Microsoft Patch Alert: January 2020 patches look relatively benign

Credit to Author: Woody Leonhard| Date: Thu, 23 Jan 2020 07:17:00 -0800

The big patching problems this month fell at the feet of admins who had to deal with an unholy mess of pressing exposures: Fixing the holes in Microsoft’s RD Gateway (CVE-2020-0610; see Susan Bradley’s Patch Watch, paywalled); dealing with Server 2008 R2 systems that booted to Recovery mode after installing the January patches; scrambling to pick up after breaches in Citrix networking products; or the 334 Oracle security patches. They all took a toll.

Those of us not in charge of multinational networks could breathe a little easier. In spite of a stellar advertising campaign from the National Security Agency (NSA), the Chain of Fools/CurveBall CVE-2020-0601 hole hasn’t turned into an active attack. As I said at the time, it’s a long way from a third-degree polynomial to working ransomware.

Yes, you need to patch sooner or later. But, no, the sky isn’t falling. Those reports of the internet’s impending CurveBall doom were just a little bit overblown.

As usual.

I would conjecture that the January Patch Tuesday crop is relatively well-behaved because, at least apparently, they only contain security patches. Normally, Microsoft releases dozens of “optional, non-security” patches every month – bug fixes – but those annoying little gnats haven’t made an appearance since October.

I expect that will change shortly. We’ll no doubt see dozens – if not hundreds – of smaller patches out in the usual “C Week/D Week” cadence soon. Since we’ve seen no such infestation in three months, you’d be smart to avoid the “optional” patches, once they arrive, until they’ve been well vetted.

Günter Born has put together a comprehensive list of printing problems associated with recent patches. They seem to come and go – many different printers, many different symptoms.

There are also many reports of January cumulative updates failing to install, with various error message.

None of the problems seem particularly remarkable – or even replicable – to me, but if you get stuck trying to install one of the January patches, your opinion may vary.

If you “seek” by clicking on the “Check for updates” button in Win10 1809 or 1903, Microsoft warns that it may upgrade you to Win10 version 1909:

Current status as of Jan. 21:

Windows 10, version 1909 is available for any user on a recent version of Windows 10 who manually selects “Check for updates” via Windows Update. The recommended servicing status is Semi-Annual Channel.

Of course, Microsoft disavowed any use of the bafflegab phrase “Semi-Annual Channel” a year ago. Consistency. Hobgoblins. Little minds. Microsoft may feel that 1909 is ready for widespread deployment, but I’m still seeing many reports of problems with Win10 version 1909 – the well-documented Search in File Explorer bugs, power problems, video problems, Your Phone oddities.

In addition, Microsoft has warned that it’s starting to force Win10 version 1809 customers onto 1909:

“We are starting the next phase in our controlled approach to automatically initiate a feature update for an increased number of devices running the October 2018 Update (Windows 10, version 1809) Home and Pro editions, keeping those devices supported and receiving the monthly updates that are critical to device security and ecosystem health. Our rollout process starts several months in advance of the end of service date to provide adequate time for a smooth update process.”

For reference, Win10 version 1809 is supposed to hit end of service on May 12. You 1809 users are getting four months shaved off of your promised end of life. As a Service.

Remarkably, tests by @PKCano show that Microsoft is still honoring the “Defer feature updates” setting in Win10 version 1803 Pro. It looks like the methods for staying on 1803, 1809, and 1903 as documented in How to block the Windows 10 November 2019 Update, version 1909, from installing still work. And if you want to upgrade to 1903, avoiding 1909 for the time being, the method described here also works.

Everybody’s favorite whipping boy, Windows 7, got slapped with two bugs in the final round of free patches.

Anybody using Win7 who installs the January patches will find that their “stretched” desktop wallpaper comes out black, which can look disconcertingly like a Black Screen of Death. Lawrence Abrams has a full description, and a clever workaround, at BleepingComputer.

More alarmingly, Microsoft posted Security Advisory ADV200001 on Jan. 17. The Advisory details yet another security hole in Internet Explorer’s JScript engine, CVE-2020-0674. There’s a manual workaround with numerous side-effects, at least some of which have been overcome by a 0patch micropatch that you can install if you feel threatened.

Here’s the big open question: Will Microsoft fix Windows 7 later this month, in spite of the Jan. 14 end of service deadline? Or will Win7 drift into the sunset with a Black Screen bug and a known IE hole?

Seven semper fi.

This isn’t a widespread problem. It only applies to those who are running Office 365 ProPlus, which is directed at (but not limited to) Enterprises with savvy admins. But it’s an astounding push nonetheless.

In an official post from ‘Softie Daniel Brown entitled, Microsoft Search in Bing and Office 365 ProPlus, Microsoft seems to be saying that everyone who installs the latest patch for Office 365 ProPlus will have their default search engine in Google Chrome changed to Bing.

I fully expect someone with some sense at Microsoft will swoop down in the next week or two and rescind the decision. But until that happens, this stands as a browser hijacking threat of unprecedented proportions.

Join us for the latest on AskWoody.com.

http://www.computerworld.com/category/security/index.rss