News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it

Daily Archives: October 13, 2020

  • Microsoft re-releases buggy July .NET Security Only patches

    Posted on October 13th, 2020 at 21:17 woody

    Microsoft just announced that it has re-issued the buggy July .NET Security Only patches identified as CVE-2020-1147, and covering a gazillion different KBs. Okay, I overspoke. Maybe half a gazillion.

    The bug? Ahem:

    After you apply this update, some applications experience a TypeInitializationException exception when they try to deserialize System.Data.DataSet or System.Data.DataTable instances from the XML within a SQL CLR stored procedure.

    You had to ask.

    Anyway, if you see a .NET patch from July suddenly appear in October, you need to install it, and now you know why.

    UPDATE: @PKCano has the gory details – including KB numbers for the re-released Security Only patches for Win7 and Server 2008 R2 – posted here.

  • What you need to know about today’s Apple event

    Posted on October 13th, 2020 at 20:50 woody

    From Nathan Parker:

    Apple hosted a virtual event on October 13. This was one of the most exciting Apple events I have watched. Here is the bottom line of the major product announcements:

    HomePod mini: Smaller circular design, 360 degree audio, S5 chip (Apple Watch chip, not an A Series chip), Computational Audio optimizes each audio when played, new Intercom support arriving to all Apple devices, stronger emphasis on being a home assistant, Emphasis on privacy, $99 (versus $299 for the larger HomePod).

    iPhone 12: Now includes 5G, New design similar to iPhone 4 and 5, iPhone mini option (6.1” vs 6.4” display on the larger iPhone 12), Ceramic Shield offers better protection (including better spill and splash resistance), New colors, A14 Bionic chip, OLED comes to iPhone 12, Dual Cameras with Night Mode, Night Mode Selfies, Deep Fusion, Smart HDR 3 and Portrait Mode, Night Mode Time Lapse, Record and Edit Video in Dolby Vision, Support for MagSafe Accessories (magnetic chargers, cases, wallets, etc), Faster Wireless Charging

    iPhone 12 Pro: Includes everything on the iPhone 12 with 6.1” and 6.7” Display options, Smaller bezels, Four colors including Pacific Blue (stainless steel bands instead of aluminum), LiDAR sensors, Four Cameras with expanded Night Mode, ProRAW Support (the ability to shoot RAW on a phone camera), HDR Video Recording

    A few additional things to know:

    • iPhone 12 mmWave support is limited to the US
    • Apple is including three months of Apple Arcade in addition to a free year of Apple TV+
    • iPhone 12 models no longer come with EarPods and Power Adapter, do include USB C Cable (this extends to future iPhone 11, XR, and SE purchases)
    • iOS 14.1 and iPadOS 14.1 were also released today, watchOS 7.0.2 was released recently as well

  • Running SharePoint Server? Better get this security hole plugged soon.

    Posted on October 13th, 2020 at 20:44 woody

    Very few of you are running SharePoint Servers, but for those of you who do, this is an important heads-up. From AttackerKB:

    On Tuesday, October 13, as part of the October 2020 Patch Tuesday release, Microsoft published a security advisory for CVE-2020-16952, a server-side include (SSI) vulnerability in Microsoft SharePoint. The bug is exploitable by an authenticated user with page creation privileges, which is a standard permission in SharePoint, and allows the leaking of an arbitrary file, notably the application’s web.config file, which can be used to trigger remote code execution (RCE) via .NET deserialization. CVE-2020-16952 carries a CVSSv3 base score of 8.6…

    An easily available proof-of-concept makes CVE-2020-16952 an impending threat. There are no reports of exploitation in the wild as of October 13, 2020.

    Affected products

      • Microsoft SharePoint Foundation 2013 Service Pack 1

      • Microsoft SharePoint Enterprise Server 2016

      • Microsoft SharePoint Server 2019

    Full details on the Rapid7 site.

    Thx, Patch Lady.

  • October 2020 Microsoft Patch Tuesday updates are rolling out

    Posted on October 13th, 2020 at 12:06 PKCano

    The patches have been released.

    There are 365 new entries for October, 2020 Patch Tuesday in the Microsoft Update Catalog.

    There are 1838 vulnerabilities listed in the Microsoft Security Response Center for October.

    Dustin Childs just posted his usual in-depth analysis on the Zero Day Initiative blog:

    • Adobe released one patch for October to fix a single vulnerability in Flash.
    • Microsoft released patches to correct 87 CVEs. Of these, 11 are Critical, 75 listed as Important, and one as Moderate.

    None of the bugs are listed as being under attack at the present, but 6 are listed as publicly known at the time of release.

    KB 4580325 — 2020-10 Security Update for Adobe Flash Player on Win8.1 and Win10. The Flash Player update for Win7 should be downloaded from Adobe.

    According to Sergiu Gatlan at BleepingComputer, Windows 10 now blocks some third-party drivers from installation:

    Microsoft says that Windows 10 and Windows Server users will be blocked from installing incorrectly formatted third-party drivers after deploying this month’s cumulative updates.

    “When installing a third-party driver, you might receive the error, ‘Windows can’t verify the publisher of this driver software’,” Microsoft says.

    “You might also see the error, ‘No signature was present in the subject’ when attempting to view the signature properties using Windows Explorer.”

    This issue is caused by improperly formatted driver catalog files that trigger the errors during the driver validation process as Microsoft explains.

    Starting with the October 2020 updates, Windows requires DER-encoded PKCS#7 content to be valid and correctly embedded in catalog files.

    “Catalogs files must be signed per section 11.6 of describing DER-encoding for SET OF members in X.690,” Microsoft adds.

    Users who encounter these errors while attempting to install a third-party driver are advised to ask their driver vendor or device manufacturer (OEM) for an updated and correctly signed driver.

    Affected Windows platforms include client (from Windows 8.1 up to Windows 10, version 2004) and server versions (from Windows Server 2012 R2 up to Windows Server, version 2004).

    Martin Brinkmann has his usual thorough rundown on Ghacks.net.

    A reminder if you are on Windows 10 v1809 or v1903. It is time to think about moving to a later version. V1809 reaches EOS on 2020-11-10 and v1903 on 2020-12-08.
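
The driver catalog requirement quoted above refers to X.690 section 11.6, which says the members of a SET OF must appear in ascending order of their encodings. The sketch below is an added example, not code from the post, BleepingComputer or Microsoft: it walks a DER blob and reports which SET OF values break that rule. The function names are hypothetical, and it assumes every universal SET tag (0x31) is a SET OF; implicitly tagged SET OF fields need schema knowledge and are not detected.

```python
# Added example (not Microsoft's validator): walk a DER blob and flag SET OF
# values whose members violate the X.690 section 11.6 ordering rule.

def read_tlv(buf, pos, limit):
    """Parse one definite-length TLV; return (tag, content_start, end)."""
    if pos + 2 > limit:
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are outside this example's scope")
    if first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    if first < 0x80:                      # short form
        length, start = first, pos + 2
    else:                                 # long form: next n octets hold the length
        n = first & 0x7F
        start = pos + 2 + n
        length = int.from_bytes(buf[pos + 2:start], "big")
    if start + length > limit:
        raise ValueError("element runs past its container")
    return tag, start, start + length

def split_members(buf, start, stop):
    """Return the complete encodings (tag+length+value) of each child element."""
    out = []
    while start < stop:
        _, _, end = read_tlv(buf, start, stop)
        out.append(bytes(buf[start:end]))
        start = end
    return out

def unsorted_sets(buf, pos=0, limit=None, path=""):
    """Return paths such as '/0/1' of tag-0x31 elements that break 11.6."""
    limit = len(buf) if limit is None else limit
    bad, index = [], 0
    while pos < limit:
        tag, start, stop = read_tlv(buf, pos, limit)
        here = f"{path}/{index}"
        if tag == 0x31:  # assumption: every universal SET here is a SET OF
            members = split_members(buf, start, stop)
            width = max(map(len, members), default=0)
            # 11.6: compare as octet strings, shorter ones padded with trailing zeros
            keys = [m.ljust(width, b"\x00") for m in members]
            if keys != sorted(keys):
                bad.append(here)
        if tag & 0x20:   # constructed: descend into children
            bad += unsorted_sets(buf, start, stop, here)
        pos, index = stop, index + 1
    return bad

# Constructed samples: SEQUENCE { SET OF { INTEGER, INTEGER } }
GOOD = bytes.fromhex("30083106020101020102")
BAD = bytes.fromhex("30083106020102020101")
```

The returned paths are child indexes from the root, so `/0/0` means the first child of the first top-level element.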