.0.6

  • Google Drive 3.48.8668.1933

  • MYSQL Connector/C++ 8.0.19

  • MySQL Connector/ODBC 8.0.19

  • MYSQL Connector/NET 8.0.19

  • Adobe Flash Player PPAPI 32.0.0.314

  • Adobe Flash Player Plugin 32.0.0.314

  • Adobe Flash Player ActiveX 32.0.0.314

  • KeePass Password Safe Classic Edition 1.38

  • Java 8 Update 241

  • Java SE Development Kit (x64) (13.0.2)

  • Java SE Development Kit (x64) (11.0.6)

  • Java SE Development Kit 8 Update 241

  • Simply Fortran 3.8

 Notable announcements

As widely publicized, this will be the last Patch Tuesday with free updates for Windows 7, Windows Server 2008, and Windows Server 2008 R2. Windows 7 is hitting its end of life, so it’s crucial to either upgrade to Windows 10 or purchase Extended Security Updates from Microsoft.

Best practices to handle Microsoft Patch Tuesday updates for January 2020

Patching and updating all your endpoints might seem like an impossible task, but there are best practices you can follow to streamline the patching process:

  • Prioritize patching for Critical vulnerabilities first. The eight Critical vulnerabilities this Patch Tuesday are CVE-2020-0603CVE-2020-0605CVE-2020-0606CVE-2020-0609CVE-2020-0610CVE-2020-0611CVE-2020-0640, and CVE-2020-0646.

  • Automate all other Important and Moderate updates after that.

  • Schedule updates to go out during non-business hours for optimal user convenience and conservation of bandwidth.

  • Create a test group to verify the stability of Patch Tuesday updates before mass deployment to systems and servers in your network.

  • Decline less critical updates and dispatch them only after the important issues have been addressed.

  • Postpone or schedule reboots for critical machines and servers.

  • Run patch reports to ensure network endpoints are up-to-date with the latest patches.

Still think patching is a complex process? Don’t worry, we’ve got it sorted out for you.

ManageEngine offers two solutions that help you automate all the best practices mentioned above from one central console: Desktop Central and Patch Manager Plus. You can try both solutions free for 30 days and keep more than 750 applications up-to-date, including over 300 third-party applications.

Want to learn more? Join our Patch Tuesday January 2020 webinar, where we’ll take a closer look at this month’s updates, analyze the Critical vulnerabilities, and discuss the impact of ignoring them. Register now!

 

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  1. TRAN QUOC NAM

    Hi, how to find corresponding CVEs on DesktopCentral? Under Patch Management tab, I can’t find any item showing CVEs.

  2. Alex Molina

    As feedback, I think it will be nice to mention which of them are the 8 updates rated Critical. The post says 8 Critical and 41 Important. Out of this post, I get 2 are critical, Crypt32.dll and RDP. Can you clarify please? Thank you in advance! Alex

    • Karthika Surendran

      Hi Alex,
      The 8 vulnerabilities that have been rated ‘Critical’ by Microsoft are as follows

      CVE-2020-0603 – ASP.NET Core Remote Code Execution Vulnerability
      CVE-2020-0605 – .NET Framework Remote Code Execution Vulnerability
      CVE-2020-0606 – .NET Framework Remote Code Execution Vulnerability
      CVE-2020-0609 – Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability
      CVE-2020-0610 – Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability
      CVE-2020-0611 – Remote Desktop Client Remote Code Execution Vulnerability
      CVE-2020-0640 – Internet Explorer Memory Corruption Vulnerability
      CVE-2020-0646 – .NET Framework Remote Code Execution Injection Vulnerability

      Crypt32.dll vulnerability – CVE-2020-0601 – has only been rated ‘Important’ by Microsoft as it has not been exploited yet.

      We will be having a detailed discussion on Patch Tuesday updates in our upcoming free Patch Tuesday webinar Join us for a complete breakdown on the updates!

  3. Frederick Poirier

    Usually, how long it take after patch are available from Microsoft to be available inside Patch Manager Plus?

    • Karthika Surendran

      Hi Frederick,

      The estimated time for the patches to become available in Patch Manager Plus is as follows,

      Third Party updates – within 6 Hours from release
      Security Updates – within 12 hours from release
      Non Security updates – within 24 hours from release

      After this time interval, if you sync your patch DB, the updates will be available in your database. Hope this answers your question!.
      Feel free to reach out to our support at patchmanagerplus-support@manageengine.com, incase of any other queries.