
Microsoft today released updates to plug 50 security holes in various flavors of Windows and related software. The patch batch includes a fix for a flaw in Windows 10 and server equivalents of this operating system that prompted an unprecedented public warning from the U.S. National Security Agency. This month also marks the end of mainstream support for Windows 7, a still broadly-used operating system that will no longer be supplied with security updates.

As first reported Monday by KrebsOnSecurity, Microsoft addressed a severe bug (CVE-2020-0601) in Windows 10 and Windows Server 2016/19 reported by the NSA that allows an attacker to spoof the digital signature tied to a specific piece of software. Such a weakness could be abused by attackers to make malware appear to be a benign program that was produced and signed by a legitimate software company.

An advisory (PDF) released today by the NSA says the flaw may have far more wide-ranging security implications, noting that the “exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.”

“NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable,” the advisory continues. “The consequences of not patching the vulnerability are severe and widespread.”



Matthew Green, an associate professor in the computer science department at Johns Hopkins University, said the flaw involves an apparent implementation weakness in a component of recent Windows versions responsible for validating the legitimacy of authentication requests for a panoply of security functions in the operating system.

Green said attackers can use this weakness to impersonate everything from trusted Web sites to the source of software updates for Windows and other programs.

“Imagine if I wanted to pick the lock in your front door,” Green analogized. “It might be hard for me to come up with a key that will open your door, but what if I could tamper with or present both the key and the lock at the same time?”

Kenneth White, security principal at the software company MongoDB, equated the vulnerability to a phone call that gets routed to a party you didn’t intend to reach.

“You pick up the phone, dial a number and assume you’re talking to your bank or Microsoft or whomever, but the part of the software that confirms who you’re talking to is flawed,” White said. “That’s pretty bad, especially when your system is saying download this piece of software or patch automatically and it’s being done in the background.”

Both Green and White said it likely will be a matter of hours or days before security researchers and/or bad guys work out ways to exploit this bug, given the stakes involved. Indeed, already this evening KrebsOnSecurity has seen indications that people are teasing out such methods, which will likely be posted publicly online soon.

According to security vendor Qualys, only eight of the 50 flaws fixed in today’s patch roundup from Microsoft earned the company’s most dire “critical” rating, a designation reserved for bugs that can be exploited remotely by malware or miscreants to seize complete control over the target computer without any help from users.

Once again, some of those critical flaws include security weaknesses in the way Windows implements Remote Desktop connections, a feature that allows systems to be accessed, viewed and controlled as if the user was seated directly in front of the remote computer. Other critical patches include updates for the Web browsers and Web scripting engines built into Windows, as well as fixes for ASP.NET and the .NET Framework.

The security fix for the CVE-2020-0601 bug and others detailed in this post will be offered to Windows users as part of a bundle of patches released today by Microsoft. To see whether any updates are available for your Windows computer, go to the Start menu and type “Windows Update,” then let the system scan for any available patches.

Keep in mind that while staying up-to-date on Windows patches is a must, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re not losing your mind when the odd buggy patch causes problems booting the system. So do yourself a favor and back up your files before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

Today also marks the last month in which Microsoft will ship security updates for Windows 7 home/personal users. I count myself among some 30 percent of Windows users who still like and (ab)use this operating system in one form or another, and am sad that this day has come to pass. But if you rely on this OS for day-to-day use, it’s probably time to think about upgrading to something newer.

That might be a computer with Windows 10. Or maybe you have always wanted that shiny MacOS computer. If cost is a primary motivator and the user you have in mind doesn’t do much with the system other than browsing the Web, perhaps a Chromebook or an older machine with a recent version of Linux is the answer. Whichever system you choose, it’s important to pick one that fits the owner’s needs and provides security updates on an ongoing basis.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

Tags: CVE-2020-0601, Johns Hopkins University, Kenneth White, Matthew Green, MongoDB, Qualys, Windows 10

This entry was posted on Tuesday, January 14th, 2020 at 9:31 pm and is filed under Time to Patch.

Windows 95, 98, XP, 7 etc I look back at what I did on Windows 95 compared to today on Windows 10. Word, Excel, Publisher, Outlook, internet, solitaire was pretty much it for Windows 95, interestingly nothing has changed. I have queried a few others, some same age, some new, and all pretty much use computers for the same tasks. So given 100% of people I know do nothing any different than what they did in the 95 days, why do I need the huge processing power to run Windows 10, when all I do is the same stuff I did 15 years ago?

Good question Darryl, but maybe it isn’t so much that “we” need Windows 10. Rather Microsoft needed it to generate a better revenue stream. It’s a different model than all the previous Windows and its focus is on monetizing. Why else would the Pro version, which until Win 10 was geared toward business users, come bundled with Xbox and other consumer oriented apps, many of which you have to use Powershell to remove. Friends who use Win 10 Home complain that unwanted game apps like Candy Crush keep reinstalling themselves. And to make matters worse, some of these bundled apps are 3rd party bloatware. Who’s to say if they’re safe, or what data they’re collecting? And if I’m not mistaken, MS takes a cut of the revenue those 3rd parties generate from the bundled apps.

I’ve used MS OS since the days of MS-DOS. Good training for when I have to drill down when Windows goes on the blink, but I was glad when XP came along, and saw an incremental improvement with Win 7. Win 10 gives me nothing I need and everything I don’t want. I considered going to Linux, but I’m getting a little too long in the tooth ….. old enough to realize life is very short and I don’t particularly cherish the idea of investing more time learning a new OS. I’m hanging on to all of my Win 7 systems. They’re my reliable workhorse but will keep them off line. For online, I guess it’s Win 10 Pro, but stripped of all the bloatware and using the most restrictive privacy settings that MS allows, which still leaves me with a leaky boat. It’s giving me a sinking feeling!

“Good question Darryl, but maybe it isn’t so much that “we” need Windows 10. Rather Microsoft needed it to generate a better revenue stream. It’s a different model than all the previous Windows and its focus is on monetizing.” -Liz

Microsoft’s patches have been less than perfect – OK horrible for the two last years- and probably will continue in that direction.

Microsoft was a Personal Computer maker which turned into an Oracle or SAP or other Main Frame sellers – Which is of no concern to shareholders. But a huge concern to Microsoft users. “Personal” is out of the picture and high cost data centers are in.

Microsoft testing division was fired due almost entirely to Satya Nadella. Microsoft’s customers are now “beta testers” or rats in an abusive cage.

After Satya Narayana Nadella of Hyderabad India took over as CEO, Microsoft’s customers have been treated like teenage bubble gum iPhone users to be scammed or used as beta testers – a cheap doughnut to be dissolving in executives coffee mugs and consumed.

Woody notes the bad patches and why. Then there is a YouTube video that tells of how Microsoft fired their tester at Microsoft – a very bad situation.

“Why does Microsoft Windows 10 have so many bugs? Ex-Employee tells you why!” = a clear picture by an MS employee on in house firings of code testers.

“Satya Narayana Nadella (born …1967) is an Indian American business executive. He is the chief executive officer (CEO) of Microsoft, succeeding Steve Ballmer in 2014 …[Previously] a civil servant who worked for the Indian Administrative Service of the Government of India..” -Wikipedia

For those financial types, here is the disconnect between increasing Revenue and poor cash flow. “This quarter, revenue was $33.1 billion, up 14%… [but] Cash flow from operations …increased 1% year-over-year” – or accounting methods made by Satya Nadella caused a hyped “revenue” but poor cash flow – like other scam artists throughout history.

ht tps://www.fool.com/earnings/call-transcripts/2019/10/23/microsoft-corp-msft-q1-2020-earnings-call-transcri[.]aspx

Huge pay: “Microsoft CEO Satya Nadella took home $42.9 million last fiscal, gets 66% raise ” -Khaleejtimes

ht tps://www.khaleejtimes[.]com/citytimes/newsmakers/microsoft-ceo-satya-nadella-took-home-429-million-last-fiscal-gets-66-raise

‘Bill Gates has quit as Microsoft chairman to take up a new role as technology adviser in a management shake-up that will see Satya Nadella become chief executive. The announcement ends a long search for a new chief after Steve Ballmer announced his intention to retire in August. Feb 4, 2014’-telegraph

ht tps://www.telegraph[.]co[.]uk/technology/microsoft/10616998/Bill-Gates-quits-as-Microsoft-chairman-and-Satya-Nadella-is-named-chief-executive.html

“Windows 95, 98, XP, 7 etc I look back at what I did on Windows 95 compared to today on Windows 10. Word, Excel, Publisher, Outlook, internet, solitaire was pretty much it for Windows 95, interestingly nothing has changed… 100% of people I know do nothing any different than what they did in the 95 days, why do I need the huge processing power to run Windows 10, when all I do is the same stuff I did 15 years ago?”-Darryl, January 20, 2020 at 4:45 am

“Good question Darryl, but maybe it isn’t so much that “we” need Windows 10. Rather Microsoft needed it to generate a better revenue stream.” -Liz January 21, 2020 at 12:40 am

Darryl is essentially correct. The functionality of Windows has not changed that much. The Microsoft corporation has changed – for the worst.

Microsoft’s huge management team is a mill stone around the company’s neck. The current CEO should be replaced with somebody better. Microsoft’s patches have been horrible for the last year – and probably will continue in that direction. A Personal Computer maker which turned into an Oracle or SAP or other Main Frame sellers is no help to its users.

Microsoft testing division was fired due to Satya Nadella. Microsoft’s customers are now “beta testers” or rats in a cage.

After Satya Narayana Nadella of Hyderabad India took over as CEO, Microsoft’s customers have been treated like teenage beta testers.

Woody and others note a reason for the bad MS patches and why. Then there is a YouTube video that tells of how Microsoft fired their code testers at Microsoft – replacing them with AI.

“Why does Microsoft Windows 10 have so many bugs? Ex-Employee tells you why!” -ht tps://www.youtube[.]com/watch?v=S9kn8_oztsA

“Satya Narayana Nadella (born 19 August 1967) is an Indian American business executive. He is the chief executive officer (CEO) of Microsoft, succeeding Steve Ballmer in 2014 …[Previously] a civil servant who worked for the Indian Administrative Service of the Government of India..” -Wikipedia

For those financial types, here is the disconnect between increasing Revenue and poor cash flow. “This quarter, revenue was $33.1 billion, up 14%… [but] Cash flow from operations …increased 1% year-over-year” – or odd accounting methods made by Satya Nadella caused a hyped “revenue” increase but poor cash flow like other scam artists throughout history.

ht tps://www.fool[.]com/earnings/call-transcripts/2019/10/23/microsoft-corp-msft-q1-2020-earnings-call-transcri.aspx

Nadella’s Huge pay: “Microsoft CEO Satya Nadella took home $42.9 million last fiscal, gets 66% raise ” -Khaleejtimes

ht tps://www.khaleejtimes[.]com/citytimes/newsmakers/microsoft-ceo-satya-nadella-took-home-429-million-last-fiscal-gets-66-raise


‘Bill Gates has quit as Microsoft chairman to take up a new role as technology adviser in a management shake-up that will see Satya Nadella become chief executive. The announcement ends a long search for a new chief after Steve Ballmer announced his intention to retire in August. Feb 4, 2014’-telegraph

ht tps://www.telegraph[.]co[.]uk/technology/microsoft/10616998/Bill-Gates-quits-as-Microsoft-chairman-and-Satya-Nadella-is-named-chief-executive.html

Microsoft can only give away or sell so many poorly coded systems and useless cloud licenses. Clearly, Microsoft needs to clean up its act and get better management.
