This month's Windows and Office security patches: Bugs and solutions


The patching pace this month returned to normal: We had the Patch Tuesday patches on April 14, followed by the “optional, non-security, C/D Week” patches one week later (Monthly Rollup Preview for you Win8.1 aficionados). With a bit of luck, that’s the last round of confusing “optional” Win10 patches: Microsoft promises we won’t see any more of them.

We also had an out-of-band patch for Office 2016 Click-to-Run, Office 2019 (which is only available as Click-to-Run) and Microsoft 365 Apps for Enterprise (previously known as Office 365 ProPlus). The big concern with those patches falls into the “it’s not a bug, it’s a feature” column.

More big, scary zero-day vulnerabilities

For the Chicken Little crowd, we had three zero-day patches – ones identified by Microsoft as being “Exploited” when issued – and, as best I can tell, none of those have found their way into mainstream attacks. Same old story.

As a perplexing sidenote, many reports included a fourth zero-day patch, CVE-2020-0968, which was issued with an indication of “Exploited: Yes” but is now listed as “Exploited: No.” Long story, but the divergent reports on the web have largely been updated. (Thx, @campuscodi, @dangoodin001)

I’m not aware of any widespread attacks based on any of the three (or four) “Exploited” patches. As usual, the exploits at this point are limited to extremely targeted attacks.

VBA libraries get blocked with the Office Click-to-Run patches

If you use one of the recent Click-to-Run versions of Office and you start getting “Compile error: / Can’t find project or library” error messages (see screenshot), there’s a reason why. You’re running a VBA command – whether you realize it or not – that’s trying to open something out on the wild, wild web.
