Microsoft Patch Alert: February 2020 patches bring fire and ice but seem to have settled – finally.

Credit to Author: Woody Leonhard | Date: Wed, 26 Feb 2020 09:44:00 -0800

The real stinker this month, KB 4524244, rolled out the automatic update chute for four full days until Microsoft yanked it – leaving a trail of wounded PCs, primarily HP machines, in its wake. The other big-time bug in this month’s patches, a race condition in the KB 4532693 Win10 version 1903 and 1909 cumulative update installer, hasn’t been officially acknowledged by Microsoft outside of a blog post. But at least it’s well known and understood.

Folks running SQL Server and Exchange Server networks need to get patched right away.

Patch Tuesday brought KB 4524244 for Windows 10 owners, a bizarre single-purpose patch apparently directed at one specific UEFI bootloader. I talked about it last week.

The patch was pulled on Friday, but in the interim lots of people reported problems. Most notably, many folks running HP machines with Ryzen processors saw their machines hang, followed by an HP Sure Start Recovery message saying Sure Start had “detected an unauthorized change to the Secure Boot Keys.” HP has posted a list of affected machines:

HP EliteBook 735 G5 Notebook PC, 735 G6, 745 G5, 745 G6, 755 G5, and HP ProBook 645 G4 Notebook PCs. HP EliteDesk 705 35W G4 Desktop Mini PC, 705 65W G4 Mini PC, 705 G4 Microtower PC, 705 G4 Small Form Factor PC, 705 G4 Workstation Edition, 705 G5 Desktop Mini PC, 705 G5 Small Form Factor PC, HP mt44 Mobile Thin Client, mt45 Mobile Thin Client, and HP ProDesk 405 G4 Small Form Factor PC.

If you have any of those machines and left your PC open to Microsoft’s updates during Patch Week, you got clobbered. In addition, Microsoft documents a bug in the “Reset this PC” function but doesn’t give any details.

There’s nothing you can do about it now. If KB 4524244 installed successfully, everything’s OK. If it didn’t, you need to follow HP’s removal instructions or Microsoft’s removal instructions to get things working again.

Shortly after the Patch Tuesday patches arrived, we started seeing reports from folks who installed the Win10 1903 and 1909 cumulative update, KB 4532693, saying that their desktops got wiped out. A little poking revealed that all of their customizations had been tossed – icons, wallpaper – and many of their files weren’t where they left them.

Long story short, it looks like the patch gets ensnared in a race condition bug, which I wrote about last week. We’ve never been able to pin down which other programs trigger the race condition, but at least in some cases certain antivirus and “secure banking software” programs will leave your PC with a dangling temporary profile.

Microsoft hasn’t identified the offending software. Nor has it even acknowledged the problem either on the Knowledge Base article page or the Windows Release Information status page, two places where bugs like this are traditionally documented. (Perhaps Microsoft figures it’s the other software’s problem, so it has no need to report it?)

Fortunately, there’s a Microsoft Answers forum post that addresses the problem:

Microsoft is aware of some customers logging into temporary profile after installing KB4532693, on both versions 1903 and 1909.

Rebooting into Safe Mode* and then starting back in normal Mode should resolve this issue for most customers.

You may uninstall any secure banking software or anti-virus in the temporary profile which may resolve this if the above steps do not help.

If you didn’t accidentally find that explanation, or don’t know what a temporary profile is, or how it could get secure banking software, heaven help ya. But at least Microsoft “is aware” of the problem.

How many people were affected by those high-profile bugs? I don’t know. Judging by the number of complaints online – hardly a reliable metric – both of the problems were widespread and became apparent shortly after release.

HP could probably come up with a tally of the number of afflicted machines and whether or not those machines installed the buggy UEFI patch. But the only organization that has comprehensive numbers about these bugs is Microsoft, and it’s not talking.

Think of all of that lovely telemetry we’re providing to Microsoft.

That “exploited” Internet Explorer JScript hole, CVE-2020-0674 – the one that prompted computer security “experts” to tell you that you had to get patched RIGHT NOW? It hasn’t gone anywhere. This is the second month in a row that we’ve been inundated by Chicken Little warnings about the need to get patched immediately. Look where knee-jerk installation of new patches has left folks running HP Ryzen computers, or the unidentified “secure banking software,” this month.

Those of you running Windows 7, who haven’t paid for Extended Security Updates, should know that 0patch has released a micro patch for that particular security hole. It also has an online test you can use to confirm that your Win7/IE 11 system has properly swallowed the micro fix.

To be sure, there are major security holes that need your attention, but only if you’re in charge of a network running SQL Server or Exchange Server. That latter vulnerability is particularly vexing because anyone who can get access to any Exchange account on your server can take over Exchange. Seems that somebody forgot to delete hard-coded keys.

We’re looking into a report that Win10 version 1903 running Hyper-V is throwing “Synthetic_Watchdog_Timeout” errors. There are unconfirmed reports that there will be a fix in late March.

There seems to be a way to cheat the 35-day “Pause updates” limitation imposed in Win10 version 1903 and 1909. In a nutshell, if you tell Windows to Resume Updates, then unplug the computer from the internet, you may be able to reboot and get 35 more days paused, without installing the outstanding updates. In addition, @abbodi86 has a more complex but apparently foolproof way to wipe out the 35-day limitation.

Join the patch watch on AskWoody.com.
