Microsoft today released software patches to plug at least 129 security holes in its Windows operating systems and supported software, by some accounts a record number of fixes in one go for the software giant. None of the bugs addressed this month are known to have been exploited or detailed prior to today, but there are a few vulnerabilities that deserve special attention — particularly for enterprises and employees working remotely.
June marks the fourth month in a row that Microsoft has issued fixes to address more than 100 security flaws in its products. Eleven of the updates address problems Microsoft deems “critical,” meaning they could be exploited by malware or malcontents to seize complete, remote control over vulnerable systems without any help from users.
A chief concern among the panoply of patches is a trio of vulnerabilities in the Windows file-sharing technology (a.k.a. Microsoft Server Message Block or “SMB” service). Perhaps most troubling of these (CVE-2020-1301) is a remote code execution bug in SMB capabilities built into Windows 7 and Windows Server 2008 systems — both operating systems that Microsoft stopped supporting with security updates in January 2020. One mitigating factor with this flaw is that an attacker would need to be already authenticated on the network to exploit it, according to security experts at Tenable.
The SMB fixes follow closely on news that proof-of-concept code was published this week that would allow anyone to exploit a critical SMB flaw Microsoft patched for Windows 10 systems in March (CVE-2020-0796). Unlike this month’s critical SMB bugs, CVE-2020-0796 does not require the attacker to be authenticated to the target’s network. And with countless company employees now working remotely, Windows 10 users who have not yet applied updates from March or later could be dangerously exposed right now.
Microsoft Office and Excel get several updates this month. Two different flaws in Excel (CVE-2020-1225 and CVE-2020-1226) could be used to remotely commandeer a computer running Office just by getting a user to open a booby-trapped document. Another weakness (CVE-2020-1229) in most versions of Office may be exploited to bypass security features in Office simply by previewing a malicious document in the preview pane. This flaw also impacts Office for Mac, although updates are not yet available for that platform.
After months of giving us a welcome break from patching, Adobe has issued an update for its Flash Player program that fixes a single, albeit critical security problem. Adobe says it is not aware of any active exploits against the Flash flaw. Mercifully, Chrome and Firefox both now disable Flash by default, and Chrome and IE/Edge auto-update the program when new security updates are available. Adobe is slated to retire Flash Player later this year. Adobe also released security updates for its Experience Manager and Framemaker products.
Windows 7 users should be aware by now that while a fair number of flaws addressed this month by Microsoft affect Windows 7 systems, this operating system is no longer being supported with security updates (unless you’re an enterprise taking advantage of Microsoft’s paid extended security updates program, which is available to Windows 7 Professional and Windows 7 enterprise users).
Before you update with this month’s patch batch, please make sure you have backed up your system and/or important files. It’s not uncommon for a wonky Windows update to hose one’s system or prevent it from booting properly, and some updates even have known to erase or corrupt files. So do yourself a favor and backup before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.
And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.
As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.
Further reading:
AskWoody and Martin Brinkmann on Patch Tuesday fixes and potential pitfalls
Thanks for the heads up on today’s security updates !
Took an hour and a half to install updates. I check for updates every day. A relative’s computer is not working well. I’ll bet he hasn’t checked for updates lately.
Literally 30 seconds here, that including the restart.
Thanks. An hour, SO FAR. Won’t panic yet.
“A relative’s computer is not working well. I’ll bet he hasn’t checked for updates lately”.
Given Microsoft’s past record of issuing flawed updates that break stuff on many machines, its likely your relative is suffering from MS-update syndrome.
The full details for CVE-2020-1301 have now been published by Airbus – it only affects SMBv1 (which every IT Admin should have disabled long ago):
https://airbus-cyber-security.com/diving-into-the-smblost-vulnerability-cve-2020-1301/
As a regular reader of your blog I just wanted to thank you for the great work!
Kind regards
Tejeddine
Quote: “Before you update with this month’s patch batch, please make sure you have backed up your system and/or important files. It’s not uncommon for a wonky Windows update to hose one’s system or prevent it from booting properly, and some updates even have known to erase or corrupt files. So do yourself a favor and backup before installing any patches.”
Windows was intended for non-expert consumers. How are many of those consumers to perform what to them is an expert tech support procedure? In many parts of the world, people are still in lockdown and visiting them to give such support is not possible. What Satya Nadella has done is to ensure that Windows is no longer a reliable technology box where routine updates were routine trouble free (mostly) events and trouble was unexpected.
…anyone with a computer needs to have a backup…if they are not tech savvy then they need to find someone who is…
That is often not practical during COVID-19 lockdown. I would advise anyone with Windows 8.1 to stick with it for the next two years. Compared with Windows 10, it is rock solid reliable. It is old school Microsoft.
Windows 10 Feature Updates at the time of first release are not even up to Beta standard. They are a very poor Alpha. Mr Nadella’s preference is to add features, not reliability. He is only saved by Microsoft’s monopoly. If there was a realistic competitor, Microsoft would be in trouble for sure.
You can say that again!
Here’s what I noticed this morning after installing the update-
The screen background was black. It is set to run a slideshow of photographs in a wallpaper folder. The photos are there but none show up when the setting is set to slideshow. A single photo will display and the entire list of photos in the folder are visible if the Background is set to picture.
Annoying. Hopefully that’s the only problem I encounter . . .
I’m going to stay on Windows 7 as long as I can – all of my clients are finding Win 10 to be a buggy mess! Thankfully they all got rid of Adobe!
Oh shut up already.
You first.
https://www.youtube.com/watch?v=ePCVxoWlB2g
@Toby:
C’mon, grow up. Good for you if your experience has been okay — but while lots of people are also fine with W10, many others (including some top-notch IT pros) have had serious issues with it. Much depends upon just what one has installed on their particular machine(s), and some apps “agree” with 10 better than others. If W7 works well for them — and for many people it does — more power to them!
Let’s act like grownups here, okay?
Advocating for an OS that is no longer supported or patched by posting on Brian Krebs’ website misses the point of the website wouldn’t you say?
And it always makes me wonder if these “top notch IT pros” bring on their own woes when it comes to Win10 updates by altering their systems in ways that they shouldn’t and then simply whine about how Microsoft was to blame for everything getting borked during updates because of their decidedly non-standard Windows installation.
Same goes with the, “But I found the change on page 10 of a Google search and applied it to my Win10 installation and now Microsoft has ruined my computer with its defective updates.” idiots who know just enough to screw things up but aren’t willing to take the responsibility for those screw ups.
You have no idea what you’re blathering anecdotes about.
They’ve been pushing failing patches for years now.
You do know that support for Windows 7 ended this past January and any security flaws that Windows 7 has will not be patched?
I think your clients might find Win10 less onerous than a pwnd Windows 7 system.
Nah, people who are still running obsolete, outdated, and un-updated Windows 7 installations simply don’t care about the havoc they are wrecking on the internet and other users.
Microsoft should simply push updates to any remaining existing WinXP and Win7 installations that uninstalls the IP/TCP stack and renders them unable to connect to the internet and be done with it. There is no reason whatsoever for anyone to actually be running those versions any longer.
I love and use Win7 too. But from a security point of view, I am afraid, Windows 10 much better
Regarding the (monthly) statement: “Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.”
In my experience, the bootable copy you can make is a fresh version of Windows 10 without the apps you’ve installed on top, or your precious data. So you need to use both tools.
My computer has 2 drives one for booting and a second for my data. Before I allow windows to do it’s monthly update process I actually clone both drives onto a set of drives that sit in a locked file cabinet. If windows update causes problems I can simply reverse the process. I also alternate 2 different sets of back up cloned drives, giving me 2 different sets. I also have a 3rd drive used to do routine incremental backups in between cloning. Seems like a complicated system but since I rely on my computer for my income I must have reliable use every day. If anything goes wrong it only takes me a short time to be up and running exactly as I was before the failed update. Of course If an update fails I try to undo the update if that fails my clones can come to the rescue.
A tip for anyone who has not yet installed Feature Update 2004:
If you have Nvidia graphics (consumer or professional), update the driver first! There are a few anecdotes on the Web, and I’ll add my own. My <2 yr old Dell workstation blue screened during the first reboot and rolled back the update. I updated the only drivers that weren’t current, Intel Ethernet and Nvidia Quadro card. 2004 installed ok after that.
Thanks to my satellite ISP I never have a successful update unless I go to town and find a WiFi connection. As best I can determine this is both an advantage and disadvantage.
Do you have the download issue if you patch overnight when the ‘fair use’ caps are not in place? Our satellite provider loosens its caps and bandwidth restrictions between 11PM and 5AM. It is still slow, but doable.
I’ve read that to exploit this, there must be a shared partition on the server
Just did the v2004 update on an 8 years old HP 8300 All-in-One.
All went smoothly and it is working as expected.
It probably helps that I had upgraded the RAM and swapped in a SSD system drive previously.
This was originally Windows 7 Pro. It took the first bump to Win 10 Pro in Dec 2019, and I’ve been keeping it updated regularly.
500/500 MB FTTP helps a great deal.
Thanks for this very informative site.
PS:
“Literally 30 seconds here, that including the restart.”
— Only a very tiny update could happen that fast.
I’m definitely having issues. Windows is having trouble “finding my files”, even though I’m going into the folders and clicking on them directly. If I rename the files, they work, but connections between files/programs are broken unless I update them all manually. It started after the update was installed…
Andrew,
I’m having the exact same issue. However, even going in and renaming the files has not resulted in the apps opening files. Similarly, I am running into a problem even being able to open apps such as office suite applications. I did a system restore before the update and the bug is persisting.
Yes! Me too! I am unable to open up any Microsoft products such as excel or word, nor can I open my accounting software! I have been on hold with Microsoft and Windows all day and nothing is working. Microsoft is blaming Windows, Windows is blaming Microsoft. I am loosing my mind and really need to be able to access my work files.
Me too! Even pdf files on acrobat reader won’t open. Please update if you found a fix for this. I’m desperate!
I had the same problem with Microsoft Office after the Windows update. Ended up uninstalling and reinstalling and problem resolved.
This update has given me the exact same problem. After updating I can’t open Office (Word, Excel, Access etc.) or PDF (with Adobe Acrobat) documents. On top of that I can’t open the programs themselves and reversing the update, reïnstalling the programs and rebooting (in between steps) haven’t helped, so far.
OMG I’ve been scanning the internet for others who had the same issue and I’m so glad I’m not the only one! I had to use a restore point from the previous day, as uninstalling the update didn’t do it.
And to add to the Apps that don’t open (windows can’t find it even though I can look at the folders they’re installed in and they’re right there) I can’t open firefox or Daemon Tools lite after the update, in addition to office as others have said.
There is a problem with the Win 10 updates this month. Basically the print dialogue will not open, and closes the requesting app. This only happens if you are using PCL5 printer drives. Upgrade to PCL6 and the problem goes away.
Anyone else notice there is no MRT release this month?
New update broke Microsoft office suite except for teams oddly enough.
The update broke my computer to the point that it won’t boot. It says one of my files is corrupted so it won’t even turn on. I’m on Windows 7 Professional with an ASUS Z170-A
This update has completely destroyed my ability to connect to the internet. None of the usual fixes will work. Windows 10. Uninstalling the update.
Windows really needs to stop forcing us to update, especially when all the updates do is break our machines.
It’s all still just the same ol’ cobbled-together DOS 3.3 crap code
After the latest Win update, my wife’s Microsoft Home & Student edition of Office was killed due to the absence of a .dll file. This happens once in a while. Win updates used to often kill my printers until I set them up directly to our computers instead of using them through wireless.
I think I will eventually go to Ubuntu Linux!
Regards,
My dell desktop has been essentially ‘borked’ for approx 6-8 weeks now with universally-crashing apps, on and offline; EXCRUCIATINGLY slow internet (have 1gb/sec thru allo). Have run all manner of malware scans, etc, w/nothing amiss. Now this a.m. 6/12, it has the appearance of a full ‘reset’ – ALL my desktop icons GONE, my entire 5gb download folder contents (which recently uncheck in disk cleanup) GONE, firefox with its meticulous add-ons GONE. Even ALL system restore points GONE. I thought Gates was a sadist with his vaccines but this is a whole new level of evil (good thing i still have a functional laptop). This is catastrophic to put it mildly.
why is my email tempoary dormon window 7 phone number and says will ring if correct , nothing happens , i know i am entering correctly , cant look at my emails so frustrating , i wish to use windows 7 as long as possible please help 21.25 12thjune 2020
correct name holliday why cant i get into window 7
surname holliday 01342842646 why cant i get into hotmail a/c
This update borked our laptop, which displays nothing save the white arrow cursor on a black screen when powered on. Hitting [Enter] or [CTRL] or clicking *should* bring up the password login box (even if we can’t see it), but doing so and hitting enter does nothing.
And, of course, we can’t reboot in safe mode without being able to see the screen, so…
I am making a good salary online from home.I’ve made 97,999 dollar.s so for last 5 months working online and I’m a full time student. I’m using an online business opportunity I’m just so happy that I found out about it…
====>>> http://www.2usdlife.com
Vow amazing information. Thanks for sharing
Top 10 Lists – Best Of Whole World Knowledge
Social Bookmarking Sites List
Rabbit Alternatives
Best Commandos Games For Pc
I thought I am the only one who is always checking for updates. Reading the comments section shows there are lot of people, does the same as me.
I think MS purposely doing this to remain their product name ins the market. Otherwise why do they posting updates. I can’t understand such a big company why doing like this. I remember Bill Gates said If you read the Donald Knuth book, please send the resume to him. This is a stupid idea. They don’t know how cover their own ass. But they need a great people with zero errors. My understanding is the they didn’t follow properly the steps which is belongs to the software developing due to the trend of the market. I like to say don’t follow the market. Make liable product instead of keep sending the updates every week or month. This is not going to end.
Also, they are going to stop the Windows 10 in 2025 then swap to the Linux. This is major loop hole in their OS.
This update made that I could not start Microsoft Word and Microsoft PowerPoint. Microsoft Excel still worked. A “system restore” from just before the update made it work again. Aaarrgghhhhhh
Thanks for nothing. Now it’s jammed all our email system.
I am about ready to disable Windoze Update, and only allow updates when I am ready for them – not whenever this idiotic tool decides that it might be a good time. This morning, my machine had rebooted after installing this crap. The problem was that I had 6 different VMs running before the update, and it is going to take half the day to get them all up and running again. And that assumes that they shut down cleanly – if they didn’t then the virtual disks will be corrupt, and I will have lost a whole lot more than that, and have to revert to the last good snapshot.
And I had things running on these VMs before the shutdown – the next question is did those things shut down cleanly, did they finish, or is that all messed up?