December 10, 2019

Patch Tuesday, December 2019 Edition

Microsoft today released updates to plug three dozen security holes in its Windows operating system and other software. The patches include fixes for seven critical bugs — those that can be exploited by malware or miscreants to take control over a Windows system with no help from users — as well as another flaw in most versions of Windows that is already being exploited in active attacks.

By nearly all accounts, the chief bugaboo this month is CVE-2019-1458, a vulnerability in a core Windows component (Win32k) that is present in Windows 7 through 10 and Windows Server 2008-2019. This bug is already being exploited in the wild, and according to Recorded Future the exploit available for it is similar to CVE-2019-0859, a Windows flaw reported in April that was found being sold in underground markets.

CVE-2019-1458 is what’s known as a “privilege escalation” flaw: it does not get an attacker onto a machine by itself, but lets code already running as an ordinary user (for example, malware delivered through another vulnerability or a booby-trapped document) elevate itself to run in kernel mode with full control of the system. Handy in that respect is CVE-2019-1468, a critical remote code execution bug in the Windows font-rendering code that affects the same wide range of Windows versions and could be exploited just by getting the user to visit a hacked or malicious Web site or open a document carrying a specially crafted embedded font. Unlike CVE-2019-1458, it was not known to be exploited in the wild as of today, but chained together the pair amounts to a complete drive-by compromise.

Chris Goettl, director of security at Ivanti, called attention to a curious patch advisory Microsoft released today for CVE-2019-1489, an information disclosure weakness in the Windows Remote Desktop Protocol (RDP), the component of Windows that lets users view and manage a system from a remote computer, and yet another RDP flaw in a year full of them. What’s curious about this advisory is that it applies only to Windows XP Service Pack 3, which is no longer receiving security updates.

“The Exploitability Assessment for Latest Software Release and Older Software Release is 0, which is usually the value reserved for a vulnerability that is known to be exploited, yet the Exploited value was currently set to ‘No’ as the bulletin was released today,” Goettl said. “If you look at the Zero Day from this month (CVE-2019-1458) the EA for Older Software Release is ‘0 – Exploitation Detected.’ An odd discrepancy on top of a CVE advisory for an outdated OS. It is very likely this is being exploited in the wild.”

Microsoft didn’t release a patch for this bug on XP, and its advisory is about as sparse as they come. But if you’re still depending on Windows XP for remote access, you likely have bigger security concerns. Microsoft has patched many critical RDP flaws in the past year. Even the FBI last year encouraged users to disable RDP unless it is needed, citing flawed encryption mechanisms in older versions and a lack of access controls that make Internet-exposed RDP a frequent entry point for malware and ransomware. Where RDP is genuinely needed, the practical middle ground is to keep it off the open Internet (behind a VPN, or a firewall rule limited to known addresses), require Network Level Authentication so unauthenticated clients never reach the session code, and patch promptly.
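The audit that the advice above implies, as an added example that is not part of the original post: it reads the local RDP state from the documented Terminal Server registry keys, reports whether the service is enabled, listening, firewalled and NLA-protected, and provides two remediation functions, one that disables RDP outright (the FBI’s recommendation when remote access is not needed) and one that tightens it when it must stay on. It assumes an elevated prompt on Windows 8.1/Server 2012 R2 or later (the NetSecurity cmdlets are not on Windows 7) and the management subnet 10.0.0.0/24 is a placeholder to replace with your own.

```powershell
# Added example (not from the original post): audit and harden local RDP exposure.
# Assumes Windows 8.1 / Server 2012 R2 or later (NetSecurity module) and an elevated prompt.
# Registry locations are the documented Terminal Server keys.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    # fDenyTSConnections: 1 = RDP disabled, 0 = enabled
    $enabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
    $ws = Get-ItemProperty -Path $rdpTcp
    # UserAuthentication: 1 = Network Level Authentication required before a session is created
    # SecurityLayer: 0 = legacy RDP security layer, 1 = negotiate, 2 = TLS only
    $listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $ws.PortNumber -ErrorAction SilentlyContinue)
    $fwOpen    = [bool](Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        RdpEnabled     = $enabled
        Port           = $ws.PortNumber
        Listening      = $listening
        NlaRequired    = $ws.UserAuthentication -eq 1
        TlsOnly        = $ws.SecurityLayer -eq 2
        FirewallAllows = $fwOpen
    }
}

function Disable-Rdp {
    # What the FBI guidance recommends when remote access is not actually needed:
    # turn the service off and close the inbound firewall rules.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

function Set-RdpHardening {
    # If RDP must stay on: require NLA and TLS so an unauthenticated client never reaches
    # the pre-authentication code paths, and scope the firewall rule to known addresses.
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1
    Set-ItemProperty -Path $rdpTcp -Name SecurityLayer -Value 2
    # Placeholder management subnet (assumption); replace with your own VPN/jump-host range.
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress '10.0.0.0/24'
}

$state = Get-RdpExposure
$state | Format-List
if ($state.RdpEnabled -and -not $state.NlaRequired) {
    Write-Warning 'RDP is enabled without Network Level Authentication; run Set-RdpHardening or Disable-Rdp.'
}
```

Run Get-RdpExposure first on every host you think has RDP off; the common surprise is a machine where fDenyTSConnections is 1 but the firewall group is still enabled, or one where RDP is on with UserAuthentication at 0, which is exactly the configuration the older-protocol weaknesses in the FBI notice apply to.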

Speaking of no-longer-supported Microsoft operating systems, Windows 7 and Windows Server 2008 (including 2008 R2) will stop receiving security updates after the next decade’s first Patch Tuesday comes to pass on January 14, 2020. Businesses and other volume-license customers will have the option to pay for Extended Security Updates after that point; all other Windows 7 users who want to stick with Windows will need to consider migrating to Windows 10 soon, since bugs of the CVE-2019-1458 variety found after that date will simply never be fixed on Windows 7.

Windows 10 likes to install patches, and sometimes feature updates, all in one go and reboot your computer on its own schedule, but you don’t have to accept this default setting. Windows Central has a useful guide on how to disable or postpone automatic updates until you’re ready to install them. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update. To get there, press the Windows key on your keyboard and type “windows update” into the box that pops up.
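The same “notify me, don’t install on your own schedule” setting in scriptable form, plus a read-only look at what Windows Update has recently installed and what it still has queued, as an added example that is not part of the original post. The registry path is the documented Windows Update Group Policy location and the update search uses the standard Windows Update Agent COM API; it assumes an elevated prompt on Windows 7 through 10, and Get-PendingUpdate contacts whatever update source the machine is configured for, while everything else is local.

```powershell
# Added example (not from the original post): control and inspect Windows Update from PowerShell.
# Assumes an elevated prompt on Windows 7 through 10.

$auPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Set-UpdateNotifyOnly {
    # AUOptions: 2 = notify before download, 3 = auto-download and notify before install,
    # 4 = auto-download and schedule the install (the "reboot on its own schedule" behaviour).
    if (-not (Test-Path $auPolicy)) { New-Item -Path $auPolicy -Force | Out-Null }
    Set-ItemProperty -Path $auPolicy -Name NoAutoUpdate -Value 0 -Type DWord
    Set-ItemProperty -Path $auPolicy -Name AUOptions    -Value 2 -Type DWord
}

function Get-RecentHotfix([int]$Days = 30) {
    # Get-HotFix reads the same data as "View installed updates"; after a bad patch it shows
    # exactly which KB landed so it can be removed with: wusa.exe /uninstall /kb:<number>
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -gt (Get-Date).AddDays(-$Days) } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn
}

function Get-PendingUpdate {
    # Windows Update Agent COM API: updates that apply to this machine but are not yet
    # installed, with Microsoft's severity rating, so you can see which of the month's
    # items carry the critical fixes before you approve the install.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title        = $u.Title
            Severity     = $u.MsrcSeverity
            KB           = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            RebootNeeded = $u.RebootRequired
        }
    }
}

Set-UpdateNotifyOnly
Get-RecentHotfix  | Format-Table -AutoSize
Get-PendingUpdate | Format-Table -AutoSize
```

Get-RecentHotfix is the piece to keep handy: when a monthly rollup leaves a machine stuck at “Preparing to configure Windows”, booting to Safe Mode and running it tells you the exact KB to hand to wusa.exe /uninstall, and the pending-update listing afterwards confirms whether the same package is about to be offered again.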

Keep in mind that while staying up to date on Windows patches is a good idea, you should update only after you’ve backed up your important data and files. A reliable backup (a full system image is best, but even a fresh restore point helps) means you’re probably not losing your mind when the odd buggy patch leaves the system unable to boot. So do yourself a favor and back up your files before installing any patches.

And as always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may even chime in here with some helpful tips.

Finally, once again there are no security updates for Adobe Flash Player this month (there is a non-security update available), but Adobe did release critical updates for Windows and macOS versions of its Acrobat and PDF Reader that fix more than 20 vulnerabilities in these products. Photoshop and ColdFusion 2018 also received security updates today. Links to advisories here.


70 comments

  1. Brian, once again thanks for the info!

  2. This update totally bricked my laptop. Upon restart I ended up with the BSOD. Had to restore from a backup. Another fine mess MS got me into.

    • Another one for the chopping block… Microsoft strikes again!

    • Hi, my computer is stuck at the “preparing to configure Windows” screen after restart. How to resolve this? I’ve got work to do, damn….

    • I had to roll back this change on my older Win7 Pro Dell dual Xeon workstation. After the update, Windows would not render any of the UI, but the mouse pointer arrow and a Task Manager (when asked for).

      Instructions to rollback:
      1. reboot in safe mode
      2. click the Start button and choose Programs–>Programs and Features–>View installed updates. You’ll see a list of your most recent updates. Click the Microsoft December 11 2019 update, click Uninstall, then follow the prompts.

      • I have an older HP PC, and MS update took my machine out of sleep mode and updated over the midnight hours. Everything was fine the next morning, fortunately.

  3. The Sunshine State

    From techspot(dot) com

    “In brief: Windows 7 faithfuls have known that the OS’ lifespan is ending for some time now, and Microsoft has been gradually ramping up its efforts to get the users to upgrade to Windows 10. On January 15, that will mean Windows 7 users will be hit with even more irritating upgrade prompts. Unlike most of these prompts to date, the new notification will take up your entire screen. It will warn you that your system is out of support, and you won’t have access to any further security updates or software features; no matter how dire the situation may become. Fortunately, you’ll be able to permanently or temporarily dismiss the message if you please.”

  4. I haven’t updated to Windows 10 yet from Windows 7. Should I take my computer to Best Buy to have them assist me?

    • You should: Once there are no more security patches it won’t take long before someone tries to add your system to his or her army of bots. Against some attacks a firewall helps. But against ones that enter through the browser you need security patches.

    • No. What you need is to google “how to backup my data and upgrade to Windows 10”. This is a very simple operation and IMHO it’s not worth it to pay GeekSquad a Benjamin to do it for you.

      Plus it’ll be fun!

  5. Windows is dead, full of bugs so you can’t use it in a hostile network like the Internet. Use Linux instead.

    • Marcus Aurelius Tarkus

      I’m about ready to do exactly that.

      Despite my customary precaution of waiting to install every monthly “security” update, I missed the bad buzz on the October W7 one. It crippled the Windows 7 Pro OS on my work computer. I can no longer trust it to successfully install W10, unless I wipe the hard drive and do a clean install. A new laptop–for which I have an inadequate budget–is my alternative. Meanwhile, I dare not even attempt to install the Nov., Dec. and Jan. remaining W7 updates.

      My home desktop (W7 Home Premium) installed the Oct. update OK. However, the other day, when I researched the Nov. update, I discovered that lots of users of W7HP suffered install failures and crashed systems from it. Naturally, I stopped right there, and will do no further updates. Looks like a totally new machine for home use, too.

      Like you and so many others, I’m sick of the sloppiness and failures of the Windows near-monopoly, and all the paranoia and precautions they make necessary. I’m totally looking into Linux.

      • Marcus – I am still too frightened to install the August and September roll-ups because of the damage done to my HD (Sept) on my Win8.1Pro.

        So I sympathise with you.

        Don’t expect any help from MS I have been asking for 3 months.

        Like you – I will examine Linux

    • Do all of you think that Linux doesn’t have security update patches too that need installing on a nearly monthly basis?

      • I’ve been a home and work Linux user for a long time and security patches are a regular occurrence; what is different is that most of the patches are maybe less severe and it is targeted less by hackers. The latter is the key.

      • Ubuntu LTS users have an anytime icon to check for updates. My machine is partitioned between Windoze 7 and Ubuntu 16 (I forget the decimals). In the AM most days I boot up to Ubuntu and click on “look for updates.” There’s an occasional small snafu, but nothing on the order of evil that emanates from Redmond. Updating in small chunks is much more user friendly. So there.

        • If your version isn’t the current year, the decimal should be 04.

          Ubuntu LTS releases are even years in April (04) and expire 5 years later (in your case, 2021).

          The other 3 releases are October (10) and April (04) in odd years. Their EOL is under 2 releases, so you have until July/January to migrate to a newer release.


  7. To the folks thinking of Linux, you have updates there also. Drivers and programs, but they are “optional”. You can update or use your current version. While updating, you can be in other programs, working, and background update. My Toshiba laptop, a Satellite, keeps chugging along, even on the latest update days. Only once has it rebooted from an update, and it notified me a reboot was necessary and to save my work, or would I rather wait till end of day. And I’m still a newbie; I refuse to learn another language. But it just works. Durn.

  8. Windows 7 home premium. December update just hanging there saying “Preparing to configure Windows. Do not turn off your computer” has been saying that for the last 20 minutes. So I will have to re install an earlier image to get back my PC. Grrrrrr. So question mark on whether this update is sound.

  9. Prior to updating Windows, I use askwoody.com to help reduce the surprises that usually accompany the update process.

  10. I’ve never had a problem with Windows 10 and never bricked. Lucky, I guess. I also run Linux (Ubuntu & Kali), Tails, Qubes & macOS in VMs. Works great. I booted up an old laptop the other day that had Windows 7 on it (upgraded from Windows Vista!) and it looked ancient.

  11. The well advised caution on the need to backup a system before updates are installed is also a statement on the unsuitability of Microsoft’s Windows as a consumer product. The increased unreliability of updates was caused by Microsoft putting profit before quality.

  12. “CVE-2019-1468, a similarly widespread critical issue”

    How widespread? Microsoft says exploits haven’t been found in the wild yet.

  13. Thanks once again Microsoft for failing to actually test the update on Server 2012. My server was caught in a perpetual reboot cycle last night until I managed to get it into safe mode and uninstall the update. Garbage software development as has been the case for the last few years. Back to manual updates as Lucy once again pulled the football away at last second.

    • If the update doesn’t crash on 99.99% of Windows 2012 systems… that means they probably did test it.
      Sysadmins still need to test on their environments, because Windows is all about interoperability and that is what usually breaks things. No two environments are the same, so it is up to you to test and make sure updates don’t break your set up.

      • Looks like not just my issue. This happened on two of my Server 2012 systems yesterday. Unless you’ve got an enterprise budget not many smaller shops can afford development servers to test on. Anyway I’ll be curious to see how many others experience this.

    • Oh my lord – I’ve had this same reboot/crash loop on numerous of my Windows 2012 Development systems now this morning that were set to auto-update. They’re running Windows 2012 because that’s the operating system the client is currently using so we can do proper testing. Thankfully the production systems aren’t set to auto-update and as usual we conduct manual installs for those.

      Do we know if there’s a fix, or is everyone just rolling back to November patches?

      Thanks!

  14. Windows 7 Pro December 2019 Update. Let it run. Was stuck on the “Preparing to configure Windows” screen for what seemed like an eternity (maybe close to an hour). I was nauseous the entire time since I failed to do a pre-backup and I use this workstation for my livelihood. Finally came back up with successful installation.

    Longest update I have ever installed. Would definitely recommend backing up prior though so you aren’t sweating bullets.

    • Time to upgrade with a fresh install of a newer operating system.
      Windows 7 won’t be supported forever, and Microsoft operating systems are like many others… in that they will be shrinking their development cycle so that you’ll need to upgrade more often.

  15. This is a scary one. I never had this much problem with updates. Usually win 7 64bit is always known to sweat users when updating. Depending on configuration of pc just give it time to settle. It will hang at preparing to configure message and black screen might appear. Keep in mind, it will install another update after boot so chill your mind. Otherwise system restore seems to work too if you are not having patience.

  16. Non-vague advisories for the RDP bugs are disclosed here. https://blog.talosintelligence.com/2019/12/vuln-spotlight-RDP-Dec-19.html

  17. Same problem here. The first 15% of configuration are OK and then it goes into an endless loop after the restart. After 30 minutes of waiting at “Preparing to configure Windows”, I turned off the computer. Unfortunately, the update even continues in safe mode. Ended up pushing F8 upon startup and now restoring to Saturday’s system. I hope that this gets the computer to work again, as I have a lot of work to do.

  18. Somewhat irritatingly (but as usual), the MSRT patch wasn’t delivered with the initial batch and required a post-reboot check to reveal itself.

  19. Until right now I never had any issue with Windows 10. Still looking forward to this update.

  20. Same problem with hang on reboot

  21. 5 of my Windows Server 2012 r2 machines were caught in a boot loop while configuring updates.

    Booted into safe mode with networking and the updates reverted back.

  22. I had 3 Windows Server 2012 VMs “Fail” with this boot crash/loop with the December 2019 patch set. I tried Safe Mode with Networking, didn’t work. Safe Mode without seemed to start okay, then later a reboot without safe mode appears fine – but I don’t know for sure if my system is in a known patched state. I’m having to restore to last night’s backup and see if the SSU manually installed will fix the upgrade.

    Is that what everyone else is doing?

    • Hi Chris, mine are virtual servers and what I did was put a DVD in the drive and set to boot from it. Then bang quickly on the F8 key to allow Safe Mode boot and then uninstalled the Dec 11 updates, reverted to manual updates. Hope that helps.

  23. Win7 64b pro–Had to roll a user back to a restore point because of this update. Lots of old desktop icons showed up, still there after the restore. Not sure if it pulled from AD/policy. Icons from before we issued the laptop. oddness..

  24. I’ve used Windows since the DOS days but I’ve grown to detest it. While it has gotten more secure (I suppose it was impossible to get less secure) the update process is very buggy and leads to too many crashes and problems that should not occur.

    I have a dual bootable Windows 10/Linux (Ubuntu) system that takes 10+ minutes to boot into windows 10 due to some problem that popped up in an update. A previous update required tons of rebooting before it finally worked.

    Sure every OS has updates but neither Linux nor Apple seem to trigger anything close to the number of problems that Microsoft updates do.

    I’ve had an iMac 27″ computer since 2009 and it has never crashed during an update (and my GF is currently using it). I also have a newer one that hasn’t had any issues.

    Most of my Linux update experiences have also worked.

    Windows is just an expensive gaming machine and one that corporate America has bought into for some reason. I saw a story a while ago where IBM compared maintenance on 200,000 users using Windows vs. the same number using Apple computers. Besides people preferring the Apple devices, the support staff for the Apple computers was 1/3 of what was needed for Windows.

    I’m no Apple groupie but their stuff just works and it is nice not to have to worry about it on a constant basis.

  25. Up until last month I administered a network of 25 windows 10 and one win 7 machine. Going back all the way to the year 2000 I had less than 5 times where a patch went wrong.
    How do so many people have issues? Most of the time I had outdated hardware on about 10 of the machines, I dont know if that helped or hurt.
    I also keep around 10 machine for family I keep up too, already applied the patches to all but 2 machines this month without issue. I usually wait a week but just wanted them done. No issues with any of these either.

  26. You’re providing great information; it helps a lot. Looking forward to the next one.

  27. The December Win7 updates to my Dell Latitude are stuck at “Preparing to configure Windows. Do not turn off your computer.”

    This is the second time in the last four months.

    I guess “they have ways of making users switch to Win10”

  28. Update has totally stuffed up my windows 7 Dell computer, can’t restore to previous versions…….
    Very upset, as I use this computer for work

  29. I’m one of many stuck in the update loop. Uninstalling the patch in safe mode isn’t working… it keeps showing back up in the update list when I go into safe mode. I’m losing my mind… any suggestions?

  30. Our Windows Server 2012 was caught in a boot loop this morning. Trying to start in Safe Mode and roll back.
    Could they not have waited till Friday 13th for this!