Newsletter Archives

  • Ongoing list of problems with the February 2020 Patch Tuesday patches

    It’s a bumper crop — not only 99 separately identified security holes getting plugged, but a whole lot of unexpected fixes.

    • Win7 free patches (including, unexpectedly, a new Malicious Software Removal Tool)
    • Win7 paid patches (Microsoft tossed in a ringer to clog up the works)
    • A Win10 UEFI patch directed at a specific manufacturer – but which one?
    • A horrible, Chicken Little “exploited” IE JScript security hole

    And a whole lot more.

    Still much, much too early to see if there any big bugs.

    Full story in Computerworld Woody on Windows. Add your favorite bugs here!

  • February 2020 Patch Tuesday foibles

    …. and… we’re off.

    The Microsoft Update Catalog lists 151 separate patches. An enormous 99 different CVEs = individual security holes.

    The Knowledge Base article for the Win10 1903 and 1909 patches does NOT list any fixes to the very-buggy “optional non-security C/D Week” patch. I’d be most interested in hearing about the long-standing Win10 1909 File Explorer Search bugs.

    I don’t see a patch for Win7, in spite of the “Stretch”ed black wallpaper fix Preview released last week. No word on whether the manual-download-only fix is still clobbering boot files.

    Dustin Childs’s report for ZDI covers all the bases. Worthy of note:

    • That Internet Explorer JScript vulnerability, CVE 2020-0674, ADV200001 which Microsoft first talked about three weeks ago, is getting fixed. Except not for Win7, apparently, unless you pay for the patch. Microsoft lists it as being under active attack. Apparently it isn’t pressing enough to warrant an out-of-band patch, though, so those of you guarding state secrets and whistleblowers should probably worry about it sooner rather than later. The rest of us? I’ll wait until I see a widespread attack — or 0patch verifies that it’s plugged the problem.
    • The CVE 2020-0674 security hole is the only one listed as “Exploited.”

    Martin Brinkmann just posted his all-inclusive list. Five Win7 security holes that are only patched for Extended Support customers. The same five are fixed for Win8.1. Looks like Win10 versions 1803, 1809, 1903 and 1909 are all getting the same patches.

    Microsoft has released patches for every version of Win10 (except version 1511), back to the original 1507, whether they’re supported or not.

    The “classic” version of Edge is being patched, too, with 7 security holes filled. The Chromium based version of Edge was patched on Feb. 7. I’m surprised – there doesn’t seem to be a definitive statement about it – but it looks like the only fixed security holes in Chredge stem from the underlying Chromium engine.

    There are new Servicing Stack Updates for Win7/Server 2008 R2 and for Server 2008. Wonder if those were re-issued because of the deleted boot files? There’s another SSU for Win10 1903 and 1909.

    I expect we’ll hear much more about a pan-Win10 patch, KB 4524244, Security update for Windows 10, version 1607, 1703, 1709, 1803, 1809, and 1903: February 11, 2020. Childs seems to have missed it, although Brinkmann includes it. The description:

    Addresses an issue in which a third-party Unified Extensible Firmware Interface (UEFI) boot manager might expose UEFI-enabled computers to a security vulnerability.

    Seems very specific to one UEFI boot manager. I wonder which one?

  • MS-DEFCON 2: Make sure Windows is locked down in preparation for the Feb 2020 patches

    If you’re running Win10 version 1903 or 1909 and followed my instructions last month, you’re in good shape – you have Pause Update in effect for several more weeks.

    On the other hand… you really should check and make sure everything’s ready for tomorrow’s onslaught.

    Step-by-step instructions in Computerworld Woody on Windows.

    We’re at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.