Blog Archives

MS-DEFCON 2: Patch Tuesday’s tomorrow – make sure you have Automatic Update paused

Posted on July 13th, 2020 at 03:19 woody Comment on the AskWoody Lounge

Once more around the ol’ Windows karmic wheel….

Tomorrow’s Patch Tuesday. Today’s the day you should double-check and make sure you have Windows Update paused until the end of July or so.

Details and step-by-step instructions in Computerworld Woody on Windows.

Windows Patches/Security July 2020 Black Tuesday, MS-DEFCON 2
Patch lady – don’t forget I need your feedback!

Posted on July 10th, 2020 at 14:52 Susan Bradley Comment on the AskWoody Lounge

Consumer Patching Survey

Business Patching Survey

Don’t forget – I need your feedback on windows and office updating. I’ll be closing it down after next week and tallying up the survey responses but it’s not too late to tell me (and Microsoft) what you think!

Windows Patches/Security Patch Lady Posts
MS-DEFCON 3: Time to get the June patches installed

Posted on July 8th, 2020 at 08:19 woody Comment on the AskWoody Lounge

Looks like the patching scene has stabilized sufficiently to go ahead with the June patches.

Some of the bugs have been ironed out. Others can be fixed if you know what happened, and how to get the antidotes installed.

I’m moving to MS-DEFCON 3: Get Windows and Office patches installed, but watch out for the bugs.

(No, that doesn’t include yesterday’s Office non-security patches. Nobody needs those. They’ll come back around soon enough.)

Step-by-step details in Computerworld Woody on Windows.

Windows Patches/Security June 2020 Black Tuesday, MS-DEFCON 3
Having problems with OneDrive Files on Demand? “OneDrive cannot connect to Windows.” The bug isn’t just in Win10 version 2004

Posted on July 4th, 2020 at 09:01 woody Comment on the AskWoody Lounge

On Thursday, Microsoft posted a warning entitled Issues using OneDrive Files On-Demand on some devices after updating to Windows 10, version 2004.

Long and short of it:

some older devices or devices with certain older apps installed that use legacy file system filter drivers might be unable to connect to OneDrive via the OneDrive app. Affected devices might not be able to download new Files On-Demand or open previously synced/downloaded files.

@WStjdavis2768 hit the same bug last week. Martin Brinkmann wrote about the bug yesterday.

Here’s the cute part: I’m seeing reports that the bug isn’t limited to Win10 version 2004. Other, older versions of Windows apparently trigger the same error.

I have no idea why. Do you?

Windows Patches/Security OneDrive
Those two weird Microsoft Store fixes for Windows security flaws keep getting stranger

Posted on July 4th, 2020 at 07:50 woody Comment on the AskWoody Lounge

In my monthly patch roundup, I kvetched about the bizarre (unprecedented?) security patches MS decided to distribute through the Microsoft Store. The approach to distributing the cures for CVE-2020-1425 and CVE-2020-1457 make no sense.

The Store may be the worst possible place to hide security patches except, maybe, individual emails. And the documentation for these guys rates among the worst in Microsoft’s history. Believe me, that’s saying something.

When the patches were first released on Tuesday, there was no – zero – description of the reason for the patches. Then, on Wednesday, somebody decided to enlighten us a bit and posted this:

Is Windows vulnerable in the default configuration?

No. Only customers who have installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from Microsoft Store may be vulnerable.

How do I get the updated Windows Media Codec?

Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update.

Alternatively, customers who want to receive the update immediately can check for updates with the Microsoft Store App; more information on this process can be found here.

Why are these security updates offered to affected clients via the Microsoft Store and not Windows Update?

These updates are for optional apps/components that are offered to customers as a download via the Microsoft Store. Updates for optional store apps/components are provided via the Microsoft Store.

The distribution method is riddled with all sorts of obvious holes – I mean, anybody with any sort of updating experience should’ve been able to compile a list of a half dozen ways that this could go wrong.

Then came the outright errors.

First, @abbodi86 pointed out that the first point isn’t complete (I’m giving MS the benefit of the doubt here):

The optional HEVC codec exists by default in Windows Client editions since version 1809, except N and LTSC editions.

Now, Karl Webster-Ebbinghaus has tweeted that the second and fourth points aren’t exactly right either:

CVE-2020-1425 / CVE-2020-1457 might (silently) fail with “access denied”

Günter Born on Borncity talks about the conundrum.

Yet another unholy mess.

Windows Patches/Security CVE-2020-1425, CVE-2020-1457, June 2020 Black Tuesday
June 2020 patch overview: Three different ways MS is fixing its bugs this month

Posted on July 1st, 2020 at 14:21 woody Comment on the AskWoody Lounge

June was a very strange month for Windows patching:
- A traditionally botched patch with a manual-download-only Out of Band fix
- A botched Windows patch that knocked out Outlook Click-to-Run, fixed by a fix for Outlook
- A couple of patches distributed via the Windows Store
But at least Microsoft figures Win10 version 2004 is ready for Surface computers.

Many details in Computerworld Woody on Windows.

UPDATE: The KB article was updated last night with answers to several of the questions posed in the article. Highlights:
- Only customers who have installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from Microsoft Store may be vulnerable.
- These updates are for optional apps/components that are offered to customers as a download via the Microsoft Store. Updates for optional store apps/components are provided via the Microsoft Store.
- You can check the version of the installed package. For example, click on Settings, Apps & Features and slect HEVC, Advanced Options. You will see the version there. The secure versions are 1.0.31822.0, 1.0.31823.0 and later.
ANOTHER UPDATE: @abbodi86 has a correction to the KB FAQ:
- The optional HEVC codec exists by default in Windows Client editions since version 1809, except N and LTSC editions.
That’s quite a discrepancy – especially because it basically invalidates MS’s approach to distributing the fix via the Microsoft Store.

Windows Patches/Security June 2020 Black Tuesday
Win10 codec security hole

Posted on June 30th, 2020 at 17:18 woody Comment on the AskWoody Lounge

This one’s more interesting than the typical Windows zero-day.

MS just published a Security Update for CVE-2020-1425 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability:

A remoted code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. Exploitation of the vulnerability requires that a program process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory.

(It looks like the bad codec is a piece of Windows that decompresses a video file.)

It’s listed as not exploited, not yet disclosed. So it’s a real security hole, but it hasn’t been exploited yet – so it isn’t a zero-day.

Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update. Alternatively, customers who want to receive the update immediately can check for updates with the Microsoft Store App; more information on this process can be found here.

Nothing to see here, folks.

Windows Patches/Security Codec
Win10 version 2004 deferrals gone from the user interface – but there’s a little-known Registry key that’ll keep new versions off your machine

Posted on June 26th, 2020 at 08:12 woody Comment on the AskWoody Lounge

This one’s a gem.

As you can see in the next two blog posts, Microsoft has officially taken away the “defer quality updates” and “defer feature updates” settings from the Win10 user interface. You can futz around with Group Policy entries in Pro, Education and Enterprise versions, if you want to dive in, but it’s no longer easy to keep Microsoft from offering version upgrades.

Except.

Except there’s a little-known Registry key called TargetReleaseVersionInfo that’ll keep your Pro, Education or Enterprise PC locked on to the version of your choice — at least, until Microsoft pulls the plug on that version. @abbodi86 leads the way.

Details in Computerworld Woody on Windows.

Windows 10 Releases, Windows Patches/Security TargetReleaseVersionInfo
« Older Entries

Newer Entries »

Welcome to our unique respite from the madness.

It's easy to post questions about Windows 10, Win8.1, Win7, Surface, Office, or browse through our Forums. Post anonymously or register for greater privileges. Keep it civil, please: Decorous Lounge rules strictly enforced. Questions? Contact Customer Support.

Plus Membership

Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.

AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments. Click here for details and to sign up.