There are 87 security vulnerabilities fixed in this month’s rollout of Microsoft bug fixes, including an important one for Windows. There’s also a Critical fix for Outlook and patches for Word and Excel.
We’ll start with the critical Windows bug that needs patching right away.
Vital Windows 10 bug fix
It’s possible to run code and take control of a Windows 10 or Windows Server computer simply by sending network packets to it.
No ‘specially crafted emails’, ‘bad web pages’ or ‘malicious documents’ are needed, and the user doesn’t have to do anything. Just an unpatched computer on a network. Router Advertisements are link-local messages, so in practice the attacker needs to be on the same network segment (the same office LAN or Wi-Fi, for example), but that’s no comfort on a shared network. Ouch … big Ouch.
It’s called CVE-2020-16898 | Windows TCP/IP Remote Code Execution Vulnerability
A hacker sends malformed ICMPv6 Router Advertisement packets over the network to an unpatched computer. The Windows TCP/IP stack mishandles them, which at best crashes the machine with a blue screen and at worst lets the attacker run code on it.
The good news is that the Windows bug wasn’t publicly known and hasn’t been seen used by hackers ‘in the wild’. But that will probably change now that the vulnerability is public knowledge.
Even Microsoft, who usually downplay the risks, rate this bug as ‘Critical’ and ‘Exploitation more likely’ with no mitigating factors.
The recommended fix is to apply the patch. Unfortunately, these days you can’t pick individual patches; all the month’s bug fixes are bundled into a single ‘Cumulative Update’ for that Windows version.
In Settings | Windows Update, look for “2020-10 Cumulative Update for Windows 10 Version ….” in the list of updates to be installed or recently applied.
If you can’t patch immediately, there’s also a command for Windows 10 version 1709 and later which disables the vulnerable part of IPv6, the ICMPv6 RDNSS (Recursive DNS Server) option. Microsoft lists it under Workarounds in the advisory (scroll down); it’s a netsh command run from an elevated PowerShell or command prompt. It only blocks this one bug, so apply the patch anyway and re-enable the option afterwards if your network relies on it.
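The workaround above, as an added example that is not part of the original article or of Microsoft’s advisory: it applies Microsoft’s published netsh setting to every connected IPv6 interface, reads the setting back to confirm it took effect, and can reverse it after patching. The netsh syntax is Microsoft’s; the function names, the loop over interfaces and the parsing of netsh’s English-language output are this example’s own assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: apply, verify or undo the CVE-2020-16898 workaround
# (disable ICMPv6 RDNSS) on Windows 10 1709+ / Windows Server.
# Run from an elevated PowerShell prompt. Changing the setting needs admin;
# reading it does not.

function Get-RdnssState {
    # Returns 'enabled', 'disabled' or 'unknown' for one interface index,
    # by reading the "RA Based DNS Config (RFC 6106)" line that netsh prints.
    # Assumption: English netsh output; other locales label the line differently.
    param([Parameter(Mandatory)][int]$IfIndex)
    $out  = netsh interface ipv6 show interface $IfIndex
    $line = $out | Where-Object { $_ -match 'RA Based DNS Config' }
    if (-not $line) { return 'unknown' }
    return ($line -split ':')[-1].Trim().ToLower()
}

function Set-RdnssState {
    # Microsoft's workaround command: rabaseddnsconfig=disable
    # (rabaseddnsconfig=enable restores the default after patching).
    param(
        [Parameter(Mandatory)][int]$IfIndex,
        [Parameter(Mandatory)][ValidateSet('enable', 'disable')][string]$State
    )
    netsh interface ipv6 set interface $IfIndex rabaseddnsconfig=$State | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed on interface $IfIndex" }
}

function Invoke-RdnssWorkaround {
    # $State = 'disable' applies the workaround, 'enable' undoes it.
    # Only connected, non-loopback IPv6 interfaces can receive Router
    # Advertisements from the network, so those are the ones touched.
    param([ValidateSet('enable', 'disable')][string]$State = 'disable')
    $expected = if ($State -eq 'disable') { 'disabled' } else { 'enabled' }
    $targets  = Get-NetIPInterface -AddressFamily IPv6 |
                Where-Object { $_.ConnectionState -eq 'Connected' -and
                               $_.InterfaceAlias -notmatch 'Loopback' }
    foreach ($if in $targets) {
        $before = Get-RdnssState -IfIndex $if.ifIndex
        Set-RdnssState -IfIndex $if.ifIndex -State $State
        $after  = Get-RdnssState -IfIndex $if.ifIndex
        '{0,-40} ifIndex={1,-3} RDNSS: {2} -> {3}' -f $if.InterfaceAlias, $if.ifIndex, $before, $after
        if ($after -ne $expected) {
            Write-Warning "Setting did not take effect on $($if.InterfaceAlias); check for a locale or policy issue."
        }
    }
}

Invoke-RdnssWorkaround -State 'disable'
```

The read-back matters: netsh returns success even when nothing changed, so checking the state afterwards is the only confirmation that the interface is no longer processing RDNSS options. New interfaces (a fresh VPN adapter, a USB Ethernet dongle) get the default, enabled, setting, so the script needs re-running when those appear, which is another reason the patch, not the workaround, is the real fix.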
But wait, there’s more ….
The same ‘all in one’ update has other ‘Critical’ (though repetitive) bug fixes. Yet again, the Windows graphics system needs fixing for another security hole which could let a malicious image give a hacker access to your computer. These types of security bugs happen way too often.
There’s even an NTFS (Windows file system) security bug.
Critical Outlook security hole
Another security hole in Outlook which a hacker can exploit via the Reading Pane (Preview Pane), so simply previewing a message is enough; it doesn’t have to be opened.
Microsoft rates this bug as ‘Critical’; it needs a patch for Microsoft 365, Office 2019 and Outlook 2016 for Windows.
Word for Windows and Mac security bug
Word for Mac users don’t miss out on the ‘fun’ because there’s a Word security bug which affects all supported Word releases.
CVE-2020-16933 | Microsoft Word Security Feature Bypass Vulnerability works via a hacked .LNK file. .LNK files are usually tiny Windows shortcuts; here one is used to get around a Word security check. The bug is rated ‘Important’.
Word for Windows is affected from the latest Word 365 down through Word 2019, Word 2016, Word 2013 and Word 2010. Even Word 2013 RT (for early Surface machines) needs a patch.
Word for Mac is also affected in Office 2019 and Office 2016 for Mac. There’s no mention of Office 365 for Mac in Microsoft’s list, which seems strange. It’s probably a good idea to update Office 365 for Mac anyway (in any Office app, Help | Check for Updates).
Last chance for Office 2010 …
Support for Office 2010 has now ended. This month’s security patches are the last ones Office 2010 users will get.
Ignore the scare tactics, Office 2010 isn’t ending
When and how to switch from Office 2010 – your questions answered
April 2020 Office security bug fixes
New Word security bugs are more ‘interesting’ than usual
RAT in Word document pretending to be Norton security email
NSA discovered security bug that can affect Microsoft Office