Todd Schell

Microsoft Patch Tuesday, October 2020 Edition

It’s Cybersecurity Awareness Month! In keeping with that theme, if you (ab)use Microsoft Windows computers you should be aware the company shipped a bevy of software updates today to fix at least 87 security problems in Windows and programs that run on top of the operating system. That means it’s once again time to backup and patch up.

Eleven of the vulnerabilities earned Microsoft’s most-dire “critical” rating, which means bad guys or malware could use them to gain complete control over an unpatched system with little or no help from users.

Worst in terms of outright scariness is probably CVE-2020-16898, which is a nasty bug in Windows 10 and Windows Server 2019 that could be abused to install malware just by sending a malformed packet of data at a vulnerable system. CVE-2020-16898 earned a CVSS Score of 9.8 (10 is the most awful).

Security vendor McAfee has dubbed the flaw “Bad Neighbor,” and in a blog post about it said a proof-of-concept exploit shared by Microsoft with its partners appears to be “both extremely simple and perfectly reliable,” noting that this sucker is imminently “wormable” — i.e. capable of being weaponized into a threat that spreads very quickly within networks.

“It results in an immediate BSOD (Blue Screen of Death), but more so, indicates the likelihood of exploitation for those who can manage to bypass Windows 10 and Windows Server 2019 mitigations,” McAfee’s Steve Povolny wrote. “The effects of an exploit that would grant remote code execution would be widespread and highly impactful, as this type of bug could be made wormable.”

Trend Micro’s Zero Day Initiative (ZDI) calls special attention to another critical bug quashed in this month’s patch batch: CVE-2020-16947, which is a problem with Microsoft Outlook that could result in malware being loaded onto a system just by previewing a malicious email in Outlook.

“The Preview Pane is an attack vector here, so you don’t even need to open the mail to be impacted,” said ZDI’s Dustin Childs.

While there don’t appear to be any zero-day flaws in October’s release from Microsoft, Todd Schell from Ivanti points out that a half-dozen of these flaws were publicly disclosed prior to today, meaning bad guys have had a jump start on being able to research and engineer working exploits.

Other patches released today tackle problems in Exchange Server, Visual Studio, .NET Framework, and a whole mess of other core Windows components.

For any of you who’ve been pining for a Flash Player patch from Adobe, your days of waiting are over. After several months of depriving us of Flash fixes, Adobe’s shipped an update that fixes a single — albeit critical — flaw in the program that crooks could use to install bad stuff on your computer just by getting you to visit a hacked or malicious website.

Chrome and Firefox both now disable Flash by default, and Chrome and IE/Edge auto-update the program when new security updates are available. Mercifully, Adobe is slated to retire Flash Player later this year, and Microsoft has said it plans to ship updates at the end of the year that will remove Flash from Windows machines.

It’s a good idea for Windows users to get in the habit of updating at least once a month, but for regular users (read: not enterprises) it’s usually safe to wait a few days until after the patches are released, so that Microsoft has time to iron out any chinks in the new armor.

But before you update, please make sure you have backed up your system and/or important files. It’s not uncommon for a Windows update package to hose one’s system or prevent it from booting properly, and some updates even have known to erase or corrupt files.

So do yourself a favor and backup before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

Microsoft Patch Tuesday, Sept. 2020 Edition

Microsoft today released updates to remedy nearly 130 security vulnerabilities in its Windows operating system and supported software. None of the flaws are known to be currently under active exploitation, but 23 of them could be exploited by malware or malcontents to seize complete control of Windows computers with little or no help from users.

The majority of the most dangerous or “critical” bugs deal with issues in Microsoft’s various Windows operating systems and its web browsers, Internet Explorer and Edge. September marks the seventh month in a row Microsoft has shipped fixes for more than 100 flaws in its products, and the fourth month in a row that it fixed more than 120.

Among the chief concerns for enterprises this month is CVE-2020-16875, which involves a critical flaw in the email software Microsoft Exchange Server 2016 and 2019. An attacker could leverage the Exchange bug to run code of his choosing just by sending a booby-trapped email to a vulnerable Exchange server.

“That doesn’t quite make it wormable, but it’s about the worst-case scenario for Exchange servers,” said Dustin Childs, of Trend Micro’s Zero Day Initiative. “We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that requires authentication. We’ll likely see this one in the wild soon. This should be your top priority.”

Also not great for companies to have around is CVE-2020-1210, which is a remote code execution flaw in supported versions of Microsoft Sharepoint document management software that bad guys could attack by uploading a file to a vulnerable Sharepoint site. Security firm Tenable notes that this bug is reminiscent of CVE-2019-0604, another Sharepoint problem that’s been exploited for cybercriminal gains since April 2019.

Microsoft fixed at least five other serious bugs in Sharepoint versions 2010 through 2019 that also could be used to compromise systems running this software. And because ransomware purveyors have a history of seizing upon Sharepoint flaws to wreak havoc inside enterprises, companies should definitely prioritize deployment of these fixes, says Alan Liska, senior security architect at Recorded Future.

Todd Schell at Ivanti reminds us that Patch Tuesday isn’t just about Windows updates: Google has shipped a critical update for its Chrome browser that resolves at least five security flaws that are rated high severity. If you use Chrome and notice an icon featuring a small upward-facing arrow inside of a circle to the right of the address bar, it’s time to update. Completely closing out Chrome and restarting it should apply the pending updates.

Once again, there are no security updates available today for Adobe’s Flash Player, although the company did ship a non-security software update for the browser plugin. The last time Flash got a security update was June 2020, which may suggest researchers and/or attackers have stopped looking for flaws in it. Adobe says it will retire the plugin at the end of this year, and Microsoft has said it plans to completely remove the program from all Microsoft browsers via Windows Update by then.

Before you update with this month’s patch batch, please make sure you have backed up your system and/or important files. It’s not uncommon for Windows updates to hose one’s system or prevent it from booting properly, and some updates even have known to erase or corrupt files.

So do yourself a favor and backup before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

Microsoft Patch Tuesday, May 2020 Edition

Microsoft today issued software updates to plug at least 111 security holes in Windows and Windows-based programs. None of the vulnerabilities were labeled as being publicly exploited or detailed prior to today, but as always if you’re running Windows on any of your machines it’s time once again to prepare to get your patches on.

May marks the third month in a row that Microsoft has pushed out fixes for more than 110 security flaws in its operating system and related software. At least 16 of the bugs are labeled “Critical,” meaning ne’er-do-wells can exploit them to install malware or seize remote control over vulnerable systems with little or no help from users.

But focusing solely on Microsoft’s severity ratings may obscure the seriousness of the flaws being addressed this month. Todd Schell, senior product manager at security vendor Ivanti, notes that if one looks at the “exploitability assessment” tied to each patch — i.e., how likely Microsoft considers each can and will be exploited for nefarious purposes — it makes sense to pay just as much attention to the vulnerabilities Microsoft has labeled with the lesser severity rating of “Important.”

Virtually all of the non-critical flaws in this month’s batch earned Microsoft’s “Important” rating.

“What is interesting and often overlooked is seven of the ten [fixes] at higher risk of exploit are only rated as Important,” Schell said. “It is not uncommon to look to the critical vulnerabilities as the most concerning, but many of the vulnerabilities that end up being exploited are rated as Important vs Critical.”

For example, Satnam Narang from Tenable notes that two remote code execution flaws in Microsoft Color Management (CVE-2020-1117) and Windows Media Foundation (CVE-2020-1126) could be exploited by tricking a user into opening a malicious email attachment or visiting a website that contains code designed to exploit the vulnerabilities. However, Microsoft rates these vulnerabilities as “Exploitation Less Likely,” according to their Exploitability Index.

In contrast, three elevation of privilege vulnerabilities that received a rating of “Exploitation More Likely” were also patched, Narang notes. These include a pair of “Important” flaws in Win32k (CVE-2020-1054, CVE-2020-1143) and one in the Windows Graphics Component (CVE-2020-1135). Elevation of Privilege vulnerabilities are used by attackers once they’ve managed to gain access to a system in order to execute code on their target systems with elevated privileges. There are at least 56 of these types of fixes in the May release.

Schell says if your organization’s plan for prioritizing the deployment of this month’s patches stops at vendor severity or even CVSS scores above a certain level you may want to reassess your metrics.

“Look to other risk metrics like Publicly Disclosed, Exploited (obviously), and Exploitability Assessment (Microsoft specific) to expand your prioritization process,” he advised.

As it usually does each month on Patch Tuesday, Adobe also has issued updates for some of its products. An update for Adobe Acrobat and Reader covers two dozen critical and important vulnerabilities. There are no security fixes for Adobe’s Flash Player in this month’s release.

Just a friendly reminder that while many of the vulnerabilities fixed in today’s Microsoft patch batch affect Windows 7 operating systems — including all three of the zero-day flaws — this OS is no longer being supported with security updates (unless you’re an enterprise taking advantage of Microsoft’s paid extended security updates program, which is available to Windows 7 Professional and Windows 7 enterprise users).

If you rely on Windows 7 for day-to-day use, it’s time to think about upgrading to something newer. That something might be a PC with Windows 10. Or maybe you have always wanted that shiny MacOS computer.

If cost is a primary motivator and the user you have in mind doesn’t do much with the system other than browsing the Web, perhaps a Chromebook or an older machine with a recent version of Linux is the answer (Ubuntu may be easiest for non-Linux natives). Whichever system you choose, it’s important to pick one that fits the owner’s needs and provides security updates on an ongoing basis.

Keep in mind that while staying up-to-date on Windows patches is a must, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re not losing your mind when the odd buggy patch causes problems booting the system.

So backup your files before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips. Also, keep an eye on the AskWoody blog from Woody Leonhard, who keeps a reliable lookout for buggy Microsoft updates each month.

Further reading:

SANS Internet Storm Center breakdown by vulnerability and severity

Microsoft’s Security Update catalog

BleepingComputer on May 2020 Patch Tuesday