Daily Archives: October 15, 2020
-
Another HEVC codec bug fixed via the Microsoft Store – plus a couple of updates on this month’s mayhem
Back in July I wrote about two weird Microsoft Store patches for a couple of security holes in the HEVC codecs, which are programs that Microsoft created to let you play Apple HEVC files. (Protip: You probably don’t have them, unless you’ve installed codecs from the Store.)
Now comes word that we have another identified security hole in those same HEVC codecs.
This warning isn’t for everybody. Per MS,
Only customers who have installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from Microsoft Store may be vulnerable.
So unless you’ve specifically downloaded the Microsoft codec, you don’t need to worry about it – but be aware that this one is also coming through the Microsoft Store, not Windows Update. There’s a lengthy discussion of versions in the KB article. The announcement also says that CVE-2020-17022 is a security hole in Remote Desktop Services, but it isn’t. Be calm, grasshopper.
There’s also a bug for Visual Studio programmers, CVE-2020-17023, which involves opening a nasty package.json file. If you’re using Visual Studio, watch out.
Finally, we have CVE-2020-16943, which was just updated (the original notice was released on Patch Tuesday). The problem? This security hole is in Microsoft Dynamics 365 Commerce. Microsoft posted about the fix on Patch Tuesday and then decided, two days later, to tell people that it doesn’t yet have a fix:
The security update for Dynamics 365 Commerce is not immediately available. The update will be released as soon as possible, and when it becomes available, customers will be notified via a revision to this CVE information.
Golly.
-
Win10 version 2004 systemwide password “amnesia” – a fix?
I wrote about this unusual – but very frustrating – bug a month ago:
The upgrade to 2004 applies fine, but I keep getting prompted for passwords to sign into applications, Google, Facebook, Outlook, and others. It seems the credential manager is not remembering passwords with a local admin account. It will for a while, but the password is getting wiped out.
@WarningU2 has found a workaround that involves running a specific (and formidable) PowerShell command.
The bug’s still there. But it looks like this one command makes things work again.
-
October patched security holes are getting hit hard
Here’s where the threats stand as of early Thursday morning:
CVE-2020-16898: “Bad Neighbor” or “Ping of Death” has a proof of concept available, but it just triggers a bluescreen. US Cyber Command tweets “CVE-2020-16898 in particular should be patched or mitigated immediately, as vulnerable systems could be compromised remotely.” But Kevin Beaumont says, “I wouldn’t panic about the IPv6 thing personally, just keep calm and patch as usual.” Kevin reports that he’s seen a fake exploit.
CVE-2020-16951 and CVE-2020-16952 SharePoint Server security holes have a new proof of concept, but the holes only occur on SharePoint Server 2016 and 2019. If you’re running either of those Server versions, get patched, but everybody else is immune.
CVE-2020-16947, the Outlook 2016/Office 2019/Microsoft 365 vulnerability – which can crawl in via Outlook if you simply preview an infected email – doesn’t have any outstanding proofs of concept, as best I can tell.
Bottom line: I don’t see any reason to install this month’s patches just yet, unless you’re running SharePoint Server 2016 or 2019.