December Patch Tuesday round-up: Winding down for the year


At last, we have the final updates for 2020 from Microsoft. For anyone keeping count, we ended up with 1,250 CVEs (Common Vulnerabilities and Exposures) for the year. That’s almost 50% more than the 800 we had to deal with in 2019. Given the way we get updates delivered in a cumulative fashion, I don’t think of it as about the number of vulnerabilities; I think more about how many times I had to deal with post-release issues in 2020. I’ll recap the year’s major patching issues later this month. For now, I’ll summarize the issues to watch out for in December.

First, a reminder if you’re running Windows 10 1903: This is the last official release for that version. You must be on Windows 10 1909 (or later) to continue to receive security updates. In the past, I have recommended setting the deferral for feature updates for 365 days. Now, I recommend using the targetreleaseversion setting to specify the exact feature release version you want. So if you set the value at 1909, you’ll receive 1909; if you set it at 2004 — even if you are on 1903 — you’ll get offered 2004, not 1909. (For Windows 10 Home users, I continue to recommend you upgrade from Home to Professional to better control updates.) 
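The version pinning described above can be applied directly through the Windows Update policy registry values. The script below is an added example, not part of the original article; it assumes the `TargetReleaseVersion` and `TargetReleaseVersionInfo` values under the Windows Update policy key, and the `1909` target is only a sample choice.

```powershell
# Added example (not from the article): pin the feature release that Windows Update offers.
# Run in an elevated PowerShell session.
$TargetVersion = '1909'   # assumption: the release you want; the article also mentions 2004

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$versionKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# Reject anything that does not look like a Windows 10 release label
if ($TargetVersion -notmatch '^(\d{4}|\d{2}H[12])$') {
    throw "Unexpected version string '$TargetVersion' (expected e.g. 1909, 2004, 20H2)"
}

# Report what is installed now; DisplayVersion exists on 20H2 and later, ReleaseId before that
$cv = Get-ItemProperty -Path $versionKey
$installed = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }
Write-Output "Installed feature release: $installed"
if ($installed -eq '1903') {
    Write-Warning '1903 has received its last security update; target 1909 or later.'
}

# Create the policy key if no Windows Update policy has been set on this machine yet
if (-not (Test-Path -Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}

# TargetReleaseVersion = 1 turns the policy on; TargetReleaseVersionInfo names the release
New-ItemProperty -Path $policyKey -Name 'TargetReleaseVersion' `
    -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $policyKey -Name 'TargetReleaseVersionInfo' `
    -PropertyType String -Value $TargetVersion -Force | Out-Null

# Read the values back so a failed or redirected write does not go unnoticed
$applied = Get-ItemProperty -Path $policyKey
if ($applied.TargetReleaseVersion -ne 1 -or
    $applied.TargetReleaseVersionInfo -ne $TargetVersion) {
    throw 'Policy values did not read back as written.'
}
Write-Output "Windows Update is pinned to feature release $($applied.TargetReleaseVersionInfo)."
```

Removing the two values returns the machine to the default feature-update behaviour.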

As always, before installing any updates, make sure you back up your computer to ensure you are protected from any failure of a hard drive, ransomware, issues with updates or myriad other problems that can crop up.


For those running Windows 8.1 or Server 2012 R2, as always, there are two sets of updates: the monthly rollup in the form of KB4592484 and the security-only update, KB4592495, which is only available from the Microsoft catalog site or other corporate patching platforms. For nearly an entire year the one known issue of “renaming files or folders that are on a Cluster Shared Volume (CSV)” has never been fixed, which means it’s such a minor issue Microsoft never prioritized fixing it. While I don’t anticipate issues on this rock-solid platform, I don’t recommend you install updates until we can be sure we are again trouble free. This is the week I watch for issues and test on spare machines only.

If you’re using Windows 7 or 8.1, click Start > Control Panel > System and Security. Under Windows Update, click the “Turn automatic updating on or off” link. Click the “Change Settings” link on the left. Verify that you have Important Updates set to “Never check for updates (not recommended)” or “Download and do not install” and click OK.

Windows 7 patchers need to decide whether they want to again repurchase the Extended Servicing Update package or migrate to a supported platform. It’s expected to double in price and will need to be reapplied to the operating system. (Remember what a hassle it was to use the command line to enter the product key the last time? Well, you need to redo it again in January to keep the operating system patched.) If you did purchase Windows 7 ESUs last year, you should get an email in 2021 to remind you to repurchase them to keep your machines patched after January. Alternatively, you can use the 0patch service to ensure your machine is protected.

For Windows 7 users, there are two sets of updates: the monthly rollup in the form of KB4592471 and the security-only update, KB4592503; the latter is only available from the Microsoft catalog site or other corporate patching platforms. Remember you’ll need a servicing stack update (KB4592510) before you install the January updates.

Windows 10 gets its usual dose of releases (KB4592438 for 20H2/2004, KB4592449 for 1909/1903).  Microsoft has fixed the issue that caused havoc with VPNs when updating from version 1809 or later where certificates were lost. (The only way to “fix” that issue was to roll back to before the feature update was installed.) Microsoft has now re-released the media so the issue will not occur. The good news: if you used the Windows update process to install the feature releases, you will not see this issue.

As always, it’s generally better to rely on the Pause updates feature introduced in version 1903. Alternatively, you can use the defer patches until a certain date option. I tend to look at the calendar and pick a date that I know I will have time to deal with issues, should anything arise. Click on Start > Settings > Update & Security, then on advanced options and review your deferral dates.

All Windows updates offer fixes, including one that, according to its description, prevents applications that run under the SYSTEM account from printing to “FILE:” ports. If you have older line-of-business apps that use such a printing process, you should test printing to be sure there are no side effects from these updates.

There’s also a change for corporate patchers used to manually approving the Windows 10 updates as well as the servicing stack updates. Microsoft is now combining Servicing Stack Updates and the latest cumulative updates (SSUs and LCUs) into one bundle. There’s more info in the Microsoft blog.

Note: we are now in the last few days of support for Adobe Flash. Microsoft has indicated that Flash will be officially removed from all browsers on Windows platforms by Dec. 31, but I’m not seeing that it will be truly removed from your machine until January, per the Chromium road map blog. Even with that, Adobe is releasing a final bug fix for Adobe Flash Player.

Those who, like me, handle both home patching and office patching have had to keep track of several office patches that will have a big impact next year (while keeping an eye out for potential side effects this year). Affecting only firms with Active Directory domain controllers, CVE-2020-16996 impacts domains with Protected Users and Resource-Based Constrained Delegation. The update will be installed now, but the enforcement won’t be until Feb. 9, 2021.

If you are in charge of updating Exchange 2010, 2013, 2016 or 2019 or SharePoint, you’ll want to pay attention to several patches for those corporate communication platforms.

Microsoft is once again releasing updates for Office 2010, even though that platform is officially out of support. Excel, Office, Outlook and PowerPoint are all receiving security updates fixing various remote code-execution bugs; these are the worst kind of bugs, so be careful when opening up files and emails until you are patched.  Office 2013, 2016, 2019 and click-to-run versions are receiving similar updates.

As always we’re watching for side effects and issues on