This month’s massive bundle of Patch Tuesday patches almost certainly contains more than a few surprises, and they’re only starting to surface. Here’s a rundown of what I’ve seen in the wee hours of Wednesday morning.
There are lots of reports of delayed, failed and rolled back installations of KB 4041676, the Win10 Creators Update (version 1703) monthly cumulative update, which brings 1703 up to build 15063.674. A quick glance at the KB article confirms that there are dozens and dozens of fixes in this cumulative update — a remarkable state of affairs, considering the Fall Creators Update, version 1709, is due on Oct. 17.
Overnight, Günter Born and Bogdan Popa accumulated long lists of people reporting problems with the update, including hangs, uncontrolled restarts and exceedingly slow downloads. Born reports that some of the problems may be attributable to Norton. If you’re having problems, my long-standing advice for cleaning things up and running the Update Troubleshooter may help.
For those of you wondering what happened to this month’s Flash security patches, there’s a surprising answer: You aren’t seeing any Adobe security patches this month because there aren’t any! All of this month’s Adobe patches are quality updates, er, bug fixes.
@PKCano on AskWoody has confirmed that there were no .NET Security-only updates this month. All of the .NET updates contain non-security patches only.
@MrBrian found this little gem in two Microsoft posts:
All updates for .NET Framework 4.6, 4.6.1, 4.6.2, and 4.7 require the D3 Compiler to be installed. We recommend that you install the included D3 Compiler before applying this update. For more information about the D3 Compiler, see KB 4019990.
MrBrian goes on to note:
On a Windows 7 x64 virtual machine with no Windows monthly rollups installed, and .NET Framework 4.6.1 installed, Windows Update does not list the October 2017 .NET Framework monthly rollup… But the manual installer for the October 2017 .NET Framework monthly rollup successfully installed. Ugh!
Then there’s the TPM firmware problem. Microsoft’s advisory on the Infineon TPM flaw is blunt about the order of operations:
Do NOT apply the TPM firmware update prior to applying the Windows operating system mitigation update. Doing so will render your system unable to determine if your system is affected. You will need this information to conduct full remediation.
And ZDI illuminates:
This is just a stop-gap measure and still requires manual intervention. When the actual firmware updates roll out from TPM vendors, the process will need to happen all over again — except this time, new TPM firmware needs to be installed on every affected device.
Which is enough to tie any admin in knots. Alhonen offers some insight:
If your hardware is a Surface device, firmware updates are yet not available as of October 10, 2017. Surface Laptop and the Surface Pro (released in June 2017) are NOT affected… [for Surface Pro 3] Infineon firmware version 5.0 TPM is not safe. Please update your firmware.
If you’re patching the 2015 LTSC version of Windows 10 (version 1507), you need to see Microsoft’s admission that Windows Presentation Foundation (WPF) may break: WPF crashes after the October 2017 Security and Monthly Quality Rollup is applied on Windows 10 version 1507 that has Microsoft .NET Framework 4.6.2 installed.
There’s also a lot of confusion about Microsoft’s description of its fix for CVE-2017-11776. Microsoft says: “An attacker who exploited the vulnerability could use it to obtain the email content of a user,” when in fact no attacker and no exploit are needed; the bug leaks the content on its own. SEC Consult’s blog has a detailed explanation:
If you used Outlook’s S/MIME encryption in the past 6 months (at least, we are still waiting for Microsoft to release detailed information and update the blog) your mails might not have been encrypted as expected. In the context of encryption this can be considered a worst-case bug.
Kevin Beaumont (@GossiTheDog) has tied the pieces together and concluded:
Outlook S/MIME bug is absolutely reproducible, I just did it. Does not need an attacker. Microsoft have classified it wrong.
So if you used Outlook’s S/MIME encryption on plain-text-formatted emails in the past six months, those messages did not go out protected the way you expected: Outlook sent an unencrypted copy of the body alongside the encrypted S/MIME part, so the text could be read in transit and on the receiving server without any key. No antivirus backdoor required. Gotcha.
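If you want to know whether your own Sent folder is affected, the shape of the bug is easy to test for: a properly encrypted S/MIME message is a single enveloped-data part (possibly wrapped in a signature), so any text/* part sitting next to the encrypted blob is body content that went out in the clear. The script below, an added example that is not from this article, SEC Consult, Microsoft or Outlook, parses messages with Python’s standard email package and flags exactly that. The three sample messages are constructed for the demo, the base64 blobs are placeholders rather than real CMS data, and Outlook’s actual MIME layout may differ in detail; the check itself is generic and works on any S/MIME mail, not just Outlook’s.

```python
"""Flag S/MIME mail whose body also travels in cleartext.

Added example (not from the article, SEC Consult or Microsoft).  Samples are
constructed; the base64 blobs stand in for real CMS data.
"""
from __future__ import annotations

from email import message_from_string
from email.message import Message
from typing import Iterable

ENVELOPED_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def is_enveloped(part: Message) -> bool:
    """True if the part is an S/MIME EnvelopedData (encrypted) blob."""
    if part.get_content_type() not in ENVELOPED_TYPES:
        return False
    # signed-data shares this media type; only enveloped-data (or an
    # unlabelled blob, as some older clients send) counts as encryption.
    smime_type = str(part.get_param("smime-type") or "").lower()
    return smime_type in ("", "enveloped-data")

def leaked_cleartext(msg: Message) -> list[str]:
    """Return text/* leaves that sit beside an encrypted part.

    Proper S/MIME is one enveloped-data part (maybe inside multipart/signed);
    a text sibling is body that every relay can read without a key.
    """
    enveloped = False
    cleartext: list[str] = []
    for part in msg.walk():
        if is_enveloped(part):
            enveloped = True
        elif part.get_content_maintype() == "text" and not part.is_multipart():
            raw = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            cleartext.append(raw.decode(charset, "replace").strip())
    return cleartext if enveloped else []

def scan_messages(messages: Iterable[Message]) -> dict[str, list[str]]:
    """Map Message-ID (or Subject) to the leaked text of each leaky message."""
    findings: dict[str, list[str]] = {}
    for msg in messages:
        leaks = leaked_cleartext(msg)
        if leaks:
            key = msg.get("Message-ID") or msg.get("Subject", "<no subject>")
            findings[key] = leaks
    return findings

def scan_raw(raw_messages: Iterable[str]) -> dict[str, list[str]]:
    """Same scan over raw RFC 822 text, e.g. .eml files read from disk."""
    return scan_messages(message_from_string(raw) for raw in raw_messages)

# Constructed samples, not captured Outlook traffic.
GOOD_ENCRYPTED = """\
Message-ID: <good@example.com>
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxAAAA
"""

LEAKY_ENCRYPTED = """\
Message-ID: <leaky@example.com>
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain; charset="us-ascii"

Q3 revenue is down 12 percent. Do not forward.
--outer
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxAAAA
--outer--
"""

SIGNED_ONLY = """\
Message-ID: <signed@example.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="sig"

--sig
Content-Type: text/plain; charset="us-ascii"

Noon at the usual place?
--sig
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQExAAAA
--sig--
"""

if __name__ == "__main__":
    for msg_id, leaks in scan_raw([GOOD_ENCRYPTED, LEAKY_ENCRYPTED, SIGNED_ONLY]).items():
        print(f"{msg_id}: cleartext beside encrypted part: {leaks[0]!r}")
```

Only the leaky sample is reported; the plain enveloped message and the signed-but-unencrypted message (which legitimately carries text beside a pkcs7-signature part) both pass. To run it over a real Sent Items export, feed `mailbox.mbox(path)` from the standard library to `scan_messages`, since its messages are ordinary `email.message.Message` objects; every hit is a message whose body left your client readable.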
No definitive word as yet on whether the Win 8.1 Monthly Rollup, KB 4041693, or the Security-only update, KB 4041687, fix the baffling problem where Win 8.1 customers can’t sign in with a Microsoft account. That bug was introduced in the September Monthly Rollup. The topic isn’t even mentioned in the KB articles.
… and it’s been less than a day since the patches rolled out.
Got a patching problem? Hit us on the AskWoody Lounge.