News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon

Blog Archives

  • Another HEVC codec bug fixed via the Microsoft Store – plus a couple of updates on this month’s mayhem

    Posted on October 15th, 2020 at 22:58 woody Comment on the AskWoody Lounge

    Back in July I wrote about two weird Microsoft Store patches for a couple of security holes in the HEVC codecs, which are programs that Microsoft created to let you play Apple HEVC files. (Protip: You probably don’t have them, unless you’ve installed codecs from the Store.)

    Now comes word that we have another identified security hole in that same HEVC codecs,

    CVE-2020-17022

    This warning isn’t for everybody. Per MS,

    Only customers who have installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from Microsoft Store may be vulnerable.

    So unless you’ve specifically downloaded the Microsoft codec, you don’t need to worry about it – but be aware that this one is also coming through Windows Update the Microsoft Store. There’s a lengthy discussion of versions in the KB article.

    The announcement also says that CVE-2020-17022 is a security hole in Remote Desktop Services, but it isn’t. Be calm, grasshopper.

    There’s also a bug for Visual Studio programmers, CVE-2020-17023, which involves opening a nasty package.json file. If you’re using Visual Studio, watch out.

    Finally, we have CVE-2020-16943, which was just updated (the original notice was released on Patch Tuesday). The problem? This security hole is in Microsoft Dynamics 365 Commerce. Microsoft posted about the fix on Patch Tuesday and then decided, two days later, to tell people that it doesn’t yet have a fix:

    The security update for Dynamics 365 Commerce is not immediately available. The update will be released as soon as possible, and when it becomes available, customers will be notified via a revision to this CVE information.

    Golly.

  • October patched security holes are getting hit hard

    Posted on October 15th, 2020 at 07:25 woody Comment on the AskWoody Lounge

    Here’s where the threats stand as of early Thursday morning:

    CVE-2020-16898: “Bad Neighbor” or “Ping of Death” has a proof of concept available, but it just triggers a bluescreen. US Cyber Command tweets “CVE-2020-16898 in particular should be patched or mitigated immediately, as vulnerable systems could be compromised remotely.” But Kevin Beaumont says, “I wouldn’t panic about the IPv6 thing personally, just keep calm and patch as usual.” Kevin reports that he’s seen a fake exploit.

    CVE-2020-16951 and CVE-2020-16952 SharePoint Server security holes have a new proof of concept, but the holes only occur on SharePoint Server 2016 and 2019. If you’re running either of those Server versions, get patched, but everybody else is immune.

    CVE-2020-16947 Outlook 2016/Office 2019/Microsoft 365 vulnerability – which can crawl in via Outlook if you simply preview an infected email – doesn’t have any outstanding proof of concepts, as best I can tell.

    Bottom line: I don’t see any reason to install this month’s patches just yet, unless you’re running SharePoint Server 2016 or 2019.

  • Microsoft re-releases buggy July .NET Security Only patches

    Posted on October 13th, 2020 at 21:17 woody Comment on the AskWoody Lounge

    Microsoft just announced that it has re-issued the buggy July .NET Security Only patches identified as CVE–2020-1147, and covering a gazillion different KBs. Okay, I overspoke. Maybe half a gazillion.

    The bug? Ahem:

    After you apply this update, some applications experience a TypeInitializationException exception when they try to deserialize System.Data.DataSet or System.Data.DataTable instances from the XML within a SQL CLR stored procedure.

    You had to ask.

    Anyway, if you see a .NET patch from July suddenly appear in October, you need to install it, and now you know why.

    UPDATE: @PKCano has the gory details – including KB numbers for the re-released Security Only patches for Win7 and Server 2008 R2 – posted here.

  • Running SharePoint Server? Better get this security hole plugged soon.

    Posted on October 13th, 2020 at 20:44 woody Comment on the AskWoody Lounge

    Very few of you are running SharePoint Servers, but for those of you who do, this is an important heads-up. From AttackerKB:

    On Tuesday, October 13, as part of the October 2020 Patch Tuesday release, Microsoft published a security advisory for CVE-2020-16952, a server-side include (SSI) vulnerability in Microsoft SharePoint. The bug is exploitable by an authenticated user with page creation privileges, which is a standard permission in SharePoint, and allows the leaking of an arbitrary file, notably the application’s web.config file, which can be used to trigger remote code execution (RCE) via .NET deserialization. CVE-2020-16952 carries a CVSSv3 base score of 8.6…

    An easily available proof-of-concept makes CVE-2020-16952 an impending threat. There are no reports of exploitation in the wild as of October 13, 2020.

    Affected products

      • Microsoft SharePoint Foundation 2013 Service Pack 1

      • Microsoft SharePoint Enterprise Server 2016

      • Microsoft SharePoint Server 2019

    Full details on the Rapid7 site.

    Thx, Patch Lady.

  • October 2020 Microsoft Patch Tuesday updates are rolling out

    Posted on October 13th, 2020 at 12:06 PKCano Comment on the AskWoody Lounge

    The patches have been released.

    There are 365 new entries for October, 2020 Patch Tuesday in the Microsoft Update Catalog.

    There are 1838 vulnerabilities listed in the Microsoft Security Response Center for October.

    Dustin Childs just posted his usual in-depth analysis on the Zero Day Initiative blog:

    • Adobe released one patch for October to fix a single vulnerability in Flash.
    • Microsoft released patches to correct 87 CVEs. Of these, 11 are Critical, 75 listed as Important, and one as Moderate.

    None of the bugs are listed as being under attack at the present, but 6 are listed as publicly known at the time of release.

    KB 4580325 — 2020-10 Security Update for Adobe Flash Player on Win8.1 and Win10. The Flash Player update for Win7 should be downloaded from Adobe.

    According to Sergiu Gatlin at BleepingComputer Windows 10 now blocks some third-party drivers from installation

    Microsoft says that Windows 10 and Windows Server users will be blocked from installing incorrectly formatted third-party drivers after deploying this month’s cumulative updates.

    “When installing a third-party driver, you might receive the error, ‘Windows can’t verify the publisher of this driver software’,” Microsoft says.

    “You might also see the error, ‘No signature was present in the subject’ when attempting to view the signature properties using Windows Explorer.”

    This issue is caused by improperly formatted driver catalog files that trigger the errors during the driver validation process as Microsoft explains.

    Starting with the October 2020 updates, Windows requires DER-encoded PKCS#7 content to be valid and correctly embedded in catalog files.

    “Catalogs files must be signed per section 11.6 of describing DER-encoding for SET OF members in X.690,” Microsoft adds.

    Users who encounter these errors while attempting to install a third-party driver are advised to ask their driver vendor or device manufacturer (OEM) for an updated and correctly signed driver.

    Affected Windows platforms include client (from Windows 8.1 up to Windows 004) and server versions (from Windows Server 2012 R2 up to Windows Server, version 2004).

    Martin Brinkman has his usual thorough rundown on Ghacks.net.

    A reminder if you are on Windows 10 v1809 or v1903. It is time to think about moving to a later version. V1809 reaches EOS on 2020-11-10 and v1903 on 2020-12-08.

  • MS-DEFCON 2: Incoming! Pause Windows and Office patches

    Posted on October 11th, 2020 at 22:56 woody Comment on the AskWoody Lounge

    October Patch Tuesday is just around the corner.

    Now’s a good time to make sure you have “Pause” set on your Win10 machines (or that you turn off Automatic Update on your Win7 and 8.1 machines).

    Full step-by-step details in Computerworld Woody on Windows.

  • MS-DEFCON 4: Get the September 2020 patches installed

    Posted on October 2nd, 2020 at 09:25 woody Comment on the AskWoody Lounge

    If you’re running SQL Server 2019, surprise!, Microsoft yanked the old cumulative update and replaced it with a working one last night.

    In general, it looks like a pretty healthy bunch of patches, with the usual (undocumented) problems: the “temporary profile” bug; stealthy installation of KB 4023057; odd miscellaneous blue screens and interface bleeps.

    I still won’t install version 2004 on my production machines, even though about one-third of all Win10 users have swallowed that pill. There’s nothing in version 2004 that warrants even the slightest bit of sweat off your brow.

    So I’m moving us to MS-DEFCON 4: There are isolated problems with current patches, but they are well-known and documented here. Check this site to see if you’re affected and if things look OK, go ahead and patch.

    Full story in Computerworld Woody on Windows.

  • Microsoft drops KB 4577063, the “optional, non-security, E Week” patch for Win10 version 2004

    Posted on October 1st, 2020 at 13:55 woody Comment on the AskWoody Lounge

    At least they made it before F Week.

    Microsoft just pushed 48 separately identified bug fixes in KB 4577063, the E Week optional, non-security patch for Win10 version 2004.

    Looks like the Linux-under-Windows bug has been fixed, as has an uncommon bug that makes Windows appear as if your internet connection dropped. Details at BleepingComputer.

    No, you don’t want it. Wait for Patch Tuesday.

    There’s also a .NET preview for version 2004, KB 4576945.

    Looks like they fixed the Linux bug. I don’t see anything else that’s particularly interesting. Do you?