{"id":17715,"date":"2020-02-12T10:30:13","date_gmt":"2020-02-12T18:30:13","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2020\/02\/12\/news-11450\/"},"modified":"2020-02-12T10:30:13","modified_gmt":"2020-02-12T18:30:13","slug":"news-11450","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2020\/02\/12\/news-11450\/","title":{"rendered":"Patch Tuesday: 99 holes, 'exploited' IE fix, Win7 mayhem and UEFI ghost"},"content":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Wed, 12 Feb 2020 09:40:00 -0800<\/strong><\/p>\n

What a month it\u2019s been \u2013 and the Patch Tuesday patches have only been out for 24 hours. There are many February patching foibles to report.<\/span><\/p>\n

Every version of Windows 10, stretching back to the beginning of time (except for the long-neglected version 1511) got patches this month.<\/span><\/p>\n

There was no free Windows 7 update this month, even though Microsoft released a Monthly Rollup Preview in January. Anyone concerned about the well-documented <\/span>\u201cStretch\u201d black wallpaper bug <\/span><\/a>caused by last month\u2019s Win7 Monthly Rollup apparently can pound sand \u2013 or manually download and <\/span>install the fix<\/span><\/a>. Your choice.<\/span><\/p>\n

It looks as if Microsoft has repaired the part of the KB 4539602 manual patch that was deleting boot files, although the <\/span>official explanation <\/span><\/a>\u00a0(SHA-2 enablement) still doesn\u2019t make sense to me.\u00a0<\/span><\/p>\n

Those of you who paid for Win7 Extended Security Updates have these patches on offer (Thx, RDRguy<\/a>.)\u00a0:<\/span><\/p>\n

Two problems. First, you\u2019ll only see those updates if you first install the patch <\/span>Microsoft released yesterday<\/span><\/a>:<\/span><\/p>\n

Second, you won\u2019t be able to see them until you get January Servicing Stack Update installed, <\/span>KB 4536952<\/span><\/a>. Many folks report that they were never offered the January SSU \u2013 remember you have to completely clear out the patch backlog before Windows Update will even show you an SSU. Alternatively, you can download and install it manually. Sound familiar?<\/span><\/p>\n

Once you have the January Servicing Stack Update installed and the next for-pay patches appear, you should also get<\/span><\/p>\n

Of course, we haven\u2019t had enough time to test any of the patches, so it\u2019s best to wait. Who knows? Maybe Microsoft will have another surprise pre-patch patch waiting.<\/span><\/p>\n

By the way\u2026, it looks as if Microsoft has backtracked on another part of its Windows 7 end-of-life saber rattling: I\u2019m seeing <\/span>many reports<\/span><\/a> that Win7 machines are getting the latest Malicious Software Removal Tool, even though MSRT updates were supposed to expire last month.<\/span><\/p>\n

Let\u2019s hear it for the \u201cyou better patch now or else, bucko\u201d contingent. This month, the patching blogosphere is alight with dire warnings about the security hole <\/span>CVE-2020-0674<\/span><\/a>, yet another IE\/JScript \u201cScripting Engine Memory Corruption Vulnerability.\u201d\u00a0<\/span><\/p>\n

This time, we\u2019re all supposed to get the January patches installed RIGHT NOW<\/em> because this horrible hole has already been exploited. Yeah, sure.\u00a0<\/span><\/p>\n

We\u2019ve heard that tune before, most recently last month when the Chicken Littles (and the U.S. National Security Agency) said the <\/span>sky was falling <\/span><\/a>because of the horrendous Crypt32.dll security hole, known as<\/span> \u201cChain Of Fools\u201d or \u201cCurveBall.\u201d <\/span><\/a>That one fizzled out, too, in spite of the government-funded hype. I don\u2019t know of any widespread CurveBall attacks \u2013 not yet, anyway.<\/span><\/p>\n

Think you need to fix CVE-2020-0674 right away? Consider. The new, new IE\/JScript \u201cexploited\u201d security hole is so threatening and ominous that Microsoft itself held back on releasing the fix. Microsoft first warned us of the security hole on Jan. 17 in <\/span>Security Advisory ADV200001<\/span><\/a>, which included a manual workaround (disabling JScript). It didn\u2019t release a fix until yesterday. If Microsoft could wait a few weeks to release the patch, my guess is that you can handily wait a few weeks to install the patch.<\/span><\/p>\n

Oh. If you followed the ADV200001 advice and manually disabled JScript, you have to <\/span>manually re-enable it<\/span><\/a> before installing this month\u2019s patch. Joke\u2019s on you.<\/span><\/p>\n

Many of us are hoping that the micro-patching company 0patch will be able to plug the security holes in Win7, without paying for (or hassling with) Microsoft\u2019s Extended Support Updates. As of this writing, 0patch has issued a fix for the \u201cexploited\u201d Internet Explorer JScript bug, but I haven\u2019t yet heard of a fix for all of the other ESU-related patches.<\/span><\/p>\n

There\u2019s a problem in paradise, though. In some cases, Firefox can crash on start if you have 0patch installed \u2013 there\u2019s a conflict between Firefox 73 and the 0patch agent. Mitja Kolsek has a <\/span>workaround posted <\/span><\/a>on the 0patch blog.<\/span><\/p>\n

Microsoft seems to have a specific UEFI manufacturer in its sites.<\/span> KB 4524244<\/span><\/a>, the \u201cSecurity update for Windows 10, version 1607, 1703, 1709, 1803, 1809, and 1903: February 11, 2020\u201d is being offered, independently of the usual Cumulative Updates, on all versions of Windows 10.\u00a0<\/span><\/p>\n

By the way, if you think Win10 version 1909 was immune from the KB 4524244 malaise, think again. Microsoft forgot to include 1909 on its <\/span>master list<\/span><\/a>, but KB 4524244 is included in the <\/span>1909 MS Update Catalog listing<\/span><\/a> and in <\/span>the WSUS listing<\/span><\/a>. (Thx, PKCano.) The KB article \u2013 even its title \u2013 is clearly wrong.<\/span><\/p>\n

Here\u2019s what\u2019s odd about that patch, aside from the fact that it isn\u2019t bundled with the cumulative updates. Microsoft is targeting one specific UEFI supplier:<\/span><\/p>\n

Addresses an issue in which a third-party Unified Extensible Firmware Interface (UEFI) boot manager might expose UEFI-enabled computers to a security vulnerability.<\/span><\/p>\n

I don\u2019t know which UEFI boot manager has been singled out for this extraordinary treatment, but if you know, I\u2019d sure appreciate a hint on AskWoody.com<\/span><\/p>\n

The patch isn\u2019t without its hazard. From LordDeath86, <\/span>on Reddit<\/span><\/a>: \u201cAfter installing the update for 1909 I got a new pending security update KB 4524244 and it always fails with error 0x800f0922. And again Google and Bing are failing me here because that error code can mean anything from bad VPN software (don’t have any) to a too small system partition (also not the case here) to a bad star constellation that sends cosmic rays into my PC and let the update fail.\u201d<\/span><\/p>\n

We\u2019re only starting to collect and collate the problems with this month\u2019s patches. If you have a tale to tell \u2013 or a question \u2013 hit us <\/span>on AskWoody.com<\/span><\/a>.<\/span><\/p>\n

http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Wed, 12 Feb 2020 09:40:00 -0800<\/strong><\/p>\n

\n
\n

What a month it\u2019s been \u2013 and the Patch Tuesday patches have only been out for 24 hours. There are many February patching foibles to report.<\/span><\/p>\n

Every version of Windows 10, stretching back to the beginning of time (except for the long-neglected version 1511) got patches this month.<\/span><\/p>\n

Welcome to the new, improved, paid-for Win7 patches<\/strong><\/h2>\n

There was no free Windows 7 update this month, even though Microsoft released a Monthly Rollup Preview in January. Anyone concerned about the well-documented <\/span>\u201cStretch\u201d black wallpaper bug <\/span><\/a>caused by last month\u2019s Win7 Monthly Rollup apparently can pound sand \u2013 or manually download and <\/span>install the fix<\/span><\/a>. Your choice.<\/span><\/p>\n

To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[13764,714,10525],"class_list":["post-17715","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-pcs","tag-security","tag-windows"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17715","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17715"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17715\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17715"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17715"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17715"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}