Patch Tuesday brings a reprise of the Autopilot debacle, now quashed, and another Win7 nag

Credit to Author: Woody Leonhard| Date: Wed, 11 Dec 2019 07:33:00 -0800

Patch Tuesday in December rarely brings anything worthwhile — everybody’s on vacation, or wants to be on vacation — and this month’s no exception. We got patches for 36 separately identified security holes and two new advisories, full of sound and fury but covering very little.

The one “exploited” security hole — CVE-2019-1458 Win32k Elevation of Privilege Vulnerability — shouldn’t cause any heartburn. Microsoft says:

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

Then Microsoft gives the hole an “Important” severity rating, a big step below the “Critical” that’s de rigeur. Short version: Although you need to patch sooner or later, you don’t need to worry about any of the security holes right now.

Remember back in October when Microsoft mysteriously pushed out a patch for Autopilot, a little-known app that helps companies set up new machines? I wrote about it in “Microsoft pushes, then yanks, rogue kinda-security patch KB 4523786, ostensibly for Autopilot.” 

Looks like the cows are out of the barn again. Microsoft released KB 4532441 yesterday, the latest “Cumulative update for Autopilot in Windows 10, versions 1903 and 1909: December 10, 2019.” Once again, many folks saw that they were being offered the patch (although this time it apparently only went out to 1903 and 1909 Pro customers). Once again, the patch was offered repeatedly, even after it was installed properly. Once again, Microsoft yanked the patch, then updated the KB article to say:

This update was available through Windows Update. However, we have removed it because it was being offered incorrectly. When an organization registers or configures a device for Windows Autopilot deployment, the device setup automatically updates Windows Autopilot to the latest version.

Note There is no effect on Windows Autopilot being offered to Windows 10 devices. If you were offered this update and do not use Autopilot, installing this update will not affect you. Windows Autopilot update should not be offered to Windows 10 Home.

Those who cannot remember the past are condemned to repeat it.

In addition to the usual laundry list of patches, we also saw:

A new Malicious Software Removal Tool. Folks who downloaded the patches early may have missed it, because MS didn’t push it until several hours after the initial patching payload.

Updates for .Net Framework 3.5.x, 4.6.x, 4.7.x, 4.8 and more. Dozens of them. Martin Brinkmann has the full list on ghacks.net.

As well as the usual assortment of Office security patches.

There are new Servicing Stack Updates for Server 2008 and Server 2012, with manual download links as usual in ADV990001. If you don’t know about Servicing Stack Updates, don’t sweat it.

December’s Windows 7/Server 2008 R2 Monthly Rollup brings a full-screen nag for upgrading to Windows 10, due to appear starting on January 15. Here’s what Microsoft says:

IMPORTANT Starting on January 15, 2020, a full-screen notification will appear that describes the risk of continuing to use Windows 7 Service Pack 1 after it reaches end of support on January 14, 2020. The notification will remain on the screen until you interact with it. This notification will only appear on the following editions of Windows 7 Service Pack 1:

Note The notification will not appear on domain-joined machines or machines in kiosk mode.

Remarkably, the Security-only patch, KB 4530692, doesn’t include the nag, which is embodied in the program EOSNotify.exe. Apparently the nag will only appear once, take up the whole screen and, once you’ve dismissed it, never return again. You’ll be forgiven if you recall similar promises during the “Get Windows 10” GWX campaign.

For those of you who can’t be bothered to dismiss the nag screen (or worry that it won’t go away as easily as Microsoft says), you can set this registry key:

HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionEOSNotify

To have the value “DiscontinueEOS”=dword:00000001

We’ll be covering that nag and its aftereffects extensively as details unfold. Remember that more than a quarter of all Windows users are on Win7.

Watch the bugs come out of the, uh, woodwork on AskWoody.

http://www.computerworld.com/category/security/index.rss

Leave a Reply