Newsletter Archives

  • MS-DEFCON 3: Get the October patches installed

    We’re seeing some funny business with the ancillary patches this month, but the mainstream Windows cumulative updates and Office patches look good to go.

    Big question is whether you want to upgrade from Win10 version 1909 to version 2004. I have a few observations. Bottom line: Susan Bradley has upgraded her 1909 machines to 2004. I’m still sitting on a fence. Really, there’s exactly nothing in 2004 that most people will want.

    Step-by-step details in Computerworld Woody on Windows.

  • Where we stand with the October patches

    The run-of-the-mill cumulative updates had all the usual problems. But the other patches were a bit odd.

    I’m still amazed that the cumulative updates went out with a hard bug in an HP app, but HP has fixed its wayward ways.

    And we still don’t have the announced security fix for Microsoft Dynamics 365 Commerce.

    Winter – and version 20H2 – are coming.

    Details in Computerworld Woody on Windows.

  • Another HEVC codec bug fixed via the Microsoft Store – plus a couple of updates on this month’s mayhem

    Back in July I wrote about two weird Microsoft Store patches for a couple of security holes in the HEVC codecs, which are programs that Microsoft created to let you play Apple HEVC files. (Protip: You probably don’t have them, unless you’ve installed codecs from the Store.)

    Now comes word that we have another identified security hole in that same HEVC codecs,


    This warning isn’t for everybody. Per MS,

    Only customers who have installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from Microsoft Store may be vulnerable.

    So unless you’ve specifically downloaded the Microsoft codec, you don’t need to worry about it – but be aware that this one is also coming through Windows Update the Microsoft Store. There’s a lengthy discussion of versions in the KB article.

    The announcement also says that CVE-2020-17022 is a security hole in Remote Desktop Services, but it isn’t. Be calm, grasshopper.

    There’s also a bug for Visual Studio programmers, CVE-2020-17023, which involves opening a nasty package.json file. If you’re using Visual Studio, watch out.

    Finally, we have CVE-2020-16943, which was just updated (the original notice was released on Patch Tuesday). The problem? This security hole is in Microsoft Dynamics 365 Commerce. Microsoft posted about the fix on Patch Tuesday and then decided, two days later, to tell people that it doesn’t yet have a fix:

    The security update for Dynamics 365 Commerce is not immediately available. The update will be released as soon as possible, and when it becomes available, customers will be notified via a revision to this CVE information.


  • October patched security holes are getting hit hard

    Here’s where the threats stand as of early Thursday morning:

    CVE-2020-16898: “Bad Neighbor” or “Ping of Death” has a proof of concept available, but it just triggers a bluescreen. US Cyber Command tweets “CVE-2020-16898 in particular should be patched or mitigated immediately, as vulnerable systems could be compromised remotely.” But Kevin Beaumont says, “I wouldn’t panic about the IPv6 thing personally, just keep calm and patch as usual.” Kevin reports that he’s seen a fake exploit.

    CVE-2020-16951 and CVE-2020-16952 SharePoint Server security holes have a new proof of concept, but the holes only occur on SharePoint Server 2016 and 2019. If you’re running either of those Server versions, get patched, but everybody else is immune.

    CVE-2020-16947 Outlook 2016/Office 2019/Microsoft 365 vulnerability – which can crawl in via Outlook if you simply preview an infected email – doesn’t have any outstanding proof of concepts, as best I can tell.

    Bottom line: I don’t see any reason to install this month’s patches just yet, unless you’re running SharePoint Server 2016 or 2019.

  • Microsoft re-releases buggy July .NET Security Only patches

    Microsoft just announced that it has re-issued the buggy July .NET Security Only patches identified as CVE–2020-1147, and covering a gazillion different KBs. Okay, I overspoke. Maybe half a gazillion.

    The bug? Ahem:

    After you apply this update, some applications experience a TypeInitializationException exception when they try to deserialize System.Data.DataSet or System.Data.DataTable instances from the XML within a SQL CLR stored procedure.

    You had to ask.

    Anyway, if you see a .NET patch from July suddenly appear in October, you need to install it, and now you know why.

    UPDATE: @PKCano has the gory details – including KB numbers for the re-released Security Only patches for Win7 and Server 2008 R2 – posted here.

  • Running SharePoint Server? Better get this security hole plugged soon.

    Very few of you are running SharePoint Servers, but for those of you who do, this is an important heads-up. From AttackerKB:

    On Tuesday, October 13, as part of the October 2020 Patch Tuesday release, Microsoft published a security advisory for CVE-2020-16952, a server-side include (SSI) vulnerability in Microsoft SharePoint. The bug is exploitable by an authenticated user with page creation privileges, which is a standard permission in SharePoint, and allows the leaking of an arbitrary file, notably the application’s web.config file, which can be used to trigger remote code execution (RCE) via .NET deserialization. CVE-2020-16952 carries a CVSSv3 base score of 8.6…

    An easily available proof-of-concept makes CVE-2020-16952 an impending threat. There are no reports of exploitation in the wild as of October 13, 2020.

    Affected products

      • Microsoft SharePoint Foundation 2013 Service Pack 1

      • Microsoft SharePoint Enterprise Server 2016

      • Microsoft SharePoint Server 2019

    Full details on the Rapid7 site.

    Thx, Patch Lady.

  • October 2020 Microsoft Patch Tuesday updates are rolling out

    The patches have been released.

    There are 365 new entries for October, 2020 Patch Tuesday in the Microsoft Update Catalog.

    There are 1838 vulnerabilities listed in the Microsoft Security Response Center for October.

    Dustin Childs just posted his usual in-depth analysis on the Zero Day Initiative blog:

    • Adobe released one patch for October to fix a single vulnerability in Flash.
    • Microsoft released patches to correct 87 CVEs. Of these, 11 are Critical, 75 listed as Important, and one as Moderate.

    None of the bugs are listed as being under attack at the present, but 6 are listed as publicly known at the time of release.

    KB 4580325 — 2020-10 Security Update for Adobe Flash Player on Win8.1 and Win10. The Flash Player update for Win7 should be downloaded from Adobe.

    According to Sergiu Gatlin at BleepingComputer Windows 10 now blocks some third-party drivers from installation

    Microsoft says that Windows 10 and Windows Server users will be blocked from installing incorrectly formatted third-party drivers after deploying this month’s cumulative updates.

    “When installing a third-party driver, you might receive the error, ‘Windows can’t verify the publisher of this driver software’,” Microsoft says.

    “You might also see the error, ‘No signature was present in the subject’ when attempting to view the signature properties using Windows Explorer.”

    This issue is caused by improperly formatted driver catalog files that trigger the errors during the driver validation process as Microsoft explains.

    Starting with the October 2020 updates, Windows requires DER-encoded PKCS#7 content to be valid and correctly embedded in catalog files.

    “Catalogs files must be signed per section 11.6 of describing DER-encoding for SET OF members in X.690,” Microsoft adds.

    Users who encounter these errors while attempting to install a third-party driver are advised to ask their driver vendor or device manufacturer (OEM) for an updated and correctly signed driver.

    Affected Windows platforms include client (from Windows 8.1 up to Windows 004) and server versions (from Windows Server 2012 R2 up to Windows Server, version 2004).

    Martin Brinkman has his usual thorough rundown on

    A reminder if you are on Windows 10 v1809 or v1903. It is time to think about moving to a later version. V1809 reaches EOS on 2020-11-10 and v1903 on 2020-12-08.

  • MS-DEFCON 2: Incoming! Pause Windows and Office patches

    October Patch Tuesday is just around the corner.

    Now’s a good time to make sure you have “Pause” set on your Win10 machines (or that you turn off Automatic Update on your Win7 and 8.1 machines).

    Full step-by-step details in Computerworld Woody on Windows.

  • October 2020 Office non-Security Updates have been released

    The October 2020 Office non-Security updates have been released Tuesday, October 6, 2020. They are not included in the DEFCON-4 approval for the September 2020 patches. Unless you have a specific need to install them, you should wait until Susan Bradley (Patch Lady) approves them and any problems have been reported.

    Remember, Susan’s patching sequence and  recommendations are based on a business environment that has IT support and may have time constraints on the updating process. Consumer patching should be more cautious due to limited technical and mechanical resources. The latter is the reason for the AskWoody DEFCON system.

    Office 2016
    Update for Microsoft Office 2016 (KB4475584)
    Update for Microsoft Project 2016 (KB4484502)
    Update for Microsoft Visio 2016 (KB4484333)
    Update for Skype for Business 2016 (KB4486669)

    There were no non-security listings for Office 2007 (which is out of support), for Office 2010 which will reach End of Support 10/13/2020, or for Office 2013 .

    Updates are for the .msi version (persistent). Office 365 and C2R are not included.

    Security updates for all supported versions of Microsoft Office are released on the second Tuesday of the month (Patch Tuesday).