13 Aug 19

Patch Tuesday, August 2019 Edition

Most Microsoft Windows (ab)users probably welcome the monthly ritual of applying security updates about as much as they look forward to going to the dentist: It always seems like you were there just yesterday, and you never quite know how it’s all going to turn out. Fortunately, this month’s patch batch from Redmond is mercifully light, at least compared to last month.

Okay, maybe a trip to the dentist’s office is still preferable. In any case, today is the second Tuesday of the month, which means it’s once again Patch Tuesday (or — depending on your setup and when you’re reading this post — Reboot Wednesday). Microsoft today released patches to fix some 93 vulnerabilities in Windows and related software, 35 of which affect various Server versions of Windows, and another 70 that apply to the Windows 10 operating system.

Although there don’t appear to be any zero-day vulnerabilities fixed this month — i.e. those that get exploited by cybercriminals before an official patch is available — there are several issues that merit attention.

Chief among those are patches to address four moderately terrifying flaws in Microsoft’s Remote Desktop Service, a feature which allows users to remotely access and administer a Windows computer as if they were actually seated in front of the remote computer. Security vendor Qualys says two of these weaknesses can be exploited remotely without any authentication or user interaction.

“According to Microsoft, at least two of these vulnerabilities (CVE-2019-1181 and CVE-2019-1182) can be considered ‘wormable’ and [can be equated] to BlueKeep,” Qualys wrote, referring to a dangerous bug patched earlier this year that Microsoft warned could be used to spread another WannaCry-like ransomware outbreak. “It is highly likely that at least one of these vulnerabilities will be quickly weaponized, and patching should be prioritized for all Windows systems.”

Fortunately, Remote Desktop is disabled by default in Windows 10, and as such these flaws are more likely to be a threat for enterprises that have enabled the application for various purposes. For those keeping score, this is the fourth time in 2019 Microsoft has had to fix critical security issues with its Remote Desktop service.
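
One way to check the exposure described above, as an added example that is not part of the original post: a read-only PowerShell script that reports whether a Windows machine accepts Remote Desktop connections and whether Network Level Authentication (NLA) is required before a session is created. The registry value names are the standard Terminal Services settings; the output field names and assessment strings are this example's own.

```powershell
# Added example: read-only check of Remote Desktop exposure on the local machine.
# Run in an elevated PowerShell session; it changes nothing.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"
# When Group Policy configures these settings, its values live here and take precedence.
$gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Resolve-Setting {
    param([string]$Name, [string]$LocalPath)
    # Prefer the Group Policy value; fall back to the local machine setting.
    $policy = Get-RegValue -Path $gpoKey -Name $Name
    if ($null -ne $policy) {
        return [pscustomobject]@{ Value = $policy; Source = 'Group Policy' }
    }
    [pscustomobject]@{
        Value  = (Get-RegValue -Path $LocalPath -Name $Name)
        Source = 'Local setting'
    }
}

$deny = Resolve-Setting -Name 'fDenyTSConnections' -LocalPath $tsKey
$nla  = Resolve-Setting -Name 'UserAuthentication' -LocalPath $rdpKey
$port = Get-RegValue -Path $rdpKey -Name 'PortNumber'
$svc  = Get-Service -Name 'TermService' -ErrorAction SilentlyContinue

# fDenyTSConnections = 0 means incoming RDP connections are allowed.
$rdpEnabled  = ($deny.Value -eq 0)
# UserAuthentication = 1 means clients must pass NLA before a session is created.
$nlaRequired = ($nla.Value -eq 1)
$svcStatus   = if ($svc) { "$($svc.Status)" } else { 'not found' }

# Get-NetTCPConnection is absent on Windows 7 / Server 2008 R2, so test for it first.
$listening = $null
if ($port -and (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue)) {
    $listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $port `
                        -ErrorAction SilentlyContinue)
}

$assessment = if (-not $rdpEnabled) {
    'RDP connections are refused on this host'
} elseif (-not $nlaRequired) {
    'RDP enabled without NLA: apply the August 2019 updates and require NLA'
} else {
    'RDP enabled with NLA required: apply the August 2019 updates'
}

[pscustomobject]@{
    ComputerName  = $env:COMPUTERNAME
    RdpEnabled    = $rdpEnabled
    RdpSetBy      = $deny.Source
    NlaRequired   = $nlaRequired
    NlaSetBy      = $nla.Source
    Port          = $port
    ServiceStatus = $svcStatus
    Listening     = $listening
    Assessment    = $assessment
} | Format-List
```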

For all you Microsoft Edge and Internet Exploiter Explorer users, Microsoft has issued the usual panoply of updates for flaws that could be exploited to install malware after a user merely visits a hacked or booby-trapped Web site. Other equally serious flaws patched in Windows this month could be used to compromise the operating system just by convincing the user to open a malicious file (regardless of which browser the user is running).

As crazy as it may seem, this is the second month in a row that Adobe hasn’t issued a security update for its Flash Player browser plugin, which is bundled in IE/Edge and Chrome (although now hobbled by default in Chrome). However, Adobe did release important updates for its Acrobat and free PDF reader products.

If the tone of this post sounds a wee bit cantankerous, it might be because at least one of the updates I installed last month totally hosed my Windows 10 machine. I consider myself an equal OS abuser, and maintain multiple computers powered by a variety of operating systems, including Windows, Linux and MacOS.

Nevertheless, it is frustrating when being diligent about applying patches introduces so many unfixable problems that you’re forced to completely reinstall the OS and all of the programs that ride on top of it. On the bright side, my newly-refreshed Windows computer is a bit more responsive than it was before crash hell.

So, three words of advice. First off, don’t let Microsoft decide when to apply patches and reboot your computer. On the one hand, it’s nice Microsoft gives us a predictable schedule when it’s going to release patches. On the other, Windows 10 will by default download and install patches whenever it pleases, and then reboot the computer.

Unless you change that setting. Here’s a tutorial on how to do that. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.

Secondly, it doesn’t hurt to wait a few days to apply updates. Very often fixes released on Patch Tuesday have glitches that cause problems for an indeterminate number of Windows systems. When this happens, Microsoft then patches their patches to minimize the same problems for users who haven’t yet applied the updates, but it sometimes takes a few days for Redmond to iron out the kinks.

Finally, please have some kind of system for backing up your files before applying any updates. You can use third-party software for this, or just the options built into Windows 10. At some level, it doesn’t matter. Just make sure you’re backing up your files, preferably following the 3-2-1 backup rule. Thankfully, I’m vigilant about backing up my files.

And, as ever, if you experience any problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a good chance other readers have experienced the same and may even chime in here with some helpful tips.


134 comments

  1. I run Windows in a VM and checkpoint it before patching. If it crashes after updates, I just restore to the previous checkpoint.

    • On a side note, when installing patches, Windows automatically creates a restore point before its installation…. so manually creating one, while it makes sure you have a restore point, is sort of redundant.

      • That’s a different story. The Windoze restore point may be handy in case the System boots after the update failed. If not – well. 🙁
        On the other hand, the checkpoint of the VM containing the System is a complete image of the system before updating. It can be restored OUTSIDE and independently of the potentially screwed system. I for one work the same way. Host is debian; Windoze is caged and controlled in VirtualBox VM. 🙂

  2. The Sunshine State

    Security update KB4505903 blue screened my Windows 10 machine

    • Marcus Aurelius Tarkus

      This is why I never apply patches until at least the following weekend, being reasonably confident that all bugs were worked out.

  3. Same here. Last month’s update messed up my important workstation. Not to the point of blue screening it but badly enough that some things still don’t work even today. To make sure that I can actually work on it I had to “relax” my security settings. Then on the other workstation backups stopped working. And on the third all my custom ACLs were reset. Not good, Microsoft.

    So there was one sure fix for me — kill those updates for good!

    I know there’re zero days and stuff, but ask yourself these two simple questions that will tell you what to do. For the last year or two, how many times have you been affected by a malware that creeped into your computer through a zero-day vulnerability? And then, how many times was your system crippled by an update?

    This is my point.

    • There is a balance between applying updates and testing and waiting. To each their own and backup early and often.

    • That is terrible advice. That mindset is one of the main reasons breaches happen all too frequently–outweighing convenience over security. Just because you’re confident you won’t get infected, or since it hasn’t happened yet, this doesn’t mean that it can’t happen. I’m certain that you could fall for a well-crafted spear phishing campaign that is directed only to you.

    • Disabling updates? Hello future drive-by-download/worm victim.

      If you log in to your bank’s website from that system, kiss your money goodbye. Also, R.I.P your credit score.

  4. I have yet to have a windows update fubar my machine, but it is quite discouraging to know that you have run into this, Brian. Is there a way to tell windows to automatically update your pc, say, 3 days after the patches are released instead of the same day? Otherwise I think I might miss a few.

  5. I hate being the tester for Win 10. Last updates trashed my laptop with SSD. I’m about to switch to ubuntu desktop and only run Windows in a vm when I need it. Mess up the vm, copy from the last backup. I have no time to sit and reload all my apps when Redmond decides to be stupid. This needs to stop. Sick of the BS.

  6. You would think by now Microsoft would be able to implement a self correction if the patch fails.

  7. There is an update for Adobe Flash, but the AX version is not yet available for Win10 through Microsoft (probably will come in a few days). If you’re using Firefox (or are running an older version of Windows), then you should grab v32.0.0.238 updates in whatever flavors are needed at:

    https://helpx.adobe.com/flash-player/kb/installation-problems-flash-player-windows.html

    Scroll down to the “still having problems” section for the relevant direct download links.

  8. Marcus Aurelius Tarkus

    “… this month’s patch batch from Redmond is mercifully light…”

    That only makes me wonder what MS missed.

    Also, having read all distressed comments from Windows 10 users, I am more determined than ever to cling to Windows 7 OS on my home and work machines. I at least will cough up the $50 extortion to continue receiving security updates for a year past 01-20-2020. It’s time worth buying.

    • I am also interested in keeping my PC on Windows 7 for as long as possible. Please tell me the URL where I can purchase extended updates for Win7 beyond Jan 2020. Thanks

      • Me too. I have an old(er) netbook running 32-bit W-7. I’ve convinced it to dual-boot both W-7 and Linux. (“Convincing” almost deteriorated to editing the hard drive with a 3-pound sledge and a cold chisel, but I digress.) If all goes as hoped, this is The Plan for my 64-bit machines running W-7 for when W-7 support for mere mortals ends. But continuing security updates for W-7 would be nice: belt & suspenders.

      • Marcus Aurelius Tarkus

        Jay, I believe I have the site bookmarked on my work computer but, alas, not on the one from which I comment here. The former is W7 Pro. The latter is W7 Home.

        My greater concern is the work computer, because I watched as every other computer in my small township office was switched to W10 and all experienced serious, time-consuming problems. My own did not.

        My less-than-clear recollection is that Pro will be eligible for extended updates, but Home might not.

        I am holding off for now on any purchase of extended coverage because a) there’s still lots of time left, and b) the probability of hardware failure in older systems only increases with time. A simple Google search can probably get you quickly to the extended coverage link you seek.

        I’ll likely pull the trigger–or not–sometime in December.

        • You’ve left us in suspense. Reports I’ve read indicate, after January 2020, continued support for W-7 — for a price — will only be available to Enterprise license holders. If you’re aware of continued support available for individual W-7 users, please share it.

          • Marcus Aurelius Tarkus

            Sorry, Arbee. Didn’t intend to raise and then dash expectations. I just came across the following article. Note especially the last two paragraphs. This sounds more like a workaround than a simple extension of protection. No matter which, there will be a price to pay, but you’ll still be able to run W7 safely.

            https://www.zdnet.com/article/microsoft-windows-virtual-desktop-is-now-feature-complete/

            • Thanks for the follow-up. Bottom line: reading the link you provide and links within that post, it appears there’s no workaround for individual users (including those willing to pay) for Microsoft’s January 2020 cut-off for Windows 7 updates.

              As noted above, I’ve set up an old netbook to test dual-booting W-7 and Linux (Ubuntu v18.04); so far, so good. Others may find a different approach suits their needs.

              • Marcus Aurelius Tarkus

                Call it wishful thinking if you like. Nevertheless, I have a hunch that MS will “cave” to extending W7 support for individual users prior to the “doomsday” date. Why deny an additional revenue stream when the evidence of resistance to W10 and adherence to W7 are so prevalent on the web, in the blogosphere, etc.?

                Surely someone at MS must be aware of the similar opportunity they missed when they cut off individual users of XP, the most popular Windows OS–possibly–ever.

      • Unless Microsoft changes its mind, Windows 7 after-EOL patches will be available for purchase only by organizations with Enterprise licensing.

    • How about an exploit giving local untrusted users SYSTEM privileges on all versions of Windows?

      https://thehackernews.com/2019/08/ctfmon-windows-vulnerabilities.html?m=1

  9. I always wait a few days or more to apply my patches. I like having unpatched vulnerabilities in my Windows, as the bad guys reverse engineer the patches and create exploits….

  10. Started at 7:30 p.m. At 10:30, finally at 90%! I’ve been at 90% for 10 minutes. We need to be warned that things will take 4-5 HOURS. I’m in a city, not the boondocks.

  11. Perhaps Microsoft is reading your back-issues and took your advice to heart. Following your suggestion, when a .NET Framework update is part of the package, I de-select it and install it after the other update file(s) install successfully. This month is the second time the .NET Framework update (KB4503548) check-box wasn’t — by default — checked when the updates downloaded. Installed subsequently, all went well.

  12. Windows become a virus. Each time you download a patch or update. You wanna cry. Luckily I don’t use Windows no more.

  13. For those with Win 7 and Norton on their systems and are puzzling over why the August security rollup isn’t being offered after running Windows Update, DO NOT MANUALLY INSTALL THE SECURITY PATCH until Norton issues a fix. Here’s the advisory from MS:

    Microsoft has temporarily placed a safeguard hold on devices with an affected version of Symantec Antivirus or Norton Antivirus installed to prevent them from receiving this type of Windows update until a solution is available. We recommend that you do not manually install affected updates until a solution is available.
    Guidance for Symantec customers can be found in the Symantec support article.

    https://support.microsoft.com/en-us/help/4512506/windows-7-update-kb4512506

  14. I have Windows XP, which is not supported by Windows. How can I secure my PC?

    • Good question!

      Step 1: Uninstall any anti-virus, firewall, or other security solutions.
      Step 2: Downgrade from Windows XP to Windows 95.
      Step 3: Download and install all files in your spam box.
      Step 4: …
      Step 5: Profit.

    • The power of marketing never fails to amaze me. People still believe the irresponsible statements the Mac Ad campaigns told over a decade ago. “Mac’s don’t get viruses”. lolz. Be sure to disable your updates on that Mac too, for convenience sake.

      FYI Malware that would be classified as a computer “virus” is pretty rare on any OS these days, or even during the days of that Apple Mac Ad campaign.

      Fake News: https://www.cvedetails.com/vulnerability-list/vendor_id-49/product_id-156/Apple-Mac-Os-X.html

    • Stop trolling. Not everyone has an extra 500$ to 1000$ to spend for a machine of the same hardware specs.

  16. My task manager says nothing is running in the performance tab, but at least I can kill apps from the details tab. This is nice because Outlook 2016 is locking up a couple times a day now.

  17. Never update because its consequences can be as bad as malware. Unless you are concerned about a legal liability for a work computer, none of the millions of “security updates” will save you if your machine is targeted. Apparently the bad guys are much smarter than MS engineers and the good guys who find and expose these vulnerabilities are collaborators who point the way for the bad guys. There is no winning this war.

  18. Patricia Cravener

    Thanks, as usual, for your timely and useful post, Mr. Krebs.
    The last W10 update caused so many problems with my main computer that I had to restore back to the last “version” to keep working. Grrrr . . .
    I’ve been quite diligent with maintaining updates, but after this experience — which hit a number of apps even though no CPU load, memory hogging, or high disk activity showed with task manager — I’ll start waiting a few days before getting updates, as you suggest.
    Thank you.

  19. Throwing this out in case I’m not the only one, but strange in my experience:

    Win 10 Home ver 1903, August patch applied- result have internet access, but Firefox “white-screened,”
    and locked.

    Win 10 Pro ver 1903, August patch applied- result
    have internet access, but Firefox “white-screened,”
    and locked.

    Win 10 Home ver 1809, NO August patch- result
    Firefox access as usual.

    • Note:
      Starting Firefox in Safe Mode avoids the
      “white screen of death” but only renders
      the initial home page on screen.

  20. I have a weird bug from the last few updates. “Update can not start because update service is shutting down”. Tried running Windows Update troubleshooter, said it repaired a corrupted database before. Now it says no problems.

    I use a tool I found on patchmypc.com, Windows Update Mini Tool to download and install the updates now. Anyone know of a fix?

  21. I have a fleet of Windows 7 computers that no longer boot after the August 13th updates. They all seem to be Gigabyte H77m-d3h boards. Frustrating, Microsoft. If anybody has any suggestions as to which update it was, that would be great.

    • Did you find a resolution to this issue? We have a number of Windows 7 systems here that are also unable to boot following the most recent set of updates; came in this morning and they were stuck in a system repair loop. I rebuilt the BCD but they’re still not booting. I then restored the EFI partition with a disaster recovery image and now I’m seeing

      Status: 0xC0000225

      Info: The boot selection failed because a required device is inaccessible.

      A few of them are Intel based systems on the rock solid business Q87 chipset (Asus Q87M-E/CSM) which is similar in age to your 77 chipset board.

      • These are Windows 7 machines? Why on earth did you run updates on them? You are still using Windows 7 machines presumably because you didn’t feel safe going to Windows 10. Then let well enough alone, if it ain’t broke don’t fix it, don’t poke the bear, don’t change horses in midstream, don’t reinvent the wheel. As you witnessed, the chances of an update bricking your machine are SIGNIFICANTLY higher than someone using a theoretical vulnerability to target YOUR machine. Besides, if your machine specifically is targeted, no update is going to protect you. Remember (all with Windows 7) that the reason you still have Windows 7 is because it’s stable and you can reliably accomplish work with it.

      • I also attempted the restore EFI partition and got the same error. I worked on the problem for 6 hours and couldn’t get anywhere. I’m just restoring the units to a Windows 10 image. Annoying to have to do this for 60 computers.

        My computers are configured for UEFI/AHCI.

  22. Don’t follow the tutorial to reset your computer to “metered” or you risk rendering your computer unable to complete the boot sequence. Then a system restore may be necessary, wiping out your data. HP won’t do a restore point nor revert to a previous version. Bad advice on the “metered” score.

    • Jay, please tell us how you were able to determine that setting the computer to metered connection caused the boot sequence problem. I can’t see how that would be the case. Thanks.

      • I was wrong. The problem was coincidental, not causative. It occurred because I moved a backup thumb drive from one socket to a different socket on my hp laptop, which induced the OS to try to boot from the thumb drive, which invoked an HP intercept. Discovered the problem by removing the thumb drive. Please delete my comment.

  23. Francois Giroux

    We also have a bunch of Win7 Pro computers booting to a BSOD after Windows Update yesterday. Most are HP 6000 G1. They don’t start in safe mode (BSOD). Cannot restore. Any solutions?

    • I posted the same issue above. I’ve been working on it all day, haven’t found a fix yet. I can’t get DISM to work in command prompt to try to uninstall the updates. I’m still not even sure what’s really broken. During automatic repair, the computer notes “MissingOsLoader”

    • Do you have your Win7 DVD? If so, this worked for me in the past. https://www.lifewire.com/how-to-perform-a-startup-repair-in-windows-7-2626170

      CAUTION — Make sure you click ON the “REPAIR YOUR COMPUTER” option. DO NOT click the “INSTALL NOW.” If you do, you’ll wipe out all your data and end up with a clean install. If for some reason your system does not recognize the DVD and tries to boot from the HDD/SSD, restart your computer and boot into your BIOS by repeatedly pushing one of the function keys while the system is booting. I don’t have an HP, but I think it’s the F10 for you. Once in the BIOS utility, change the boot sequence to boot from the optical drive. Save and exit the BIOS. Restart the computer with the Win7 DVD in the optical drive. Hope that works for you.

      By the way, read my earlier post above pertaining to systems with both Win7 and Norton. Installing the August security rollup will wreak havoc, so do NOT manually force install the rollup until Norton issues the fix. The Windows Update utility should not have downloaded and installed the rollup if it found Norton on your system. At least that’s the way it should have worked.

  24. Actually I’ve found “Crash Wednesday” to be more appropriate as I have set the servers to reboot Wednesday morning at around 4:45 AM…

    No major complaints from users yet, though many are oblivious to the “Update and restart” prompt under the Windows power icon. “Hmmm… How many times have we gone through this exercise during your employment here?”

    Reading the update documentation caused me to bring up the Group Policy to ensure that Network Level Authentication was enabled to mitigate Bluekeep. We’re in an enterprise situation with VPN to RDP, with only W10 Pro and Enterprise, so the times that updates have broken things have been pretty much nonexistent. I wonder if a lot of the breaks reported are from W10 Home users…

  25. This update blew up the rootkit protection service in Malwarebytes Anti-malware.(Win7/64bit) I’m not done playing with it, to see if I can get it going myself, but I may have to consult MBAM support.

    Typical MS update performance – just throw it out there and see what sticks, or blows up! We are just guinea pigs for their update test “program”.

    • Yikes. Do you mean the real time malware protection? Can you still manually scan for rootkits either with Malwarebytes or their MBAR Anti-Rootkit tool? Or are those disabled too?

      Perhaps a complete uninstall of MBAM using their support tool and fresh install??? I had a similar problem a while back and the only way to fix it was to uninstall using the MBAM tool. Can’t remember what caused the problem but something got corrupted. https://support.malwarebytes.com/docs/DOC-2674

      • Thanks for the link! I have used that tool before, but after a BSOD on 1st startup, and several restarts later with pop ups from MBAM saying the root kit service was down, it finally settled in.

        MBAM now reports all services loaded and running. You can get false positives from maintenance activity if your PC was a fully outfitted MPAA custom desktop. All the hardware and software is surveilled by several legal spyware applications installed as both software and hardware on my machine. These can be interpreted as malware by MBAM, but I need them to run my HD cable content, and my blu-ray player, so I put up with it. There is probably one legal root-kit involved, at least.

        Everything seems to be running fine now, with the exception that RAM usage has gone up a gigabyte or two – probably due to the MPAA spyware. I’m also able to use sleep mode again.

        • Glad you found a solution that worked. There was a time, decades ago, when I thought technology was a time saver. Then reality hit and I stopped suffering from that delusion. But this is getting ridiculous.

  26. Beaufort Computer Waterdown (Ontario CANADA)

    Reply to Mark’s previous posts with the comments:

    “I have a fleet of windows 7 computers that no longer boot after the August 13th updates.”

    ~ and~

    “During automatic repair, the computer notes “MissingOsLoader””

    I was able to solve the exact same issue on multiple PCs by replacing the file “winload.efi” (most commonly found in the C:\windows\system32 folder) with a known working copy from another PC and rebooting. If you don’t have a boot CD or want to pull the HDD to connect to another PC as a secondary drive, you can also do this after Automatic Repair fails using the Command Prompt in the Advanced Repair Options and a USB drive with the file copied to it (usually will be assigned as drive E:).

    Hope this helps!

    • Hello from Niagara! That’s funny, I posted the same fix in Spiceworks and Microsoft TechNet forums this morning. I guess us Canadians are ‘do it yourself’ resourceful!

      You need the winload.efi file patched with KB4474419 which also came out on August 13th. An older version can cause blue screens.

  27. I’ve been trying to update for two days now and keep getting this error. I’m trying to update to 1903.

    2019-02 Update for Windows 10 Version 1809 for x64-based Systems (KB4465065) – Error 0x80070005

    A friend got one fail, but 2nd time update worked for him. No luck here.

    Is there a way around this? Thanks.

  28. Not quite like going to the dentist but a “chroot” canal.