Disappearing SMBv3 patch, non-security Office patches, and a so-far-mild Patch Tuesday

[Karlston]

Disappearing SMBv3 patch, non-security Office patches, and a so-far-mild Patch Tuesday

With lots of drama over a patch that was never released, and a handful of non-security Office patches that should’ve been released a week ago, this month’s Patch Tuesday is progressing surprisingly well.

Thinkstock/Microsoft

It’s been almost 24 hours since this month’s Patch Tuesday patches rolled out. The good news: Almost everybody patching individual machines reports smooth sailing.

 

That’s remarkable, given the host of problems with last month’s disappearing icons (temporary profile) bug and the unending litany of complaints about the last “optional, non-security, C/D Week” patch. As best I can tell, none of those problems have been officially acknowledged, and if they’re still in evidence with yesterday’s patches, people aren’t complaining about them. Yet.

 

To be sure, we’re still seeing the usual problems with installing the patches — Error  0x800f0900 seems particularly prolific on Reddit — but at this early juncture, I don’t see any debilitating problems.

 

That may well change. Many patchers have other problems on their minds and the day is still young.

Duplicated updates

I’ve seen numerous reports of duplicated updates in Windows Update lists, specifically for Windows 8.1, a .Net Quality Rollup, and the Server 2012 R2 Monthly Rollup. Seeing the same, identical patch listed twice in an update list does not inspire confidence. 

 

It looks like Microsoft tidied up the list overnight. At this point there are 110 “2020-03” entries in the Microsoft Update Catalog — which is to say, 110 individual patches — three fewer than there were last night.

 

Less is better, yes?

Extra Office updates

It looks as if Microsoft took advantage of Patch Tuesday to release additional non-security patches for Office. Usually the non-security Office patches come out on the first Tuesday of the month, but this announcement contains links to all of these new Office non-security patches:

 

Excel 2016	March 10, 2020, update for Excel 2016 (KB4011130)
Office 2016	March 3, 2020, update for Office 2016 (KB4484247)
Office 2016	March 10, 2020, update for Office 2016 (KB3213653)
Outlook 2016	March 10, 2020, update for Outlook 2016 (KB4462111)
PowerPoint 2016	March 10, 2020, update for PowerPoint 2016 (KB3085405)
Project 2016	March 10, 2020, update for Project 2016 (KB3085454)
Skype for Business 2016	March 3, 2020, update for Skype for Business 2016 (KB4484245)
Skype for Business 2015 (Lync 2013)	March 3, 2020, update for Skype for Business 2015 (Lync 2013) (KB4484097)
Office 2016 Language Interface Pack	March 3, 2020, update for Office 2016 Language Interface Pack (KB4484136)

Remarkably, those patches are not listed in the official Latest non-security updates for versions of Office that use Windows Installer (MSI) post.

The strange case of CVE-2020-0796 'CoronaBlue' 

Yet another patch timing mishap: The SMBv3 patch described in Microsoft Security Advisory ADV200005 | Microsoft Guidance for Disabling SMBv3 Compression has been causing all sorts of consternation among admins in charge of networks running SMBv3. 

 

Long story short, Microsoft apparently had the patch ready to go but pulled it at the last minute. Microsoft warned security software manufacturers in advance that the patch was coming (a common practice), but didn’t yell, “Stop the presses!” in time to keep the cows in the barn. Two organizations on the inside accidentally published, then pulled, descriptions. The story raced through the blogosphere.

 

The hole is wormable in that it might be able to propagate without any human interaction. “Might” being the operable term: A potential exploit faces formidable challenges.

 

At first, Microsoft didn’t officially announce the hole, and didn’t post a fix. Then, its hand having been forced, on Tuesday night, Microsoft posted the Security Advisory, which says:

Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client.

At this point, it appears that only Server 2013 and 2019 are affected. Microsoft has a manual workaround. There aren’t any known exploits but Catalin Cimpanu at ZDNet just tweeted:

I have now seen/talked to 3 different people claiming they found the bug in less than 5 minutes. I won’t be surprised if exploits pop up online by the end of the day.

If you’re in charge of a network running SMBv3, you can catch up on the developments by reading Satnam Narang on Tenable, Sergiu Gatlan at BleepingComputer, Catalin Cimpanu at ZDNet and, in the past couple of hours, Dan Goodin at Ars Technica. There’s an active discussion on AskWoody. You should also follow @msftsecresponse on Twitter.

 

If you aren’t running a network with SMBv3, you can chill. There’s nothing in this month’s patches that need concern you right now.

 

We’re kickin’ butt and naming names on AskWoody.

 

 

Source: Disappearing SMBv3 patch, non-security Office patches, and a so-far-mild Patch Tuesday (Computerworld - Woody Leonhard)