Patch Tuesday: 99 holes, 'exploited' IE fix, Win7 mayhem and UEFI ghost

Credit to Author: Woody Leonhard | Date: Wed, 12 Feb 2020 09:40:00 -0800

What a month it’s been – and the Patch Tuesday patches have only been out for 24 hours. There are many February patching foibles to report.

Every version of Windows 10, stretching back to the beginning of time (except for the long-neglected version 1511) got patches this month.

There was no free Windows 7 update this month, even though Microsoft released a Monthly Rollup Preview in January. Anyone concerned about the well-documented “Stretch” black wallpaper bug caused by last month’s Win7 Monthly Rollup apparently can pound sand – or manually download and install the fix. Your choice.

It looks as if Microsoft has repaired the part of the KB 4539602 manual patch that was deleting boot files, although the official explanation (SHA-2 enablement) still doesn’t make sense to me.

Those of you who paid for Win7 Extended Security Updates have these patches on offer (Thx, RDRguy.):

Two problems. First, you’ll only see those updates if you first install the patch Microsoft released yesterday:

Second, you won’t be able to see them until you get January Servicing Stack Update installed, KB 4536952. Many folks report that they were never offered the January SSU – remember you have to completely clear out the patch backlog before Windows Update will even show you an SSU. Alternatively, you can download and install it manually. Sound familiar?

Once you have the January Servicing Stack Update installed and the next for-pay patches appear, you should also get

Of course, we haven’t had enough time to test any of the patches, so it’s best to wait. Who knows? Maybe Microsoft will have another surprise pre-patch patch waiting.

By the way, it looks as if Microsoft has backtracked on another part of its Windows 7 end-of-life saber rattling: I’m seeing many reports that Win7 machines are getting the latest Malicious Software Removal Tool, even though MSRT updates were supposed to expire last month.

Let’s hear it for the “you better patch now or else, bucko” contingent. This month, the patching blogosphere is alight with dire warnings about the security hole CVE-2020-0674, yet another IE/JScript “Scripting Engine Memory Corruption Vulnerability.”

This time, we’re all supposed to get the January patches installed RIGHT NOW because this horrible hole has already been exploited. Yeah, sure.

We’ve heard that tune before, most recently last month when the Chicken Littles (and the U.S. National Security Agency) said the sky was falling because of the horrendous Crypt32.dll security hole, known as “Chain Of Fools” or “CurveBall.” That one fizzled out, too, in spite of the government-funded hype. I don’t know of any widespread CurveBall attacks – not yet, anyway.

Think you need to fix CVE-2020-0674 right away? Consider. The new, new IE/JScript “exploited” security hole is so threatening and ominous that Microsoft itself held back on releasing the fix. Microsoft first warned us of the security hole on Jan. 17 in Security Advisory ADV200001, which included a manual workaround (disabling JScript). It didn’t release a fix until yesterday. If Microsoft could wait a few weeks to release the patch, my guess is that you can handily wait a few weeks to install the patch.

Oh. If you followed the ADV200001 advice and manually disabled JScript, you have to manually re-enable it before installing this month’s patch. Joke’s on you.
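A pre-patch check for the situation just described, added here and not part of the original article: ADV200001’s published workaround restricted the Everyone group’s access to jscript.dll with an explicit Deny entry, so this script reports whether that Deny entry is still present on the file(s) before the update is installed. The paths and the Everyone SID (S-1-1-0) are standard Windows values; everything else is the example’s own.

```powershell
# Added example (not from the article): report whether the ADV200001 JScript
# workaround (a Deny ACE for Everyone on jscript.dll) is still in place.
# Run from an elevated PowerShell prompt before installing the cumulative update.

$paths = @("$env:windir\System32\jscript.dll")
if ([Environment]::Is64BitOperatingSystem) {
    # 64-bit Windows also carries a 32-bit copy under SysWOW64
    $paths += "$env:windir\SysWOW64\jscript.dll"
}

$everyoneSid = 'S-1-1-0'   # well-known SID of the Everyone group

foreach ($p in $paths) {
    if (-not (Test-Path -Path $p)) {
        Write-Output "$p : not present on this system"
        continue
    }

    $acl = Get-Acl -Path $p

    # Translate each ACE's principal to a SID so a localized "Everyone" name still matches
    $denyForEveryone = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $everyoneSid
    }

    if ($denyForEveryone) {
        Write-Output "$p : ADV200001 workaround STILL ACTIVE (Deny ACE for Everyone) - remove it before patching"
    } else {
        Write-Output "$p : no Deny ACE for Everyone found"
    }
}
```

Any file reported as still restricted needs the advisory’s own undo step applied (removing the Deny entry) before this month’s patch is installed.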

Many of us are hoping that the micro-patching company 0patch will be able to plug the security holes in Win7, without paying for (or hassling with) Microsoft’s Extended Support Updates. As of this writing, 0patch has issued a fix for the “exploited” Internet Explorer JScript bug, but I haven’t yet heard of a fix for all of the other ESU-related patches.

There’s a problem in paradise, though. In some cases, Firefox can crash on start if you have 0patch installed – there’s a conflict between Firefox 73 and the 0patch agent. Mitja Kolsek has a workaround posted on the 0patch blog.

Microsoft seems to have a specific UEFI manufacturer in its sights. KB 4524244, the “Security update for Windows 10, version 1607, 1703, 1709, 1803, 1809, and 1903: February 11, 2020” is being offered, independently of the usual Cumulative Updates, on all versions of Windows 10.

By the way, if you think Win10 version 1909 was immune from the KB 4524244 malaise, think again. Microsoft forgot to include 1909 on its master list, but KB 4524244 is included in the 1909 MS Update Catalog listing and in the WSUS listing. (Thx, PKCano.) The KB article – even its title – is clearly wrong.

Here’s what’s odd about that patch, aside from the fact that it isn’t bundled with the cumulative updates. Microsoft is targeting one specific UEFI supplier:

Addresses an issue in which a third-party Unified Extensible Firmware Interface (UEFI) boot manager might expose UEFI-enabled computers to a security vulnerability.

I don’t know which UEFI boot manager has been singled out for this extraordinary treatment, but if you know, I’d sure appreciate a hint on AskWoody.com.

The patch isn’t without its hazard. From LordDeath86, on Reddit: “After installing the update for 1909 I got a new pending security update KB 4524244 and it always fails with error 0x800f0922. And again Google and Bing are failing me here because that error code can mean anything from bad VPN software (don’t have any) to a too small system partition (also not the case here) to a bad star constellation that sends cosmic rays into my PC and lets the update fail.”

We’re only starting to collect and collate the problems with this month’s patches. If you have a tale to tell – or a question – hit us on AskWoody.com.
