10
Sep 19

Patch Tuesday, September 2019 Edition

Microsoft today issued security updates to plug some 80 security holes in various flavors of its Windows operating systems and related software. The software giant assigned a “critical” rating to almost a quarter of those vulnerabilities, meaning they could be used by malware or miscreants to hijack vulnerable systems with little or no interaction on the part of the user.

Two of the bugs quashed in this month’s patch batch (CVE-2019-1214 and CVE-2019-1215) involve vulnerabilities in all supported versions of Windows that have already been exploited in the wild. Both are known as “privilege escalation” flaws in that they allow an attacker to assume the all-powerful administrator status on a targeted system. Exploits for these types of weaknesses are often deployed along with other attacks that don’t require administrative rights.

September also marks the fourth time this year Microsoft has fixed critical bugs in its Remote Desktop Protocol (RDP) feature, with four critical flaws being patched in the service. According to security vendor Qualys, these Remote Desktop flaws were discovered in a code review by Microsoft, and in order to exploit them an attacker would have to trick a user into connecting to a malicious or hacked RDP server.

Microsoft also fixed another critical vulnerability in the way Windows handles link files ending in “.lnk” that could be used to launch malware on a vulnerable system if a user were to open a removable drive or access a shared folder with a booby-trapped .lnk file on it.

Shortcut files — or those ending in the “.lnk” extension — are Windows files that link easy-to-recognize icons to specific executable programs, and are typically placed on the user’s Desktop or Start Menu. It’s perhaps worth noting that poisoned .lnk files were one of the four known exploits bundled with Stuxnet, a multi-million dollar cyber weapon that American and Israeli intelligence services used to derail Iran’s nuclear enrichment plans roughly a decade ago.

In last month’s Microsoft patch dispatch, I ruefully lamented the utter hose job inflicted on my Windows 10 system by the July round of security updates from Redmond. Many readers responded by saying one or another updates released by Microsoft in August similarly caused reboot loops or issues with Windows repeatedly crashing.

As there do not appear to be any patch-now-or-be-compromised-tomorrow flaws in the September patch rollup, it’s probably safe to say most Windows end-users would benefit from waiting a few days to apply these fixes. 

Very often fixes released on Patch Tuesday have glitches that cause problems for an indeterminate number of Windows systems. When this happens, Microsoft then patches their patches to minimize the same problems for users who haven’t yet applied the updates, but it sometimes takes a few days for Redmond to iron out the kinks.

The trouble is, Windows 10 by default will install patches and reboot your computer whenever it likes. Here’s a tutorial on how to undo that. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.

Most importantly, please have some kind of system for backing up your files before applying any updates. You can use third-party software to do this, or just rely on the options built into Windows 10. At some level, it doesn’t matter. Just make sure you’re backing up your files, preferably following the 3-2-1 backup rule.

Finally, Adobe fixed two critical bugs in its Flash Player browser plugin, which is bundled in Microsoft’s IE/Edge and Chrome (although now hobbled by default in Chrome). Firefox forces users with the Flash add-on installed to click in order to play Flash content; instructions for disabling or removing Flash from Firefox are here. Adobe will stop supporting Flash at the end of 2020.

As always, if you experience any problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a good chance other readers have experienced the same and may even chime in here with some helpful tips.

Tags: , , , ,

34 comments

  1. A Win7U desktop got the updates in several rounds (one for Office apps, one for security updates and the final one a servicing stack update), but processed all of them okay. I’ve deferred the Patch Tuesday updates on one Win10H machine for a few days, but have allowed the other (a storage-constrained machine) to go ahead — if it gets farkled, I’ll just restore the original image and try to upgrade it directly to 1903 after de-crapification and before anything else. That’s the process I had to follow in order to get the 1809 upgrade to install properly, after all of the various incremental attempts to fix problems had finally compromised the 1803 OS.

    • Well, it took awhile for the space-constrained laptop to process everything; aside from one complaint about wanting more storage, the updates installed without issue for that 1809 OS. Since i seemed to go well and I haven’t seen reports of big problems elsewhere, I reset the other 1809 machine’s deferment on updates and have now completed the entire round of patches on it without any issues.

  2. The Sunshine State

    Their is also a annoying “service stack” update for Windows 7 and 8.1. I don’t know if it’s for Windows 10(1903) I haven’t got that far yet.

  3. The Sunshine State #2

    By the way , Chrome 64 bit was updated to version 77.xxxxx also today.

  4. “Microsoft also fixed another critical vulnerability in the way Windows handles link files ending in “.lnk” that could be used to launch malware on a vulnerable system if a user were open a removable drive or access a shared folder with a booby-trapped .lnk file on it.”

    For more than 20 years, Microsoft have shipped their Windows with a critical vulnerability.

    “Hide extensions for known file types” is on by default.

    “Oooh, what is this?”
    “I dunno, lets click on it and see what happens!”

    Even with “Hide extensions for known file types” disabled, Windows still hides extensions like ‘,lnk’, ‘.shs’, etc.

    I remember when the ILOVEYOU virus broke out.
    Windows was good enough to hide the .vbs file extension so millions read the love letter, thinking it was just a .txt.
    We were running NT4 at the time (no native VBS skript support) so we were immune.
    Two W95 laptops got whacked though.

    Hunting down and nuking all instances of:
    NeverShowExt
    In the registry will unhide all file extensions.

    • That and Autoplay. Allowing flash videos in MS Word files. Allowing dll hijackung if an executable’s name is setup.exe, allowing to untrusted users to install, executable and modify executables from everywhere except C:/Programs. MS Word trying to teach users that opening a word file is safe as long as it is opened read-only.

    • In this case it is not necessary to click the link. You just have to open the drive.

  5. I keep getting error 8024200D when trying to install the Security Rollup. I’ve tried the solutions provided by Google, but no luck so far.
    This is Win 7 – 32bit

  6. I just applied the patches today to 1903 and now Edge cannot connect the internet. Chrome connects fine.

  7. Applied the latest patches from MS on my Win 10 Versiom 1903, Build 18362.239 PC. The list only had four Office 2013 Security updates installed yet my PC keeps reminding me to reboot to complete installation. Have done so now four time but still get the reboot message!

  8. I have users with Windows 10 that can no longer access windows 2003 RDP after this update. Has anyone else seen this and does anyone have a solution yet?

  9. Patch has auto-installed on several of our 2008 r2 servers in azure vm. They have become completely unresponsive to any encrypted communication. All tls and rdp stopped working. These servers are effectively bricks. I caution STRONGLY against patching 2008 r2 especially if you manually enabled tls1.2 on them in the past.

  10. Is there even a credible scenario in which RDP wouldn’t be used to illicitly access a remote windows system? It seems like a bad idea all around.

    • Oh, I don’t know – maybe to remote in, so IT can help a user? We relied on that pretty heavily on my last contract. We used our own version of TightVNC.

      • In the end, aren’t you wasting more money than saving with remote access? In order for it to work, there are patches that need to be applied, security holes to monitor, firewalls to check, software to keep updated, etc etc.

        If you just drove over to the client and fixed things on site, maybe a little less convenient, but you’d know that you could save time on keeping hackers out.

        No?

        • Depends on how much the client has to lose – if they are already a low interest target, I don’t worry about their firewalls; if they have a lot to lose, I try to get them to install a good UTM gateway appliance, so they don’t have as much to worry about on the network, anyway.

          There are two good solutions to desktop remote software now, and one of them is free. It updates itself – I have very little trouble at all. Both of them are rated well in security, and in fact the operating system Microsoft client is more dangerous to use. I’d say it is a LOT less trouble than driving to their location. Where I live, they maybe be hundreds of miles away.

          In fact, as far as client side maintenance, you are right – where they actually need the service, I make money off doing all that drudgerous work for them. They don’t like doing security, so they pay me to do it. I can keep them updated by RDP solution.

  11. Thanks Microsoft for that 3-hour update!

  12. IMHO: whatever MSFT is doing it ain’t just system maintenance. I don’t think we should be expected to believe that a professional software company could be that inept.

  13. Last night they must have pushed a patch while I was out…I saw the bsod before I shut it off. This morning I’m having fun trying to get out of the boot loop.

  14. Office 2010 x64 will not open MS Word on Windows 7

  15. MS Update in August failed to install KB4512506 and this week failed to install both KB4516065 and KB4474419. All went well until my Win 7 restarted and then went into Startup repair tool which eventually allowed the machine to start up normally, tho without the important updates. This type of nonsense from Microsoft updates happened a few years ago but suddenly started working well—until August of this year. I have now disabled updates given these problems and the fact that, come January all support will go away anyway. Perusing the MS help forums, etc. about this problem is fruitless—few answers and some much more complicated solutions for something so important that should work easily for those of us of limited computer savvy. Irritating, to say the least.

  16. I had two fail updates. On Windows 2016 Std. KB4516044 fail to install last month and this month (Sep).
    On Windows 2008 R2 the update KB4516065.
    Made a call to Microsoft Support seems they are very very busy, they were suppose to get back to me 1 hr, the answering service investigated the reason of not meeting the SLA, they are very busy and will call me in about 1 to 1 1/2 hr.
    This does not look. Maybe it’s for the best they didn’t install.

  17. Woody (“AskWoody”) is rating the current patches as DefCon 2 – “Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.”

    He also notes that Win7 and 8.1 patches come with (possibly unwanted) telemetry, and there is a Search bug in Win 10 1903.

    https://www.askwoody.com/

  18. The recent .NET update for Windows 10 broke a whole bunch of apps (including Discord and ExpressVPN). Had to roll back that particular update and reinstall the apps.

  19. Windows update left the last .NET update unchecked – I’ve learned not to change that until the previous updates are finished. It didn’t help last time, but this time everything went off without a hitch. This is for a Windows 7 – 64 bit operating system. I’m not looking forward to the Win7 shutdown in January – I think I’ll just dual boot to Mint at that time – I’m thru buying new computers just because of a new operating system or trying to upgrade to Win8 just to limp along. Why bother?

    Fortunately I no longer need Windows Media Center, and it doesn’t work anymore anyway. My cable company does streaming now – no need for Windows. If my Blu-ray player can’t work in the Linux environment, there is always dual boot just to do a burn job and that’s it!

  20. I have a problem or a bug with September update of windows 10….where I cannot access my drives from This PC….I cannot copy files from one place to another when ever I double click to get inside the drive it revokes back to this PC….Andy soln….

  21. after update my PC crashes every 16:25 mins [+or – 8 seconds….]

  22. Why do we update to render windows obsolete? or so they tell you, turn them off they don’t matter.

  23. After the September update it took 5 tries before my PC would boot. Now at day 2 it will not start at all. Does someone out there have a solution?

  24. Why the emphasis on Win.10 ?? For the second consecutive month Win.8.1Pro has been badly affected by careless untried updates. On the first of these two occasions Modem users were unable to gain access to the internet. That was not so important because one could get into the system and construct a Restore Date and then deal with the offending Update by denying it access.

    However, this month’s Sept 11th was a very real threat to those affected because one was TOTALLY denied access past the Lock Screen (date & time) and unable to get pale blue screen Windows Advanced Repairs to get at the Start-up system on Partition One. Even using the Restore Date facility given under this repair
    page to 8th Sept failed to reverse the damage.

    Yes, ok I have back-ups but we all know that we have to spend hours getting back to the status quo after such events.

    Examination of the HD proved that the first Partition had been wiped.

    For those who say – this must have been a co-incidence and other factors involved – must understand that most of us are absolutely clear what is to blame and do not believe in co-incidences!! I personally witnessed MS doing its worst – by being present at morning switch-on and watching the Update complete its cycle and then attempt to go through the start-up process which reached Lock Screen as stated but unable to get to sign-in page.

    The worst aspect of this whole matter is that MS gave advance warning to expect problems too late for ordinary mortals – THEN WHY DID THEY NOT CANCEL THE UPDATES ??!!

  25. Still waiting before installing 6 of the 7 “important updates” that downloaded automatically last week. Any clues on when it might be clear (if ever?) that all of these are more or less safe to install on my Win7, SP1 laptop? — And default check box on 7th item (.NET Framework 4.8 update, KB4503548 — “Recommended”) is empty — (indicating wise to wait until after other installation is all complete?), but I assume that should be done too, after the others?

  26. This week I read an article about how every Internet company in the U.S. has been cheating American consumers for cable charges and slow Internet through some scam the companies have cooked up. Why does the government allow this (Consumer Protection Agency, e.g.). My cable bill is extremely high given that I have been with the same provider for 35 years and the service is going worse and worse. I found that they have off VP6 and then relaying to me with who is VP4.My computer is slow and it is supposed to be a very fast one; I have other people signing into my computer because I do not have any protection from users jumping into my system through Wi-FI and I have a wife security code on my system. Seems like my computer is open game. Why. What to do? I have invested a lot of money into cybersecurity, but hasn’t solved anything yet.

Leave a comment