March 2020
It’s been another strange patching month. The usual Patch Tuesday crop appeared. Two days later, we got a second cumulative update for Win10 1903 and 1909, KB 4551762, that’s had all sorts of documented problems. Two weeks later, on Monday, Microsoft posted a warning about (another) security hole related to jimmied Adobe fonts.
Predictably, much of the security press has gone P.T. Barnum.
The big, nasty, scary SMBv3 vulnerability
Patch Tuesday rolled out with a jump-the-gun-early warning from various antivirus manufacturers about a mysterious and initially undocumented security hole in the networking protocol SMBv3.
Later that day, Microsoft released a broad description of the SMBv3 security hole in Security Advisory ADV200005 – apparently trying to close the door after the cow escaped. And the crowd went wild. How could Microsoft tell these antivirus vendors about a forthcoming fix, then fail to deliver the fix – and not warn the AV folks in time to pull their press releases? Tales of impending doom ran rampant.
Then, on Thursday, we saw another cumulative update for Win10 versions 1903 and 1909. KB 4551762 patches the SMBv3 security hole and, being a cumulative update, includes all earlier patches. The rush was on to install the patch-of-a-patch, but we started seeing all sorts of problems: errors on installation; random reboots; performance hits; and the return of our old profile-zapping bug, which leaves folks with empty desktops and hidden files.
Here’s the punch line. (Tell me if you’ve heard this one before.) After all the Sturm und Drang, researchers (notably including Kevin Beaumont) discovered that they couldn’t effectively use the security hole to take over a system:
“Windows Defender, which is enabled by default, detects exploitation even if unpatched.”
As of this writing, I don’t know of any real-world attacks using the SMBv3 vulnerability. Certainly, one will appear sooner or later, but it isn’t a big deal right now.
The big, nasty, scary Adobe Type Manager font bugs
Yesterday, Microsoft released another Security Advisory. ADV200006 -- Type 1 Font Parsing Remote Code Execution Vulnerability describes a security hole in the way Windows handles fonts. We’ve seen a lot of those in Windows over the years. This one came with the usual zero-day language, advising that Microsoft has seen “limited targeted attacks that could leverage un-patched vulnerabilities.” The advisory shows that every version of Windows – going back to Win7 – is vulnerable.
Once again, the blogosphere went nuts. Microsoft’s warning meeeeeeelions of Windows users that their systems are under attack!
Yeah. Sure.
When Microsoft says it’s seen “limited targeted attacks,” that means some well-heeled hacking group is using the security hole against a very specific target – usually a government agency or a high-stakes corporate group. For normal people, in normal situations, it’s not a big deal.
We’ve seen these “sky-is-falling” scenarios play out over and over again in the past year or so. Some security holes (e.g., for EternalBlue/WannaCry and BlueKeep) need to be plugged shortly after the patches are released. But in the vast majority of cases, waiting a week or two or three to install the latest crop of Windows and Office patches just makes sense.
Windows Defender ‘Items skipped during scan’
Many – but not all – Windows 10 users report that a manual scan by Windows Defender triggers this “Items skipped during scan” notification (screenshot).
It appears to be a bug. According to Lawrence Abrams at BleepingComputer:
“It seems that in the older Windows Defender engines network scanning was enabled by default… [in newer versions of the engine] you can see that the Windows Defender preferences show that network scanning has now been disabled by a newer engine. It is not known why Microsoft decided to make this change, but the alerts appear to just indicate that network scanning was skipped.”
Günter Born originally reported on the bug. He has come up with a manual workaround to enable network scanning.
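If you want to check where your own machine stands before applying any workaround, the built-in Defender cmdlets expose the setting directly. This is an added example, not Born’s workaround or anything from Microsoft; it assumes the notification corresponds to the DisableScanningNetworkFiles preference and that you run it from an elevated PowerShell prompt.

```powershell
# Added example: report the Defender engine version and the network-scanning
# preference, then re-enable scanning of network files if it has been turned off.
# Assumption: the "Items skipped during scan" notice reflects DisableScanningNetworkFiles.

# Engine and platform versions, so you can compare against the engine change discussed above
$status = Get-MpComputerStatus
"AM engine version:  $($status.AMEngineVersion)"
"AM product version: $($status.AMProductVersion)"

# $true means network files are NOT scanned during manual scans
$pref = Get-MpPreference
"DisableScanningNetworkFiles = $($pref.DisableScanningNetworkFiles)"

if ($pref.DisableScanningNetworkFiles) {
    Write-Host "Network file scanning is disabled; enabling it."
    Set-MpPreference -DisableScanningNetworkFiles $false

    # Re-read the preference to confirm the change actually took effect
    $after = (Get-MpPreference).DisableScanningNetworkFiles
    "DisableScanningNetworkFiles now = $after"
} else {
    Write-Host "Network file scanning is already enabled; nothing to change."
}
```

Scanning mapped network shares can make manual scans noticeably slower, so on machines with large mapped drives you may prefer to leave the setting as the newer engine ships it.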
Other developments
More on the patching front:
- Microsoft has announced that it’s extending end-of-life for Win10 version 1709 Enterprise (and Education) to Oct. 13, 2020.
- Abbodi86 has discovered a way to install the latest Windows 7 security patches, even if you haven’t yet set up Extended Security Updates. Many people, including Patch Lady Susan Bradley, are asking Satya Nadella to offer Win7 Extended Security Updates to all “genuine” Win7 customers, particularly because of the increase in work-from-home.
- In the same vein, there’s a lot of discussion about throttling back on Windows auto updates, specifically to help keep work-from-home systems stable. Many advocate holding off on the inevitable Win10 version 2004 update. No indication that Microsoft has heard the pleas.
If there ever were a time for Windows patching stability, this is it.
We’ll keep pushing on AskWoody.com.