Newsletter Archives

• Welcome to the August 2020 Patch Tuesday plop

  Posted on August 11, 2020 at 12:04 CDT by woody • Comment in the Forums

  Willkommen, bienvenue, welcome!
  Fremde, étranger, stranger
  Glücklich zu sehen, je suis enchanté, happy to see you
  Bleibe, reste, stay

  Patch Tuesday is upon us. Here’s a quick look at what’s coming down the pike (updated in real-enough time):

  • 261 separately downloadable patches. It’s a big one.
  • They fix 120 separately identified security holes (CVEs). I believe that’s a record.
  • Cumulative updates for all recent versions of Win10, including KB 4566782  for Win10 version 2004 and KB 4565351 for Win10 1903 and 1909 (once again the same patch for both versions).

  Great quote from Dustin Childs:

  This volume – along with difficult servicing scenarios – puts extra pressure on patch management teams.

  There are two “actively exploited” zero-days (notes from Childs):

  • CVE-2020-1464 – Windows Spoofing Vulnerability This spoofing bug is publicly known and currently being exploited. It allows an attacker to load improperly signed files, bypassing signature verification. Microsoft does not list where this is public or how many people are affected by the attacks.
  • CVE-2020-1380 – Scripting Engine Memory Corruption Vulnerability
    This bug in IE is currently under active attack. Attackers could run their code on a target system if an affected version of IE views a specially crafted website. It is not known how extensive the attacks are, but considering this bug was reported by Kaspersky, it’s reasonable to assume malware is involved.

  Expect to hear lots of wailing from the blogosphere about those two security holes. “Microsoft advises hundreds of millions of Windows users to patch Right Now.” Meh. The first one is only rated “Important,” not “Critical,” which means it’s mighty obscure and likely to stay so for quite some time. As for the second one, if you’re still using Internet Explorer, you already have a sign out that says, “Kick me.”

  That said, I’m deeply trouble by Mozilla’s announcement that it’s laying off 250 employees. See Catalin Cimpanu’s analysis on ZDNet.

  There’s also KB 4569751 the Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 10 Version 1903 and Windows Server 1903 RTM and Windows 10, version 1909 and Windows Server, version 1909 . Odd. On the main .NET update page, this one’s listed (in the left column) as a Preview. Not likely, but it’s hard to say.

  And I see Servicing Stack Update, uh, updates all over the place.

  There’s a codec security hole, again, CVE-2020-1585, that’s being plugged via the Windows Store, again. Looks like you could only get the buggy codec from the Store, thus the unconventional (but increasingly more common) distribution route.

  Martin Brinkmann has his usual thorough list on ghacks.net.

  Windows Patches/Security August 2020 Black Tuesday

• MS-DEFCON 2: In preparation for the August 2020 Patch Tuesday, make sure automatic updating is turned off

  Posted on August 10, 2020 at 07:00 CDT by woody • Comment in the Forums

  Tomorrow’s the second Tuesday of the month – and  many of you know that means Microsoft has a wad of patches waiting to go barreling down the automatic update chute.

  There’s no reason to install any of the patches immediately, and loads of reasons to hold off until we’ve heard back from the early adopters (who frequently post here with tales of woe).

  Save yourself some gray hair and take a few minutes to make sure Windows Update is paused. You need to install the patches sooner or later, but not right away.

  We’ll keep up with the latest here, of course.

  Step-by-step details in Computerworld Woody on Windows.

  Windows Patches/Security August 2020 Black Tuesday, MS-DEFCON 2
• Newer Entries »