Microsoft's 'Patch Tuesday' Includes 129 Security Updates, Mostly to Windows

This week Krebs on Security reported that Microsoft "released updates to remedy nearly 130 security vulnerabilities in its Windows operating system and supported software." None of the flaws are known to be currently under active exploitation, but 23 of them could be exploited by malware or malcontents to seize complete control of Windows computers with little or no help from users. The majority of the most dangerous or "critical" bugs deal with issues in Microsoft's various Windows operating systems and its web browsers, Internet Explorer and Edge. September marks the seventh month in a row Microsoft has shipped fixes for more than 100 flaws in its products, and the fourth month in a row that it fixed more than 120.

Among the chief concerns for enterprises this month is CVE-2020-16875, which involves a critical flaw in the email software Microsoft Exchange Server 2016 and 2019. An attacker could leverage the Exchange bug to run code of his choosing just by sending a booby-trapped email to a vulnerable Exchange server. "That doesn't quite make it wormable, but it's about the worst-case scenario for Exchange servers," said Dustin Childs, of Trend Micro's Zero Day Initiative. "We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that requires authentication. We'll likely see this one in the wild soon. This should be your top priority."

Also not great for companies to have around is CVE-2020-1210, which is a remote code execution flaw in supported versions of Microsoft Sharepoint document management software that bad guys could attack by uploading a file to a vulnerable Sharepoint site. Security firm Tenable notes that this bug is reminiscent of CVE-2019-0604, another Sharepoint problem that's been exploited for cybercriminal gains since April 2019.
The article points out that Google also shipped a critical update for Chrome this week "that resolves at least five security flaws that are rated high severity."

Don't hold your breath until MS gets it right

[shanen]

One of my Windows 10 boxes is unable to install some of the security updates. Another has to be forcibly rebooted several times a day after hard freezes.

Something is seriously wrong with an economic model that allows Microsoft to be one of the most profitable companies in the world in spite of producing such gawdawful products for so many years.

Funny small world syndrome. Just reading a Taschen book about supposedly great websites. One of them was the promotional website for Windows Vista. Rather amusing to contrast the actual product with the advertising, eh?

I'm NOT saying that Microsoft shouldn't try to deliver reliable and secure software. I'm just (again) noting that they are doing it REALLY badly.

Re:

[Impy the Impiuos Imp]

I keep saying beloved Linux would be destroyed if it had even remotely the user base of Windows...and thus the focus of the intentions of thousands of motivated and intelligent bad actors. We've seen it start catching such flack in the past at various times.

Don't think any other OS or product set is more secure for a microsecond under such assault.

Re:Don't hold your breath until MS gets it right

[guruevi]

About 84% of the Internet-accessible systems runs on Linux, only some end-users and some corporations run Windows publicly.

If you want to create a wide botnet system, and we've seen them on Linux for Apache, various database products and various web frameworks, then Linux would be a prime target.

Re:Don't hold your breath until MS gets it right

[Zitchas]

That might be true, but they also are not really making it any easier for themselves, either.

All I need my OS to do is a) manage my files, and b) launch my programs. That's it, that's all.

I explicitly do NOT want my OS: searching the internet, suggesting new programs that I might like, manage my settings, synchronize my settings (and files) to online repositories, bugging me about connecting my local account to some nebulous online account, looking fancy.... And there's a couple hundred other things that they do that the OS really doesn't need to be doing. All that stuff should be plug-ins, extensions, or dedicated programs.

That all just wastes space, time, and effort. I am *never* going to sit around staring at my OS going "that looks pretty!" or "I'm so glad that it does this animation while I move files!"

I realize there's a lot of drivers, libraries, and other stuff that need to be there in order to support the programs that I'm using, but there's so much garbage too. For instance, searching the internet. I can guarantee you that absolutely 100% of the time, if I am searching for something in my OS, I am looking for something local. If I want to search the internet, I'll go use something specifically designed for using the internet. Use the right tool for the right job, after all.

I suspect that they'd have a more stable and robust system if they cut out all the extraneous stuff and focused on the core job of the OS: Manage files, and run the programs that I *actually* need to work in order to do my work.

Re:

[shanen]

Well said and I wish I had a mod point for you.

Re:

[Joce640k]

You might want to look into Windows LTSB:

https://www.ecosia.org/search?... [ecosia.org]

Re:

[Anonymous Coward]

Remind us again of the procedure for obtaining the Windows LTSB builds legally.

Re:

[Joce640k]

Good point.

OTOH I don't feel dirty for having a paid-for license for Windows 10 Pro and installing LTSB instead. YMMV.

Re: Don't hold your breath until MS gets it right

[Billly Gates]

LTSC still has the same vulnerabilities ðY. Sure it also got patched but not some magic bullet. Infact it has more bugs as it's a 2015 version of Windows and is missing alot of stuff like WSL for Linux and azure and drivers for newer hardware

Re:

[Joce640k]

The subject has changed to "Windows without cruft".

LTSB/LTSC has a lot less, but Microsoft doesn't want you to have it.

Re:

[Anne Thwacks]

I suspect that they'd have a more stable and robust system if they cut out all the extraneous stuff and focused on the core job of the OS: Manage files, and run the programs that I *actually* need to work in order to do my work.

May I respectfully suggest you might prefer to be running RSX11, and running FROM Microsoft products - at the speed of the latest Intel offering.

Re:

[arglebargle_xiv]

And that's both the problem with Windows and the fix. Note the problem report:

in its Windows operating system and supported software

It's all the crap that's shovelled onto a Windows PC that has most of the flaws. I went through some of that list and it was mostly "disabled that, uninstalled that, blocked that, turned that off, ...". In the end there weren't any significant vulns I needed to worry about because I'd removed or blocked all the crap that had the vulns in it, and I've noticed no loss of functionality from doing so. If they had all this shit tur

Re:

[Anne Thwacks]

"bad actors"? What the fuck is that even supposed to mean?

I believe they are referring to Hollywood actors with fake Russian accents, but what do I know?

Re: Don't hold your breath until MS gets it right

[Gavino]

Robert Di Nero is a wannabe hacker I guess

Re:

[Joce640k]

Something is seriously wrong with an economic model that allows Microsoft to be one of the most profitable companies in the world in spite of producing such gawdawful products for so many years.

People need computers, most of them have Microsoft preinstalled.

Re:

[shanen]

Seems rather shallow reasoning and I'm not sure if your evidence is still valid. I would certainly count smartphones as computers and Microsoft lost that battle for preinstallation. Badly. I even mourn for Nokia.

Re:

[Lije Baley]

The path to the efficient and the optimum rarely leads to greatness or perfection.

Re:

[shanen]

Superficially attractive as a philosophic statement, but unclear how you map it to Microsoft's claims and track record.

Re:

[Lije Baley]

In business it is common to see products that are "good enough" to be profitable, and trying to make them better is essentially a waste of society's resources. Their claims are not relevant. Their track record is that they have made a lot of money selling their "crap", and their products have provided much productivity. The value of the bulk of what has been produced with those products seems more ripe for debate.

Re:

[shanen]

I'm not disagreeing, but in the context of this article I think the negative value, that is to say the harms, caused by the security problems should be the primary focus. If Microsoft had merely had to cover the damage their software has allowed, then I think the company would be bankrupt. They have LOTS of customers.

Of course the liability should go beyond covering the costs where negligence can be proven. But I think that 40+ years of security incompetence should be sufficient proof.

Re:

[Lije Baley]

You may be right about their effect on society being a net loss, but that discussion could get quite complicated. Limiting liability, however, is a common concept that societies find useful, and even though Microsoft may have been unhelpful, the rules that allowed them to become that way likely also encouraged many other ventures that were necessary for the immense progress in personal computing. Is there an alternate history where Linux is developed to provide an alternative to CP/M, etc...

Re:

[shanen]

I don't think those timelines (UNIX -> Linux and CP/M (8 -> 16 -> 32?)) could have been fit together, but I do think alternative history is always possible. In particular, I think the confusion of the English word "free" did enormous damage, mixing the minor economic senses of the word with all the more important meanings and resulting in disaster. Possibly even our extinction as a species (though in that case I suspect it's merely the most frequent resolution of the Fermi Paradox).

The solution app

Re:

[shanen]

Weird. How did I get an FP? Well, partly by cutting the story short, so here's the rest of that first example for Windows 10. (Unfortunately I can't access that machine right now, so I don't have access to all of the details.)

The problematic update is a major one. Based on this machine's logs, the latest version of the failure is most likely associated with KB4574727 for the base system, but the various versions of the corresponding updates been failing for some months. (Feels like years, but who can tell i

Re: Don't hold your breath until MS gets it right

[Billly Gates]

It does. It's called Android and iOS. Windows solely exists for corporate software and that is it. No one should use Windows for Facebook or to browse the web like they used to 10 years ago.

College campuses are loaded with all Macs for those that still need Office to type papers.

Linux has it's own can of worms and is far from perfect. Gnome3 truly is aweful and so is Kde for the past 14 years. The only people who defend it are slashdotters because they are used to it and forced it upon themselves. 99% of th

Re:

[shanen]

I only asked one question and I don't see how "It does" is an answer to it. Were you intending to reply to a different comment in the thread? There was something someone else wrote about the prevalence of Windows.

Re:

[WierdUncle]

What gets me is that my updates for Ubuntu Linux are not just for the OS. All the applications are included in the updates. These updates are generally no trouble at all, and only take a few minutes.

At one time, I used to build Windows systems for specialist access control software. I thought it a good idea to upgrade Windows to the latest edition, before installing our software and shipping the PC. The Windows update took hours, and I had a real struggle keeping up with deliveries. Having been used to Linu

Re: Goes to show

[martynhare]

It more goes to show that Windows lack of per-process privilege restrictions (everything is per-user/group) and sandboxing by default makes it a terrible system to use. Vulnerabilities in other systems are usually less bad than in Windows. For example, CUPS is confined (by SELinux or AppArmor) regardless of the user it runs as but Windows Print Spooler has way too much privilege - to the point where it became a serious attack vector recently.

Re:

[xonen]

Of course you can improve your chances.. But what amount of 'maybe compromised' you consider acceptable. 20%? 2%? 0.1%?

Even if Linux is 10x as secure as Windows, do you that number into consideration and what number would you call acceptable.

I've got very little doubt that a state-level intrusion or targeted hacker attack can compromise pretty much any home installation. If not by technical flaws then by social engineering. But assuming the computer is safe is a flawed assumption imho.

Supported software critical bugs

[minorityreport]

A "critical" bug in supported software is a "critical" bug in the Operating System, namely Microsoft Windows.

Re:

[shanen]

I would actually credit Microsoft with two innovations. None of them technical.

Microsoft devised EULA "contracts" such that the victims have no legal standing against Microsoft, no matter what level of incompetence or negligence caused any level of damage.

Microsoft devised a new sales model for the consumer product. MS pre-sold the product before the customer ever got to see it. This allowed MS to focus the marketing on a small number of (commodity) manufacturing companies and not quite entirely ignore the

Re:

[gweihir]

You are correct on this. Instead of producing good technology, they figured out how to sell bad technology. These methods are two creations of utter evil that have held back the computing field for a long time.

Bill Gates can only hope he does not get a realistic performance evaluation for what he did this life. The hours of lifetime of others wasted by him add up to a spectacular mass-murder, probably larger than any other in human history.

Very disappointed

[davebarnes]

"Microsoft's 'Patch Tuesday' Includes 129 Security Updates, Mostly to Windows"
And, none for MacOS.
Lazy gits.

It keeps getting worse.

[antdude]

:(