Patching in Review – Week 4 of 2020

We just wrapped up the first patch week of the year, and Microsoft is keeping things interesting with a newly announced IE zero-day vulnerability, but with no patch. According to Microsoft’s advisory, there are limited active attacks against CVE-2020-0674 where a malicious website could allow an attacker access to the system. For a temporary, but risky fix, Microsoft has provided a workaround within the advisory jscript would need to be restricted on the endpoint.

This might be the end of Windows 7 servicing, but Microsoft left us with a final present. It appears the final security update is breaking desktop wallpaper of all things, leaving a black background instead. Currently there’s no word whether Microsoft will provide a non-security fix, or if the unlucky users are stuck with this bug on their unsupported OS.

To play a bit of catch up, I’m coming in with the whole month of January. Please see the other articles below to get prepared for February’s patch week!

• Week 1
• Week 2
• Week 3
• Week 5

Security Releases

Snagit was the only security release from our vendors this week with a single vulnerability. Version 2018.2.5 covers CVE-2019-5100 where their third-party BMP library could be used to execute arbitrary code on the system.

Third-Party Updates

Even though we took a break this week in security releases, this non-security list is more than enough. See the summary of our additional patches for the week below.