Welcome to the August 2020 Patch Tuesday plop

Willkommen, bienvenue, welcome!
Fremde, étranger, stranger
Glücklich zu sehen, je suis enchanté, happy to see you
Bleibe, reste, stay

Patch Tuesday is upon us. Here’s a quick look at what’s coming down the pike (updated in real-enough time):

• 261 separately downloadable patches. It’s a big one.
• They fix 120 separately identified security holes (CVEs). I believe that’s a record.
• Cumulative updates for all recent versions of Win10, including KB 4566782  for Win10 version 2004 and KB 4565351 for Win10 1903 and 1909 (once again the same patch for both versions).

Great quote from Dustin Childs:

This volume – along with difficult servicing scenarios – puts extra pressure on patch management teams.

There are two “actively exploited” zero-days (notes from Childs):

• CVE-2020-1464 – Windows Spoofing Vulnerability This spoofing bug is publicly known and currently being exploited. It allows an attacker to load improperly signed files, bypassing signature verification. Microsoft does not list where this is public or how many people are affected by the attacks.
• CVE-2020-1380 – Scripting Engine Memory Corruption Vulnerability
  This bug in IE is currently under active attack. Attackers could run their code on a target system if an affected version of IE views a specially crafted website. It is not known how extensive the attacks are, but considering this bug was reported by Kaspersky, it’s reasonable to assume malware is involved.

Expect to hear lots of wailing from the blogosphere about those two security holes. “Microsoft advises hundreds of millions of Windows users to patch Right Now.” Meh. The first one is only rated “Important,” not “Critical,” which means it’s mighty obscure and likely to stay so for quite some time. As for the second one, if you’re still using Internet Explorer, you already have a sign out that says, “Kick me.”

That said, I’m deeply trouble by Mozilla’s announcement that it’s laying off 250 employees. See Catalin Cimpanu’s analysis on ZDNet.

There’s also KB 4569751 the Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 10 Version 1903 and Windows Server 1903 RTM and Windows 10, version 1909 and Windows Server, version 1909 . Odd. On the main .NET update page, this one’s listed (in the left column) as a Preview. Not likely, but it’s hard to say.

And I see Servicing Stack Update, uh, updates all over the place.

There’s a codec security hole, again, CVE-2020-1585, that’s being plugged via the Windows Store, again. Looks like you could only get the buggy codec from the Store, thus the unconventional (but increasingly more common) distribution route.

Martin Brinkmann has his usual thorough list on ghacks.net.