11
Aug 20

Microsoft Patch Tuesday, August 2020 Edition

Microsoft today released updates to plug at least 120 security holes in its Windows operating systems and supported software, including two newly discovered vulnerabilities that are actively being exploited. Yes, good people of the Windows world, it’s time once again to back up and patch up!

At least 17 of the bugs squashed in August’s patch batch address vulnerabilities Microsoft rates as “critical,” meaning they can be exploited by miscreants or malware to gain complete, remote control over an affected system with little or no help from users. This is the sixth month in a row Microsoft has shipped fixes for more than 100 flaws in its products.

The most concerning of these appears to be CVE-2020-1380, which is a weakness in Internet Explorer that could result in system compromise just by browsing with IE to a hacked or malicious website. Microsoft’s advisory says this flaw is currently being exploited in active attacks.

The other flaw enjoying active exploitation is CVE-2020-1464, which is a “spoofing” bug in virtually all supported versions of Windows that allows an attacker to bypass Windows security features and load improperly signed files. For more on this flaw, see Microsoft Put Off Fixing Zero for 2 Years.

Trend Micro’s Zero Day Initiative points to another fix — CVE-2020-1472 — which involves a critical issue in Windows Server versions that could let an unauthenticated attacker gain administrative access to a Windows domain controller and run an application of their choosing. A domain controller is a server that responds to security authentication requests in a Windows environment, and a compromised domain controller can give attackers the keys to the kingdom inside a corporate network.

“It’s rare to see a Critical-rated elevation of privilege bug, but this one deserves it,” said ZDI’s Dustin Childs. “What’s worse is that there is not a full fix available.”

Perhaps the most “elite” vulnerability addressed this month earned the distinction of being named CVE-2020-1337, and refers to a security hole in the Windows Print Spooler service that could allow an attacker or malware to escalate their privileges on a system if they were already logged on as a regular (non-administrator) user.

Satnam Narang at Tenable notes that CVE-2020-1337 is a patch bypass for CVE-2020-1048, another Windows Print Spooler vulnerability that was patched in May 2020. Narang said researchers found that the patch for CVE-2020-1048 was incomplete and presented their findings for CVE-2020-1337 at the Black Hat security conference earlier this month. More information on CVE-2020-1337, including a video demonstration of a proof-of-concept exploit, is available here.

Adobe has graciously given us another month’s respite from patching Flash Player flaws, but it did release critical security updates for its Acrobat and PDF Reader products. More information on those updates is available here.

Keep in mind that while staying up-to-date on Windows patches is a must, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re less likely to pull your hair out when the odd buggy patch causes problems booting the system.

So do yourself a favor and back up your files before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And as ever, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.


49 comments

  1. For those of us who have roughly a dozen machines to deal with, these patches are a huge pain in the ass..

    • For those of us with about a 1000 machines to deal with it’s just another crank of the wheel.

      • Yeah, I patch about 800 servers every month and it’s just a game of averages at this point. If I get above an 85% successful patch install rate and no major application outages afterward, then it’s a good month. I can remediate whatever remains–which is never less than a dozen!

    • I’m pretty sure unwinding malware from your six boxes is going to be infinitely more painful than the patches. It literally took me about 5 minutes to patch one box, and it’s not like you have to do them serially.

    • Try ManageEngine Desktop Central. It’s free for under 25 PCs and works great.

  2. I tend to live mostly in the Apple OS world and use SuperDuper to clone my drive.

    If you have Windows 10 and especially if you have a dual bootable Windows 10/Linux system, what is the best way to clone the entire drive?

    I’m guessing you can use rsync when you boot into Linux and backup the entire drive? My goal would be to create a clone of the drive with both OS on it.

    • I use Macrium Reflect for cloning and imaging hard drives. Used for many years, never had any issues.

      • Macrium Reflect is a good product, but there are a couple of drawbacks. – ‘See thing is it’s free; and you get your money’s worth.

        For a faultless and money-backed clone I recommend Acronis True Image (Latest version).

        • I’ve used Macrium Reflect for over a decade now, with the free and paid version, and I’ve had not one failure to recover, and neither have my clients. I am not a shill for MR, how about you?

          • I’m not a paid shill but Acronis is relatively problem-free. The only issue is needing to buy new versions periodically as old versions don’t typically support new OS versions. But it’s had a bootable media builder for wholesale wipe & reload system restores for years. The couple times I’ve had to use it everything worked without any fuss. Now that being said I never heard of Macrium Reflex, so I’m certainly going to give it a look before plunking money down on a new version of Acronis. In the 15 or so years I’ve been using Acronis I’ve only bought 2 upgrades (to go from XP to 7, then 7 to 10) so it’s not horrible. And it goes on sale for around $10 every so often (full product, not an upgrade) so the cost isn’t always onerous.

            • Good to know – thanks! Macrium will occasionally block an update if one is using the free version, but eventually the update is allowed as time goes on. Since I’ve been using the same PC for 12 years or so now, and still using Win 7 (updated with micro patches from Opatch) I haven’t run into the compatibility problem yet, but my sister did, when she bought a new PC; she was glad to pay for a new Macrium License for the Pro version, and the price is more than reasonable. In the past the only difference I could tell about the Pro and free versions, was that you got access to a Windows environment image instead of the free Linux one, and some IT pro files to help with that line of work. I’m sure that has changed as they seem to be stepping up their game to keep updating Macrium Reflect.

              Note it is spelled REFLECT and not reflex – just to clarify here.

      • Thirding Reflect, for things like imaging old laptops and restoring them when Windows breaks it’s awesome!

        • Macrium Reflect is my go-to backup solution for imaging / cloning hard drives on Windows machines. It’s well maintained & has never failed me. It has advanced features like the ability to virtually boot a backup image & backing up to a network shared folder.

      • I have been using Macrium Reflect for years as well. I have both nightly incremental backups to my NAS as well I use it for one off cloning. It’s a fantastic product and I’ve never had one issue with it.

    • I use clonezilla if I need to make a disk image.

    • Clonezilla has been my go to for,,, hmm I think well over 10 years. Used it to successfully clone a failing encrypted disk once. All command line, but works perfect. Also used it at a company for imaging across the network, no complaints 🙂

  3. Does somebody know which is the KB number for CVE-2020-1380 and CVE-2020-1464?

  4. “CVE-2020-1337”

    7h15 m4d3 m3 fuck1n6 l0l

  5. The Sunshine State

    Google Chrome 84.0.4147.125 was released on August 10th, with fifteen security fixes.

  6. Careful with your backups. My support ticket to Microsoft using the VSS (file history) recently ended with Microsoft saying that file history should NOT be used to backup user data files. It is only intended for system files (WTF).

    If you use file history versions and rely on it as your backup, then make sure you test the recovery of files on a regular basis.
    I have locally stored MS Access, Excel and Word files that become corrupt after being recovered. MS would not fix it, or even recognise that the issue was their fault. (The recovered files are corrupt, not the current ones).
    Now my organisation has disabled VSS backup globally.

    • I agree with MSFT on this one…Snapshots are not the same as backups.

      VSS is handy to temporarily protect file versions or to read a large file for backup operation while the original is still in use. Since VSS snapshots are on the same storage as the original file it should not be relied on as data protection strategy.

      Also, it sounds like you ran into a file consistency issue. If the OS initiates a VSS Snapshot it can only collect what has been written to the disk. The application needs to be VSS aware (which I do not believe Access or Excel are). VSS aware applications like SQL Server will flush data from memory to disk to create a consistent & recoverable file before VSS is allowed to continue.

      It would be like trying to recover a file after pulling the power from the computer while a MSAccess save operation was in process..

    • There are some nice versioning-based backup systems that avoid needing to fiddle with VSS. I use Syncback, which automatically snapshots data to a remote device or server and will store multiple generations of files, which is useful for dealing with ransomware.

      • shadow copies are not really a backup solution… had so many issues with them. I do use them so users can restore their own files if needed in their fs dirs.

  7. Wait, File History is no longer meant for user files?! https://support.microsoft.com/en-us/help/17143 makes no mention of this and it sounds like the same user backup utility as ever before.

  8. Isn’t Microsoft also sposta be deprecating Sha-1 in this month’s patch?

  9. For those of us who have roughly a dozen machines to deal with, these patches are a huge pain in the ass.

  10. RE: CVE-2020-1472. Microsoft’s documentation is very vague regarding Windows 7. Is Windows 7 included or excluded by the solution to the CVE?

  11. I had 2 updates, one a NET update, the other the cumulative Windows update. NET did its thing but the other borked the system enough even windows said it was going to uninstall it after 3 BSs in a row (that did not write dmp file…) Anyway, thought Windows seeing the system needed to uninstall the updates was nice but the system was weird. Used Acronis to restore a 3 day old C: drive image. One weirdness with Acronis is that I used a backup stored on one of my NAS’s and after the Acronis restore, I could not see that NAS via Windows. The other NAS not involved with the backup was normal and windows saw it fine. Got it back though, thought it was weird.

    • Windows 10 2004 has a Windows Update reboot loop. Don’t know the exact reasoning yet, but to fix:
      Shutdown Windows Update Service
      Delete c:\windows\softwaredistribution\downloads
      Restart Windows Update Service
      Go to Windows Updates and retry.
      Worked for my laptop.

      • Delete the contents of the c:\windows\softwaredistribution\downloads folder, not the folder itself. Just to clarify.
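
The reset described in the two comments above, written out as a PowerShell script. This is an added example, not something posted by either commenter; it assumes an elevated session and that the cache folder is %SystemRoot%\SoftwareDistribution\Download, its name on a stock install.

```powershell
#Requires -RunAsAdministrator
# Added example: clear the Windows Update download cache, leaving the folder in place.
# Assumption: the cache lives at %SystemRoot%\SoftwareDistribution\Download.

$ErrorActionPreference = 'Stop'
$cache = Join-Path $env:SystemRoot 'SoftwareDistribution\Download'

if (-not (Test-Path -LiteralPath $cache -PathType Container)) {
    throw "Cache folder not found: $cache"
}

# Stop the Windows Update service (wuauserv) and wait until it has really stopped,
# so no file in the cache is still held open when the delete runs.
$svc = Get-Service -Name wuauserv
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name wuauserv -Force
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
}

try {
    # Delete the folder's contents only; the Download folder itself stays.
    Get-ChildItem -LiteralPath $cache -Force |
        Remove-Item -Recurse -Force
}
finally {
    # Bring the service back even if part of the delete failed.
    Start-Service -Name wuauserv
}

# Report the end state so a failed cleanup is visible before retrying the update.
$left = @(Get-ChildItem -LiteralPath $cache -Force).Count
Write-Output "wuauserv: $((Get-Service -Name wuauserv).Status); items left in cache: $left"
```

After it finishes, go back to Windows Update and retry the install; a non-zero item count means some cached files were locked and the run should be repeated after a reboot.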

  12. Thanks for the update, I will check on my laptop.

  13. I was greeted with an Adobe Flash update this morning (08/12/2020). So, I was surprised to see this article say that Adobe did not publish any Flash updates.

    • Not all Flash updates have security fixes. I forget which is which but it’s either only the odd-numbered versions or even numbered that have security updates included. I know that doesn’t help much, but there weren’t any security updates available this month for Flash (yet). It is always possible you were running an outdated version though.

  14. | Perhaps the most “elite” vulnerability addressed this month

    I appreciate that humor Krebs.

  15. Brian, I am planning on buying a new laptop for my son who is an incoming transfer student at ASU (Finance/ engineering). Could you recommend a good PC and a non Microsoft operating system? Thanks very much!

  16. I agree with the positive comments on Macrium Reflect. Many years ago I used Acronis but there were problems. Have since been using Macrium Reflect free and paid versions for both Win7 and Win10 with no problems. It’s frequently updated and the updating process is easy (usually ‘patching’). One good feature is that you can make automatic verification after the backup image has been made. (Here is a small difference between paid and free editions – in the free edition you have to set this every time, in the paid the setting is remembered next time). I’ve also used it once for cloning to a larger SSD drive – with Windows 7. That gave only one problem – Microsoft began telling me that my Windows was not genuine! But these messages could just be ignored. I think this may not be a problem in Windows 10.

  17. Anyone else running into AD authentication issues after installing the CVE-2020-1472 Netlogon updates? We’ve installed it in 4 domains so far, one is Server 2008 R2 the others are 2012 R2. Only one of the 2012 domains was not affected. The others had Netlogon events indicating that authentication failed to the various domain controllers. This led to being unable to RDP to some servers, errors connecting to TFS and SQL Server, etc. After uninstalling the update from the domain controllers the issues were resolved.

    • We had some issues with our File Storage. File Shares weren’t reachable because of Authentication.
      After rollback the shares worked fine!

  18. This patch/update is a huge nightmare. My husband owns a $1300, 2 month old Alienware beautiful gaming laptop. It’s essentially been a brick for the last 6 hours.

    He has had to factory reset and that was 2 hours ago and it’s still “updating”. I have the option to update myself(on my over 1 year old Dell machine) and I certainly won’t be doing it before Monday at the earliest, as I’m not trusting my low powered computer to not crap out as well.

    I’m over Microsoft putting out “updates’ that work so poorly they then need to come up with a patch for the patch.

  19. Such cases are the reason ‘they’ (i.e. not MS) recommend you put updates on pause for 2-3 weeks every month. (‘They’ = e.g. Brian Krebs, Woody Leonhard (‘AskWoody’) and Susan Bradley).
    By that time MS has usually patched the errors. They effectively use ordinary users as beta testers. But you can avoid that by postponing the updates.

    • That truly is the only solution, if you tinker with the services to stop updates it will pepper you with failure notifications, and if you turn those off nothing works lol. Windows 10 is a trap in a box marked “trap” – every single month this year it’s been russian roulette hamster experiments on the users at large. From the inception really, from the moment it popped itself up as a startup routine in Windows 7 without being invited under the guise of an ‘upgrade’ nobody had to affirmatively ask for to have try to install itself, literally.

      -Sent from Windows 7, the last honest MS box marked trap.

  20. I wonder if it’s related to Home vs Pro vs Enterprise. I’ve one home machine that hiccuped about Windows 10 licensing, but a reboot fixed that. I never see update issues on Windows Server 2012 or Windows 10 Enterprise or Pro.

    One has to wonder, especially if one is an OG in Windows what in the hell is wrong with the process if you can rack up 100+ bugs meriting an update with ~10% of those being critical enough to make the CISA warnings! That is ludicrously poor quality control. Don’t they use the Windows equivalents of lint, valgrind, gcov, etc?

  21. This latest update has really screwed my current laptop. I’m still running Windows 7, and I use Chrome. The whole system has become unstable — frequent shutdowns; inability to check Yahoo mail properly (I can’t delete e-mail without it opening up); I can’t even get into my College’s web portal right: Outlook e-mail bounces me out, and a number of apps don’t work.

    Yeah, I’m not a super-computer genius, but for a lot of folks who need their computer to do basic things and are just savvy enough, this is a massive nightmare and inconvenience. Not what I needed with the new academic year beginning, and I know a lot of my colleagues feel the same.

  22. 0patch (that is a zero + patch) is a utility recommended “if you must use Windows 7” and are not interested in paying for MS’s update service for Win7.

  23. Noticed some packet drops from few machines after installing Aug2020 MS security patches, any suggestions please.

  24. I’ve been doing IT support for 41 years and the last 18 months have been the worst because of those windows updates designed by summer trainees at M$. 2020-08 after being installed on our Dell T110 II DC running 2012R2 somehow managed to screw up Netlogon so it was impossible to log on it with domain admin credentials. Had to roll back a month with veeam backup and redo the work that was done since then on it. So I bet civilization is not going to fall because of running out of conventional oil, but because of the accumulation of poor OS and firmware design like windows and uefi (which multiplies by 1000 the attack surface for hackers). The more time goes by, the more Theodore Kaczynski looks like a prophet albeit a violent one.