AskWoody

A March security patch, for CVE-2020-0796, gets a publicly available proof of concept

If you haven’t yet installed the March or April or May security patches, time to get cookin’.

Ionut Ilascu at Bleeping Computer just reported on a publicly available exploit for the SMB security hole.

Working exploit code that achieves remote code execution on Windows 10 machines is now publicly available for CVE-2020-0796, a critical vulnerability in Microsoft Server Message Block (SMB 3.1.1)… Known by various names (SMBGhost, CoronaBlue, NexternalBlue, BluesDay), the security flaw can be leveraged by an unauthenticated attacker to spread malware from one vulnerable system to another without user interaction.

I don’t see anything out in the wild yet, but it’s only a matter of time.

Yes, you do need to patch sooner or later.

Bumps on the road to the Win10 version 2004 upgrade

I see the same pattern, every time Microsoft releases a new version of Windows. This time’s even more bizarre than usual:

• Microsoft won’t install version 2004 on any of Microsoft’s latest hardware
• The “Update is on its way” message doesn’t make any sense
• Intel-based machines with Optane memory are getting crushed

And there are loads and loads (and loads!) of problem reports

Do yourself a favor. If Windows Update gives you the opportunity to “Download and install” Win10 version 2004, say a prayer for the cannon fodder (we appreciate their problem reports!) and resist the urge to click. There’s nothing in 2004 that you need right now.

Details in Computerworld Woody on Windows.

Patch Lady – issues with syncing Outlook calendar with icloud calendar after 2004

From a fellow geek… “BTW the only thing that didn’t work properly after the Windows 10 2004 update was syncing my Outlook calendar on my PC with my iCloud calendar. The “official” solution was to uninstall iCloud app from PC and then reinstall the iCloud app. Instead of uninstall/reinstall, I told Windows to repair the app. That worked.”

Seeing several reports of this issue.  If you are impacted try that work around.  It appears to be most impacting Office 365 and iCloud app interaction.

KB 4541302 – The new Chromium-based version of Edge is coming

Microsoft has started officially rolling out Chredge, the Chromium-based version of Edge, to Windows 10 version 1903 and 1909 customers… which is to say, most of us.

According to Martin Brinkmann at Ghacks, it’ll appear as

• KB4541301 — for Windows 10 version 1803 and 1809
• KB4541302 – for Windows 10 version 1903 and 1909
• KB4559309 — for all Windows 10 versions from Windows 10 version 1803 to 2004.

(I’ve seen KB 4559309 on Win10 version 2004. Not sure if that specific KB appears on earlier versions.)

Apparently it arrives as a regular Windows update – which means if you’ve Paused updates, it wont’ show up, but when you remove the Pause (or it runs out), you’ll get it.

Installation’s a bit odd — the new Edge replaces (but doesn’t remove) the old Edge, which is now called “Edge Legacy.” It’s possible to run the old Edge Legacy, if you stand on your head and squint real hard, but why would you want to? The old Edge was an also-ran for a reason. Many reasons, actually.

Reviews for the new Edge are good – although I’ll be sticking with Brave (my new preference), Firefox and Chrome for awhile.

Are Win10 version 1909 users being pushed onto version 2004?

Günter Born just published an article Windows 10 Version 2004: Forced upgrade without user consent

I’ve seen reports (some noted in Born’s article) where people claim to be upgraded to version 2004 without clicking “Download and install” — which is supposed to be the ultimate gatekeeper. I talk about it in this Computerworld article.

Color me skeptical. But I’m certainly open to being convinced that Microsoft is jumping the gun on the version 2004 rollout.

Microsoft has a lot riding on this 2004 upgrade — and circumventing its own “Download and install” block doesn’t make sense. That said, you never know what glitches may be in store.

Have you seen anything?

Thx, @EP

June 2020 Office non-Security updates have been released

The June 2020 Office non-Security updates have been released Tuesday, June 2, 2020. They are not included in the DEFCON-4 approval for the May 2020 patches. Unless you have a specific need to install them, you should wait until Susan Bradley (Patch Lady) approves them and any problems have been reported.

Remember, Susan’s patching sequence and  recommendations are based on a business environment that has IT support and may have time constraints on the updating process. Consumer patching should be more cautious due to limited technical and mechanical resources. The latter is the reason for the AskWoody DEFCON system.

Office 2016
Update for Microsoft Office 2016 (KB4484171)
Update for Microsoft Office 2016 (KB4484335)
Update for Microsoft Office 2016 (KB4484392)
Update for Microsoft Office 2016 (KB4484394)
Update for Microsoft OneNote 2016 (KB4484329)
Update for Microsoft Outlook 2016 (KB4484398)

Office 2013
Update for Microsoft Office 2013 (KB4484356)

Office 2010
Update for Microsoft Office 2010 (KB4484377)

There were no non-security listings for Office 2007 (which is out of support).

Updates are for the .msi version (persistent). Office 365 and C2R are not included.

Security updates for all supported versions of Microsoft Office are released on the second Tuesday of the month (Patch Tuesday).

MS-DEFCON 4: Get the May 2020 patches installed now

Although there have been screaming headlines about bugs in May’s patches, neither Susan nor I have detected any pattern – with two exceptions.

• We’re still seeing the “temporary profile” bug, where machines come back after installing the latest cumulative update, and the user logs into a brand new profile. As a result, their icons are all wrong, some data appears to be missing (but it isn’t), and pandemonium reigns.
• There seems to be some sort of problem with audio drivers. I haven’t figured out if it’s specifically the cumulative update, drivers that sneak in, or some combination thereof.

As usual, Windows 8.1 remains the most stable version of Windows – unless you’re running Windows 7 and paying for Extended Security Updates.

Details on safely updating your machine in Computerworld Woody on Windows.

From the article:

I’m assuming that you don’t voluntarily jump down the rabbit hole and join the unpaid beta testers working on Windows 10 version 2004 – the May 2020 Update. It’s kicking up all sorts of problems – but that’s no reason to hold off on the May patches.

We’re now at MS-DEFCON 4: There are known problems, but go ahead and patch.

Terabyte update: The hard-drive price advantage

HARDWARE

By Will Fastie

Solid-state drives (SSDs) have rapidly become the drive of choice for all types of devices, with smartphones and tablets leading the way.

Today’s laptops commonly include an SSD, and an increasing number of desktop PCs are configured with a smallish boot SSD and a larger spinning-platter, hard-disk drive (HDD) for long-term data storage. Given the ongoing changes in storage technology and cost, there’s little doubt that solid-state memory will someday replace mechanical rotating disks. The only question is when?

Read the full story in AskWoody Plus Newsletter 17.21.0 (2020-06-01).