October patched security holes are getting hit hard

Topic

New Reply

Here’s where the threats stand as of early Thursday morning: CVE-2020-16898: “Bad Neighbor” or “Ping of Death” has a proof of concept available, but i
[See the full post at: October patched security holes are getting hit hard]

2 users thanked author for this post.

jburk07, Fred

Reply | Quote

Replies

Two proofs of concept and an “exploitation less likely” doesn’t sound like “getting hit hard”.

Reply | Quote

Try reading it with your tongue in your cheek.

cheers, Paul

2 users thanked author for this post.

SueW, Moonbear

Reply | Quote

I wasn’t expecting a sarcastic headline not supported by more realistic content.

Seems more like clickbait.

Reply | Quote

It’s a fairly normal approach from Woody, he is less than amused by the hype surrounding patches.

cheers, Paul

1 user thanked author for this post.

woody

Reply | Quote

[Susan Bradley]

https://www.zerodayinitiative.com/blog/2020/10/13/the-october-2020-security-update-review

“-       CVE-2020-16947 – Microsoft Outlook Remote Code Execution Vulnerability
This vulnerability was reported through the ZDI program, and it could allow code execution on affected versions of Outlook just by viewing a specially crafted e-mail. The Preview Pane is an attack vector here, so you don’t even need to open the mail to be impacted. The specific flaw exists within the parsing of HTML content in an email. The issue results from the lack of proper validation of the length of user-supplied data before copying it to a fixed-length heap-based buffer. Although Microsoft gives this an XI rating of 2, we have a working proof-of-concept. Patch this one quickly.”

Susan Bradley Patch Lady/Prudent patcher

• This reply was modified 4 years, 7 months ago by Susan Bradley.

Reply | Quote

I’m confused.   Is the patch for this MS Outlook coming from MS Office (I have 2016 Retail C2R) or is it included in the October Windows 10 Update?

Windows 11 Pro v24H2 and Windows 10 Pro x64 v22H2

Reply | Quote

Office: Release notes for Microsoft Office security updates

Reply | Quote

OK thanks.  This shows the Security fix for Outlook 2016 Retail C2R is in the Current Channel, version 2009, Build 13231.20390, dated October 13, 2020.

Susan – have you cleared this Build as OK for installation?  (I keep Office auto upgrades set to off until ready to upgrade).

Windows 11 Pro v24H2 and Windows 10 Pro x64 v22H2

Reply | Quote

Yes it’s in the click to run patches,  I’m not quite ready to give the go-ahead.  In the patchwatch that will be out this weekend I’m recommending to either patch or disable preview pane.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

How do us Click to run office 2016 folks patch this? Just turn on updating on the account page and then click update now to suck down everything waiting for us? Is that what Susan is suggesting we do?

Reply | Quote

[dph853]

This is why it is so important for Susan to be very clear when she gives advice to apply a specific patch to correct a bug in MS office. Many do not have the ability to select which patches get installed and which do not. Statements such as the one above above “Patch this one quickly” cause all sorts of confusion unless the advice to patch is accompanied by instructions on how to accomplish the goal on the various flavors of MS Office especially Click-to-run versions. In this case it appears to be better for C2R users to disable the email preview screen rather than installing all available waiting updates all at once at this point in time which is the only available option for C2R Office users.

• This reply was modified 4 years, 7 months ago by dph853.

Reply | Quote

installed these updates and brough W10 to W10Pro 1909-18363.1139
still rather good and alive here

* _ ... _ *

1 user thanked author for this post.

jburk07

Reply | Quote

Venkat over on Techdows is reporting that there are issues with Octobers kb4579311 alongside the known MSFT published issues with this update.

Windows Update fails to install KB4579311 with an error for some users
Manual download and install from Microsoft Catalog update, also triggering an error
The update is causing sign-in and freezing issues. Desktop turns to black after startup. USB network printer problems also reported.
Explorer crashes in a loop after login and becomes unresponsive, sometimes.

Windows - commercial by definition and now function...

1 user thanked author for this post.

woody

Reply | Quote

Sounds like typical cumulative update problems, although the KB4579311 one looks different….

Reply | Quote

I installed all updates today using MS Update Catalog. KB 4577671 took forever to download and install. I had to turn off my antivirus because the install got stuck about a quarter of the way into the install.

Windows update only offered me KB 4020357 which I hid using wsushowhide. A special “thank you” to Woody for the warning not to install it

I ran Belarc Advisor and it indicated that all necessary patches are now installed. Winver shows Version 1909 (OS Build 18363.1139). Just finished running Macrium Reflect. I’m tired but pleased to be done with this month’s ordeal.

CAS

1 user thanked author for this post.

jburk07

Reply | Quote

Did you install the SSU KB4577670?

Reply | Quote

It was the first one I installed before any others, PK.

Reply | Quote