
Blog Archives

  • Running a SQL Server? Heads up! You need to install this month’s patches quickly

    Posted on February 18th, 2020 at 07:25 by woody

    I just saw a notification that the SQL Server security hole known as CVE-2020-0618 has been cracked. Per Kevin Beaumont:

    Ah bums, there’s an exploit for CVE-2020-0618 (Feb 2020 SQL vuln). The good news: it’s not yet point and click. The bad news: it will be, this will be a big enterprise vuln.

    CVSS score 9.7, very easy to exploit but depends on SQL Reporting Services being installed. Some ICS solutions install it, as does Microsoft EPM (Project Server). I’ll keep thread updated if I see any scanning in the wild.

    One thing if it helps people, although the MS advisory says it only impacts SQL Server 2012+, it appears to also impact SQL Server 2008 too (which is out of support).

    He points to Jin Wook Kim’s Proof of Concept code on Github. In the comments, you can find reference to the original PoC on MDSec.co.uk.

    If you aren’t running a SQL Server, or don’t know SQL Server from a hole in the ground, no need to sweat it. But if your company has SQL Server, somebody better let the admins know.

  • Microsoft pulls KB 4524244, the infamous UEFI patch, from the Catalog

    Posted on February 15th, 2020 at 07:28 by woody

    The count of “2020-02” patches in the Catalog went down by eight overnight.

    One of them is KB 4524244, the UEFI patch that we’ve all been wondering about. As I said on Feb. 12 in Computerworld,

    The UEFI mystery of KB 4524244

    Microsoft seems to have a specific UEFI manufacturer in its sights. KB 4524244, the “Security update for Windows 10, version 1607, 1703, 1709, 1803, 1809, and 1903: February 11, 2020” is being offered, independently of the usual Cumulative Updates, on all versions of Windows 10.

    By the way, if you think Win10 version 1909 was immune from the KB 4524244 malaise, think again. Microsoft forgot to include 1909 on its master list, but KB 4524244 is included in the 1909 MS Update Catalog listing and in the WSUS listing. (Thx, PKCano.) The KB article – even its title – is clearly wrong.

    According to PKCano, one of the UEFI patches, KB 4502496, still appears in Windows Update – but it isn’t in the Catalog. Likely its appearance in Windows Update is a phantom, and in fact it won’t be installed. Do you have better info?
    Update: KB 4502496 has also been pulled.

    The KB article has been updated to say:

    Another Microsoft Friday night massacre? On a three day (US) weekend?

     

    ——

    Patch Lady edit: Spotted this interaction on Twitter. So now I know that it was a Kaspersky bootloader.

    Brian in Pittsburgh (@arekfurt)
    This has gotten surprisingly little attention. Microsoft signed a Kaspersky bootloader that could be used to bypass Secure Boot on any PC (!), then revoked it last Tuesday (that was what took two reboots if you had Cred Guard enabled). Now there are in turn issues with that fix.

     

    Alex Ionescu
    @aionescu
    1. Sign Kaspersky UEFI Rootkit (oops, “loader”) even though this wasn’t what the program was meant for, putting *everyone* at risk thanks to the DB policy.
    2. Finally release revocation (thanks )
    3. Pull back the release and indicate you won’t offer it anymore…

  • February Win10 1903 and 1909 cumulative update, KB 4532693, causing desktops to disappear

    Posted on February 13th, 2020 at 08:07 by woody

    Excellent overnight analysis from Lawrence Abrams and a surprising observation from Günter Born point at a possible smoking gun.

    Microsoft should be paying you to beta test their buggy patches.

    Details in Computerworld Woody on Windows.

    If you installed this month’s patch (NOT recommended – see MS-DEFCON 2 above) or know someone who did and got bit by this specific bug, please let me know if they’re using Avira or AVG antivirus and, if possible, which version.

  • Ongoing list of problems with the February 2020 Patch Tuesday patches

    Posted on February 12th, 2020 at 10:47 by woody

    It’s a bumper crop — not only 99 separately identified security holes getting plugged, but a whole lot of unexpected fixes.

    • Win7 free patches (including, unexpectedly, a new Malicious Software Removal Tool)
    • Win7 paid patches (Microsoft tossed in a ringer to clog up the works)
    • A Win10 UEFI patch directed at a specific manufacturer – but which one?
    • A horrible, Chicken Little “exploited” IE JScript security hole

    And a whole lot more.

    Still much, much too early to see if there are any big bugs.

    Full story in Computerworld Woody on Windows. Add your favorite bugs here!

  • February 2020 Patch Tuesday foibles

    Posted on February 11th, 2020 at 12:08 by woody

    …. and… we’re off.

    The Microsoft Update Catalog lists 151 separate patches. An enormous 99 different CVEs = individual security holes.

    The Knowledge Base article for the Win10 1903 and 1909 patches does NOT list any fixes to the very-buggy “optional non-security C/D Week” patch. I’d be most interested in hearing about the long-standing Win10 1909 File Explorer Search bugs.

    I don’t see a patch for Win7, in spite of the “Stretch”ed black wallpaper fix Preview released last week. No word on whether the manual-download-only fix is still clobbering boot files.

    Dustin Childs’s report for ZDI covers all the bases. Worthy of note:

    • That Internet Explorer JScript vulnerability, CVE 2020-0674, ADV200001 which Microsoft first talked about three weeks ago, is getting fixed. Except not for Win7, apparently, unless you pay for the patch. Microsoft lists it as being under active attack. Apparently it isn’t pressing enough to warrant an out-of-band patch, though, so those of you guarding state secrets and whistleblowers should probably worry about it sooner rather than later. The rest of us? I’ll wait until I see a widespread attack — or 0patch verifies that it’s plugged the problem.
    • The CVE 2020-0674 security hole is the only one listed as “Exploited.”

    Martin Brinkmann just posted his all-inclusive list. Five Win7 security holes that are only patched for Extended Support customers. The same five are fixed for Win8.1. Looks like Win10 versions 1803, 1809, 1903 and 1909 are all getting the same patches.

    Microsoft has released patches for every version of Win10 (except version 1511), back to the original 1507, whether they’re supported or not.

    The “classic” version of Edge is being patched, too, with 7 security holes filled. The Chromium based version of Edge was patched on Feb. 7. I’m surprised – there doesn’t seem to be a definitive statement about it – but it looks like the only fixed security holes in Chredge stem from the underlying Chromium engine.

    There are new Servicing Stack Updates for Win7/Server 2008 R2 and for Server 2008. Wonder if those were re-issued because of the deleted boot files? There’s another SSU for Win10 1903 and 1909.

    I expect we’ll hear much more about a pan-Win10 patch, KB 4524244, Security update for Windows 10, version 1607, 1703, 1709, 1803, 1809, and 1903: February 11, 2020. Childs seems to have missed it, although Brinkmann includes it. The description:

    Addresses an issue in which a third-party Unified Extensible Firmware Interface (UEFI) boot manager might expose UEFI-enabled computers to a security vulnerability.

    Seems very specific to one UEFI boot manager. I wonder which one?

  • MS-DEFCON 2: Make sure Windows is locked down in preparation for the Feb 2020 patches

    Posted on February 10th, 2020 at 13:41 by woody

    If you’re running Win10 version 1903 or 1909 and followed my instructions last month, you’re in good shape – you have Pause Update in effect for several more weeks.

    On the other hand… you really should check and make sure everything’s ready for tomorrow’s onslaught.

    Step-by-step instructions in Computerworld Woody on Windows.

    We’re at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.