• July 2020 Patch Tuesday

    #2280395

    Here’s what we know about this month’s Patch Tuesday crop. Big news: There’s a bug in Windows DNS Server that’s a “wormable” Remote Code Execution vul
    [See the full post at: July 2020 Patch Tuesday]

    5 users thanked author for this post.
    • #2280396

      AKB 2000003 has been updated for Group B Win7 (ESU) and Win8.1 on July 14, 2020.

      There are Security-only and IE11 Cumulative Updates for those with Win7 ESU subscriptions.
      July Rollup KB4565524 Download 32-bit or 64-bit for those with Win7 ESU subscriptions.
      (You must have June Servicing Stack KB4562030 previously installed to receive these updates.)

      There is also a new  July Servicing Stack KB4565354. Download 32-bit or 64-bit for those with Win7 ESU subscriptions.

      UPDATE: For those of you attempting to install Win7 updates for .NET 4.5.2 and later (patches with the .exe extension), the workaround currently does not work.  See post #2280539

      The ESU_LOCK workaround is removed and no longer working

      There is a revised Licensing Preparation Package KB4538483 dated 5/5/2020 for Win7 ESU subscriptions, if you need it.

      **********

      There is a new  July Servicing Stack KB4566425  Download 32-bit or 64-bit for Win8.1

      8 users thanked author for this post.
      • #2284223

        I have a quick question that might help other Win7 users, if I’ve been using the update script from the forum can I switch to 0patch pro? Or would I have to uninstall any updates?

        I haven’t installed any updates the last 3 months, not the .net ones either.

        • #2284226

          Check the 0patch site for their requirements.
          I think you have to be up-to-date with updates as of Win7 EOS.

        • #2284233

          Due to its nature, 0patch patches a given module only if it has a security vulnerability (and they actually have/are willing to make a micropatch for it). It won’t bother with modules already vendor patched, so you can use the combination of 0patch and ESU as well (which is advisable since 0patch does not patch everything, only what they determine as highly critical, see https://0patch.com/patches.html).

    • #2280404

      Did this update remove Notepad? It completely disappeared after I installed it.

    • #2280410

      new .NET patches this July as well such as KB4566466 & KB4566517 for Win7 & .NET 3.5 to .NET 4.8

      1 user thanked author for this post.
    • #2280421

      Windows 1909 TestBeta
      July 14, 2020

      2020-07 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 10 Version 1909 for x64 (KB4565633)

      2020-07 Cumulative Update for Windows 10 Version 1909 for x64-based Systems (KB4565483)

      Installed updates from Windows Update:

      • KB4565483 installed first, and it’s a hog, folks, a p-i-g hog.
      • KB4565633 installed next.

      Rebooted as prompted and no errors.

       

      On permanent hiatus {with backup and coffee}
      offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
      offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
      online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
      1 user thanked author for this post.
      • #2280882

        the Win10 v1903 home OS on my bro’s HP Spectre x360 15 laptop automatically (and silently) downloaded & installed the KB4565483 cumulative update. manually restarted the laptop and found no problems with it. his HP Spectre laptop (which he bought in late May 2020) actually came with the 1903 version and not the 1909 version.

        so far it’s running smoothly even with the KB4565483 update – neither 1909 nor 2004 have been offered for his HP laptop yet.

    • #2280427

      SSU for W10 v1809 KB4558997 (still in support, extended to November)
      Also .NET (3.51 – 4.8) security updates for Win7 ESU through to W10

      Windows - commercial by definition and now function...
    • #2280453

      My small team has just finished evaluating the DNS server vulnerability and patch for Windows Server 2012 R2, Server 2016 and Server 2019 running DNS services (in all our cases these are also Domain Controllers.)

      Of special note;  Microsoft has also released a patch for this vulnerability for Windows Server 2012 (not R2) edition today.  I am uncertain if this will be offered via WU but as of now it IS available in the catalog at https://www.catalog.update.microsoft.com/Search.aspx?q=KB4565535

      We are currently scheduling image level backups (cold metal restorable) for tonight and will install the July 2020 updates on them in the wee hours of tomorrow morning.

      Consider this particular one a Priority One, Urgent.

      ~ Group "Weekend" ~

      2 users thanked author for this post.
    • #2280475

      My first Pro Update (after PC World $39.95 Retail Pro Upgrade) & with multi-Macrium Images I chose to Update.  1909 July CU  KB4565483 and the 3.5/4.8 Net Frmwk — both Preceded by the SSU. A simple Ethernet HP desktop, I continue flawless WU’s since Feb ’19.

      All is well so far.

      W10 Pro 22H2 / Hm-Stdnt Ofce '16 C2R / Macrium Pd vX / GP=2 + FtrU=Semi-Annual + Feature Defer = 1 + QU = 0

      • This reply was modified 4 years, 9 months ago by CraigS26.
    • #2280493

      “If you’re running a Windows DNS Server, you need to install CVE-2020-

      How do we know if we are running Windows DNS Server?

      In my TCP/IPv4 properties, I see “Obtain IP Address automatically” and also “Obtain DNS server automatically” without any reference to “Windows DNS server”.

      • This reply was modified 4 years, 9 months ago by cmar6.
      • #2280518

        Are you running a Server or just an ordinary Win10 PC? If it’s just an ordinary PC, you don’t need it.

        • #2280528

          Hi PK:

          I’m running just an ordinary PC, no server. However, I was spooked when I saw that in Windows I had “Automatically get DNS servers” on my systems. That is supposed to default to the router’s DNS server. And when I looked at the router’s Primary and Secondary DNS servers, they were in fact Microsoft’s Public Domain DNS server.

          So I would like to do nothing. Even though I’m using–by default in the router’s settings–MS Windows DNS server, if I’m not running a server on my systems, then are my router’s settings irrelevant?

          • #2280533

            Don’t worry about it if you are running an ordinary PC. Your router has nothing to do with it.

            1 user thanked author for this post.
    • #2280486

      So I’m assuming if you have Server 2008 R2 without Extended Support, then no DNS update for you?

      I tried running the update file from the catalog, and it threw an error saying “Windows Module Installer must be updated before you can install”.

      Figured this flaw was serious enough that Microsoft would give the update to everybody, but doesn’t seem so.

      Guess I’ll do the reg update then…

       

    • #2280489

      Win 8.1 Monthly Rollup, Servicing Stack and .Net Rollup (KB4566519) all installed without issue (Macrium image created first). All telemetry tasks/services are still disabled and everything appears to be working normally.

      1 user thanked author for this post.
    • #2280554

      Another Windows 10 2004 ‘Crash Test Dummy’ here (with Macrium Reflect backups to fall back on if needed, of course).

      July updates installed with no apparent problems so far. I will continue to test.

      The Defragment and Optimize Drives “amnesia bug” hasn’t been fixed yet. But, I’ll assume with the huge number of “security issues” that need to be addressed every month this is probably near the bottom of the list of things to do (maybe by the time 2009… or 2010… or whenever the next ‘big’ W10 update is released?).

      Oh, and it would be nice if MS didn’t recreate and reenable the 2 scheduled tasks and turn on the 3 services for ‘Credge’ updates when I do the monthly Windows Updates.

      I disabled and deleted the scheduled tasks and disabled the related services after I installed Credge and I just reenable the services when I want to check for Credge updates and then disable the services again until next time (the 2 scheduled tasks have never recreated and reenabled themselves until I’ve just done this month’s updates).

      I also ran my .reg file to stop Credge from ‘preloading’ into memory at Windows startup because I’m sure that would have also been reenabled. I also do that after every Credge update. “Ooohh, look – our fabulous Credge browser starts a full half a second faster than our nearest competitor”. Meh…

      Would also be nice if MS didn’t reenable Windows Defender’s Real Time Protection (and Tamper and Ransomware protection) after the monthly updates as well. I always have all of this temporarily disabled while I do updates  – not just Windows Updates but also browser updates, etc. and also when I make Macrium images.

      Not sure if that’s really necessary nowadays but I’m an old-school guy from back in the days where disabling antivirus real time protection was recommended while doing backups and updates, etc.

       

    • #2280620

      Just to report the following patches have been released for 1809:

      – KB4558998 = 2020-07 Cumulative update for Windows 10 Version 1809 (there is also a new SSU KB4558997)

      – KB4566516 = 2020-07 Cumulative Update for .NET Framework 3.5, 4.7.2 and 4.8 for Windows 10 Version 1809

      – the infamous KB4023057 is back = 2020-06 Update to Windows 10 Version 1809 for update reliability

      • This reply was modified 4 years, 9 months ago by Berserker79. Reason: added .NET update to list
    • #2280647

      The article recommends installing the patch ASAP if you run a DNS server. As you rightly say, it’s likely these are Domain Controllers. Because of their importance, is it really right to be recommending the install of those patches as opposed to prioritising the simple registry hack that will mitigate it – at least until the patches have received more testing?

      Patching seems way more risky when the mitigation is so simple and requires no reboot (just a restart of the DNS service)

      • #2280678

        Read here for more DNS Server Security Hole information and questions with answers:

        https://www.askwoody.com/forums/topic/faq-the-windows-dns-server-security-hole-cve-2020-1350-from-a-normal-users-perspective/

        • #2280690

          Ah, the “don’t trust it” (the workaround) is purely because he says he doesn’t trust admins to get it right in large estates… so human error in doing the mitigation, not that the mitigation doesn’t work.

          Fair comment, but misleading initial statement. The workaround is fine. Whether you apply it properly in your environment… that’s another thing

    • #2280689

      Read here for more DNS Server Security Hole information and questions with answers:

      https://www.askwoody.com/forums/topic/faq-the-windows-dns-server-security-hole-cve-2020-1350-from-a-normal-users-perspective/

      Thanks for the link. I see the “do not trust the workaround”, but it’s without qualification, just a feeling from someone not in Microsoft and without access to the code.

    • #2280722
    • #2280723

      Anyone else having issues with Outlook not opening after July updates?

      I am running Outlook 2019

      It opened last night no problem after updates but will not open today even in safe mode.

      • #2280726

        @arbrich I work for an MSP and a bunch of clients’ Outlook are crashing this morning. This would be due to click-to-run updates for Office 365 clients which are enabled by default and not something we can control through our RMM patching, so it definitely seems to be an issue with the July updates that just dropped yesterday. Rolling back to a previous version seems to fix it.

        1 user thanked author for this post.
        • #2280740

          You mean roll back windows updates or Office updates or both ?

    • #2280725

      We are having issues with Outlook 365 crashing today on multiple machines, assuming bugs in the most current patch?

    • #2280729

      10 Clients having Outlook issues today. Any fix yet?

       

      Brad

    • #2280743

      https://downdetector.com/status/outlook/ is reporting issues with Outlook and steadily rising.

      If you have an Outlook issue, please use main blog
      Thanks

    • #2280754

      Using previous versions works. Rolled back to a few hours ago on one system, tested OK. Have about 20 systems showing same issue, thanks Office updates!

    • #2280781

      What is best way to rollback Office updates for OFFICE 365 and also for Office 2019 Pro Plus ?

      Thanks

       

    • #2280990

      Light weight user. Not a lot of software loaded.
      W10 32Bit, W10 HP 64Bit, W10Pro 64Bit. All updated. Good-2-Go !
      https://www.flickr.com/photos/762_photo/50078227663/

    • #2281136

      This time I got burned. Thankfully I had run Macrium previously, so I was able to restore to that point. I’ll call it a learning experience 🙂

      • #2281137

        What update did you attempt to install?

        What was the error?

    • #2281140

      This time I got burned. Thankfully I had run Macrium previously, so I was able to restore to that point. I’ll call it a learning experience

      The Askwoody MS-DEFCON at the top of EVERY page is there to serve a purpose, it’s not for decoration. At least you had a backup image to restore from..imagine if you didn’t 😐

    • #2281538

      Is anyone, other than me, having problems with C2R Word 2016 after the July MS-Office updates? Now, when I log in to my machine (Win10/Pro), Word automatically opens up. This is a new phenomenon. I’ve checked C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup and that folder is empty. I’ve checked for the problem in the TaskManager and I’ve checked the TaskScheduler, but the automatic startup doesn’t seem to be emanating from there. I’ve done a Google search and the same thing happened in 2017 and was said to be due to a problem with the update for Word.

      The Product Activation page at the bottom for ‘About Word’ says that it’s running 2006 13001.20384 (released July 14) and clicking on the About Word icon brings up a screen that says 16.13001.20266 (released June 30). [These two build numbers are always different for some reason.]

      I have C2R 2019 Word on another laptop and that edition of Word does not automatically come up when logging into that machine.

      Both machines are up-to-date with the June patches, as of July 13.

      I have a sense that the problem is with the 2016 C2R Word update and would like to know if others are having the same problem.

    • #2281555

      I checked out your link.    Word had been closed in the previous session by clicking on the X.  Maybe, it was hanging in the background, but I saw no evidence of this in TaskManager.

      Word was not opening multiple times upon login, only once, so I tried the simplest solution (first post).

      1. Open Word
      2. Open to TaskManager>Details> Find WINWORD.EXE, right-click, choose ‘End Task’, answer ‘End process’, close Task Manager.
      3. Close all other apps.
      4. Shut down
      5. Power-up

      Word does not open automatically now in the next login, not even if I open WORD again in the next login and close by clicking on the X, then shut down, and power up again. In other words, ‘End Task’ via the Task Manager seems to stop it forever after from automatically opening upon login (unless you forget to close it before shut-down).

      We’ll see if the solution is really ‘forever after’, though.

      1 user thanked author for this post.
    • #2281775

      Win 10 1909 64 bit.  Downloaded SSU update KB4565554 and July CU KB4565483 from MS Update Catalog, both standalone installed OK, two PCs stable for 3 days.

       

    • #2282358

      Heads up.

      The preview patches have arrived in the Windows Update queue.

      2020-07 Cumulative Update Preview for .NET Framework 3.5 and 4.8 for Windows 10 Version 1909 for x64 (KB4562900) which got installed as soon as I pressed check for updates.

      2020-07 Cumulative Update Preview for Windows 10 Version 1909 for x64-based Systems (KB4559004) which is an Optional Update waiting to be installed. (It won’t be installed.)

       

    • #2282380

      Patch C :

      Windows 10 version 1909 or 1903 KB4559004 (18363.997 / 18362.997)
      https://www.catalog.update.microsoft.com/Search.aspx?q=KB4559004

      Windows 10 version 1809 KB4559003 (17763.1369)
      https://www.catalog.update.microsoft.com/Search.aspx?q=KB4559003

    • #2283426
      1 user thanked author for this post.
    • #2283458

      Demystifying Windows 10 Feature Update Blocks
      https://www.asquaredozen.com/2020/07/26/demystifying-windows-10-feature-update-blocks/

      Thanks.

      You should post the link on Windows 10 2004 forum as a new topic.

    • #2285390

      I tried to post this yesterday (7/31/2020), but it got blocked by WordFence.

      TL;DR It’s possible the July .NET update, KB4565633, breaks the “daily” Windows Update scan task in the Task Scheduler.

      I had a little weirdness this month. I’m running Win 10 Pro 1909. I have a quality update deferral of 15 days set and a feature update deferral of 90 days set (they’re via Windows Update Advanced Options).  I also have GPOs set to prevent Windows Update from downloading drivers and to have Windows Update notify that updates are available for download.

      On 7/29 at 7:31 AM, Windows Update did its “daily” check for updates; found KB4565633, the .NET update for July (not the preview); and said it was available for download. Windows Update did not show KB4565483, the July CU for 1909.

      I don’t remember the exact time I first looked at Windows Update. Sometime later in the day, I opened an “elevated” PowerShell window. Using the Get-WUList cmdlet from the PSWindowsUpdate module I have installed, it told me that both the .NET update and the CU were available. Apparently, Microsoft pushed the .NET update before the CU and my automatic Windows Update scan just happened to run so that the 15 day deferral limit was over for the .NET update but not for the CU. That’s not the weirdness; that’s just serendipity.

      Anyway, via Windows Update, I downloaded and installed the .NET update at 4:42 PM on 7/29 and dutifully rebooted the PC. There were no apparent issues from that, but I didn’t use the PC the rest of the day after that reboot. I should probably note that I use the sleep command when I’m done using the PC for the day and only reboot/shutdown as needed.

      The weirdness starts on 7/30. I knew the CU was available so, after I logged in, I opened Windows Update expecting to see it available for download. It wasn’t there. Further, the last scan was still the one from 7/29 at 7:31 AM. I know Windows Update scans “daily”; it’s roughly every 24 hours, but there’s some randomness. I thought maybe the scan just hadn’t run yet. I checked several times through the day but, as far as Windows Update was concerned, the “daily” scan never ran on 7/30.

      When I logged in this morning (7/31), Windows Update was still showing the last scan was 7/29 at 7:31 AM. I opened up the Task Scheduler and found the Windows Update task. The history showed the task had run this morning. The history said the task had completed successfully, but the last part of the history said “sc.exe” had a return code of 2147943456.

      Scrolling back through the history to 7/30, I found the same result. Looking at the task’s entry in the main window, there was no “Next Run Time” set. I admit to a little bemusement that the Task Scheduler thought it successfully completed a task that didn’t run properly. Anyway, I couldn’t find anything useful during a quick Google search for sc.exe and the return code. I decided to run the Windows Update troubleshooter, but it found no problems.

      I didn’t want to click the “Check for Updates” button in Windows Update, so I turned back to PowerShell and used the Get-WUList cmdlet from the PSWindowsUpdate module to see if it would show me the CU. To my surprise, it did. I don’t know why Get-WUList worked but the scheduled task didn’t. The PSWindowsUpdate module is using the same services/programs Windows uses for Windows Updates. The only thing I can think of is the module is directly calling those services/programs and not using the sc.exe program. Since I was seeing the July CU in PowerShell, I decided to use the Get-WUInstall cmdlet from the PSWindowsUpdate module to try and install it. This worked and the PC rebooted without issue. What’s more, shortly after I rebooted, an automatic Windows Update scan ran successfully and found no updates. (More serendipity; I just happened to open Windows Update as the scan was running.) The Task Scheduler shows a “Next Run Entry” for tomorrow morning.

      I have no idea how the “daily” Windows Update scan task “automagically” fixed itself, but it did. Since I hadn’t done any other updating (no application changes, no driver updates, etc.) after installing the .NET update on 7/29, I suspect something didn’t go quite right with that installation. Whether it’s a problem with the actual .NET update or it was just some transient glitch in Windows Update, I don’t know. As far as I can tell, the actual updates for .NET installed correctly. It’s hard to be certain because I don’t really know what programs on my system actually use .NET. I have opened a large number of my applications and none have failed.

      I have also run a number of diagnostics using dism and sfc since installing the CU this morning. They all report no problems with the PC. At this point, I’m pretty sure things are back to normal here.

      Addendum: since I’m actually posting this on Saturday, 8/1/2020, I’ve looked in Windows Update this morning and the daily scan has run and shows no available updates, as it should.

      1 user thanked author for this post.
      • #2285491

        Thank you. Using the sleep function I too noticed unwanted pc activity and a secret .Net update lately. It looks like all is pushing the pc to version 2004+.

        * _ ... _ *
      • #2285634

        the sc.exe scheduled task is not the one directly responsible for the daily or scheduled scans
        it merely ensures the WU service starts daily, and the service itself checks its trigger timers and schedule span

        you can see some of those trigger info with this command
        powercfg /waketimers
        sc qtriggerinfo wuauserv

        or convert WU trace logs to normal text log using powershell cmdlet Get-WindowsUpdateLog

        the triggers and schedule scans are also affected by server-side Assessment, represented by registry key
        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WaaSAssessment]

        by the way, code 2147943456 = 0x80070420 = An instance of the service is already running
        so it’s not really an error

        i highly doubt if .NET update has anything to do with this weirdness 🙂

        2 users thanked author for this post.
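
Added example (not part of the thread and not written by any poster): the reply above reads Task Scheduler's decimal return code 2147943456 as 0x80070420. This PowerShell function does that decoding for any such code by splitting it into its HRESULT fields and, when the facility is Win32, asking Windows for the message text. The function name ConvertFrom-TaskResultCode is hypothetical.

```powershell
# Added example, not from the thread. ConvertFrom-TaskResultCode is a hypothetical name.
function ConvertFrom-TaskResultCode {
    [CmdletBinding()]
    param(
        # Accepts the unsigned form (2147943456) or the signed form some tools show.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [int64]$Code
    )
    process {
        # Normalise to an unsigned 32-bit value. A decimal mask is used because
        # PowerShell reads the literal 0xFFFFFFFF as the signed Int32 value -1.
        [int64]$value = $Code -band [int64]4294967295

        # HRESULT layout: bit 31 = severity, bits 16-26 = facility, bits 0-15 = code.
        $severity = [int](($value -shr 31) -band 1)
        $facility = [int](($value -shr 16) -band 0x7FF)
        $status   = [int]($value -band 0xFFFF)

        # Facility 7 (FACILITY_WIN32) wraps an ordinary Win32 error number, which
        # Windows can translate to (localised) text. Other facilities are left as-is.
        $message = $null
        if ($facility -eq 7) {
            $message = (New-Object System.ComponentModel.Win32Exception -ArgumentList $status).Message
        }

        [pscustomobject]@{
            Decimal      = $value
            Hex          = '0x{0:X8}' -f $value
            SeverityBit  = $severity
            Facility     = $facility
            Code         = $status
            Win32Message = $message
        }
    }
}

# The return code quoted in the thread, in its unsigned and signed decimal forms.
2147943456, -2147023840 | ConvertFrom-TaskResultCode | Format-List
```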