10 Mar 20

Microsoft Patch Tuesday, March 2020 Edition

Microsoft Corp. today released updates to plug more than 100 security holes in its various Windows operating systems and associated software. If you (ab)use Windows, please take a moment to read this post, backup your system(s), and patch your PCs.

All told, this patch batch addresses at least 115 security flaws. Twenty-six of those earned Microsoft’s most-dire “critical” rating, meaning malware or miscreants could exploit them to gain complete, remote control over vulnerable computers without any help from users.

Given the sheer number of fixes, mercifully there are no zero-day bugs to address, nor were any of them detailed publicly prior to today. Also, there were no security patches released by Adobe today. But there are a few eyebrow-raising Windows vulnerabilities worthy of attention.

Recorded Future warns exploit code is now available for one of the critical bugs Redmond patched last month in Microsoft Exchange (CVE-2020-0688), and that nation state actors have been observed abusing the exploit for targeted attacks.

One flaw fixed this month in Microsoft Word (CVE-2020-0852) could be exploited to execute malicious code on a Windows system just by getting the user to load an email containing a booby-trapped document in the Microsoft Outlook preview pane. CVE-2020-0852 is one of just four remote code execution flaws Microsoft patched this month in versions of Word.

One somewhat ironic weakness fixed today (CVE-2020-0872) resides in a new component Microsoft debuted this year called Application Inspector, a source code analyzer designed to help Windows developers identify “interesting” or risky features in open source software (such as the use of cryptography, connections made to a remote entity, etc.).

Microsoft said this flaw can be exploited if a user runs Application Inspector on a hacked or booby-trapped program. Whoops. Animesh Jain from security vendor Qualys says this patch should be prioritized, despite being labeled as less severe (“important” versus “critical”) by Microsoft.

For enterprises, Qualys recommends prioritizing the patching of desktop endpoints over servers this month, noting that most of the other critical bugs patched today are prevalent on workstation-type devices. Those include a number of flaws that can be exploited simply by convincing a Windows user to browse to a malicious or hacked Web site.

While many of the vulnerabilities fixed in today’s patch batch affect Windows 7 operating systems, this OS is no longer being supported with security updates (unless you’re an enterprise taking advantage of Microsoft’s paid extended security updates program, which is available to Windows 7 Professional and Windows 7 Enterprise users).

If you rely on Windows 7 for day-to-day use, it’s probably time to think about upgrading to something newer. That might be a computer with Windows 10. Or maybe you have always wanted that shiny MacOS computer.

If cost is a primary motivator and the user you have in mind doesn’t do much with the system other than browsing the Web, perhaps a Chromebook or an older machine with a recent version of Linux is the answer (Ubuntu may be easiest for non-Linux natives). Whichever system you choose, it’s important to pick one that fits the owner’s needs and provides security updates on an ongoing basis.

Keep in mind that while staying up-to-date on Windows patches is a must, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re not losing your mind when the odd buggy patch causes problems booting the system.

So do yourself a favor and backup your files before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips. Also, keep an eye on the AskWoody blog from Woody Leonhard, who keeps a close eye on buggy Microsoft updates each month.

Update, 7:50 p.m.: Microsoft has released an advisory about a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. Critical SMB (Windows file-sharing) flaws are dangerous because they are typically “wormable,” in that they can spread rapidly to vulnerable systems across an internal network with little to no human interaction.

“To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server,” Microsoft warned. “To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.”

Microsoft’s advisory says the flaw is neither publicly disclosed nor exploited at the moment. It includes a workaround to mitigate the flaw in file-sharing servers, but says the workaround does not prevent the exploitation of clients.
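A defender’s view of the “wormable” point above: the fastest sign that a self-propagating SMB exploit is loose on an internal network is one host suddenly opening TCP/445 connections to many peers in a short span. The Python below is an added example, not code from this post, from Microsoft, or from the advisory; it runs a sliding-window fan-out detector over a few constructed flow-log lines. The record format, the 10.0.5.0/24 addresses, and the 5-host/60-second threshold are assumptions chosen for illustration.

```python
"""Flag worm-like SMB fan-out in constructed flow logs.

Added illustration (not from the post or from Microsoft): a host driven by a
wormable SMB flaw tends to open TCP/445 to many internal peers within seconds.
Ordinary workstations rarely do that, so counting distinct internal 445
destinations per source inside a sliding time window is a cheap, high-signal
alert. Addresses, format and thresholds below are assumptions for the demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Constructed sample flow records, "timestamp src dst dport" (not real data).
# 10.0.5.20 fans out to six hosts in six seconds (worm-like).
# 10.0.5.21 talks to one file server twice (normal).
# 10.0.5.22 uses RDP, not SMB (ignored).
# 10.0.5.23 reaches six hosts, but two minutes apart each (admin-like, slow).
SAMPLE_FLOWS = """\
2020-03-12T21:00:01 10.0.5.20 10.0.5.1 445
2020-03-12T21:00:03 10.0.5.20 10.0.5.2 445
2020-03-12T21:00:04 10.0.5.20 10.0.5.3 445
2020-03-12T21:00:05 10.0.5.20 10.0.5.4 445
2020-03-12T21:00:06 10.0.5.20 10.0.5.5 445
2020-03-12T21:00:07 10.0.5.20 10.0.5.6 445
2020-03-12T21:00:20 10.0.5.21 10.0.5.50 445
2020-03-12T21:00:21 10.0.5.21 10.0.5.50 445
2020-03-12T21:00:25 10.0.5.22 10.0.5.40 3389
2020-03-12T21:10:00 10.0.5.23 10.0.5.1 445
2020-03-12T21:12:00 10.0.5.23 10.0.5.2 445
2020-03-12T21:14:00 10.0.5.23 10.0.5.3 445
2020-03-12T21:16:00 10.0.5.23 10.0.5.4 445
2020-03-12T21:18:00 10.0.5.23 10.0.5.5 445
2020-03-12T21:20:00 10.0.5.23 10.0.5.6 445
"""

# Assumed internal address space; only lateral (internal -> internal) SMB counts.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def parse_flow(line):
    """Split one constructed record into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def detect_smb_fanout(log_text, window_seconds=60, threshold=5):
    """Return {src: max_distinct_internal_445_destinations} for every source
    that reaches at least `threshold` distinct internal hosts on TCP/445
    within any `window_seconds`-long sliding window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src -> deque of (ts, dst) inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_flow(line)
        if dport != 445 or ipaddress.ip_address(dst) not in INTERNAL:
            continue
        q = recent[src]
        q.append((ts, dst))
        # Drop records that have aged out of the window (log is time-ordered).
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold:
            alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for src, count in detect_smb_fanout(SAMPLE_FLOWS).items():
        print(f"ALERT: {src} opened TCP/445 to {count} internal hosts within 60s")
```

With the default 60-second window only 10.0.5.20 is flagged; widening the window to 15 minutes also catches the slower 10.0.5.23 sweep, which is the trade-off to tune against how often administrators or backup agents legitimately touch many file shares. In production the same logic would read firewall, NetFlow or Zeek conn logs rather than the constructed lines above.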


  1. Whatever you do – do NOT install the MS Win 7 quality rollup update offered after the January cut-off date! Even though I restored to a date before it was installed, my PC is permanently slower since then. I’m hoping micro updates by third party providers will improve this, but we’ll see.

    It is even using more RAM since then (I suspect MS installed APT spyware). This happened immediately after the update – but I hardly think it was a sleeping Trojan that caused it – at least nuking the drive from space didn’t prove that, but it could be possible.

  2. MS updates have not been trustworthy since 2014. Would be interesting to know how many millions have turned them off since then, like me.
    One less annoyance for a happy life.

    • Wonderful idea! For even better protection from Microsoft, you should post your external IP address here on the forums, to let your voice be counted to stand up to the tyranny of security patches. Also, please visit this totally normal website I created that has a similar name to Google and click through any security warnings your browser might have for you. Everything will be fine!

      • Such an arrogant voice for someone who obviously knows so little.
        As my dad used to say, better to be thought of as a fool, than to open your mouth and remove all doubt.

        • Take your Dad’s advice!

        • Bobo was a bit sarcastic, yes… but really, you were asking to be ridiculed and shamed for such a statement here.

          This site is about security… and suggesting that security updates should be disabled because they are “annoying”… needs to be shamed.

          • It would be appropriate for all who comment on my response to the OP to disclose your financial interests in propagating and proselytizing this Windows update fiasco and scam.
            Are you getting a cut from the sale of personal data collected by MS, or from milking your customers to patch, or is it just job security in corporate IT?
            Rockin’ seven Windows 7 machines malware free for more than a decade now. Win update free for six years.
            Btw, my IP is 127.0.0.1, so have a go at it.
            PS. Only the uninformed still use Google.

            • Let’s take about 20-30% off there, bud.

              IPS, good perimeter security, and strict local security policies will keep you very secure, but that isn’t the point, is it?

              You have 7 devices that have hundreds of logic vulnerabilities throughout the entire software-stack, from boot-up to boot-down.

              Some of these vulnerabilities are so severe that they could be used to alter the MBR and write code to disk essentially alongside the OS ( rootkit || bootkit ), rendering all OS operations to detect it useless.

              This is not a push for Microsoft to rule the world, this is a security patch.

              The Cost-Benefit Analysis, for most people/businesses, shows that the cost of an incident far outweighs any benefit of not patching, i.e. the Benefit of patching far outweighs the effort it takes to perform the patch.

  3. Adobe Flash Player 32.0.0.344 was released very late in the day.

  4. Does any of this fix last month’s (Feb 2020) WIN 10 debacle with missing profiles? I’ve still got patches delayed the max it will let me. As far as I know last month’s patch has not been pulled and is still out there.

  5. Windows updates for 8.1 are having problems with f12.dll locking up the computer with a fatal error also.
    Microsoft needs to do more testing prior to sending out these buggy updates.

    • Thousands if not hundreds of thousands of people don’t have a single problem with updates. You have a problem and you immediately blame Microsoft for sending out “buggy updates”. I wonder if the bug resides on your computer and not the MS update.

  6. I applied this patch to my HP Elite Book and it’s now been an hour of watching the little white dots chasing each other in an infinite circle. Just an FYI that this patch might take some time to apply.

    • I’ve been watching the little dots chase each other for an hour also. And I haven’t seen the hard drive activity light blink (granted I could’ve blinked and I’m not staring at the thing all the time).

  7. Knock on wood, I have not had any major issues with Windows 10 since installing 1511. But the Windows ecosystem is so complex and full of many different hardware, software, and driver combinations. I think it’s very difficult to do Windows 10 the way Microsoft has wanted to implement it. Not to mention that Windows 10 has just as many security issues as any previous Windows, which Microsoft had previously said would be reduced in Windows 10. But then again they have said this with every Windows release. Don’t get me started on moving to Linux, it is much worse with drivers.

  8. My prime computer at home is an iMac but since I do a lot of computer work I try to stay semi-current with Windows, I also have a dual bootable (Win 10 Prof/Linux).

    After an update a while ago with Win 10 that machine literally takes 15+ minutes to boot up. Once up it seems ok but that is crazy. I looked at the obvious issues but since I don’t use it much and at this point, hate windows and don’t want to waste my time, I haven’t actually fixed it.

    Instead I mostly use that computer for Linux stuff.

    Got my first iMac about 10 years ago, my GF uses that one now and I got a new one about 14 months ago. Neither has ever crashed on an update. They just work day after day without blue screens of death. The only rare problem I had was with…Excel and that only required a force quit.

    I’ve used computers since the Radio Shack days and went through DOS and various Windows OSes, but I’ve grown to detest them. Other than gaming it is best to avoid them; you pay a price for cheapness.

  9. My Windows 10 (build ring 1803) patch KB4540689: wusa shows me ‘the update is not applicable to this computer’. I think Microsoft is pushing end users to force-install its latest version, 1909, or this year’s ring, 2004.

  10. I have a laptop with Windows 7 Professional (home user) and I keep getting updates from Microsoft, even though I have not paid any fees.
    Today, 3/12, I got an update from Microsoft called “Malicious Software Removal” KB890830. Also, on 2/16/20, I received an update from Microsoft called “Quality Rollup for Windows 7” KB4539601.
    I thought that after 1/17/20 I was not supposed to get any more updates from Microsoft?

    • Good question, Erik. Hope someone savvy about Win7 chimes in on whether the “updates” for 7 are real or fake after the officially ended date.

    • KB890830 comes out each month, for every version of Windows. It doesn’t surprise me that it’s still coming out for Win 7, though I’m not sure how much longer that will continue. It basically scans your computer for the most common/prevalent malware that Microsoft is seeing each month.

      KB4539601 looks like a fix to a “wallpaper bug.” Not sure why that was released for Win 7.

      Overall, you should not expect many updates for Win 7, the most important being the critical security updates for each calendar month.

  11. If I (ab)use Windows? You mean if I allow Windows to abuse me???!!!!! Way to go fuck you Microsoft, one hour updating and you’re at 27 percent, forcing me to reboot. Now the system is stuck on “Undoing updates” and I’m effectively locked out of a screwed system. I want my fucking computer back. If my system is corrupted I’m not reinstalling Windows. This is enough to drive me to Linux, or anything other than Microsoft. FU bastards.

  12. I found that setting the EnableSuperfetch flag to 1 (or 0) in the Registry, or even switching off the Superfetch service in Services along with stopping the Windows Search service, can speed up working. Later, Windows Search can be switched on during idle time.

  13. March update KB4551762 is causing the same problems for me as KB4532693: a temporary account with no data and desktop configurations. Anyone else having the same problem with KB4551762? After I uninstall this update everything is back to normal. It’s only happening on my new Dell laptop; 3 HP desktops and 1 HP laptop are fine. Why is this only happening on my Dell laptop 2 months in a row?