08
Dec 20

Patch Tuesday, Good Riddance 2020 Edition

Microsoft today issued its final batch of security updates for Windows PCs in 2020, ending the year with a relatively light patch load. Nine of the 58 security vulnerabilities addressed this month earned Microsoft’s most-dire “critical” label, meaning they can be abused by malware or miscreants to seize remote control over PCs without any help from users.

Mercifully, it does not appear that any of the flaws fixed this month are being actively exploited, nor have any of them been detailed publicly prior to today.

The critical bits reside in updates for Microsoft Exchange Server, SharePoint Server, and Windows 10 and Server 2016 systems. Additionally, Microsoft released an advisory on how to minimize the risk from a DNS spoofing weakness in Windows Server 2008 through 2019.

Some of the sub-critical “important” flaws addressed this month also probably deserve prompt patching in enterprise environments, including a trio of updates tackling security issues with Microsoft Office.

“Given the speed with which attackers often weaponize Microsoft Office vulnerabilities, these should be prioritized in patching,” said Allan Liska, senior security architect at Recorded Future. “The vulnerabilities, if exploited, would allow an attacker to execute arbitrary code on a victim’s machine. These vulnerabilities affect Microsoft Excel 2013 through 2019, Microsoft 365 32 and 64 bit versions, Microsoft Office 2019 32 and 64 bit versions, and Microsoft Excel for Mac 2019.”

We also learned this week that Redmond quietly addressed a scary “zero-click” vulnerability in its Microsoft Teams platform that would have let anyone execute code of their choosing just by sending a specially-crafted chat message to a Teams user. The bug was cross-platform, meaning it could also have been used to deliver malicious code to people using Teams on non-Windows devices.

Researcher Oskars Vegeris said in a proof-of-concept post to GitHub that he reported the flaw to Microsoft at the end of August, but that Microsoft didn’t assign the bug a Common Vulnerabilities and Exposures (CVE) rating because it has a policy of not doing so for bugs that can be fixed from Microsoft’s end without user interaction.

According to Vegeris, Microsoft addressed the Teams flaw at the end of October. But he said the bug they fixed was the first of five zero or one-click remote code execution flaws he has found and reported in Teams. Reached via LinkedIn, Vegeris declined to say whether Microsoft has yet addressed the remaining Teams issues.

Separately, Adobe issued security updates for its Prelude, Experience Manager and Lightroom software. There were no security updates for Adobe Flash Player, which is fitting considering Adobe is sunsetting the program at the end of the year. Microsoft is taking steps to remove Flash from its Windows browsers, and Google and Firefox already block Flash by default.

It’s a good idea for Windows users to get in the habit of updating at least once a month, but for regular users (read: not enterprises) it’s usually safe to wait a few days until after the patches are released, so that Microsoft has time to iron out any chinks in the new armor.

But before you update, please make sure you have backed up your system and/or important files. It’s not uncommon for a Windows update package to hose one’s system or prevent it from booting properly, and some updates have been known to erase or corrupt files.

So do yourself a favor and back up before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.


29 comments

  1. After the first update in December for Windows, my free word processing program (Open Documents) started jumping all over the page as soon as I hit any key.

    Had to restore Windows to a previous date (Nov. 18/2020) and that fixed it.

    I put updates on hold for 35 days, but then what do I do if I don’t want this update?

  2. Within 24 hrs after removing a Windows update and restoring to a previous date, I received in my Thunderbird email, 4 emails to my archives, my archives, mind you, without a subject, no content, and dated 12/31/1969.

    Is this something I should be concerned about (I did click on one, nothing in it) or is it a restoring your files issue?

    • An interesting date (although written in the American style of M/D/Y); in Unix-land that’s one day before the Epoch (1/1/1970). Negative 1, perhaps?

      • It’s not all that interesting, 1/1/1970 takes place at 00:00 UTC. Every time zone with a negative offset to UTC uses the appropriate time offset with the date 12/31/1969.

        Rolling back via system restore leaves user data intact.

  3. Tips? How about run Linux instead of windows.

    OK here is a tip. Use clonezilla to image your drive. If you have a lot of data you should have one drive for the OS which you can image and then have the data on a RAID array. The RAID array can be backed up on an external drive. RAID shouldn’t be treated like that data could never be lost.

    • Welcome to the year of linux malware:

      https://linuxsecurity.com/news/security-trends/is-2020-the-year-of-the-linux-malware-pandemic

      No Operating System is totally safe

      Windows can be more secure by taking out the bloatware…Use NLite

      • Ridiculous. All of those attacks require a malicious insider (such as ‘evil maid’) and/or severe blunder of system management.

        Please give us one example – only one, pleeeease! – of an attack vector similar to those in the M$ biotope. A malware attack similar to those under Windows is IMPOSSIBLE against a Linux (or xBSD) desktop and network.

        Web servers are even more endangered. Why do the majority of web servers world wide run on Linux or xBSD? All successful attacks against Linux/xBSD web servers I know of were based on administrators’ errors (weak password and the like) and/or security holes in application SW (CMS, shop, database, …). Which again is an administrative or system management error: Available patches not applied. NEVER was a weakness in the underlying OS Linux or xBSD part of the attack vector – in all cases I know of. Do you know better?

        To make that clear: I am talking about the usual mass attacks. If you are target of a governmental “service” – they find their way sooner or later, so good luck! 🙂

      • I don’t rely upon Linux either; take a look at FreeBSD for an Internet-facing box.

  4. “please make sure you have backed up your system and/or important files”

    For which I *highly* recommend Macrium Reflect. I’ve used the free version for years to back up my C: drive nightly. (I also bought a copy). It’s industrial strength so usage is a bit arcane, but bulletproof in my extensive experience which includes dozens of full recoveries.

  5. For image backups of your C:\ drive I *highly* recommend Macrium Reflect. I’ve used the free version for years on multiple PCs (and bought a family license). It’s been 100% bulletproof in dozens of recoveries. Can’t say enough good things about it.

  6. I also use Macrium for monthly cloning and SyncBackFree for weekly, sometimes daily, data backups. I also backup my backups to a second external drive.

  7. Yes, backup please. There are some windows programs you can run on Linux wine, you can check the compatibility in wine. But, only a version of windows will run all windows applications. And newer versions of windows run in virtual machines run slower. And as more business starts to run Linux, more problems will follow the money.

  8. New windows feature updates have completely formatted our user pcs without consent, pcs were on 1903 and 1909 version.
    One day they login and pc is wiped. We were forced to reimage almost all machines of our organization. We expect this might have been due to our encryption software on pcs requiring a password before pc is able to boot in or a huge microsoft bug. Who knows…

  9. Speaking of backups, https://www.bleepingcomputer.com/news/security/microsoft-december-2020-patch-tuesday-fixes-58-vulnerabilities points out that seven of this month’s vulns are in Windows Backup. So do certainly back up your data, just make sure you’re not using Microsoft’s backup tools to do it.

  10. The update locked my new computer only running Folding@Home while I install its applications. It disrupted audio *while I was talking in a Zoom webinar* on an older computer upgraded to Windows 10. Both were fixed by rebooting.

  11. Michael Rohwedder

    Updates. I’ve never seen a debugger like this.

  12. Well, today I installed an update for Windows 8.1, as usual, and when I restarted my computer, the screen went totally black forever, except for the mouse movements. I had to force my computer to shut off by holding the power button down for a few seconds until it shut off, then I had to turn it back on and after my computer login, the screen went back to normal. Has the same black screen of death happened to you after the update?

  13. Thanks for the update and quick reply. I’ll be sure to keep an eye on this thread. Looking for the same issue. Bumped into your thread. Thanks for creating it. Looking forward for solution.

  14. It’s amazing how many people put up with the abuse from their proprietary OS.

  15. “Its not uncommon for windows update to hose one’s system…cause it to not boot”… is it just me or does it seem that these things are even less reliable than they were 20 years ago.
    I realise there are all sorts of excuses about how the os is more complex blah blah…but really.
    Not good.

  16. The older of my desktops has W7. Of course W itself is no longer updated, but the Malicious software removal tool is. It was this month.
    Does not happen every month, just every 2 or 3.

  17. The Nlite looks like it’s been 6 years since it was updated.

    I’ve used drive image xml for years, anyone got opinions on it versus reflect?
    https://www.runtime.org/driveimage-xml.htm

  18. The December 9, 2920 update removed all my photos, documents, etc. Tried to restore to the previous date with no success. Was my hacked? Help!

  19. Thanks for the information keep sharing such informative post keep suggesting such post.