Newsletter Archives

  • October patched security holes are getting hit hard

    Here’s where the threats stand as of early Thursday morning:

    CVE-2020-16898: “Bad Neighbor” or “Ping of Death” has a proof of concept available, but it just triggers a bluescreen. US Cyber Command tweets “CVE-2020-16898 in particular should be patched or mitigated immediately, as vulnerable systems could be compromised remotely.” But Kevin Beaumont says, “I wouldn’t panic about the IPv6 thing personally, just keep calm and patch as usual.” Kevin reports that he’s seen a fake exploit.

    CVE-2020-16951 and CVE-2020-16952 SharePoint Server security holes have a new proof of concept, but the holes only occur on SharePoint Server 2016 and 2019. If you’re running either of those Server versions, get patched, but everybody else is immune.

    CVE-2020-16947 Outlook 2016/Office 2019/Microsoft 365 vulnerability – which can crawl in via Outlook if you simply preview an infected email – doesn’t have any outstanding proofs of concept, as best I can tell.

    Bottom line: I don’t see any reason to install this month’s patches just yet, unless you’re running SharePoint Server 2016 or 2019.

  • Microsoft experiments with pushing Office progressive web apps onto Win10 machines – without your permission

    I like PWAs, but this is no way to get the ball rolling. (There’s a good discussion of Progressive Web Apps on Wikipedia.)

    Microsoft has PWA versions of five apps: Word, Excel, PowerPoint, Outlook and OneNote. You can manually install the PWA versions of those apps on your Win10 machine by using Edge (navigate to the app in the Windows Store, click Settings, Apps, Install this site as an app). You end up with Start menu entries for each. Click on one of the Start entries, and the web-based version of the app appears, inside a minimal browser shell.

    Mayank Parmar over on Windows Latest noticed:

    Microsoft now appears to be experimenting with a new feature that will add [the PWA version of] Office apps to your Windows 10 device without your permission.

    The rollout isn’t happening on all machines. Says Parmar:

    Over the weekend, Microsoft updated the Chromium Edge (Stable) for Windows 10 to quietly install four Office web apps on some devices. This ‘feature’ appears to be rolling out to select testers in the Windows Insider program, but it could also show up on non-Insider machines.

    Günter Born calls them “Windows 10 behavior as a malware?” He’s got a good point – although, to be fair, it looks like the only machines being targeted right now are actively in the Insider Program.

    Lawrence Abrams at BleepingComputer says:

    Those who do not wish to have these PWAs installed can uninstall them directly in Microsoft Edge through the edge://apps URL or via the Programs and Features Settings page [in Windows 10].

    Surprise!

  • Microsoft re-releases buggy July .NET Security Only patches

    Microsoft just announced that it has re-issued the buggy July .NET Security Only patches identified as CVE-2020-1147, which cover a gazillion different KBs. Okay, I overspoke. Maybe half a gazillion.

    The bug? Ahem:

    After you apply this update, some applications experience a TypeInitializationException exception when they try to deserialize System.Data.DataSet or System.Data.DataTable instances from the XML within a SQL CLR stored procedure.

    You had to ask.

    Anyway, if you see a .NET patch from July suddenly appear in October, you need to install it, and now you know why.

    UPDATE: @PKCano has the gory details – including KB numbers for the re-released Security Only patches for Win7 and Server 2008 R2 – posted here.

  • What you need to know about today’s Apple event

    From Nathan Parker:

    Apple hosted a virtual event on October 13. This was one of the most exciting Apple events I have watched. Here is the bottom line of the major product announcements:

    HomePod mini: Smaller circular design, 360 degree audio, S5 chip (Apple Watch chip, not an A Series chip), Computational Audio optimizes each audio when played, new Intercom support arriving to all Apple devices, stronger emphasis on being a home assistant, emphasis on privacy, $99 (versus $299 for the larger HomePod).

    iPhone 12: Now includes 5G, new design similar to iPhone 4 and 5, iPhone mini option (6.1” vs 6.4” display on the larger iPhone 12), Ceramic Shield offers better protection (including better spill and splash resistance), new colors, A14 Bionic chip, OLED comes to iPhone 12, Dual Cameras with Night Mode, Night Mode Selfies, Deep Fusion, Smart HDR 3 and Portrait Mode, Night Mode Time Lapse, record and edit video in Dolby Vision, support for MagSafe accessories (magnetic chargers, cases, wallets, etc.), faster wireless charging.

    iPhone 12 Pro: Includes everything on the iPhone 12 with 6.1” and 6.7” display options, smaller bezels, four colors including Pacific Blue (stainless steel bands instead of aluminum), LiDAR sensors, four cameras with expanded Night Mode, ProRAW support (the ability to shoot RAW on a phone camera), HDR video recording.

    A few additional things to know:

    • iPhone 12 mmWave support is limited to the US
    • Apple is including three months of Apple Arcade in addition to a free year of Apple TV+
    • iPhone 12 models no longer come with EarPods and a power adapter, but do include a USB-C cable (this extends to future iPhone 11, XR, and SE purchases)
    • iOS 14.1 and iPadOS 14.1 were also released today; watchOS 7.0.2 was released recently as well

  • Running SharePoint Server? Better get this security hole plugged soon.

    Very few of you are running SharePoint Servers, but for those of you who do, this is an important heads-up. From AttackerKB:

    On Tuesday, October 13, as part of the October 2020 Patch Tuesday release, Microsoft published a security advisory for CVE-2020-16952, a server-side include (SSI) vulnerability in Microsoft SharePoint. The bug is exploitable by an authenticated user with page creation privileges, which is a standard permission in SharePoint, and allows the leaking of an arbitrary file, notably the application’s web.config file, which can be used to trigger remote code execution (RCE) via .NET deserialization. CVE-2020-16952 carries a CVSSv3 base score of 8.6…

    An easily available proof-of-concept makes CVE-2020-16952 an impending threat. There are no reports of exploitation in the wild as of October 13, 2020.

    Affected products

      • Microsoft SharePoint Foundation 2013 Service Pack 1

      • Microsoft SharePoint Enterprise Server 2016

      • Microsoft SharePoint Server 2019

    Full details on the Rapid7 site.

    Thx, Patch Lady.

  • How to block Win10 version 20H2

    Microsoft’s ready to push that puppy out the update chute. You don’t want it until it’s been thoroughly tested, and tested again.

    Susan Bradley and I have teamed up to take you step-by-step through the process for blocking Win10 version 20H2 until you’re good ‘n ready to install it.

    Details in this Computerworld How-To.

  • MS-DEFCON 2: Incoming! Pause Windows and Office patches

    October Patch Tuesday is just around the corner.

    Now’s a good time to make sure you have “Pause” set on your Win10 machines (or that you turn off Automatic Update on your Win7 and 8.1 machines).

    Full step-by-step details in Computerworld Woody on Windows.
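
    A read-only PowerShell check, added here and not part of the newsletter, that reports whether a machine is in the state the two items above call for: updates paused on Win10 (or Automatic Update off on Win7/8.1) and, for the 20H2 item, whether a feature-update version lock is in place. The registry paths and value names used (the UX\Settings pause timestamps, the TargetReleaseVersion policy, AUOptions) are assumptions about what Windows writes; confirm them on your own build.

```powershell
# Added example (not from the newsletter): read-only report of the Windows Update
# state the two items above ask you to verify. Registry paths and value names are
# assumptions about what Windows writes; nothing here changes any setting.
$ux  = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

function Get-RegValue($Path, $Name) {
    # Returns $null instead of throwing when the key or value is absent.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$build = [int](Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' 'CurrentBuildNumber')

if ($build -ge 10240) {
    # Windows 10: the Settings app "Pause updates" button records an ISO-8601 expiry here
    # (assumed value name). A timestamp in the past means the pause has already lapsed.
    $expiry = Get-RegValue $ux 'PauseUpdatesExpiryTime'
    if ($expiry -and ([datetime]$expiry) -gt (Get-Date)) {
        "Updates are PAUSED until $expiry"
    } else {
        "WARNING: updates are NOT paused; this month's patches will install when offered"
    }
    # Feature-update version lock (assumed policy values) used to hold a machine on its
    # current version so a new release such as 20H2 is not offered.
    $lock = Get-RegValue $pol 'TargetReleaseVersion'
    $ver  = Get-RegValue $pol 'TargetReleaseVersionInfo'
    if ($lock -eq 1 -and $ver) {
        "Feature updates are locked to version $ver"
    } else {
        "NOTE: no TargetReleaseVersion lock set; a new feature update may be offered"
    }
} else {
    # Windows 7 / 8.1: AUOptions 1 = "Never check for updates". A policy value, when
    # present, overrides the user-level setting, so check the policy key first.
    $opt = Get-RegValue "$pol\AU" 'AUOptions'
    if ($null -eq $opt) { $opt = Get-RegValue $au 'AUOptions' }
    if ($opt -eq 1) {
        "Automatic Update is OFF (AUOptions=1)"
    } else {
        "WARNING: Automatic Update is enabled (AUOptions=$opt)"
    }
}
```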

  • Patch Lady – End of support coming for many Windows versions

    From Patch Lady:

    Just a kind reminder… there are some end-of-life dates coming up for several versions:

    If you are running Enterprise, Education or IoT Enterprise, 1709 drops off support after this Tuesday.

    If you are running Home, Pro or Pro Education, you need to be moving off 1809 after 11-10-2020, and if you are on 1903 you need to be right behind them, as it drops out of support on December 8, 2020.

    Enterprise, Education and IoT Enterprise also drop out of support 12-8-2020.