With all of the problems in the January, February and March patches for Windows and Office, you’d think we would catch a break in April. In one sense we did — some of the worst bugs in the earlier patches now seem to be behind us. But we’re definitely not out of the woods just yet.
Patch Tuesday by the numbers
Tuesday, Microsoft released 177 separate patches covering 66 security holes (CVEs), 24 of which are rated “critical.” The SANS Internet Storm Center says that only one of the patches, CVE-2018-1034, covers a security hole that’s been documented, and it isn’t being exploited.
Further details, compliments of Martin Brinkmann on ghacks:
- Win7: 21 vulnerabilities, 6 rated critical
- Win8.1: 23 vulnerabilities, 6 rated critical
- Win10 version 1607: 25 vulnerabilities, 6 critical. (Note that this is the last planned security update for Win10 1607.)
- Win10 version 1703: 28 vulnerabilities, 6 critical
- Win10 version 1709: 28 vulnerabilities, 6 critical
- Server 2008 R2: 21 vulnerabilities, 6 critical
- Server 2012 and 2012 R2: 23 vulnerabilities, 6 critical
- Server 2016: 27 vulnerabilities, 6 critical
- IE 11: 13 vulnerabilities, 8 critical
- Edge: 10 vulnerabilities, 8 critical
As Dustin Childs notes on the Zero Day Initiative site, five of the critical bugs are variations on an old, tired theme: a “bad” font can take over your machine, if you’re running in admin mode. And it doesn’t matter where the font appears — on a web page, in a document, in an email. Don’t you just love it when fonts get rendered inside the Windows kernel?
As of early Thursday morning, there are no known exploits for the font phunnies.
Top points, from my point of view, anyway:
- Every version of Windows gets patched. All have 6 “critical” patches.
- The old restriction on compatible antivirus products has been lifted on Win7 and 8.1 — it was already lifted on Win10. The old constraints are still in effect for last month’s patches.
- Windows 7 and Server 2008R2 are still a mess. We’re entering the realm of surreal patching sequences. See the next two sections.
- The old Win7/Server 2008R2 SMB server memory leak is still there — that’s a showstopper for many folks running 2008R2 servers.
- The old Win7/Server 2008R2 bluescreens for SSE2 are still there.
- Microsoft thinks it fixed an old data-stealing bug in Outlook, but the hole’s still one click away.
- There’s no update that I can see on the Word 2016 March security patch KB 4011730 that prohibited Word from opening and saving docs.
- We’re still getting Office 2007 patches, six months after it was supposed to hit end of life.
- We even got a strange hardware fix, for the Microsoft Wireless 850 Keyboard.
Some progress on the Win7 Keystone Kops patches
If you’ve been following along, you know that Win7/Server 2008 R2 has left a trail of tears, starting with the January security patches, which introduced the Total Meltdown gaping security hole, followed by an SMB server bug introduced in March that may render it inoperable, and buggy patches that created phantom Network Interface Cards (NICs) and shot down static IP addresses.
This month, it appears as if some of those problems have been solved. In particular, the Win7/Server 2008R2 Monthly Rollup KB 4093118 and the manually installed KB 4093108 Security-only patch supersede the sketchy KB 4100480 that’s supposed to fix the Total Meltdown bugs in this year’s Win7 patches. KB 4093118 and KB 4093108 also contain the fix in KB 4099467, which eliminates the Stop 0xAB error when you log off. Not so coincidentally, both of those bugs were introduced by security fixes released earlier this year.
According to MrBrian, installing this month’s Win7 Monthly Rollup or Security-only patch obliterates those bugs:
- KB4093118 and KB4093108 contain v6.1.7601.24094 of files ntoskrnl.exe and ntkrnlpa.exe, which is newer than the v6.1.7601.24093 files ntoskrnl.exe and ntkrnlpa.exe contained in the Total Meltdown fix KB4100480. (My analysis of KB4100480.) Thus, KB4093118 and KB4093108 very likely fix Total Meltdown without needing to install KB4100480.
- KB4093118 and KB4093108 contain v6.1.7601.24093 of file win32k.sys, which is newer than the v6.1.7601.24061 file win32k.sys contained in KB4099467. (abbodi86’s analysis of KB4099467.) Thus, KB4093118 and KB4093108 very likely fix the same issue fixed by KB4099467 without needing to install KB4099467.
Or at least it’s supposed to obliterate those bugs.
The phantom NIC and static IP bugs enter the Twilight Zone
That leaves us with two other significant bugs in the old Win7 patches. Microsoft describes them like this:
- A new Ethernet Network Interface Card (NIC) that has default settings may replace the previously existing NIC, causing network issues after you apply this update. Any custom settings on the previous NIC persist in the registry, but are unused.
- Static IP address settings are lost after you apply this update.
As of this moment, it looks as if the manual Win7 Security-only patch KB 4093108 fixes the phantom NIC bug and static IP zapping bug — but the Monthly Rollup, KB 4093118, does not. That puts us in a surreal situation where Microsoft recommends that those installing the (automatically pushed) Monthly Rollup first install the (manual download) Security-only patch.
I didn’t believe that either until I read the newly updated KB article:
Microsoft is working on a resolution and will provide an update in an upcoming release.
Although the description isn’t crystal clear, it looks to me as if Microsoft is saying that anyone who uses Windows Update to install this month’s Win7 Monthly Rollup is required to dive into the Windows Catalog, download and install the Security-only patch, prior to letting Windows Update do the dirty deed. If you don’t do that, your NIC may fall over and play dead and/or any static IP addresses you’ve assigned will be wiped out.
But that’s not all for the Update Server folks
Those of you who control Update Servers have yet another cute twist. Two of them.
Reading between the lines again, it appears as if WSUS and SCCM won’t queue up the Security-only patch prior to installing the Monthly Rollup. You have to do that manually. There was a notice sent out on Wednesday that urged admins to download a separate patch, KB 4099950, and install it prior to installing this month’s Win7 Monthly Rollup. Now, it seems, installing the Security-only patch first is the recommended course of action.
For standalone computers that use the B patching process of applying security-only updates – again, you should be in wait-and-see mode right now. If you have a spare computer and want to live on the edge, install now. Otherwise get the popcorn out and wait to see what happens.
Again reading between the lines, it appears as if KB 4099950 prevents the phantom NIC and static IP zapping bugs. If you’ve already installed it, there’s no need to uninstall it, you’re good to go — and you don’t need to manually install this month’s Security-only patch. If you haven’t installed KB 4099950, Microsoft now says that the preferred method for fending off the IP problems is to install this month’s Security-only patch. Which means those of you at the helm of WSUS and SCCM servers need to make sure your users get the Security-only patch prior to receiving the Monthly Rollup. Clear as mud, right?
More than that, I’m getting reports that the Win10 1607 April cumulative update, KB 4093119, is dishing out a retrograde version of Credssp.dll. The March cumulative update installed version 10.0.14393.2125, whereas the April version installs version 10.0.14393.0.
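The file-version reasoning used for the Win7 kernel and win32k.sys above, and the Credssp.dll regression just mentioned, can be checked directly on a machine. This is an added example, not code from the column, from MrBrian, or from Microsoft; the System32 paths and the “skip other OS branches” logic are my assumptions, while the version numbers are the ones quoted in the column. Run it in an elevated PowerShell on the machine in question.

```powershell
# Added example (not from the column or Microsoft): compare installed file versions
# against the versions the column cites. Win7/2008R2 entries use the 6.1.7601 branch,
# the Credssp.dll entry the Win10 1607 (10.0.14393) branch; entries for another branch
# or for files that are absent (ntkrnlpa.exe exists only on 32-bit Win7) are skipped.
$sys = "$env:SystemRoot\System32"
$checks = @(
    @{ File = "$sys\ntoskrnl.exe"; Min = [version]'6.1.7601.24094';  Note = 'Win7/2008R2: KB4093118/KB4093108 supersede the KB4100480 Total Meltdown fix' },
    @{ File = "$sys\ntkrnlpa.exe"; Min = [version]'6.1.7601.24094';  Note = 'Win7 32-bit only: same fix' },
    @{ File = "$sys\win32k.sys";   Min = [version]'6.1.7601.24093';  Note = 'Win7/2008R2: covers the Stop 0xAB logoff fix from KB4099467' },
    @{ File = "$sys\credssp.dll";  Min = [version]'10.0.14393.2125'; Note = 'Win10 1607: March level; April KB4093119 reportedly ships 10.0.14393.0' }
)

function Get-FileVersionExact([string]$Path) {
    # VersionInfo.FileVersion is a string that often carries branch text after the number
    # (e.g. "6.1.7601.24094 (win7sp1_ldr...)"), so build the version from the numeric parts.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

foreach ($c in $checks) {
    $name = Split-Path $c.File -Leaf
    if (-not (Test-Path -LiteralPath $c.File)) {
        Write-Output ("SKIP  {0,-12} not present on this system" -f $name)
        continue
    }
    $actual = Get-FileVersionExact $c.File
    # Only compare within the same OS branch (major.minor.build): a Win10 kernel is
    # numerically "newer" than any Win7 kernel but says nothing about Win7 fixes.
    $sameBranch = ($actual.Major -eq $c.Min.Major) -and
                  ($actual.Minor -eq $c.Min.Minor) -and
                  ($actual.Build -eq $c.Min.Build)
    if (-not $sameBranch) {
        Write-Output ("SKIP  {0,-12} {1} is a different OS branch than expected {2}" -f $name, $actual, $c.Min)
        continue
    }
    # OLD means the file is below the level the column associates with the fix
    # (or, for Credssp.dll, that the April regression is present).
    $state = if ($actual -ge $c.Min) { 'OK  ' } else { 'OLD ' }
    Write-Output ("{0}  {1,-12} installed {2}, expected >= {3}  [{4}]" -f $state, $name, $actual, $c.Min, $c.Note)
}
```

An OLD result on win32k.sys or ntoskrnl.exe on Win7 means the April rollup or security-only patch is not actually in place, whatever Windows Update’s checkboxes say; an OLD Credssp.dll on 1607 matches the regression reported above.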
For details, I strongly urge you overworked and underappreciated admins to subscribe to Shavlik’s Patchmanagement newsletter.
An Outlook security patch that doesn’t
Microsoft released a handful of patches for Word 2007, 2010, 2013, 2016 and Office 2010 under the heading CVE-2018-0950, where:
An information disclosure vulnerability exists when Office renders Rich Text Format (RTF) email messages containing OLE objects when a message is opened or previewed. This vulnerability could potentially result in the disclosure of sensitive information to a malicious site.
To exploit the vulnerability, an attacker would have to send an RTF-formatted email to a user and convince the user to open or preview the email. A connection to a remote SMB server could then be automatically initiated, enabling the attacker to brute-force attack the corresponding NTLM challenge and response in order to disclose the corresponding hash password.
But according to Will Dormann at CERT/CC, who originally reported the vulnerability to Microsoft 18 months ago, Microsoft’s fix doesn’t fix the whole problem. He says:
Microsoft released a fix for the issue of Outlook automatically loading remote OLE content (CVE-2018-0950). Once this fix is installed, previewed email messages will no longer automatically connect to remote SMB servers. … It is important to realize that even with this patch, a user is still a single click away from falling victim to the types of attacks described above
Dormann’s advice? Use complex passwords and a password manager, and those of you managing servers need to jump through even more hoops.
In other news
We have reports that the same update is causing Windows to complain that it hasn’t been activated. Multiple reboots solved the problem.
And we have another report of a PAGE_FAULT_IN_NONPAGED_AREA blue screen, error 0x800f0845, with the same patch.
Two people who installed it on Windows 7 Professional computers now can’t get into their machines: on startup they get the message “user profile not found” with an OK button underneath. Clicking OK logs them off, the message comes back, and the cycle repeats.
What to do?
We’re seeing reports of Win7 patches that are checked, unchecked, sometimes disappearing, occasionally reappearing, and vanishing into thin air. Don’t be concerned. Microsoft doesn’t know why, either.
For the non-Win7 patches, there’s no immediate need to install anything. If the font phunnies heat up, we’ll keep you posted, but for now the situation’s unbelievably complex and devolving rapidly.
Thanks, as always, to MrBrian, abbodi86, PKCano, and all of the people at AskWoody who hold Microsoft’s patching feet to the fire.
Join us for the latest commiseration on the AskWoody Lounge.