13 Oct 20

Microsoft Patch Tuesday, October 2020 Edition

It’s Cybersecurity Awareness Month! In keeping with that theme, if you (ab)use Microsoft Windows computers you should be aware the company shipped a bevy of software updates today to fix at least 87 security problems in Windows and programs that run on top of the operating system. That means it’s once again time to back up and patch up.

Eleven of the vulnerabilities earned Microsoft’s most-dire “critical” rating, which means bad guys or malware could use them to gain complete control over an unpatched system with little or no help from users.

Worst in terms of outright scariness is probably CVE-2020-16898, which is a nasty bug in Windows 10 and Windows Server 2019 that could be abused to install malware just by sending a malformed packet of data at a vulnerable system. CVE-2020-16898 earned a CVSS Score of 9.8 (10 is the most awful).

Security vendor McAfee has dubbed the flaw “Bad Neighbor,” and in a blog post about it said a proof-of-concept exploit shared by Microsoft with its partners appears to be “both extremely simple and perfectly reliable,” noting that this sucker is eminently “wormable” — i.e. capable of being weaponized into a threat that spreads very quickly within networks.

“It results in an immediate BSOD (Blue Screen of Death), but more so, indicates the likelihood of exploitation for those who can manage to bypass Windows 10 and Windows Server 2019 mitigations,” McAfee’s Steve Povolny wrote. “The effects of an exploit that would grant remote code execution would be widespread and highly impactful, as this type of bug could be made wormable.”

Trend Micro’s Zero Day Initiative (ZDI) calls special attention to another critical bug quashed in this month’s patch batch: CVE-2020-16947, which is a problem with Microsoft Outlook that could result in malware being loaded onto a system just by previewing a malicious email in Outlook.

“The Preview Pane is an attack vector here, so you don’t even need to open the mail to be impacted,” said ZDI’s Dustin Childs.

While there don’t appear to be any zero-day flaws in October’s release from Microsoft, Todd Schell from Ivanti points out that a half-dozen of these flaws were publicly disclosed prior to today, meaning bad guys have had a jump start on being able to research and engineer working exploits.

Other patches released today tackle problems in Exchange Server, Visual Studio, .NET Framework, and a whole mess of other core Windows components.

For any of you who’ve been pining for a Flash Player patch from Adobe, your days of waiting are over. After several months of depriving us of Flash fixes, Adobe’s shipped an update that fixes a single — albeit critical — flaw in the program that crooks could use to install bad stuff on your computer just by getting you to visit a hacked or malicious website.

Chrome and Firefox both now disable Flash by default, and Chrome and IE/Edge auto-update the program when new security updates are available. Mercifully, Adobe is slated to retire Flash Player later this year, and Microsoft has said it plans to ship updates at the end of the year that will remove Flash from Windows machines.

It’s a good idea for Windows users to get in the habit of updating at least once a month, but for regular users (read: not enterprises) it’s usually safe to wait a few days until after the patches are released, so that Microsoft has time to iron out any chinks in the new armor.

But before you update, please make sure you have backed up your system and/or important files. It’s not uncommon for a Windows update package to hose one’s system or prevent it from booting properly, and some updates have even been known to erase or corrupt files.

So do yourself a favor and back up before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.


25 comments

  1. The Sunshine State

    I would also back up your Windows registry and browser settings, offline to a drive and/or to the cloud.

    Then do a system restore point!

    • Bullwinkle J Moose

      No registry backup is required

      No restore point is required either

      At least, not for a Real Security Expert!

      I use Windows XP online without Service Pack 3 and have never had any malware of any type wreck this installation

      It does not have a single Microsoft Security Update installed and is running ONLINE with a full Admin Account

      Nobody has been able to wreck this box with malware since 2014

      These are facts!

  2. The Sunshine State

    Fireside Chat with Brian Krebs November 5 !

  3. Hi Brian. This is a serious bug. Our experience at Sophos was that we were able to turn around a practical proof-of-concept exploit on short notice. We did so to demonstrate the seriousness of the bug and to emphasize the need to patch immediately. It won’t take long for people who do not have the best intentions to reproduce this Ping of Death Redux and use it to cause trouble.

    • You did not “turn around” a PoC on short notice — if you’re going to be an ambulance chaser, cop to it. You took the Microsoft POC, modified the src/dst addresses, and reproduced the crash like every other member. Stop trying to pretend you did anything interesting to add to this.

  4. Hi Brian. I’m glad you emphasized that this is a serious bug. Our experience at Sophos was that we were able to turn around a practical proof-of-concept exploit on short notice.

    We did so to demonstrate the seriousness of the bug and to emphasize the need to patch immediately. It won’t take long for people who do not have the best intentions to reproduce this Ping of Death Redux and use it to cause trouble.

    The video of the PoC is here: https://vimeo.com/467834951

  5. I have apple. My iPad is brand new Pro 12 inch. It all is rooted. It is so massive in tasks that it has over run everything. The iPad and computer have both bricked up and apple had to help do reinstalls. Yet they are claiming they don’t see the problem. I’m an analyst not a programmer but have worked with processes and procedures my entire life. I don’t know how to handle this because it does involve things that I don’t have any knowledge in like crypto currency banks wallets and a lot of assets. This is a self learning thing too. My computer had been turned off. The network erased from the system, no “nodes” or anything it could use. While on the phone with apple trying to explain the logs and framework changes being done in the background, my computer actually did a reinstall while off and no network. So if I share the wrong information and someone can take it and exploit it worse then that isn’t what my goal is. Do I start taking to Twitter? Doing a little blog with pictures and posting it? I made a claim with the FTC even though apple claims it is my network provider responsibility and they have nothing to do with it. I don’t know how to handle this. I’m being slaughtered.

  6. Microsoft has long advised that end of lifecycle for Office 2010 is this month. Evidently today is its last hurrah, since the October updates installed on my home Win10 notebook included several security fixes for Office 2010 components. Time to bite the Office upgrade (NOT Office 365!) bullet….

  7. Good thing these patches are out, definitely some nasty exploits for sure.

  8. I got a blue screen of death early yesterday morning. I was freaking out so much that I didn’t see the message while the screen was up, so I don’t have a definitive answer. However, I do remember updating my computer a little bit before it happened.

    The fact that you mentioned the blue screen being caused right after the update helped me isolate the possible problem. How long do you think I should wait before doing the update? How will I know that if I update I won’t get the blue screen again? I have it paused until the middle of November but I want to update at some point.

    • Go “Ask Woody” at his lounge; somebody is bound to help you. They also have a list of Win 10 updates to avoid or delay on his site, or newsletter. You can sign up for free, but some of the juicy stuff is for members who donate – no donation amount is required, just give what you can, if you are interested. Woody Leonhard is his name – he’s been around since the beginning of time.

  9. Servicing stack update for Windows 7 is back

  10. Err, don’t backup to only the cloud. Have one in your possession. Also a “new” copy of the operating system that you currently use. Be it XP, 8, or 10 or Linux, or the versions of applesauce.
    Not all parts of a computer restart when you find a good. In safe mode, your drivers for the network may be left out, along with any special drivers needed to access the web. That presents a problem when recovering from the web. Keep a copy on hand.

  11. Interesting, bsod autocorrected to good? Neat.

  12. Yeah, It’s actually a great thing.

  13. Yeah, it’s really a great thing.

  14. On an update not long ago, a Win10 MS update knocked out permissions on LibreOffice. Maybe MS is up to its old monopolistic habits again?

  15. Hello, is CVE-2020-16898 applicable for Windows 2012, Windows 2012R2, Windows 2016 or Windows 2016R2? Also, do we have to disable ICMPv6 RDNSS in Windows 2012, Windows 2012R2, Windows 2016 or Windows 2016R2? Please suggest.

  16. I have a user experiencing password issues with his Windows 10 msn login.
    He’s been able to reset the password online and able to access on another device.
    What’s the best fix to address issues with the update and or a corrupt OS?

  17. The problem is about every 3rd Windows Update breaks something on my system

    The last time I had a successful virus infection was in the mid-90s

    In other words Microsoft has about a 1000 times better chance of breaking my system than hackers and viruses have

  18. I turned on my desktop PC today to see a blue screen saying something went wrong with my C drive during the updates. I can’t even get the 2 restore points they offered (10/14 & 10/21) to work. Any solutions? I am not a happy camper right now.
