September 8, 2020

Microsoft today released updates to remedy nearly 130 security vulnerabilities in its Windows operating system and supported software. None of the flaws are known to be currently under active exploitation, but 23 of them could be exploited by malware or malcontents to seize complete control of Windows computers with little or no help from users.

The majority of the most dangerous or “critical” bugs deal with issues in Microsoft’s various Windows operating systems and its web browsers, Internet Explorer and Edge. September marks the seventh month in a row Microsoft has shipped fixes for more than 100 flaws in its products, and the fourth month in a row that it fixed more than 120.

Among the chief concerns for enterprises this month is CVE-2020-16875, which involves a critical flaw in the email software Microsoft Exchange Server 2016 and 2019. An attacker could leverage the Exchange bug to run code of his choosing just by sending a booby-trapped email to a vulnerable Exchange server.

“That doesn’t quite make it wormable, but it’s about the worst-case scenario for Exchange servers,” said Dustin Childs, of Trend Micro’s Zero Day Initiative. “We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that requires authentication. We’ll likely see this one in the wild soon. This should be your top priority.”

Also not great for companies to have around is CVE-2020-1210, which is a remote code execution flaw in supported versions of Microsoft Sharepoint document management software that bad guys could attack by uploading a file to a vulnerable Sharepoint site. Security firm Tenable notes that this bug is reminiscent of CVE-2019-0604, another Sharepoint problem that’s been exploited for cybercriminal gains since April 2019.

Microsoft fixed at least five other serious bugs in Sharepoint versions 2010 through 2019 that also could be used to compromise systems running this software. And because ransomware purveyors have a history of seizing upon Sharepoint flaws to wreak havoc inside enterprises, companies should definitely prioritize deployment of these fixes, says Alan Liska, senior security architect at Recorded Future.

Todd Schell at Ivanti reminds us that Patch Tuesday isn’t just about Windows updates: Google has shipped a critical update for its Chrome browser that resolves at least five security flaws that are rated high severity. If you use Chrome and notice an icon featuring a small upward-facing arrow inside of a circle to the right of the address bar, it’s time to update. Completely closing out Chrome and restarting it should apply the pending updates.

Once again, there are no security updates available today for Adobe’s Flash Player, although the company did ship a non-security software update for the browser plugin. The last time Flash got a security update was June 2020, which may suggest researchers and/or attackers have stopped looking for flaws in it. Adobe says it will retire the plugin at the end of this year, and Microsoft has said it plans to completely remove the program from all Microsoft browsers via Windows Update by then.

Before you update with this month’s patch batch, please make sure you have backed up your system and/or important files. It’s not uncommon for Windows updates to hose one’s system or prevent it from booting properly, and some updates have even been known to erase or corrupt files.

So do yourself a favor and back up before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.


56 thoughts on “Microsoft Patch Tuesday, Sept. 2020 Edition”

  1. The Sunshine State

    Firefox also had a security update in the last 48 hours

  2. Martin Chilcutt

    I read your info, and I appreciate what you are doing for all of us.

    I am 86 y.o. disabled veteran. I use my laptop every day, and I do wonder why these massive wealthy corporations that design and manufacture computers, and sell them to us do not make safe ones.

    With all their wealth, very high paid various engineers, why cannot they create at least one “secure” computer that does not need to be repaired every day, week, year?

    Thanks for what you do.

    1. Alex

      Hello Martin. Software development is very complex. It’s like asking “why can’t they design a car that never crashes, never breaks down, never needs to be serviced, and is impossible to break into”.

      Trust me, everyone tries to create secure and stable software, but it’s an impossible task, so all we can do is our best. An operating system like Windows is several hundred million lines of code, written over several decades, by thousands of different people.

      1. Doubtist

        The idea that MS is “trying their best” is a laughable excuse though.

        They forced their product on users of an existing product claiming security improvements and better reliability, and it’s been the exact opposite to the thousandth power. Every single month they are bricking swaths of machines with few exceptions. Either their monthly schedule is too rigorous and ambitious to accomplish with proper QA to prevent these major fails, some of which are borderline unrecoverable for end users they made promises to, or they just aren’t investing in the QA aspect properly at all because they don’t care enough to spend time and manpower on it – guess which one it is, go ahead.

      2. Garth

        This is total bollocks.

        The software industry is in crisis. The reason is twofold and endemic to the industry.

        1. Features and functions above quality. Fail constantly fast and hope nobody notices.
        2. Engineers know just enough to be dangerous. I have been in this field for 30 years and I see it constantly. In fact, it’s getting worse with software engineers graduating with arrogance and zero concept of empathy in the designs they create for their victims. This know-it-all attitude and arrogance obscures their ignorance of the subject leaving sites and software open to all sorts of problems.

    2. Rob

      That’s not just software engineers; many IT industry people have the same arrogance and lack of empathy. Due to this kind of culture I am treated as if I were an arrogant unempathetic know-it-all.

      To the original poster’s question about making a secured system. It is very difficult to build a secured impenetrable piece of software and try and keep things feature rich and user friendly as well.

      If today someone were to build a secured browser people would compare it to IE, Firefox, or Chrome and failing to measure up in many ways I would quickly go out of business.

      Same with operating systems: there are many robust secured systems but they are more difficult to use and lack the ability to do many things the big boys do. If a more stable OS is what’s on the menu there are many flavors of Linux that will fit the bill. Many of them lack high end video game support which is a deal breaker for a lot of end users and some flavors of Linux are not easy to adapt to. I would recommend Ubuntu or Mint; both have long term support releases and have an easy to use interface.

  3. RICHARD CARPENTER

    My system has shut down and restarted 4x on its own since the patch was installed.

  4. Myra

    Update seems to take a long time and has my laptop inoperable for over an hour so far…

  5. biomatrix

    Thx 4 the reminder about updating. I took the opportunity to go on an update blitz this evening, updating everything on my PC-s, phone (Android 11 out 2day), printer firmware, all the software I could find, and my seldom-used xBox One.

    1. Cody

      updated my 1.5 year old alienware and the same thing happened. The update bricked both my internal drives. Gotta love windows 10.

  6. BaliRob

    Most of us who are not au fait with the technical matters and descriptions come to this Site because of its great clarity at Update time. Usually, headings, denoting versions of Windows affected (eg mine is Win8.1), are used but this time I do not have a clue.

    I still have not installed any Updates since August 2019 when that Update for that month and the following badly affected my computer and cost me a lot of money.

    So – so far I have not had a hint of a problem – I would like to update but do not have the courage

    1. Robert

      If your computer never goes anywhere near the internet, you don’t have to patch. Otherwise, it is just a matter of time before your computer is compromised. Patching is risky, but not patching is even more risky.

      I would, as Brian suggests, make a backup first. There are free tools out there to make a complete image of your computer (I am partial to VeeamAgent). Do this before Patch Tuesday, and if the worst happens, you can do a full roll-back.

      1. Chris C

        It is extremely rare to find a computer that “never goes near the internet”.

        Some people might assume that they’re safe because “I don’t use a browser… that’s the Internet, right? email doesn’t count.”

    2. Christopher L

      I stuck with Win 7 x64 Ultimate…but my wife upgraded to Win 10. I found that before updating Win 10 where there is a major update, it might pay to temporarily uninstall any 3rd party graphics drivers temporarily and then reinstall them after the major update has completed successfully. When I encountered a major win 10 update problem, I traced it down to a graphics driver conflict causing a system hang/crash during the update. I restored using a system image and the recovery CD I had made (the system was completely bricked so could not access the image recovery through Windows) and then uninstalled the NVIDIA graphics drivers before rebooting and trying the update again. That worked. It is a bit of a pain to do, but it worked for her PC.
      Such is life with an MS OS…

  7. Paul Mikol

    When I was supporting Windows 1.0 for Dell Corporate we would just reinstall Windows at the drop of a hat – all 27 3.5″ floppies of it – loaded onto DOS 3.3 with Quarterdeck Memory Manager….

    Fast-forward to Microsoft Patch Tuesday, Sept. 2020 Edition: it’s all still the same ‘ol cobbled-together DOS 2.0 crap code with all of the same undocumented functions that Microsoft got sued for because of anti-trust violations back in the ’80s…

    That having been said I guess I’m still a glutton for punishment because I actually subscribe to the Windows 10 Insider Preview Release program – on the aggressive track no less. So I imagine I have already been getting pieces of these updates over the past few weeks and can report with a fairly high degree of confidence pretty much the same number of hangs, BSODs and weird-ass DLLs loading into Windows modules (that seem to confuse even Sysinternals) that I have been witnessing since 1991. 😀

    Thanks for the update Cyberhero Krebs!

  8. Paul Mikol

    And as an old-schooler who has wrestled with Adobe Flash as much if not more than most over the years (as a user AND a developer), I just have to say for the record that we all need to get off of Adobe Flash’s ass for one minute and remember how friggin’ boring the Web was before it…

    I think animated .GIFs were about the best we had up to that point right?!? 😀

    Thanks CBK

  9. Sanjeev Bajaj

    I have installed the update but now I am not able to log in to my account. It shows wrong password even though I actually entered the correct one. PLEASE HELP.

  10. Kat Poff

    BaliRob’s dilemma illustrates the problem that we all have with Windows Updates–they are the first and sometimes only line of defense that we have against many vulnerabilities–yet Microsoft’s solutions to the problem that THEY create leave us with unbootable PCs and unstable systems.

  11. Christopher L

    So much for Win 10 being so much safer than previous versions. Today, strangely, MS offered my Win 7 Ultimate x64 system the Malicious Software Removal Tool for installation along with update for Microsoft Security Essentials. Having made a system image recently, I went ahead and allowed it to install thinking it would fail since I am on Win 7 with no ‘enterprise’ subscription. It created a restore point and then successfully installed, much to my surprise.
    BTW, after all the reports of hacks, I will never use IE or Edge. Windows Update sometimes offers me Edge, thanks, but no thanks!

  12. JCitizen

    Thanks Brian for the suggestion of making an image backup of Windows 10 systems; it is an excellent idea, because I can’t tell you how many of my clients have had their perfectly fine new computer bricked by Windows Update!!

    1. Christopher L

      If you make a system image, be sure to also regularly back up manually in a location other than the C: drive some other items that will be overwritten if you have to use an old image to recover your system, such as bookmarks and desktop files. If you don’t, when you recover from the image, these will be replaced with the ones present on the date the image was made.

      It is also a good idea to make regular lists (even if it is just a screen shot) of your Windows Update history and installed file history before you use a system image to recover. That way you can easily know what needs to be reinstalled or updated. CCleaner can make a list of installed files, and you can use this command to make a text file of installed Windows updates (be sure to copy it to a drive besides the C:):

      wmic qfe list full /format:csv > "C:\test\sysinfo.txt"

      You run that command line from an elevated command prompt, and yes, the quotes are part of the command.

      It is also a good idea to periodically run these commands as well:

      DISM.exe /Online /Cleanup-image /Scanhealth

      sfc /scannow

      They will check and if they can, correct any glitches in your system. I use these with Win 7 regularly, at least once a week because, once bitten, twice shy (the history of bad Windows Update experiences).
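An added example, not part of the comment above: the same pre-restore inventory taken with PowerShell's `Get-HotFix` and the Windows Update Agent COM API instead of `wmic`, so that failed install attempts and their error codes are recorded alongside the installed updates. The output directory `D:\update-inventory` is a placeholder; use any drive other than C:.

```powershell
# Added example: snapshot installed updates and Windows Update history to CSV
# before restoring a system image. Run from an elevated PowerShell prompt.
param(
    # Placeholder path (assumption): pick a drive that the image restore will not overwrite.
    [string]$OutDir = 'D:\update-inventory'
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Installed hotfixes. Get-HotFix reads Win32_QuickFixEngineering,
#    the same WMI class that "wmic qfe" queries.
Get-HotFix |
    Sort-Object InstalledOn |
    Select-Object HotFixID, Description, InstalledOn, InstalledBy |
    Export-Csv -Path (Join-Path $OutDir "hotfixes-$stamp.csv") -NoTypeInformation

# 2. Windows Update history, including attempts that failed or were rolled back.
#    ResultCode values follow the Windows Update Agent OperationResultCode enum.
$resultNames = @{
    0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded'
    3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted'
}
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$total    = $searcher.GetTotalHistoryCount()

$history = @()
if ($total -gt 0) {
    $history = @($searcher.QueryHistory(0, $total) | ForEach-Object {
        [pscustomobject]@{
            Date    = $_.Date
            Result  = $resultNames[[int]$_.ResultCode]
            # Hex form matches the codes Windows Update shows, e.g. 0x800F0922.
            HResult = '0x{0:X8}' -f [int]$_.HResult
            Title   = $_.Title
        }
    })
}
$history |
    Export-Csv -Path (Join-Path $OutDir "update-history-$stamp.csv") -NoTypeInformation

# 3. Show failed or aborted installs on screen so they can be retried after recovery.
$history |
    Where-Object { $_.Result -in 'Failed', 'Aborted' } |
    Sort-Object Date -Descending |
    Format-Table Date, Result, HResult, Title -AutoSize -Wrap
```

`Get-HotFix` lists only updates registered through Win32_QuickFixEngineering, so the history file is the more complete record of what Windows Update has attempted.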

      1. Craig Stutzman

        I launched an Administrator window of cmd and tried your wmic command on my Windows 10 Home Edition version 1903 system, but it fails with error code 0x80070002 and the description “The system cannot find the file specified.” When I entered “wmic /?” the help suggestions do not look anything like the command line options you list in your post. Interestingly, your wmic command does create the sysinfo.txt file in the folder, but the file is empty.

        Any idea what I am doing wrong?

      2. Craig Stutzman

        I realized after my previous post that the empty sysinfo.txt file was created because the output redirect (“>”) portion of the command line worked. So, this is another indication that the problem resides in the wmic command options.

        I’m guessing that the command line options for the Windows 7 version of wmic (that you said you use in an earlier post) is different than the Windows 10 version of wmic.

        Is there an equivalent command for Windows 10 wmic?

  13. Debbie Kearns

    Well, I installed both KB890830 and KB4577066 and restarted, and then after 50 minutes it returned to the desktop screen, but at 1:27 PM EDT, the screen suddenly froze forever. I couldn’t mouse over any icons when I moved my mouse or highlight any of them, so I had to force-restart my computer by holding the power button in for a few seconds before turning it off and then turned it back on again. Has the same freezing issue happened to you?

    1. Geno

      Same issues as mine. Happened over Labor day weekend. Still struggling with it.

  14. BigD

    Anybody wonder – if the patches
    themselves come with vulnerabilities
    already in place ? How many hundreds
    of ‘holes’ have been patched since
    Win10 came out ? It’s never ending.

  15. sam

    Whenever I see Brian’s “Patch Tuesday” posts I check to see if the update is there for me and immediately “pause” it for at least two weeks.

    Personally, I’ve never been bricked by an update but…why take a chance.

  16. Gdogg121

    When will Trend Micro ApexOne fix its BSOD issues on Windows 10 2004?

    Moving to another product. Patching these is easy while $8k product for 250 users BSODs on sleep.

  17. Kristina S.

    I had to update my laptop over Labor Day weekend.
    Now I had to update again today! On 9/9/2020
    Now again my laptop says I need to update it again! WTF? I’m getting tired of having to update my poor laptop for the third day in a row!
    PLEASE MICROSOFT, STOP MAKING SO many updates. I’m losing my patience with Microsoft. I’m about to switch to a Mac. That’s how upset I am.

    1. Rob

      I would go Linux before mac. Ubuntu or Mint are very user friendly.

      1. Doubtist

        Compared to mac, for noobs? Lol? I dunno.

        They need that safe app store and the hand holding.

  18. Kristina S

    I had to perform an update over the Holiday weekend.
    Now I had to do another update today on 9/9/2020.
    Now I’m going to do this again tomorrow! I’m getting tired of the many updates that Microsoft wants us to improve our computers.
    Please stop making so many updates to computers and laptops with Windows 10! This is frustrating me to no end.

  19. Kristina Stammen

    I’m having to do THREE UPDATES this week to my laptop.
    Microsoft, how soon are you going to stop with these patches or updates?
    I’m getting tired of the many updates that Microsoft wants us to improve our computers.
    Please stop make this end soon!

  20. Maurice Bell

    Woke up this morning to another automatic update and discover that Word documents I am working on have lost all changes since Sept 3rd even though Autosave every 10 minutes is set. It has never been this bad before. What are they doing?

    1. TimH

      Maurice: What are they doing? They are telling you to backup your documents to a USB

  21. Canonical

    Why servicing stack update of Sept 2020 there not exist for windows 7? Attack the esu bypass v 4.6?

    1. SeymourB

      It’s not there because, as of January, Windows 7 is unsupported. You need to upgrade to Windows 8.1 or 10 to continue receiving patches.

  22. Robert Gould

    Anyone have issues with the latest Windows 10 update? I have been stuck at “Getting Windows Ready, do not shutdown” for 4 hours now.

  23. Old crank

    If you’re on Getting Windows Ready screen – do as it says.

    Eventually it should resolve. This latest build on 4gb of ram…
    takes hours and hours and hours.

    Be sure to use disk cleanup to get rid of the GIGABYTES of cruft,
    update crumbs, then disk optimize. Then you should be back.
    Windows 10 actually does work on 4gb, it’s not terribly fast…
    but it doesn’t grind to a halt. Let the update run, trust me.
    This one took something like 6 hours all told.

  24. lazycat

    windows 10 is just a joke how can you buy OS but can’t even choose what you want to updates its system or not. This problem just make me go nuts. At least make it optional to choose you want or do not want to updates.

  25. Craig Stutzman

    I am in the IT field but wouldn’t claim to be a Windows Admin. At home, I have a couple of Windows 10 Home Edition PCs, and both systems are experiencing these two problems with the September 2020 updates:

    1) After an initial failure (with error code 0x800f0922), update history now shows successful installation of “Feature update to Windows 10, version 1909” yet, after multiple reboots, my system still shows it is running version 1903.

    2) I am unable to install the Quality Update KB4574727 both via automatic update and offline update. The error code is the same as above, 0x800f0922. I have attempted both the version 1903 and 1909 offline update. The installation appears to go smoothly to 100% but then immediately indicates a message similar to “Cannot complete the installation” and it backs out the update.

    I try to keep my systems up-to-date with the latest updates to patch security flaws, so it particularly concerns me that I cannot install the KB4574727 fixes.

    I have reported this to Microsoft via their Feedback app but I thought I would alert you to these issues too.

    1. ELIZABETH WINDMANN

      That is my current problem. I can’t even log into my computer and it doesn’t recognize the power button on the screen as a way to turn off the computer. I ended up holding down the power button to turn it off, packed it up, and took it to a computer guy to fix it. I am not happy I am having to spend $$ to fix their screw up.

      1. Craig Stutzman

        I’ve had good luck using the “System Mechanic” app by iolo. It has a number of tools to improve Windows systems for better performance, including reviewing startup tasks (allowing you to disable unneeded apps and drivers), disk fragmentation optimization, network input/output optimization, registry repair & optimization, and more. Likely, your computer guy will run a tool like this – but you might want to purchase such a tool and run it periodically. Just a suggestion….

  26. Adrian Green

    @Craig Stutzman
    I too have the exact same issue – same behaviours and status codes. Quick questions to find possible correlations. 1) Do you have Vmware Workstation/Player installed? 2) Did you have to modify Device Guard settings – or other resolutions as outlined in this kb? https://kb.vmware.com/s/article/2146361
    I had to ensure Hyper-V was totally removed (which was accidentally installed when testing the windows “sandbox” feature). I also used group policy to disable Device Guard.
    Please let me know if any of these things correlate with your experience.

  27. ROGER OSWALD NUNEZ

    Anyone seeing issues with printers after current Win10 updates?
    Issues: jobs not being sent to the printer queue and login security pop-up windows when adding printers?
