• February 2020 Patch Tuesday foibles

    …. and… we’re off.

    The Microsoft Update Catalog lists 151 separate patches. An enormous 99 different CVEs = individual security holes.

    The Knowledge Base article for the Win10 1903 and 1909 patches does NOT list any fixes to the very-buggy “optional non-security C/D Week” patch. I’d be most interested in hearing about the long-standing Win10 1909 File Explorer Search bugs.

    I don’t see a patch for Win7, in spite of the “Stretch”ed black wallpaper fix Preview released last week. No word on whether the manual-download-only fix is still clobbering boot files.

    Dustin Childs’s report for ZDI covers all the bases. Worthy of note:

    • That Internet Explorer JScript vulnerability, CVE-2020-0674 (ADV200001), which Microsoft first talked about three weeks ago, is getting fixed. Except not for Win7, apparently, unless you pay for the patch. Microsoft lists it as being under active attack. Apparently it isn’t pressing enough to warrant an out-of-band patch, though, so those of you guarding state secrets and whistleblowers should probably worry about it sooner rather than later. The rest of us? I’ll wait until I see a widespread attack — or 0patch verifies that it’s plugged the problem.
    • The CVE-2020-0674 security hole is the only one listed as “Exploited.”

    Martin Brinkmann just posted his all-inclusive list. Five Win7 security holes that are only patched for Extended Support customers. The same five are fixed for Win8.1. Looks like Win10 versions 1803, 1809, 1903 and 1909 are all getting the same patches.

    Microsoft has released patches for every version of Win10 (except version 1511), back to the original 1507, whether they’re supported or not.

    The “classic” version of Edge is being patched, too, with 7 security holes filled. The Chromium-based version of Edge was patched on Feb. 7. I’m surprised – there doesn’t seem to be a definitive statement about it – but it looks like the only fixed security holes in Chredge stem from the underlying Chromium engine.

    There are new Servicing Stack Updates for Win7/Server 2008 R2 and for Server 2008. Wonder if those were re-issued because of the deleted boot files? There’s another SSU for Win10 1903 and 1909.

    I expect we’ll hear much more about a pan-Win10 patch, KB 4524244, Security update for Windows 10, version 1607, 1703, 1709, 1803, 1809, and 1903: February 11, 2020. Childs seems to have missed it, although Brinkmann includes it. The description:

    Addresses an issue in which a third-party Unified Extensible Firmware Interface (UEFI) boot manager might expose UEFI-enabled computers to a security vulnerability.

    Seems very specific to one UEFI boot manager. I wonder which one?