11
Feb 20

Microsoft Patch Tuesday, February 2020 Edition

Microsoft today released updates to plug nearly 100 security holes in various versions of its Windows operating system and related software, including a zero-day vulnerability in Internet Explorer (IE) that is actively being exploited. Also, Adobe has issued a bevy of security updates for its various products, including Flash Player and Adobe Reader/Acrobat.

A dozen of the vulnerabilities Microsoft patched today are rated “critical,” meaning malware or miscreants could exploit them remotely to gain complete control over an affected system with little to no help from the user.

Last month, Microsoft released an advisory warning that attackers were exploiting a previously unknown flaw in IE. That vulnerability, assigned as CVE-2020-0674, has been patched with this month’s release. It could be used to install malware just by getting a user to browse to a malicious or hacked Web site.

Microsoft once again fixed a critical flaw in the way Windows handles shortcut (.lnk) files (CVE-2020-0729) that affects Windows 8 and 10 systems, as well as Windows Server 2008-2012. Allan Liska, intelligence analyst at Recorded Future, says Microsoft considers exploitation of the vulnerability unlikely, but that a similar vulnerability discovered last year, CVE-2019-1280, was being actively exploited by the Astaroth trojan as recently as September.

Another flaw fixed this month in Microsoft Exchange 2010 through 2019 may merit special attention. The bug could allow attackers to exploit the Exchange Server and execute arbitrary code just by sending a specially crafted email. This vulnerability (CVE-2020-0688) is rated “important” rather than “critical,” but Liska says it seems potentially dangerous, as Microsoft identifies this as a vulnerability that is likely to be exploited.

In addition, Redmond addressed a critical issue (CVE-2020-0618) in the way Microsoft SQL Server versions 2012-2016 handle page requests.

After a several-month respite from patches for its Flash Player browser plug-in, Adobe has once again blessed us with a security update for this program (fixes one critical flaw). Thankfully, Chrome and Firefox both now disable Flash by default, and Chrome and IE/Edge auto-update the program when new security updates are available. Adobe is slated to retire Flash Player later this year.

Other Adobe products for which the company shipped updates today include Experience Manager, Digital Editions, Framemaker and Acrobat/Reader (17 flaws). Security experts at Qualys note that on January 28th, Adobe also issued an out-of-band patch for Magento, labeled as Priority 2.

“While none of the vulnerabilities disclosed in Adobe’s release are known to be Actively Attacked today, all patches should be prioritized on systems with these products installed,” said Qualys’s Jimmy Graham.

Windows 7 users should be aware by now that while a fair number of flaws addressed this month by Microsoft affect Windows 7 systems, this operating system is no longer being supported with security updates (unless you’re an enterprise taking advantage of Microsoft’s paid extended security updates program, which is available to Windows 7 Professional and Windows 7 enterprise users).

If you rely on Windows 7 for day-to-day use, it’s probably time to think about upgrading to something newer. That might be a computer with Windows 10. Or maybe you have always wanted that shiny MacOS computer.

If cost is a primary motivator and the user you have in mind doesn’t do much with the system other than browsing the Web, perhaps a Chromebook or an older machine with a recent version of Linux is the answer (Ubuntu may be easiest for non-Linux natives). Whichever system you choose, it’s important to pick one that fits the owner’s needs and provides security updates on an ongoing basis.

Keep in mind that while staying up-to-date on Windows patches is a must, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re not losing your mind when the odd buggy patch causes problems booting the system.

So do yourself a favor and backup your files before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips. Also, keep an eye on the AskWoody blog from Woody Leonhard, who keeps a close eye on buggy Microsoft updates each month.

Tags: , , , , , , , ,

56 comments

  1. The Sunshine State

    Adobe Flash should be killed off like Windows 7 SP1

    • “Adobe is slated to retire Flash Player later this year.”

      • Except that there will be so many websites out there that will forget to create a non flash version of their services. And, things will break forcing users to keep an outdated unsupported version of flash…. happens any time something goes unsupported. Just look at shockwave!

  2. The small business that I help with IT cannot upgrade their PC’s to Windows 10 because of the propriety software/hardware link that doesn’t run on Windows 10. For them such upgrade will require literally spending hundreds of thousands of $$ to upgrade the proprietary hardware as well, which will obviously not going to happen any time soon.

    So they will stay with Windows 7 for a very long time.

    It’s too bad though that Microsoft seems to have abandoned small businesses like that one.

    • It’s too bad that the people who made that software apparently have abandoned it. Ditto with the hardware. and it’s too bad that a business has placed itself in a situation where it has a single point of failure. But yeah Microsoft has some blame here as well.

      • Just curious as to why you’re putting blame on Microsoft for this matter. Win7 was release in 2009 and MS dropped support for it just a month ago. That’s over a decade later. Even other operating systems, like Mac or Linux, can’t claim that. Microsoft can be blamed for a countless list of other things, but not for its support of legacy software.

        • On top of that, the option still exists to pay for extended Windows 7 support. A business can decide whether extended support or a hardware refresh is the better investment in the long term.

        • People said the same thing when XP went EOL in 2014, after 12 years of support. I figure it’s just people complaining about change…

          Having said that, there are cases where something will just not work with a newer OS. When you get that situation all you can do is VLAN and firewall the old machine off from the internet and the rest of the network until it can be updated, replaced or retired.

          • I remember when XP went EOS. I was working for a company that was required to send data to a regulatory agency on a regular basis, weekly if I remember correctly. The only way to send the data was to use a program supplied by the regulatory agency and it only ran on XP. So yes, we took special measures such as only booting the PC when we needed to send data and only connecting it to the network after we had loaded the data onto the PC via external media, and immediately shutting down the PC upon completion of the data transmission, etc. It was at least two years after XP went EOS before the regulatory agency came up with an alternate way to send the data.

    • Set the firewall to block everything except the 0, 1 or 2 inbound ports/services you need.

      Block all outbound port except what is required.

      For more security add app blocker rules using the built in window 7 app.

      Google. “Create an Application Whitelist in Windows 7”

      G/L
      Bill

    • Have they looked into subscribing to Extended Security Updates for Windows 7?

    • This is often a problem for small businesses. I used to work for my brother’s company that provided small business IT support.

      If they have proprietary software that will only run on Win7 then those computers MUST NOT be connected to their network or the Internet.

      Also, where I work we have manufacturing equipment that uses embedded DOS, XP and Win7. This equipment is NEVER connected to our network or the Internet.

      Any computers on the network are Win10 and they have been for over 2 years.

    • 0patch is far better than nothing. I have bought a 12month subscription for what 0patch calls a micropatch solution. It works fine with no glitches and seemingly no performance hit.

      See https://0patch.com

      • Thanks for that very useful link. I’m usually not willing to try anything without a widely known reputation; but I did some searching on reputable sites. and everyone is talking about it. Someone with authority on some of these forums said that the man behind Opatch actually contracts with MS do do some of their patch support work – so that is about as safe as you can get. Woody Leonhard offered advice on his forum about it too! There is a lot of discussion on bleepingcomputer too

      • Additional good news: there’s a free service available for individual non-commercial as well as non-profit users.

        The bad news: VirusTotal turns up 2 hits for malicious, and malware. I’m going to contact them. Any response will be added here when and if it occurs.

        • Better news! Mitja Kolsek, who is 0Patch, explained that his software mimics some malware and can be identified as such. But, the “detection” was awhile ago, and some “security” firms aren’t up to speed. The explanation makes sense, and I’m going to use his service.

    • It’s too bad that the owner(s) of this small business made the decision to lock themselves into one version of Windows linked to proprietary hardware.

      Either they’re going to have to spend the money to upgrade and deal with the proprietary hardware issues or pay Microsoft through the nose for seurity updates for a EOLed operating system.

      But it’s not Microsoft’s fault. So I wish people would stop blaming them for not supporting old versions of Windows.

      • If they hadn't lied, maybe!

        Edward stop whining.

        • Nope. I won’t stop “whining”. I’m sick and tired of people whinging and complaining that Microsoft won’t support every version of Windows back to MS Dos 1.0 and that they’ve got a business with “proprietary software/hardware” that won’t run on anything other than some old EOLed version of Windows.

          It’s not Microsofts fault that a business locked themselves into one version of MS Windows and then to add injury to insult designed “proprietary hardware” that won’t run on anything else. Stupid is as stupid does. Bad business decisions will eventually catch up with a business. And this is one of them.

  3. my laptop got very slow after i updated it!!

    • It must be a bug in the bitcoin-mining malware that was surreptitiously installed. See if there’s an update!

      🙂

  4. After installing the first group of fixes for Windows 10, I rebooted and ran Windows Update a second time. One fix was found.

  5. Brandon Broussard

    My computers hard drive crashed after upgrading it from windows 7 to windows 10

    • Welcome to the club. The Windows software that Microsoft said would determine if my PC could be upgraded failed in the conversion to Windows 7 and to Windows 10. Both PCs functioned after the initial installation. Both PCs died after the first round of updates subsequent to the initial installation. The upgrade software never mentioned a diagnosis of the board so I am guessing that the cause of the incompatibility was in the board. One would think that the software would have a list of compatible boards.

  6. > Adobe Flash should be killed off ….like Windows 7 SP1 <

    So we should all listen to Microsoft's hype and ditch our perfectly stable Windows 7 systems and instead install the can of worms that is Windows 10? Yeah sure!

    "Microsoft and NSA say a security bug affects millions of Windows 10 computers. Microsoft has released a security patch for a dangerous vulnerability affecting hundreds of millions of computers running Windows 10. The vulnerability is found in a decades-old Windows cryptographic component, known as". CryptoAPI.
    -14 Jan 2020

  7. Can’t remember the last time I used Flash player or had it installed. But I still see big companies like Comcast still use it for streaming video. Windows is a target so big I can’t imagine anyone who should use a version without updates and connect to the web. Even if you use a excellent security suite and up to date browser. I use both Mac’s and Windows 10 PC’s and keeping them updated is the best defense for what is a constant evolving threat. Malwarebytes said that 2019 was a bad year for Mac OS attacks as well. Yeah Woody Leonard is a good guy even if he tends to be a bit paranoid about updates. He tends to be in the know about any issues with updates first.

    • Yeah, a pet peeve of mine is that Xfinity Stream still uses Flash Player on both Windows and OS X. (Updating Flash for OS X is somewhat more kludgy than for Windows.) I know they don’t have to use it, since Xfinity Stream on my iPad works just fine without it.

      We’ll see if they come out with a Flash-less version in time for the drop-dead date.

  8. I have installed KB4537820 with the ESU program, and the security patch generate reboot looping. Then that mean microsoft performance bugs and fails for W7, in change W10 works perfect.

  9. I agree with your comment that Ubuntu is the simplest for Windows users.

    I have been trying out other Windows like Linux distros. They are more familiar looking, but they lack driver support for the printer I have and don’t access the Windows drives.

    An Ubuntu installation running on a USB 3.0 stick plugged into a USB 3.0 connection on my computer runs pretty fast. USB 2.0 sticks and connections are frustratingly slow.

    Using Ubuntu on a fast USB stick can be a way to kick the tires without having to make a big decision.

    One poster said they can not switch away from Windows 7 because of a proprietary program. Not so. Install Windows 10 and run Windows 7 in Virtualbox with just that special program.

    I am doing that with an old program, Alpha4v8, running it in XP in a virtual machine. I don’t need or use network access, so it is reasonably secure.

  10. Overnight, Windows 10 update froze my computer. Screen is black. Shut compter off and tried to restart. So far it still shows a black screen. Any suggestions on how to resolve this?

  11. I’m a bit confused, why do I get the Flash Player update when I don’t have Flash installed? Is this shipped with Windows 10 by default and not visible to the user?

    • Yup!
      Unconscionable, I know!

      It’s in (at least):

      c:\Windows\system32\Flashplayerapp.exe

      I delete it and then get a little joy every time windows complains it’s missing.

    • Adobe Flash isn’t a standard “application”, per se, but a plugin/extension to your web browser. I’m unsure what it looks like on your system/browser, but if there’s some kind of “extensions” section, you might see it under that.

      Flash is just about unneeded nowadays, I would say mostly due to iOS not supporting it. You’ll mostly miss out on flash-based games, if that’s your thing.

  12. Adobe Reader DC appears broken post update. Getting Exception code 0xc0000005. That appears to be an access violation, maybe a null pointer. You’ve got to love Update Tuesdays and Crash Wednesdays!

  13. Mike: Thanks for info on Ubuntu–I’m considering it.

    Re: February Windows Updates:
    Sine yesterday I have become unable to use system restore–don’t know if it’s because of latest Win updates, but that’s suspicious.

    Regards,

  14. After rebooting Windows 10 update said “first phase of 4″and
    that was it: no more phases.
    Now my system has no sound, no internet, restore point unreacheable, the WMI service was disabled. The sound was the only thing I could fix.

  15. Specific to Windows 7, cautiously adding this: on an ongoing basis, without having subscribed to any flavor of extended support, updates (including a new version) for Microsoft Security Essentials continue to be available; and — employing Windows Updates — KB890830 (Windows Malicious Software Removal Tool x64 – February 2020) was on the menu and successfully (and uneventfully) installed. I haven’t a clue how long these options will continue to work.

    Emphasizing (as others have noted): this is not Best Practice.

    But by way of analogy, if I had a Device assembled with Whitworth nuts and bolts (if you’re unfamiliar with “Whitworth”, a web search will inform you) and that Device continued to perform necessary tasks, I’d maintain the relevant assortment of tools required to keep the Device operating. In this analogy, you can reasonably challenge whether keeping the notional Device operating has merit; the required tools are just that: tools.

    And yes, Ubuntu — and more specifically dual-booting Ubuntu (with W-7 as the alternative) — is one of a number of alternatives that work.

  16. I couldn’t believe Microsoft sent me a post Jan 14, 2020 Quality rollup update! I just received it today. I’m not going to refuse any updates I get from MS now, because it should stop soon, just like with XP. I’ll back up an image just as soon as I can, to preserve it for my posterity.

  17. If you have among your programs, Firefox, explorer ( or it’s latest variant), chrome, or it’s latest namesake, opera, you still get the Adobe updates. It seems as if all browsers have flash is a fallback program for unimproved sites. Just as new sites use HTML, old sites do not always respond back, oh, and flash does most of the adverts you see yet. And flash is two way, it responds back the ad played. Html is more often caught by your firewall and stopped. But flash! Durn. It’s still making money. No way to stop it.
    Luckily both of my sets faired well off this latest updates, but a whole day for my primary old set to recover. But, now I have to find the input string for God mode, they even took off the saved web page. All of the command page right there, so easy to find your settings there. And make sure they didn’t tamper with what I want set. Or how I want the system.

  18. I need the file

    • sorry, about this lateness. I had to find it again.
      Make sure your system account has administrative privileges
      Right-click on the Windows 10 desktop and choose New > Folder
      Name the folder: GodMode.{ED7BA470-8E54-465E-825C-99712043E01C} and hit enter/return to make it stick

  19. if we are are on Exchange 2016 CU 12, does this impact us?

    • If you bothered to click the link in the story, you’d see a list of exchange versions. From what I can see, you need to get on 2016 CU15, but maybe click the link for yourself.

  20. Keep getting IRL_LESS_THAN errors , had to revert.

  21. On Feb. 12, 2020 I had a automatic Windows 10 update, which has left my computer extremely slow. I have rebooted three times and each time it has taken close to 10 minutes from shutdown to total reboot. When I try to open Firefox it takes about a minute or so till my home page opens, once open I can load other pages. Any suggestions? Tried to restore to earlier time, but there are no restore points.

  22. Thee seems to be a lot of issues with this 2/11/2020 release. On two machines upon install, icons were missing, temp profile installed and custom background changed to default windows. Did not check files, etc.
    Had to uninstall the update and all returned OK.
    Lot of similar issues being posted on the microsoft form. I sent mine to Feedback Hub. Hopefully some action to resolve.

    • Was this on Windows 10 or 8.1? I had exactly the same problem on my 8.1 machine. Spent 4 days fighting the issue before I gave up and rolled back permanently. Nothing on MS sites about this.

  23. Windows 8.1. PC ‘update and shut down’ on 12th, but starting up the next day, froze at ‘Working on updates 95% complete Do not turn off your computer’. Two hard restarts later, gets to the same point, at which the little wheel stops turning and it just sits. Left it overnight last night, it hasn’t progressed. Never had this happen after a new patch. Set to run updates automatically. Most files backed up, but stupidly been working on a couple on the desktop, so going to try to avoid losing data if I can…

  24. After (incomplete – didn’t restart computer) automatic installation of 13 February 2020 update of Windows malicious software removal tool x64 KB890830, ANY and EVERY file I open is blank, despite information that appears in directory. (? Folder). Microsoft called me at my request, support desk lady took my details (having just called me at number I gave in request to call me), gave me a case number = 1494731428 –

    and said was putting me through to a technical support person. After a few minutes waiting, a recorded voice suddenly told me to call back during support hours, 9:00-9:00 Monday to Friday. No time zone given. Could not find where to *uninstall* update. Message received when I tried next to ask MS to contact me: Something went wrong on our end. We’re working on it.” In my last attempt to get the problem solved, I wrote: “I am annoyed but not surprised.”MS lives up to its reputation. Hoping to be reunited one day soon with the content of my files. PS1 Next time I know my nightly backup isn’t working, sort it out SOON, if not IMMEDIATELY. PS2 Next time I make a note to stop automatic installation of Windows updates, deal with it IMMEDIATELY, if not sooner. You live and learn…

  25. Successfully removed Feb. 13, 2020 Windows Security update. Computer back to normal. Thanks

  26. When we see new update??now in these days……thx 🙂

  27. please analyzed the uefi patch call kb4524244, hp user report freezes, hangs por bsod. This patch is evil

  28. When some one searches for his required thing,
    thus he/she desires to be available that in detail, thus that thing is maintained over here.