Out of Band KB4578013

https://www.bleepingcomputer.com/news/security/microsoft-issues-out-of-band-kb4578013-windows-security-update/
Will this one be created by HCL or should we grab it and "roll our own"?

1 Like

Isn’t it part of cumulative/rollup updates?

Apparently not…
Microsoft has issued an emergency out of band Windows security update designed to address privilege escalation bugs found to impact the Windows Remote Access service.

“An out of band security update has been released for Windows 8.1 and Windows Server 2012 R2,” Microsoft says. “We recommend that you install these updates promptly.”

Good spot - Microsoft seem rather coy about this non-PT critical patch, but there is nothing in the PT fixlets that addresses either vulnerability for Windows 8.1 or Server 2012R2.

Not even sure it is “critical”; MS pages had conflicting information when I checked.
I passed this along to HCL content team.

Perhaps I’ve jumped to the wrong conclusion, but a search for other fixlets with CVE-2020-1530 or CVE-2020-1537 in the CVE ID list shows a source severity of ‘Critical’, and every other OS seems to have a fixlet (and hence a security patch actually issued by Microsoft on Patch Tuesday).

Perhaps Windows 8.1 & Server 2012R2 are less susceptible and/or less compromised by this vulnerability than earlier & later versions of Windows and Microsoft thought it OK to release this one 8 days later.

To quote the message centre: “An out of band security update has been released for Windows 8.1 and Windows Server 2012 R2. This update addresses two Windows Remote Access Elevation of Privilege vulnerabilities. We recommend that you install these updates promptly.” This adds weight to my assumption that this is a critical update.

Thanks for passing it along to the content team.

1 Like

Both CVE links list the severity for all OSes as Important
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1530
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1537

But Catalog lists severity as Critical
http://www.catalog.update.microsoft.com/Search.aspx?q=KB4578013
(Drill in to see severity)

Support URL does not list severity.
https://support.microsoft.com/help/4578013

I would rate it medium on a scale of 1 to confusing. I will follow up with the content team.

1 Like

Seems fair :sunglasses:

Fixlets for KB4578013 have been released in Patches for Windows version 3600.

3 Likes

@bma

Thank you.