Microsoft Patch Alert: May 2020
May brought us an undocumented drive-by patch that rebooted most exposed machines. In addition to the usual problems with random patching bugs, five (!) zero-days were announced by malware sleuths ZDI. By and large, the patching scene has settled down now.
With most of the fanatical Windows fan base now circling the trough on the just-released upgrade to Windows 10 version 2004, it’s time for those of us who rely on stable PCs to consider installing the May patches.
While the general outlook now is good, we’ve been through some rough patches – which you may, or may not, have noticed.
Unannounced Intel microcode patch triggers reboots
On May 20, Microsoft released another of its ongoing series of “Intel microcode updates,” all named KB 4497165. Ostensibly intended to fix the Meltdown/Spectre security holes, many of them have a history of problems and hassles not commensurate with the amount of protection they provide (unless you’re running a bank transaction system or decrypting top secret emails).
This incarnation has proven relatively benign. The main problems:
- Microsoft pushed it out the Automatic Update chute (and thus triggered a reboot) without warning anybody.
- The Knowledge Base article still doesn’t describe this particular version.
- Many machines that shouldn’t receive the patch – including AMD-based machines, which clearly don’t need an Intel patch – got it.
If you leave your machine set to install Automatic Updates, you get what you paid for. And then some.
The 5 scary new zero-days
Given the sensationalistic turn Windows patching has taken, I’m surprised we haven’t seen a rash of headlines, “Run for the hills! FIVE new Windows zero-days published!” But that’s what happened late last week. Trend Micro’s Zero Defense Initiative, ZDI, published descriptions of five new Windows zero-days. Four of them are the dread Privilege Escalation Vulnerabilities. Microsoft didn’t patch them quickly enough, so ZDI acted according to its conventions – waited four months to give Microsoft time to fix the hole – and then published “a limited advisory.”
Truly tempest in teapot territory. The holes aren’t particularly gaping. In fact, they’re just barely interesting.
The zero-day that wasn’t announced
Windows observers – especially security folks without much Windows experience – are prone to jump on the “OMG! There’s a zero-day you have to patch RIGHT NOW!” bandwagon. In fact, when Microsoft releases a fix for a zero-day security hole (identified with “Exploited = Yes” in the associated CVE article), it’s exceedingly rare for a new, widespread related security breach to appear in short order. Sometimes Microsoft identifies security holes as zero-days, then without any fanfare goes back a couple of days later and changes the “Exploited” setting to “No.”
I’ve searched high and low for “Exploited” zero-days that rapidly turned into working, widespread malware. The worst case I found was the Sasser worm, which was patched, then exploited, two weeks later.
That was 16 years ago.
This month saw the situation in reverse: Microsoft released a patch for the CVE-2020-1048 Windows Print Spooler elevation of privilege bug. It was (and still is) marked “Publicly disclosed: No” and “Exploited: No.” Immediately after the patch came out on Patch Tuesday, two security researchers published a lengthy paper on the security hole, complete with working exploit code.
Rob VandenBrink, writing on the SANS Internet Storm Center, says:
“This vulnerability was actually disclosed to Microsoft by the research community, so the code to exploit it absolutely does exist and was disclosed, and a full write-up was posted as soon as the patch came out.”
For a while, I was concerned that a fully-formed exploit was imminent. Silly me. I still haven’t seen any widely available threat – although the folks at 0patch have released a fix for this “PrintDemon” security hole in Windows 7.
Temporary user profile bugs continue
“In some set of circumstances, as yet undiagnosed, the Win10 Cumulative Update installer hits a ‘race condition’ on reboot, with the user coming back up in a temporary profile. That sounds like a lot of buzz words, and it is, but the net result is that the user runs the update, reboots, and returns to a clean desktop, without their desktop customizations, while files in their customary folders (such as Documents) have disappeared.
“It’s disconcerting, even if you’re savvy enough to realize you’ve been pushed into a temporary profile. The desktop customizations are still there, as are the files, but they behave as if they belong to a different user.”
Yep, Microsoft knows all about it. Nope, they haven’t officially acknowledged – much less fixed – the problem.
Ongoing audio problems
In addition to all of the usual problems we’ve seen – Mayank Parmar has a well-researched list of failed installations, performance problems, blue screens and black screens on Windows Latest and Lawrence Abrams has a second, detailed take at BleepingComputer – I’m seeing many reports of messed up audio that may be related to the latest updates. Or maybe not.
AskWoody poster @LoneWolf found a solution for some of the bugs:
“This issue occurs with people who have Realtek audio; which of course, means 3/4 of those with on-mainboard audio out there. It’s likely that you had a driver update from Microsoft, and there’s an issue there. Symptoms:
- Your Device Manager once showed “Realtek High Definition Audio;” now it shows “Realtek(R) Audio” instead.
- You also see in Device Manager a new Audio Device entitled “Nahimic mirroring device” or similar
Realtek’s latest driver includes these Nahimic software drivers for some future 3D audio enhancement (likely done in software and provided by this third-party vendor). What didn’t happen with the driver update is that the Nahimic control panel wasn’t installed. This is a UWP application you can get from the Microsoft Store; search for “nahimic” and you’ll get this app that’s a blue square with a squiggly white N.
In my case, installing this app and rebooting the system resolved the issue. Also, note that Realtek has gone to a UWP application as well; if you don’t have this, you may need to install theirs from the Microsoft store as well.
Sadly, Realtek’s own latest driver download from their website seems to have the same problem, which explains why my installing it didn’t fix the issue either. I think it’s the exact same package Microsoft bundled in their driver updates.”
(Also note @EP’s comments on the various boards, chips, and errors.) No way the Nahimic app will solve all the audio problems out there, but for many, it’s a godsend.
HP’s KMODE_EXCEPTION_NOT_HANDLED Blue Screen
Early this month, HP computer owners started encountering Blue Screens that say KMODE_EXCEPTION_NOT_HANDLED. It turns out that the BSoDs were triggered by a conflict between the support software for HP’s OMEN series of computers and one of the recent Windows Defender updates.
HP released an update last week called “HP Software Component 18.104.22.16879” that seems to solve the problem. The patch came out through Windows Update, even though it’s listed as a driver update. (Thx, @FAKramer.)
Thumbs down for Fast Startup
Earlier this week, Microsoft revealed that “Windows updates might not be installed on your system after you shut down your computer. This behavior occurs when the Fast Startup feature is enabled. This behavior doesn’t occur when you restart your computer.”
The culprit, Fast Startup, intercepts your request to shut down your computer and fudges things a bit by creating a backup copy of certain system files, which are used to start the next time. As Microsoft says, “When you shut down your computer, your computer actually enters a hibernation state instead of a full shutdown.” So if your updates require a full shutdown, you may not get them because your shutdown isn’t a shutdown.
Try explaining that to a Chromebook user.
Nope, it hasn’t been fixed. Microsoft says it’ll get around to solving the problem “in a future Windows version.”
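An added example, not from Microsoft or the original article: a PowerShell check for the situation described above, where Fast Startup is on while updates are waiting for a real boot. The function names are hypothetical, and the registry locations are the standard Windows ones for Fast Startup and pending-reboot markers, which this page does not quote.

```powershell
# Added example: flag a machine where Fast Startup can leave updates uninstalled.
# Registry locations are the standard Windows ones; they are not quoted on this page.
$PowerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
$RebootMarkers = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
)

function Get-FastStartupUpdateRisk {   # hypothetical helper name
    # HiberbootEnabled = 1: "Shut down" hibernates the kernel session instead of ending it.
    $hiberboot = (Get-ItemProperty -Path $PowerKey -Name HiberbootEnabled `
                  -ErrorAction SilentlyContinue).HiberbootEnabled
    # Collect whichever pending-reboot marker keys exist on this machine.
    $pending = @($RebootMarkers | Where-Object { Test-Path -Path $_ })
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        FastStartupEnabled = ($hiberboot -eq 1)
        RebootPending      = ($pending.Count -gt 0)
        PendingMarkers     = $pending
        # With Fast Startup this usually still shows the last restart, not the last shutdown.
        LastBootUpTime     = $os.LastBootUpTime
        AtRisk             = ($hiberboot -eq 1) -and ($pending.Count -gt 0)
    }
}

function Disable-FastStartup {   # hypothetical helper name; needs an elevated session
    Set-ItemProperty -Path $PowerKey -Name HiberbootEnabled -Value 0 -Type DWord
}

$state = Get-FastStartupUpdateRisk
$state | Format-List
if ($state.AtRisk) {
    Write-Warning 'Updates are waiting and Fast Startup is on: use Restart, not Shut down.'
    # Restart-Computer -Force   # uncomment to restart now
    # Disable-FastStartup       # uncomment so later shutdowns are full shutdowns
}
```

Run it from an elevated PowerShell session; the two remediation calls are left commented out so the script only reports by default.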
Office 365 Click-to-Run bug got fixed
Yet another bug in Office 365 Click-to-Run sent some folks running for pitchforks. Per an anonymous poster on AskWoody:
“Outlook would open in the tiny window slightly larger than a close icon and then crash. The usual fix was deleting Outlook profile and recreating. This particular machine/user I had done that twice and the fix no longer worked. I initiated an online repair via Add Remove programs and clicking Modify in Office. The repair failed during the reinstall phase. This left the machine with no Office install. I went to Office.com and attempted a new install from C2R download. It got stuck on the initial download screen once launching. I rebooted and tried multiple times.
“I tried office cleanup tool but all it did was say Office wasn’t installed. I got fed up and started ripping things out myself. Deleted Office reg keys from HKCU and HKLM. Then deleted Office dir from Program Files. After all of that, it seemed to install properly.”
Microsoft fixed the bug the next day. No telling how many admin-hours were wasted.
Next up: Windows 10 version 2004
As expected, Microsoft released the latest Windows 10 update. As expected, it’s full of problems.
For starters: If you own one of Microsoft’s latest PCs – the Surface Pro 7, Surface Laptop 3, or Surface Pro X – you won’t even see the upgrade offered. Microsoft has upgrade blocks in place for all three.
Keep in mind that Microsoft has had five months to beta test this latest, greatest version of Win10 – and that the customer-facing part of Windows and the entire Surface effort report to the same guy. That has to give you pause.