January 14, 2020

Microsoft today released updates to plug 50 security holes in various flavors of Windows and related software. The patch batch includes a fix for a flaw in Windows 10 and server equivalents of this operating system that prompted an unprecedented public warning from the U.S. National Security Agency. This month also marks the end of mainstream support for Windows 7, a still broadly-used operating system that will no longer be supplied with security updates.

As first reported Monday by KrebsOnSecurity, Microsoft addressed a severe bug (CVE-2020-0601) in Windows 10 and Windows Server 2016/19 reported by the NSA that allows an attacker to spoof the digital signature tied to a specific piece of software. Such a weakness could be abused by attackers to make malware appear to be a benign program that was produced and signed by a legitimate software company.

An advisory (PDF) released today by the NSA says the flaw may have far more wide-ranging security implications, noting that the “exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.”

“NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable,” the advisory continues. “The consequences of not patching the vulnerability are severe and widespread.”

Matthew Green, an associate professor in the computer science department at Johns Hopkins University, said the flaw involves an apparent implementation weakness in a component of recent Windows versions responsible for validating the legitimacy of authentication requests for a panoply of security functions in the operating system.

Green said attackers can use this weakness to impersonate everything from trusted Web sites to the source of software updates for Windows and other programs.

“Imagine if I wanted to pick the lock in your front door,” Green analogized. “It might be hard for me to come up with a key that will open your door, but what if I could tamper with or present both the key and the lock at the same time?”

Kenneth White, security principal at the software company MongoDB, equated the vulnerability to a phone call that gets routed to a party you didn’t intend to reach.

“You pick up the phone, dial a number and assume you’re talking to your bank or Microsoft or whomever, but the part of the software that confirms who you’re talking to is flawed,” White said. “That’s pretty bad, especially when your system is saying download this piece of software or patch automatically and it’s being done in the background.”

Both Green and White said it likely will be a matter of hours or days before security researchers and/or bad guys work out ways to exploit this bug, given the stakes involved. Indeed, already this evening KrebsOnSecurity has seen indications that people are teasing out such methods, which will likely be posted publicly online soon.

According to security vendor Qualys, only eight of the 50 flaws fixed in today’s patch roundup from Microsoft earned the company’s most dire “critical” rating, a designation reserved for bugs that can be exploited remotely by malware or miscreants to seize complete control over the target computer without any help from users.

Once again, some of those critical flaws include security weaknesses in the way Windows implements Remote Desktop connections, a feature that allows systems to be accessed, viewed and controlled as if the user was seated directly in front of the remote computer. Other critical patches include updates for the Web browsers and Web scripting engines built into Windows, as well as fixes for ASP.NET and the .NET Framework.

The security fix for the CVE-2020-0601 bug and others detailed in this post will be offered to Windows users as part of a bundle of patches released today by Microsoft. To see whether any updates are available for your Windows computer, go to the Start menu and type “Windows Update,” then let the system scan for any available patches.

Keep in mind that while staying up-to-date on Windows patches is a must, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re not losing your mind when the odd buggy patch causes problems booting the system. So do yourself a favor and backup your files before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

Today also marks the last month in which Microsoft will ship security updates for Windows 7 home/personal users. I count myself among some 30 percent of Windows users who still like and (ab)use this operating system in one form or another, and am sad that this day has come to pass. But if you rely on this OS for day-to-day use, it’s probably time to think about upgrading to something newer.

That might be a computer with Windows 10. Or maybe you have always wanted that shiny MacOS computer. If cost is a primary motivator and the user you have in mind doesn’t do much with the system other than browsing the Web, perhaps a Chromebook or an older machine with a recent version of Linux is the answer. Whichever system you choose, it’s important to pick one that fits the owner’s needs and provides security updates on an ongoing basis.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.


88 thoughts on “Patch Tuesday, January 2020 Edition

  1. Darryl

    Windows 95, 98, XP, 7 etc I look back at what I did on Windows 95 compared to today on Windows 10.
    Word, excel, publisher, outlook, internet, solitare was pretty much it for Windows 95, interestingly nothing has changed.
    I have queried a few others, some same age, some new, and all pretty much use computers for the same tasks.
    So given 100% of people I know do nothing any different than what they did in the 95 days, why do I need the huge processing power to run Windows 10, when all I do is the same stuff I did 15 years ago?

    1. ASB

      As someone that has supported Windows, Linux and Mac systems since pre-Win95 days, I can assure you that while there are great similarities in what apps many people use on their computers (as compared with 1995), there are tremendous differences in terms of how much it is possible to do now vs then.

      I’d also be the last person to say that all of the change has been beneficial to mankind, but trust me, if I hand you a 20 year old computer with 20 year old software and ask you to keep working as you do today, there would be quite an adjustment for you. Probably less distractions, but a lot less productivity, too.

      Yes, patching is hard, and software is buggy. A lot of this is our insistence on moving at a fast pace, when a slower cadence would be better.

      But a lot of this comes from having millions and billions of devices with very different configurations, running all sorts of software combinations. It is tremendously annoying when you experience a problem in that cycle, but we don’t have nearly as much problems as might be expected for the combinations involved.

      I am involved directly and indirectly in the patching of hundreds of systems each month — and the percentage of months where we have issues is in the single digits per year, and the percentage of systems affected is also in the single digits per issue.

      Yes, we’ve had one or two big events (or, they would have been big events if we had not established processes to avoid that kind of problem), but this has proven to be the exception and not the norm.

      Even when Microsoft has seriously buggy releases, it’s not the same people running into problems each month.

      In the past 3 years, with ~15 systems in my home office, I have experienced 4 patch related issues. Twice with one of my own machines (most annoying, I know), and twice with different family members.

      This is not to say that I don’t believe that these things happen. I do. I’ve seen it, and I’ve experienced it.

      But frankly, I’ve had more Android upgrade issues that Windows upgrade issues in the same period of time.

      This is the annoying era we live in, because no one wants to wait for anything, and everything has to be thrown out the door as soon as humanly possible.

      From my vantage point, Microsoft has room to improve their process, but they’re not close to being the worst vendor managing this issue at this scale.

  2. Liz

    Good question Darryl, but maybe it isn’t so much that “we” need Windows 10. Rather Microsoft needed it to generate a better revenue stream. It’s a different model than all the previous Windows and its focus is on monetizing. Why else would the Pro version, which until Win 10 was geared toward business users, come bundled with Xbox and other consumer oriented apps, many of which you have to use Powershell to remove. Friends who use Win 10 Home complain that unwanted game apps like Candy Crush keep reinstalling themselves. And to make matters worse, some of these bundled apps are 3rd party bloatware. Who’s to say if they’re safe, or what data they’re collecting? And if I’m not mistaken, MS takes a cut of the revenue those 3rd parties generate from the bundled apps.

    I’ve used MS OS since the days of MS-DOS. Good training for when I have to drill down when Windows goes on the blink, but I was glad when XP came along, and saw an incremental improvement with Win 7. Win 10 gives me nothing I need and everything I don’t want. I considered going to Linux, but I’m getting a little too long in the tooth ….. old enough to realize life is very short and I don’t particularly cherish the idea of investing more time learning a new OS. I’m hanging on to all of my Win 7 systems. They’re my reliable workhorse but will keep them off line. For online, I guess it’s Win 10 Pro, but stripped of all the bloatware and using the most restrictive privacy settings that MS allows, which still leaves me with a leaky boat. It’s giving me a sinking feeling!

    1. KoSReader600000

      “Good question Darryl, but maybe it isn’t so much that “we” need Windows 10. Rather Microsoft needed it to generate a better revenue stream. It’s a different model than all the previous Windows and its focus is on monetizing.” -Liz

      +10

      I agree.

      Microsoft’s patches have been less than perfect – OK horrible for the two last years- and probably will continue in that direction.

      Microsoft was a Personal Computer maker which turned into an Oracle or SAP or other Main Frame sellers – Which is of no concern to shareholders. But a huge concern to Microsoft users. “Personal” is out of the picture and high cost data centers are in.

      Microsoft testing division was fired due almost entirely to Satya Nadella. Microsoft’s customers are now “beta testers” or rats in an abusive cage.

      After Satya Narayana Nadella of Hyderabad India took over as CEO, Microsoft’s customers have been treated like teenage bubble gum iPhone users to be scammed or used as beta testers – a cheap doughnut to be dissolving in executives coffee mugs and consumed.

      Woody notes the bad patches and why. Then there is a YouTube video that tells of how Microsoft fired their tester at Microsoft – a very bad situation.

      “Why does Microsoft Windows 10 have so many bugs? Ex-Employee tells you why!” = a clear picture by an MS employee on in house firings of code testers.

      ht tps://www.youtube[.]com/watch?v=S9kn8_oztsA

      “Satya Narayana Nadella (born …1967) is an Indian American business executive. He is the chief executive officer (CEO) of Microsoft, succeeding Steve Ballmer in 2014 …[Previously] a civil servant who worked for the Indian Administrative Service of the Government of India..” -Wikipedia

      Nadella is a less than perfect tech giant leader hired after Bill Gates’ exit.

      ht tps://en.wikipedia[.]org/wiki/Satya_Nadella

      For those financial types, here is the disconnect between increasing Revenue and poor cash flow. “This quarter, revenue was $33.1 billion, up 14%… [but] Cash flow from operations …increased 1% year-over-year – or accounting methods made by Satya Nadella caused an hyped “revenue” but poor cash flow – like other scam artists throughout history.

      ht tps://www.fool.com/earnings/call-transcripts/2019/10/23/microsoft-corp-msft-q1-2020-earnings-call-transcri[.]aspx

      Huge pay:
      “Microsoft CEO Satya Nadella took home $42.9 million last fiscal, gets 66% raise ” -Khaleejtimes

      ht tps://www.khaleejtimes[.]com/citytimes/newsmakers/microsoft-ceo-satya-nadella-took-home-429-million-last-fiscal-gets-66-raise

      [and]

      “Why did Bill Gates leave Microsoft?”

      ‘Bill Gates has quit as Microsoft chairman to take up a new role as technology adviser in a management shake-up that will see Satya Nadella become chief executive. The announcement ends a long search for a new chief after Steve Ballmer announced his intention to retire in August.Feb 4, 2014’-telegraph

      ht tps://www.telegraph[.]co[.]uk/technology/microsoft/10616998/Bill-Gates-quits-as-Microsoft-chairman-and-Satya-Nadella-is-named-chief-executive.html

      Nadella by Wikipedia or those interested or have more on the story.

      ht tps://en.wikipedia[.]org/wiki/Satya_Nadella

      Firings and unbecoming behavior by MS noted by Wikipedia [long list]:

      ht tps://en.wikipedia[.]org/wiki/Criticism_of_Microsoft

      Links broken to hinder bots

  3. KoSReader60000

    “Windows 95, 98, XP, 7 etc I look back at what I did on Windows 95 compared to today on Windows 10. Word, excel, publisher, outlook, internet, solitare was pretty much it for Windows 95, interestingly nothing has changed… 100% of people I know do nothing any different than what they did in the 95 days, why do I need the huge processing power to run Windows 10, when all I do is the same stuff I did 15 years ago?”-Darryl, January 20, 2020 at 4:45 am

    and

    “Good question Darryl, but maybe it isn’t so much that “we” need Windows 10. Rather Microsoft needed it to generate a better revenue stream.” -Liz January 21, 2020 at 12:40 am

    Darryl is essentially correct. The functionality of Windows has not changed that much. The Microsoft corporation has changed – for the worst.

    I also agree with Liz.

    Microsoft’s huge management team is a mill stone around the company’s neck. The current CEO should be replace with somebody better
    .
    Microsoft’s patches have been horrible for the last year – and probably will continue in that direction. A Personal Computer maker which turned into an Oracle or SAP or other Main Frame sellers is no help to its users.

    This is of little concern to shareholders – But a huge concern to Microsoft users.

    Microsoft testing division was fired due to Satya Nadella. Microsoft’s customers are now “beta testers” or rats in a cage.

    After Satya Narayana Nadella of Hyderabad India took over as CEO, Microsoft’s customers have been treated like teenage beta testers.

    Woody and others note a reason for the bad MS patches and why. Then there is a YouTube video that tells of how Mycroft fired their code testers at Microsoft – replacing them AI.

    “Why does Microsoft Windows 10 have so many bugs? Ex-Employee tells you why!” -ht tps://www.youtube[.]com/watch?v=S9kn8_oztsA

    “Satya Narayana Nadella (born 19 August 1967) is an Indian American business executive. He is the chief executive officer (CEO) of Microsoft, succeeding Steve Ballmer in 2014 …[Previously] a civil servant who worked for the Indian Administrative Service of the Government of India..” -Wikipedia

    Nadella is less skilled than Bill Gates and may have caused Gates’ exit from the company.

    ht tps://en.wikipedia[.]org/wiki/Satya_Nadella

    For those financial types, here is the disconnect between increasing Revenue and poor cash flow.
    “This quarter, revenue was $33.1 billion, up 14%… [but] Cash flow from operations …increased 1% year-over-year – or odd accounting methods made by Satya Nadella caused an hyped “revenue” increase but poor cash flow like other scam artists throughout history.

    ht tps://www.fool[.]com/earnings/call-transcripts/2019/10/23/microsoft-corp-msft-q1-2020-earnings-call-transcri.aspx

    Nadella’s Huge pay:
    “Microsoft CEO Satya Nadella took home $42.9 million last fiscal, gets 66% raise ” -Khaleejtimes

    ht tps://www.khaleejtimes[.]com/citytimes/newsmakers/microsoft-ceo-satya-nadella-took-home-429-million-last-fiscal-gets-66-raise

    [and the big question]

    “Why did Bill Gates leave Microsoft?”

    ‘Bill Gates has quit as Microsoft chairman to take up a new role as technology adviser in a management shake-up that will see Satya Nadella become chief executive. The announcement ends a long search for a new chief after Steve Ballmer announced his intention to retire in August. Feb 4, 2014’-telegraph

    ht tps://www.telegraph[.]co[.]uk/technology/microsoft/10616998/Bill-Gates-quits-as-Microsoft-chairman-and-Satya-Nadella-is-named-chief-executive.html

    Firings and unbecoming behavior by MS noted by Wikipedia [very long list]:

    ht tps://en.wikipedia[.]org/wiki/Criticism_of_Microsoft

    Microsoft can only give away or sell so many poorly coded systems and useless cloud licenses. Clearly, Microsoft needs to clean up its act and get better management.

  4. Rogenell Mojado

    Latest update destroyed all my VM guests. the heck happened.

    1. Virtual Mystery

      Try this command as admin and reboot

      bcdedit /set hypervisorlaunchtype off

      Probably Windows hypervisor is claiming its turf, even if you don’t use it. This command will release its grip so use can use another um, virtualizer.

  5. Fotios

    “Fix one, kill another” seems to be the rule by Microsoft.
    I had set up my pc for automatic backup on the C disk every Sunday at 3am. Today I turned it on to see a popup alerting me that the back up did not happen because the pc could not find the location! Following through the steps I came to a point where I had to chose between the desktop and a flash drive as a back up. I also saw that the auto back up scheduled time and date of the had been changed. I opted to go through the Control Panel – Backup and Restore to change back to Sunday 3am but the option of choosing the C disk was gone with the wind. So, it looks like that I either insert a flash drive every Saturday evening (my DVD drive is broken) for the Sunday 3am auto back up to take place (hopefully..) or to do a manual back up every while.

Comments are closed.