Microsoft Windows updates - April 2020
Issue
On April 14, 2020, Microsoft released their monthly patches for Windows Operating Systems and applications.
The SecureAuth Product Security Team has reviewed the announced critical patches and determined that none of the announced vulnerabilities should be a high risk to the SecureAuth® Identity Platform (formerly SecureAuth IdP) as long as customers follow good security practices which include, but are not limited to:
Only authorized administrators should be permitted access to the Identity Platform server console or remote administrative services.
The Identity Platform should not be used to view any documents that are not verified from trusted sources, and the SecureAuth Product Security Team does not recommend viewing any documents on the Identity Platform server.
General web browsing should not be performed from the Identity Platform. Only visiting known, trusted web sites, such as secureauth.com or Microsoft.com, should be allowed and those visits directly from the Identity Platform should be minimized.
Recommendation
It is the recommendation of SecureAuth that the patches do not need to be applied immediately and customers can wait until further testing and analysis of the potential impacts to the server are better known throughout the security and Microsoft Communities.
Identity Platform Version | OS Version |
|---|---|
9.x |
|
19.07.x |
|
Summary
The April 2020 Microsoft Windows Patches identified 9 critical vulnerabilities and subsequent patches for all versions of Windows Server 2012 R2 and newer.
The 9 patches involved the following Windows components:
Microsoft Graphics Components
Hyper-V
Adobe Type Manager Library
Windows Media Foundation
Microsoft Windows Codecs Libraries
None of the above components are directly related to the functionality of the SecureAuth Identity Platform and typically are only exploitable when a user is tricked into opening a malicious document or visiting a malicious web site.
Due to the nature of the Identity Platform server, it should never be used to open documents, visit websites other than to download authorized support or patch files, or be used for general web surfing.
CVE Number(s) | Component Impacted | Impact to Identity Platform |
|---|---|---|
CVE-2020-0907 CVE-2020-0687 | Microsoft Graphics Components | None if good security practices are followed |
CVE-2020-0910 | Windows Hyper-V | None, Identity Platform does not use Hyper-V |
CVE-2020-0938 CVE-2020-1020 | Adobe Font Manager Library | None if good security practices are followed |
CVE-2020-0948 CVE-2020-0949 CVE-2020-0950 | Media Foundation | None if good security practices are followed |
CVE-2020-0965 | Microsoft Windows Codecs Library | None if good security practices are followed |
References
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0907
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0910
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0687
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0938
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0948
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0949
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0950
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0965
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020