Microsoft re-releases buggy July .NET Security Only patches

Topic

New Reply

Microsoft just announced that it has re-issued the buggy July .NET Security Only patches identified as CVE–2020-1147, and covering a gazillion differ
[See the full post at: Microsoft re-releases buggy July .NET Security Only patches]

2 users thanked author for this post.

rontpxz81, abbodi86

Reply | Quote

Replies

Please re-read the logic of your post.

Reply | Quote

Nothing wrong with a bit of tongue in cheek commentary. 

cheers, Paul

1 user thanked author for this post.

woody

Reply | Quote

From Microsoft.

Summary
=======

The following CVEs have undergone a major revision increment:

* CVE-2019-1181
* CVE-2019-1182
* CVE-2020-1147

Revision Information:
=====================

* CVE-2019-1181

– CVE-2019-1181 | Remote Desktop Services Remote Code Execution Vulnerability
– https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1181

– Version 2.0
– Reason for Revision: Revised the Security Updates table to add Microsoft Remote
Desktop for Android, Microsoft Remote Desktop for Mac, and Microsoft Remote Desktop
for Mac IoS because these apps are affected by this vulnerability. Microsoft
recommends that customers running any of these apps install the latest security
update to be fully protected from this vulnerability. Please see the FAQ section
for information on how to get these updates.
– Originally posted: August 13, 2020
– Updated: October 13, 2020
– Aggregate CVE Severity Rating: Critical

* CVE-2019-1182

– CVE-2019-1182 | Remote Desktop Services Remote Code Execution Vulnerability
– https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1182

– Version 2.0
– Reason for Revision: Revised the Security Updates table to add Microsoft Remote
Desktop for Android, Microsoft Remote Desktop for Mac, and Microsoft Remote Desktop
for Mac IoS because these apps are affected by this vulnerability. Microsoft
recommends that customers running any of these apps install the latest security
update to be fully protected from this vulnerability. Please see the FAQ section
for information on how to get these updates.
– Originally posted: August 13, 2020
– Updated: October 13, 2020
– Aggregate CVE Severity Rating: Critical

* CVE-2020-1147

– CVE-2020-1147 | .NET Framework, SharePoint Server, and Visual Studio Remote Code
Execution Vulnerability
– https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1147

– Version 2.0
– Reason for Revision: To comprehensively address CVE-2020-1147, Microsoft has released
the following: October Security Updates for all affected versions of .NET Framework
installed on Windows 10; October 2020 Monthly Rollup updates AND updated versions of
the Security Only updates released in July 2020 for all affected versions of .NET
Framework installed on Windows 8.1, Windows Server 2012 R2, Windows Server 2012,
Windows 7, Windows Server 2008 R2, and Windows Server 2008. Microsoft strongly
recommends that customers install the updates to be fully protected from the
vulnerability. Customers who install the Security Only updates should ensure that
they re-install the updates after October 13. Customers whose systems are configured
to receive automatic updates do not need to take any further action.
– Originally posted: July 14, 2020
– Updated: October 13, 2020
– Aggregate CVE Severity Rating: Critical

**************************************************************************************

1 user thanked author for this post.

woody

Reply | Quote

Microsoft re-releases buggy July .NET Security Only patches”

So if the .net patch from July is buggy, why the recommendation to install it?

Reply | Quote

This is NOT the .Net Security & Quality Rollup issued through Windows Update.
It is a Security-only Rollup that is downloadable from the Microsoft Catalog only.

The recommendation is NOT to install the buggy July patch.
The recommendation is to install the FIXED patch re-released on Oct. 13 Patch Tuesday to correct the bugs in the July update.

Reply | Quote

[JCpharm]

Is this the  KB (4578974) .NET patch?

Win10 Pro

• This reply was modified 4 years, 7 months ago by JCpharm.

Reply | Quote

[PKCano]

The buggy .NET Security-only Rollups were KB4566466 for Win7 and KB4566468 for Win8.1 released in July.

They have been FIXED and re-released on Oct Patch Tuesday.

• This reply was modified 4 years, 7 months ago by PKCano.

1 user thanked author for this post.

JCpharm

Reply | Quote

[CraigS26]

JCpharm wrote:

Is this the KB (4578974) .NET patch?

Ref Buggy July Patch fix ….Yes for my 1909. Search showed 7/14/20 Orig Publish and latest Oct 13 ’20.

W10 Pro 22H2 / Hm-Stdnt Ofce '16 C2R / Macrium Pd vX / GP=2 + FtrU=Semi-Annual + Feature Defer = 1 + QU = 0

• This reply was modified 4 years, 7 months ago by CraigS26.

Reply | Quote

Install  .NET patches or NOT install????

In Ms Bradley’s 12 Oct 2020 article “How to block the Windows 10 October 2020 Update, version 20H2, from installing”

Under step 3, she said “If you’re on version 1909 or 2004, don’t click that link. If you want to avoid installing Windows 10 version 20H2, don’t click the Download and install link. And always remember — you don’t want to click Check for updates, as this will offer up optional .NET updates on your system that you don’t want installed.”

On Oct 13, 2020 Woody posted this note: “Microsoft re-releases buggy July .NET Security Only patches” where he said “Anyway, if you see a .NET patch from July suddenly appear in October, you need to install it, and now you know why.”

Please advise what the .NET patch means to the average user and when should they be installed
—————————————
Win Pro 2004 OS Build 19041.508

Reply | Quote

The .NET patches in question were Security-only for Win7 and Win8.1 that were downloadable only from the MS Catalog. If you have not been downloading SOs and manually installing them, you have nothing to worry about.

However, if this was your case, for Win7 see #2304011
If you need the info about Win8.1 .NET SO patches re-released from July, let me know ans I will give you the necessary links.

The .NET patches for Win10 are Previews, not the Patch Tuesday Security .NET CUs. We don’t recommend installing Previews, so that is what Susan was referring to.

1 user thanked author for this post.

DKThompson

Reply | Quote

In the title, or immediately below the title in a subtitle/other entry one must always include the OSs affected 7, and/or 8/8.1 and/or  10/versions. But “Security Only” does give a hint that it’s 7/8/8.1 sort of issue, if I’m correct.

I’m Windows 10 Home(1909), take it all eventually, Edition after all the Pause Updates clicks  expire.

 

1 user thanked author for this post.

DKThompson

Reply | Quote

You are right about including the version numbers.

BUT, Win10 does not have Security-only patches of any kind. So you would not be seeing anything like that.

Win7/8.1 Security-only patches are never released through Windows Update. They are MS Catalog download only and manual install. So even Win7/8.1 users would not receive them unknowingly.

1 user thanked author for this post.

DKThompson

Reply | Quote

Win 10 2004: I am Paused and have a “Resume Update” button. Will the re-release show below that if needed  or if I Resume Update will that get both the re release buggy patch AND the new Oct patches? Or do I need to go to Update Catalog and download the re release. Thanks

Reply | Quote

The re-released .NET Security-only patches are for WIn7 and Win8.1 only. They are not even issued through Windows Update for these two versions. They are manual download/install only.

They are NOT for Win10. Win10 does not have Security-only anything.

1 user thanked author for this post.

J9438

Reply | Quote

PKCano wrote:

The re-released .NET Security-only patches are for WIn7 and Win8.1 only. They are not even issued through Windows Update for these two versions. They are manual download/install only.

They are NOT for Win10. Win10 does not have Security-only anything.

Also for Windows 8/2012 Server.

No matter where you go, there you are.

Reply | Quote