Published: May 12, 2020
Last Update: May 12, 2020
Author: SecureAuth Product Security Incident Response Team (psirt@secureauth.com)

Issue

On May 12, 2020, Microsoft released its monthly patches for Windows operating systems and applications. The SecureAuth Product Security Team has reviewed the announced critical patches and determined that none of the announced vulnerabilities should be a high risk to the SecureAuth® Identity Platform (formerly SecureAuth IdP) as long as customers follow good security practices, which include, but are not limited to:

Recommendation

SecureAuth recommends that the patches do not need to be applied immediately. Customers can wait until the potential impacts to the server are better known through further testing and analysis across the security and Microsoft communities.

Applies To

Identity Platform Version OS Version 9.x 19.07.x

Summary

Critical Updates

The May 2020 Microsoft Windows patches identified 5 critical vulnerabilities and subsequent patches for all versions of Windows Server 2012 R2 and newer. The 5 patches involved the following Windows components:

None of the above components are directly related to the functionality of the SecureAuth Identity Platform, and they are typically only exploitable when a user is tricked into opening a malicious document or visiting a malicious website. Due to the nature of the Identity Platform server, it should never be used to open documents, to visit websites other than to download authorized support or patch files, or for general web surfing.

Important Updates

In addition to the Critical Updates, Microsoft released a number of Important Updates that address issues that could allow an attacker to escalate privileges, perform a denial of service attack, or bypass security controls. Additionally, there is a .NET Important Update for an issue that may result in a denial of service attack. The Important Updates are all part of the monthly roll-up patches for the operating systems that SecureAuth supports (Windows Server 2012 R2, 2016 and 2019).

The SecureAuth Team is testing these patches and will release information on recommendations for implementing the Important Updates.

Patch Information

Critical Updates

| CVE Number(s) | Component Impacted | Impact to Identity Platform |
|---|---|---|
| CVE-2020-1153 | Microsoft Graphics Components | None if good security practices are followed |
| CVE-2020-1117 | Microsoft Color Management | None if good security practices are followed |
| CVE-2020-1028, CVE-2020-1126, CVE-2020-1136 | Media Foundation | None if good security practices are followed |

Important Updates

| CVE Number(s) | Component Impacted | Impact to Identity Platform |
|---|---|---|
| CVE-2020-1108 | .NET | Potential denial of service attack |
| Various | Various Windows Components | Potential for privilege escalation, denial of service, or bypass of security controls |