  • October patched security holes are getting hit hard

      • #2304451 Reply
        woody
        Da Boss

        Here’s where the threats stand as of early Thursday morning: CVE-2020-16898: “Bad Neighbor” or “Ping of Death” has a proof of concept available, but i
        [See the full post at: October patched security holes are getting hit hard]

        2 users thanked author for this post.
      • #2304473 Reply
        anonymous
        Guest

        Two proofs of concept and an “exploitation less likely” doesn’t sound like “getting hit hard”.

        • #2304475 Reply
          Paul T
          AskWoody MVP

          Try reading it with your tongue in your cheek. 🙂

          cheers, Paul

          2 users thanked author for this post.
          • #2304491 Reply
            anonymous
            Guest

            I wasn’t expecting a sarcastic headline not supported by more realistic content.

            Seems more like clickbait.

            • #2304497 Reply
              Paul T
              AskWoody MVP

              It’s a fairly normal approach from Woody, he is less than amused by the hype surrounding patches.

              cheers, Paul

              1 user thanked author for this post.
      • #2304476 Reply
        Susan Bradley
        AskWoody MVP

        https://www.zerodayinitiative.com/blog/2020/10/13/the-october-2020-security-update-review

        “CVE-2020-16947 – Microsoft Outlook Remote Code Execution Vulnerability
        This vulnerability was reported through the ZDI program, and it could allow code execution on affected versions of Outlook just by viewing a specially crafted e-mail. The Preview Pane is an attack vector here, so you don’t even need to open the mail to be impacted. The specific flaw exists within the parsing of HTML content in an email. The issue results from the lack of proper validation of the length of user-supplied data before copying it to a fixed-length heap-based buffer. Although Microsoft gives this an XI rating of 2, we have a working proof-of-concept. Patch this one quickly.”

        Susan Bradley Patch Lady

        • #2304510 Reply
          Tex265
          AskWoody Plus

          I’m confused. Is the patch for this MS Outlook coming from MS Office (I have 2016 Retail C2R) or is it included in the October Windows 10 Update?

          Windows 10 Pro x64 v1909 and Windows 7 Pro SP1 x64 (RIP)
          • #2304514 Reply
            anonymous
            Guest
            • #2304544 Reply
              Tex265
              AskWoody Plus

              OK thanks. This shows the Security fix for Outlook 2016 Retail C2R is in the Current Channel, version 2009, Build 13231.20390, dated October 13, 2020.

              Susan – have you cleared this Build as OK for installation? (I keep Office auto upgrades set to off until ready to upgrade).

              Windows 10 Pro x64 v1909 and Windows 7 Pro SP1 x64 (RIP)
              • #2304608 Reply
                Susan Bradley
                AskWoody MVP

                Yes, it’s in the click to run patches. I’m not quite ready to give the go-ahead. In the patchwatch that will be out this weekend I’m recommending to either patch or disable preview pane.

                Susan Bradley Patch Lady

          • #2304543 Reply
            anonymous
            Guest

            How do us Click to run office 2016 folks patch this? Just turn on updating on the account page and then click update now to suck down everything waiting for us? Is that what Susan is suggesting we do?

            • #2304706 Reply
              dph853
              AskWoody Plus

              This is why it is so important for Susan to be very clear when she gives advice to apply a specific patch to correct a bug in MS Office. Many do not have the ability to select which patches get installed and which do not. Statements such as the one above, “Patch this one quickly”, cause all sorts of confusion unless the advice to patch is accompanied by instructions on how to accomplish the goal on the various flavors of MS Office, especially Click-to-run versions. In this case it appears to be better for C2R users to disable the email preview screen rather than installing all available waiting updates all at once at this point in time, which is the only available option for C2R Office users.

              • This reply was modified 1 week, 4 days ago by dph853.
      • #2304495 Reply
        Fred
        AskWoody Plus

        installed these updates and brought W10 to W10Pro 1909-18363.1139
        still rather good and alive here

        ~ ~ ~
        1 user thanked author for this post.
      • #2304911 Reply
        Microfix
        AskWoody MVP

        Venkat over on Techdows is reporting that there are issues with October’s KB4579311 alongside the known MSFT published issues with this update.

        Windows Update fails to install KB4579311 with an error for some users
        Manual download and install from Microsoft Catalog update, also triggering an error
        The update is causing sign-in and freezing issues. Desktop turns to black after startup. USB network printer problems also reported.
        Explorer crashes in a loop after login and becomes unresponsive, sometimes.

        Win8.1 Pro | Linux Hybrids | Win7 Pro O/L | WinXP O/L
        1 user thanked author for this post.
        • #2304918 Reply
          woody
          Da Boss

          Sounds like typical cumulative update problems, although the KB4579311 one looks different….

      • #2304993 Reply
        CAS
        AskWoody Plus

        I installed all updates today using MS Update Catalog. KB 4577671 took forever to download and install. I had to turn off my antivirus because the install got stuck about a quarter of the way into the install.

        Windows update only offered me KB 4020357 which I hid using wsushowhide. A special “thank you” to Woody for the warning not to install it.

        I ran Belarc Advisor and it indicated that all necessary patches are now installed. Winver shows Version 1909 (OS Build 18363.1139). Just finished running Macrium Reflect. I’m tired but pleased to be done with this month’s ordeal.

        CAS

        1 user thanked author for this post.
        • #2304996 Reply
          PKCano
          Da Boss

          Did you install the SSU KB4577670?

          • #2305167 Reply
            CAS
            AskWoody Plus

            It was the first one I installed before any others, PK.
