Critical Windows 10 Update

I received this notice at my workplace yesterday:
Recently, a critical security vulnerability was discovered among all Windows 10 and Windows Server 2016/2019 systems. Microsoft reports that the vulnerability leaves these systems open to cyber attacks. A software patch has been released to remedy the issue and is available for you to install immediately.

Check your computer for updates status. Link removed by OP request
 
Never take a link like this. They can be spoofed. Go to Microsoft, and update. Better is to set automatic updates and leave computer on one night a week, and then reboot the next morning.
 
Originally Posted by ragtoplvr
Never take a link like this. They can be spoofed. Go to Microsoft, and update. Better is to set automatic updates and leave computer on one night a week, and then reboot the next morning.
Originally Posted by Donald
It should have been done for you via automatic updates earlier this week.

I would go to Windows update and see if there is anything waiting.

Was thinking the same thing. Who has to "update" the PCs (at least those running Windows 10) anymore? If you are one of those that insist on being in control, well, good luck.... Exploits like this aren't going to wait and Microsoft may push a critical update outside of their scheduled days/times when it's bad enough.
 
Originally Posted by ragtoplvr
Never take a link like this. They can be spoofed. Go to Microsoft, and update. Better is to set automatic updates and leave computer on one night a week, and then reboot the next morning.

Excellent point; but the link provided by OP does go to Microsoft.
 
Originally Posted by uc50ic4more
Originally Posted by ragtoplvr
Never take a link like this. They can be spoofed. Go to Microsoft, and update. Better is to set automatic updates and leave computer on one night a week, and then reboot the next morning.

Excellent point; but the link provided by OP does go to Microsoft.

I was about to say this as well, but I realized that I can tell the destination of the link because I'm using a device with a mouse. Hover the mouse over the link and you can see where you will be taken to. If a person is using a mouse-less device, say a phone, tablet, Surface, or other touch-enabled device, then there is no hover / mouseover that I know of.
 
Only go to update on your PC, who knows what people are capable of.
 
Originally Posted by Variant_S
Hover the mouse over the link and you can see where you will be taken to.

That can also be faked.
 
Originally Posted by mk378
Originally Posted by Variant_S
Hover the mouse over the link and you can see where you will be taken to.

That can also be faked.


Good point. I've never done it but I wonder if this would work:

Code

<a href="http://www.MY_REALLY_INNOCENT_SITE.com"
   onmouseover="this.href='http://www.MY_REALLY_INNOCENT_SITE.com';"
   onmouseout="this.href='http://www.EVIL_SITE.com';"
   onclick="this.href='http://www.EVIL_SITE.com';">GO TO MY REALLY INNOCENT SITE</a>


HOWEVER that would have to be hand-coded; and forums and other dynamic sites wouldn't do that. I am extremely comfortable hovering over a URL on BITOG and knowing that's where I'd be headed.

EDIT: That code did NOT work on my wife's Win10 machine in Firefox with and without a script blocker nor, oddly, Internet Explorer; but worked on Microsoft Edge and, oddly, Chrome! (So I'd presume, too, all Chromium-based browsers? ANOTHER EDIT: I couldn't help myself so I downloaded and installed Brave, a Chromium-based browser, and the code worked there, too.)
You can test this yourself by copying and pasting that code into Notepad or some other and saving it as test.html, then opening it with various browsers. Don't worry, there is no "evil_site.com" to be accidentally taken to! :^)
 
Yeah, we pushed this to our 2016 servers last night at work. Sort of a large file; I believe it was around 1.4GB. It is a rollup of 50 patches in one.
 
Excellent advice to ignore my link. I should have just recommended to check your updates, as stated by several posters above. I requested moderators to edit my OP.

I just moved from Windows 7 to Win 10 a few days ago and this recent update was not installed when I checked yesterday. I will check my settings.

Off topic, but if I had known that the Win 10 upgrade was so painless, I would have done it earlier. I remember the rants and complaints early on (tiles, etc.) when people were actually installing apps to make Win 10 look more like Win 7.


Have a great weekend everyone. In the Midwest, make sure you have your snow shovels ready to go!
 
Done with my auto updates in KD4530684 on 12/11 thankfully. Reminds me I gotta double check my company's GPO settings.
 
If you use Google Chrome you want to update it also.

Google was fast addressing this - with the latest release of Chrome, released today (Thursday, 16/1/2020) they added additional checks for Chrome so make sure you update Chrome as well!

Mozilla Firefox does not use Crypt32.dll to verify certificates and does not have the same bug.
 
To echo others, this is a very significant vulnerability and was discovered by the NSA. Make sure your machine is set to auto-update. Also, good idea to manually check within Updates to get it as soon as possible. Weaponization of this vulnerability is expected very, very soon.
 
I guess that's why my laptop was requesting a reboot this morning. Well, I did it and it rebooted to a blank screen. I waited an hour for something to change. Nothing, so I power cycled it. It didn't like it, because it spent an unusually long time coming up, but at least I have the screen back. Hopefully that upgrade worked.
 
Originally Posted by uc50ic4more
Originally Posted by mk378
Originally Posted by Variant_S
Hover the mouse over the link and you can see where you will be taken to.

That can also be faked.


Good point. I've never done it but I wonder if this would work:

Code

<a href="http://www.MY_REALLY_INNOCENT_SITE.com"
   onmouseover="this.href='http://www.MY_REALLY_INNOCENT_SITE.com';"
   onmouseout="this.href='http://www.EVIL_SITE.com';"
   onclick="this.href='http://www.EVIL_SITE.com';">GO TO MY REALLY INNOCENT SITE</a>


HOWEVER that would have to be hand-coded; and forums and other dynamic sites wouldn't do that. I am extremely comfortable hovering over a URL on BITOG and knowing that's where I'd be headed.

EDIT: That code did NOT work on my wife's Win10 machine in Firefox with and without a script blocker nor, oddly, Internet Explorer; but worked on Microsoft Edge and, oddly, Chrome! (So I'd presume, too, all Chromium-based browsers? ANOTHER EDIT: I couldn't help myself so I downloaded and installed Brave, a Chromium-based browser, and the code worked there, too.)
You can test this yourself by copying and pasting that code into Notepad or some other and saving it as test.html, then opening it with various browsers. Don't worry, there is no "evil_site.com" to be accidentally taken to! :^)


Wow. I learn something new every day. Thanks!
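
Added example, not part of the thread or any poster's code: since the hover preview only shows the href at the moment of hovering, a forum sanitizer or mail filter can inspect the markup instead. This Python sketch flags anchors that carry inline on* handlers (the mechanism in the snippet posted above) and anchors whose visible text names a different host than the href; the sample HTML and the example.test / example.invalid hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the thread's hover-swap link plus two ordinary links.
SAMPLE_HTML = """
<a href="http://www.MY_REALLY_INNOCENT_SITE.com"
   onmouseover="this.href='http://www.MY_REALLY_INNOCENT_SITE.com';"
   onclick="this.href='http://www.EVIL_SITE.com';">GO TO MY REALLY INNOCENT SITE</a>
<a href="https://support.example.test/update">https://support.example.test/update</a>
<a href="http://login.example.invalid/">www.example.test</a>
"""

# Link text that itself looks like a URL or bare hostname; group 1 is the host.
URL_IN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)", re.I)

class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (link text, [reasons])
        self._open = None    # (href, handler names, text parts) of the current <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            attrs = dict(attrs)  # any on* attribute can rewrite href after hover
            handlers = sorted(k for k in attrs if k.startswith("on"))
            self._open = (attrs.get("href") or "", handlers, [])

    def handle_data(self, data):
        if self._open is not None:
            self._open[2].append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._open is None:
            return
        (href, handlers, parts), self._open = self._open, None
        text = "".join(parts).strip()
        host = (urlsplit(href).hostname or "").lower()
        reasons = ["inline handlers: " + ",".join(handlers)] if handlers else []
        shown = URL_IN_TEXT.match(text)
        if shown and shown.group(1).lower() != host:  # strict host comparison
            reasons.append(f"text shows {shown.group(1).lower()}, href goes to {host}")
        if reasons:
            self.findings.append((text, reasons))

def audit_links(html):
    auditor = LinkAuditor()
    auditor.feed(html)
    return auditor.findings
```

The host comparison is deliberately strict, so link text of `example.test` pointing at `www.example.test` would also be reported; a sanitizer that simply drops every on* attribute removes the hover-swap case outright.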
 