Microsoft fixes 99 vulnerabilities, but one Windows 10 update is more complicated than the others
If you thought that updating Windows 10 was a problem that had long since been solved, then I congratulate you on your optimistic outlook. However, while Microsoft is no longer warning some Windows 10 users not to install an update that could break the Windows Defender Advanced Threat Protection service as it did last year, things remain somewhat confusing as far as security updates are concerned. Patch Tuesday has now been and gone, but not everyone is going to be protected from one “important” vulnerability unless they install a total of three updates in a very specific order.
Microsoft has 99 problems, make sure you fix them all
The latest Patch Tuesday round of vulnerability fixes hit Windows users this week, with 99 flaws covered in all. I was pleased to see that the actively exploited, critical Internet Explorer vulnerability that was causing problems for those applying workarounds has finally been fixed. As Satnam Narang, a senior research engineer at Tenable, said: “This is one of the largest Patch Tuesday releases we’ve seen in recent times.” As far as I can tell, it’s the biggest since August 2019 when there were still an impressive 93 CVEs fixed. “Unlike the song where you need to take each bottle down and pass it around,” Todd Schell, senior product manager of security at Ivanti, said, “the good news here is many of these CVEs can be resolved by applying just a few Microsoft updates.” As Schell pointed out, most of these are in the OS itself and, “on average, your OS updates will resolve around 50 CVEs. The exception is Windows 10, which along with IE and Edge, will resolve 88 CVEs.”
Of the 99 vulnerabilities that were fixed across various flavors of Windows and other Microsoft products, 12 were rated as critical and 87 as important. However, one stood out for me, for all the wrong reasons.
The somewhat confusing fix for CVE-2020-0689
The important-rated “Microsoft Secure Boot Security Feature Bypass Vulnerability” (CVE-2020-0689) allows an attacker who exploits it, as the name suggests, to bypass the secure boot protection offered by Windows 10. That means they could then load untrusted and potentially malicious software, simply by running a specially crafted application. The good news, part one, is that there is no evidence that this vulnerability has been exploited in the wild. The good news, part two, is that Microsoft has included a fix for this in the Patch Tuesday rollout that blocks vulnerable third-party bootloaders. I’m guessing you are now waiting for the bad news, and here it comes: there are some prerequisites for successfully installing that patch.
In the security update guide FAQ for CVE-2020-0689, Microsoft states that there is a Servicing Stack Update (SSU) prerequisite for specific Knowledge Base (KB) numbers. If that SSU thing sounds familiar, that’s because you may have stumbled across my reporting of it before. You can find out more from Microsoft itself, but the “too long; didn’t read” of the matter is that SSUs fix problems associated with the component that installs Windows updates. As I reported back in October 2019, Microsoft released a critical servicing stack update (SSU) that it strongly recommended be installed before the latest cumulative updates were applied. The feedback I received following that report confirmed what I already knew: the average Windows 10 user is very confused by this ‘update ordering’ requirement. The bad news, then, is that the CVE-2020-0689 fixes are “standalone security updates” that need to be installed as well as the normal security updates to protect against the secure boot vulnerability. If you do not have the correct SSU package installed, which was released either in November 2019 or February 2020 depending upon your version of Windows 10, and need to install a standalone update and the general February Patch Tuesday update, then specific ordering becomes a thing again.
The Microsoft guidance for those users who need to install the three updates is that they are installed in the following order:
1. The Servicing Stack Update
2. The standalone Secure Boot CVE-2020-0689 update
3. The February security update
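As an added example (not from Microsoft or the original article), the following PowerShell checks which of the three updates a machine already reports and which one comes next in that order. The KB identifiers are placeholders to be replaced with the numbers listed for your Windows 10 version on the CVE-2020-0689 details page, and the script assumes each update is reported by Get-HotFix.

```powershell
# Placeholder KB identifiers (not from the article): substitute the values
# that the CVE-2020-0689 KB articles list for your Windows 10 version.
$steps = @(
    [pscustomobject]@{ Order = 1; Name = 'Servicing Stack Update';        KB = 'KB-SSU-PLACEHOLDER' }
    [pscustomobject]@{ Order = 2; Name = 'Standalone Secure Boot update'; KB = 'KB-SECUREBOOT-PLACEHOLDER' }
    [pscustomobject]@{ Order = 3; Name = 'February security update';      KB = 'KB-FEBRUARY-PLACEHOLDER' }
)

# Query the installed updates once and index them by KB identifier.
$installed = @{}
Get-HotFix | ForEach-Object { $installed[$_.HotFixID] = $_ }

# Build one status row per required update, in the required order.
$report = foreach ($s in $steps) {
    $hit = $installed[$s.KB]
    [pscustomobject]@{
        Order       = $s.Order
        Update      = $s.Name
        KB          = $s.KB
        Installed   = [bool]$hit
        InstalledOn = if ($hit) { $hit.InstalledOn } else { $null }
    }
}
$report | Format-Table -AutoSize

# The first missing step is the next one to install. A later step that is
# already present while an earlier one is missing means the order was skipped.
$firstMissing = $report | Where-Object { -not $_.Installed } |
    Sort-Object Order | Select-Object -First 1

if ($firstMissing) {
    $report | Where-Object { $_.Installed -and $_.Order -gt $firstMissing.Order } |
        ForEach-Object {
            Write-Warning "$($_.Update) ($($_.KB)) is present but step $($firstMissing.Order) is not."
        }
    Write-Output "Next to install: step $($firstMissing.Order), $($firstMissing.Update) ($($firstMissing.KB))"
} else {
    Write-Output 'All three updates are reported as installed.'
}
```

InstalledOn is a date without a time, so the table shows whether the updates are present but cannot prove the order of two updates installed on the same day.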
The Trend Micro Zero Day Initiative analysis of the Windows February security update warns that those users who also have the Windows Defender Credential Guard (Virtual Secure Mode) enabled will “need to go through two additional reboots as well.”
Get reading, get downloading and fix Windows 10 ASAP
All of which is not only recommended but in my never humble opinion essential as the secure boot vulnerability has been publicly disclosed, so there will be threat actors eager to exploit it on unpatched systems. My advice is to go read the Microsoft February 2020 security updates release notes, the security update guide, and the KB articles for your Windows 10 version that are linked from the CVE-2020-0689 details page. The last thing anyone wants is to see this vulnerability end up on the list of ancient Microsoft security flaws that are driving cybercrime in 2020, after all. I’d also advise every user to go read my securing Windows 10 in eight easy steps guide, to ensure you are covering the security basics.