|
MS-DEFCON 3:
Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems.
|
Blog Archives
-
Another HEVC codec bug fixed via the Microsoft Store – plus a couple of updates on this month’s mayhem
Posted on October 15th, 2020 at 22:58 Comment on the AskWoody LoungeBack in July I wrote about two weird Microsoft Store patches for a couple of security holes in the HEVC codecs, which are programs that Microsoft created to let you play Apple HEVC files. (Protip: You probably don’t have them, unless you’ve installed codecs from the Store.)
Now comes word that we have another identified security hole in that same HEVC codecs,
This warning isn’t for everybody. Per MS,
Only customers who have installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from Microsoft Store may be vulnerable.
So unless you’ve specifically downloaded the Microsoft codec, you don’t need to worry about it – but be aware that this one is also coming through
Windows Updatethe Microsoft Store. There’s a lengthy discussion of versions in the KB article.The announcement also says that CVE-2020-17022 is a security hole in Remote Desktop Services, but it isn’t. Be calm, grasshopper.
There’s also a bug for Visual Studio programmers, CVE-2020-17023, which involves opening a nasty package.json file. If you’re using Visual Studio, watch out.
Finally, we have CVE-2020-16943, which was just updated (the original notice was released on Patch Tuesday). The problem? This security hole is in Microsoft Dynamics 365 Commerce. Microsoft posted about the fix on Patch Tuesday and then decided, two days later, to tell people that it doesn’t yet have a fix:
The security update for Dynamics 365 Commerce is not immediately available. The update will be released as soon as possible, and when it becomes available, customers will be notified via a revision to this CVE information.
Golly.
-
October patched security holes are getting hit hard
Posted on October 15th, 2020 at 07:25 Comment on the AskWoody LoungeHere’s where the threats stand as of early Thursday morning:
CVE-2020-16898: “Bad Neighbor” or “Ping of Death” has a proof of concept available, but it just triggers a bluescreen. US Cyber Command tweets “CVE-2020-16898 in particular should be patched or mitigated immediately, as vulnerable systems could be compromised remotely.” But Kevin Beaumont says, “I wouldn’t panic about the IPv6 thing personally, just keep calm and patch as usual.” Kevin reports that he’s seen a fake exploit.
CVE-2020-16951 and CVE-2020-16952 SharePoint Server security holes have a new proof of concept, but the holes only occur on SharePoint Server 2016 and 2019. If you’re running either of those Server versions, get patched, but everybody else is immune.
CVE-2020-16947 Outlook 2016/Office 2019/Microsoft 365 vulnerability – which can crawl in via Outlook if you simply preview an infected email – doesn’t have any outstanding proof of concepts, as best I can tell.
Bottom line: I don’t see any reason to install this month’s patches just yet, unless you’re running SharePoint Server 2016 or 2019.
-
Microsoft re-releases buggy July .NET Security Only patches
Posted on October 13th, 2020 at 21:17 Comment on the AskWoody LoungeMicrosoft just announced that it has re-issued the buggy July .NET Security Only patches identified as CVE–2020-1147, and covering a gazillion different KBs. Okay, I overspoke. Maybe half a gazillion.
The bug? Ahem:
After you apply this update, some applications experience a TypeInitializationException exception when they try to deserialize System.Data.DataSet or System.Data.DataTable instances from the XML within a SQL CLR stored procedure.
You had to ask.
Anyway, if you see a .NET patch from July suddenly appear in October, you need to install it, and now you know why.
UPDATE: @PKCano has the gory details – including KB numbers for the re-released Security Only patches for Win7 and Server 2008 R2 – posted here.
-
Running SharePoint Server? Better get this security hole plugged soon.
Posted on October 13th, 2020 at 20:44 Comment on the AskWoody LoungeVery few of you are running SharePoint Servers, but for those of you who do, this is an important heads-up. From AttackerKB:
On Tuesday, October 13, as part of the October 2020 Patch Tuesday release, Microsoft published a security advisory for CVE-2020-16952, a server-side include (SSI) vulnerability in Microsoft SharePoint. The bug is exploitable by an authenticated user with page creation privileges, which is a standard permission in SharePoint, and allows the leaking of an arbitrary file, notably the application’s
web.configfile, which can be used to trigger remote code execution (RCE) via .NET deserialization. CVE-2020-16952 carries a CVSSv3 base score of 8.6…An easily available proof-of-concept makes CVE-2020-16952 an impending threat. There are no reports of exploitation in the wild as of October 13, 2020.
Affected products
-
-
Microsoft SharePoint Foundation 2013 Service Pack 1
-
Microsoft SharePoint Enterprise Server 2016
-
Microsoft SharePoint Server 2019
-
Full details on the Rapid7 site.
Thx, Patch Lady.
-
-
October 2020 Microsoft Patch Tuesday updates are rolling out
Posted on October 13th, 2020 at 12:06 Comment on the AskWoody LoungeThe patches have been released.
There are 365 new entries for October, 2020 Patch Tuesday in the Microsoft Update Catalog.
There are 1838 vulnerabilities listed in the Microsoft Security Response Center for October.
Dustin Childs just posted his usual in-depth analysis on the Zero Day Initiative blog:
- Adobe released one patch for October to fix a single vulnerability in Flash.
- Microsoft released patches to correct 87 CVEs. Of these, 11 are Critical, 75 listed as Important, and one as Moderate.
None of the bugs are listed as being under attack at the present, but 6 are listed as publicly known at the time of release.
KB 4580325 — 2020-10 Security Update for Adobe Flash Player on Win8.1 and Win10. The Flash Player update for Win7 should be downloaded from Adobe.
According to Sergiu Gatlin at BleepingComputer Windows 10 now blocks some third-party drivers from installation
Microsoft says that Windows 10 and Windows Server users will be blocked from installing incorrectly formatted third-party drivers after deploying this month’s cumulative updates.
“When installing a third-party driver, you might receive the error, ‘Windows can’t verify the publisher of this driver software’,” Microsoft says.
“You might also see the error, ‘No signature was present in the subject’ when attempting to view the signature properties using Windows Explorer.”
This issue is caused by improperly formatted driver catalog files that trigger the errors during the driver validation process as Microsoft explains.
Starting with the October 2020 updates, Windows requires DER-encoded PKCS#7 content to be valid and correctly embedded in catalog files.
“Catalogs files must be signed per section 11.6 of describing DER-encoding for SET OF members in X.690,” Microsoft adds.
Users who encounter these errors while attempting to install a third-party driver are advised to ask their driver vendor or device manufacturer (OEM) for an updated and correctly signed driver.
Affected Windows platforms include client (from Windows 8.1 up to Windows 004) and server versions (from Windows Server 2012 R2 up to Windows Server, version 2004).
Martin Brinkman has his usual thorough rundown on Ghacks.net.
A reminder if you are on Windows 10 v1809 or v1903. It is time to think about moving to a later version. V1809 reaches EOS on 2020-11-10 and v1903 on 2020-12-08.
-
MS-DEFCON 2: Incoming! Pause Windows and Office patches
Posted on October 11th, 2020 at 22:56 Comment on the AskWoody LoungeOctober Patch Tuesday is just around the corner.
Now’s a good time to make sure you have “Pause” set on your Win10 machines (or that you turn off Automatic Update on your Win7 and 8.1 machines).
Full step-by-step details in Computerworld Woody on Windows.
-
MS-DEFCON 4: Get the September 2020 patches installed
Posted on October 2nd, 2020 at 09:25 Comment on the AskWoody LoungeIf you’re running SQL Server 2019, surprise!, Microsoft yanked the old cumulative update and replaced it with a working one last night.
In general, it looks like a pretty healthy bunch of patches, with the usual (undocumented) problems: the “temporary profile” bug; stealthy installation of KB 4023057; odd miscellaneous blue screens and interface bleeps.
I still won’t install version 2004 on my production machines, even though about one-third of all Win10 users have swallowed that pill. There’s nothing in version 2004 that warrants even the slightest bit of sweat off your brow.
So I’m moving us to MS-DEFCON 4: There are isolated problems with current patches, but they are well-known and documented here. Check this site to see if you’re affected and if things look OK, go ahead and patch.
Full story in Computerworld Woody on Windows.
-
Microsoft drops KB 4577063, the “optional, non-security, E Week” patch for Win10 version 2004
Posted on October 1st, 2020 at 13:55 Comment on the AskWoody LoungeAt least they made it before F Week.
Microsoft just pushed 48 separately identified bug fixes in KB 4577063, the E Week optional, non-security patch for Win10 version 2004.
Looks like the Linux-under-Windows bug has been fixed, as has an uncommon bug that makes Windows appear as if your internet connection dropped. Details at BleepingComputer.
No, you don’t want it. Wait for Patch Tuesday.
There’s also a .NET preview for version 2004, KB 4576945.
Looks like they fixed the Linux bug. I don’t see anything else that’s particularly interesting. Do you?
Welcome to our unique respite from the madness.
It's easy to post questions about Windows 10, Win8.1, Win7, Surface, Office, or browse through our Forums. Post anonymously or register for greater privileges. Keep it civil, please: Decorous Lounge rules strictly enforced. Questions? Contact Customer Support.
Plus Membership
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments. Click here for details and to sign up.
Recent Replies
EP on Pulling the trigger on Win10 Version 2004
23 minutes ago- 25 minutes ago
- 26 minutes ago
Paul T on My internet keeps Dropping out
27 minutes agocyberSAR on Internet Security Providers
28 minutes ago- 29 minutes ago
- 29 minutes ago
LHiggins on Internet Security Providers
36 minutes ago- 46 minutes ago
geekdom on MS-DEFCON 3: Get the October patches installed
57 minutes ago- 1 hour, 6 minutes ago
- 1 hour, 26 minutes ago
doriel on Patch Lady – my favorite new windows update setting
1 hour, 27 minutes agoanonymous on Pulling the trigger on Win10 Version 2004
1 hour, 43 minutes agoblueboy714 on Install Win10 Update 2004 Question
1 hour, 44 minutes agoPKCano on Install Win10 Update 2004 Question
1 hour, 47 minutes ago- 2 hours, 1 minute ago
- 2 hours, 3 minutes ago
WShlewton on Win 10 Windoows File Explorer Does Not Display Network Computers
2 hours, 5 minutes ago- 2 hours, 6 minutes ago
Kathy Stevens on Internet Security Providers
2 hours, 17 minutes agopHROZEN gHOST on MS-DEFCON 3: Get the October patches installed
2 hours, 35 minutes agoCraigS26 on Windows 10 2004/20H2 Not Being Offered Due to Conexant HD Audio Issue
2 hours, 55 minutes agoFred on Patch Lady – make sure you are protected
3 hours, Just nowagoldhammer on About that Flash-zapping patch, KB 4577586? One leeetle problem. It doesn’t remove Flash.
3 hours, 4 minutes agoGoneToPlaid on My internet keeps Dropping out
3 hours, 16 minutes ago- 3 hours, 19 minutes ago
- 3 hours, 29 minutes ago
Berserker79 on MS-DEFCON 3: Get the October patches installed
3 hours, 57 minutes ago- 4 hours, 59 minutes ago