With all of the problems in the January, February and March patches for Windows and Office, you’d think we would find a break in April. In one sense we did — some of the worst bugs in the earlier patches now appear to be behind us. But we’re definitely not out of the woods just yet.
Patch Tuesday by the numbers
Tuesday, Microsoft released 177 separate patches covering 66 security holes (CVEs), 24 of which are rated “critical.” The SANS Internet Storm Center says that only one of the patches, CVE-2018-1034, covers a security hole that’s been publicly documented, and it isn’t being exploited.
Further details, compliments of Martin Brinkmann on ghacks:
- Win7: 21 vulnerabilities, 6 rated critical
- Win8.1: 23 vulnerabilities, 6 rated critical
- Win10 version 1607: 25 vulnerabilities, 6 critical. (Note that this is the last scheduled security update for Win10 1607.)
- Win10 version 1703: 28 vulnerabilities, 6 critical
- Win10 version 1709: 28 vulnerabilities, 6 critical
- Server 2008 R2: 21 vulnerabilities, 6 critical
- Server 2012 and 2012 R2: 23 vulnerabilities, 6 critical
- Server 2016: 27 vulnerabilities, 6 critical
- IE 11: 13 vulnerabilities, 8 critical
- Edge: 10 vulnerabilities, 8 critical
As Dustin Childs notes on the Zero Day Initiative site, five of the critical bugs are variations on an old, tired theme: a “bad” font can take over your machine if you’re running in admin mode. And it doesn’t matter where the font appears — on a web page, in a document, in an email. Don’t you just love it when fonts get rendered inside the Windows kernel?
As of early Thursday morning, there are no known exploits for the font phunnies.
Top points, from my point of view, anyway:
- Every version of Windows gets patched. All have 6 “critical” patches.
- The old restriction on compatible antivirus products has been lifted on Win7 and 8.1 — it was already lifted on Win10. The old constraints are still in effect for last month’s patches.
- Windows 7 and Server 2008R2 are still a mess. We’re entering the realm of surreal patching sequences. See the next two sections.
- The old Win7/Server 2008R2 SMB server memory leak is still there — that’s a showstopper for many folks running 2008R2 servers.
- The old Win7/Server 2008R2 bluescreens for SSE2 are still there.
- Microsoft thinks it fixed an old data-stealing bug in Outlook, but the hole’s still one click away.
- There’s no update that I can see on the Word 2016 March security patch KB 4011730 that prevented Word from opening and saving docs.
- We’re still getting Office 2007 patches, six months after it was supposed to hit end of life.
- We even got a strange hardware fix, for the Microsoft Wireless 850 Keyboard.
Some progress on the Win7 Keystone Kops patches
If you’ve been following along, you know that Win7/Server 2008 R2 has left a trail of tears, starting with the January security patches, which introduced the Total Meltdown gaping security hole, followed by an SMB server bug introduced in March that may render it inoperable, and buggy patches that created phantom Network Interface Cards (NICs) and shot down static IP addresses.
This month, it appears as if some of those problems have been solved. In particular, the Win7/Server 2008R2 Monthly Rollup KB 4093118 and the manually installed KB 4093108 Security-only patch replace the preliminary KB 4100480 that’s supposed to fix the Total Meltdown bugs in this year’s Win7 patches. KB 4093118 and KB 4093108 also contain the fix in KB 4099467, which eliminates the Stop 0xAB error when you log off. Not so coincidentally, both of those bugs were introduced by security fixes released earlier this year.
According to MrBrian, installing this month’s Win7 Monthly Rollup or Security-only patch obliterates those bugs:
- KB4093118 and KB4093108 contain v6.1.7601.24094 of files ntoskrnl.exe and ntkrnlpa.exe, which is newer than the v6.1.7601.24093 files ntoskrnl.exe and ntkrnlpa.exe contained in the Total Meltdown fix KB4100480. (My analysis of KB4100480.) Thus, KB4093118 and KB4093108 very likely fix Total Meltdown without needing to install KB4100480.
- KB4093118 and KB4093108 contain v6.1.7601.24093 of file win32k.sys, which is newer than the v6.1.7601.24061 file win32k.sys contained in KB4099467. (abbodi86’s analysis of KB4099467.) Thus, KB4093118 and KB4093108 very likely fix the same issue fixed by KB4099467 without needing to install KB4099467.
Or at least it’s supposed to erase those bugs.
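As an added example (not code from the article, MrBrian or abbodi86), this PowerShell snippet applies the version reasoning in the bullets above to a Win7/Server 2008 R2 machine: it reads the FileVersion of ntoskrnl.exe, ntkrnlpa.exe and win32k.sys, compares each numerically against the build quoted in the text, and lists which of the KBs discussed Get-HotFix reports as installed. It assumes PowerShell 3 or later and the standard System32 file paths.

```powershell
# Added example, not from the article: verify the file builds the text attributes to
# KB4093118/KB4093108 and list which related KBs this machine reports as installed.
# Minimum versions below are the ones quoted in MrBrian's and abbodi86's analysis.
$Checks = @(
    @{ Path = "$env:SystemRoot\System32\ntoskrnl.exe"; Minimum = '6.1.7601.24094'; Covers = 'Total Meltdown fix (supersedes KB4100480)' }
    @{ Path = "$env:SystemRoot\System32\ntkrnlpa.exe"; Minimum = '6.1.7601.24094'; Covers = 'Total Meltdown fix (supersedes KB4100480)' }
    @{ Path = "$env:SystemRoot\System32\win32k.sys";   Minimum = '6.1.7601.24093'; Covers = 'Stop 0xAB at logoff (supersedes KB4099467)' }
)

function Test-FileBuild {
    param([string]$Path, [string]$Minimum, [string]$Covers)
    $name = Split-Path -Path $Path -Leaf
    if (-not (Test-Path -LiteralPath $Path)) {
        # ntkrnlpa.exe exists only on 32-bit installs; report it as absent rather than failing.
        return [pscustomobject]@{ File = $name; Installed = 'absent'; Minimum = $Minimum; Ok = $null; Covers = $Covers }
    }
    # FileVersion reads like "6.1.7601.24094 (win7sp1_ldr.180410-0600)": keep the numeric part
    # and compare as [version] so .24094 vs .24093 is a numeric, not a string, comparison.
    $raw = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    $installed = [version]($raw -replace '\s.*$', '')
    [pscustomobject]@{
        File      = $name
        Installed = $installed.ToString()
        Minimum   = $Minimum
        Ok        = ($installed -ge [version]$Minimum)
        Covers    = $Covers
    }
}

# Which of the patches discussed in the article does this machine report as installed?
$KBs = 'KB4093118', 'KB4093108', 'KB4100480', 'KB4099467', 'KB4099950'
$present = Get-HotFix | Select-Object -ExpandProperty HotFixID
$kbReport = foreach ($kb in $KBs) {
    [pscustomobject]@{ KB = $kb; Installed = [bool]($present -contains $kb) }
}

$Checks | ForEach-Object { Test-FileBuild -Path $_.Path -Minimum $_.Minimum -Covers $_.Covers } | Format-Table -AutoSize
$kbReport | Format-Table -AutoSize
```

A row with Ok = True for ntoskrnl.exe and win32k.sys means the machine already carries builds at least as new as the ones in this month’s Rollup or Security-only patch, regardless of whether KB4100480 or KB4099467 ever went on.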
The phantom NIC and static IP bugs enter the Twilight Zone
That leaves us with two other significant bugs in the old Win7 patches. Microsoft describes them like this:
- A new Ethernet Network Interface Card (NIC) that has default settings may replace the previously existing NIC, causing network issues after you apply this update. Any custom settings on the previous NIC persist in the registry, but are unused.
- Static IP address settings are lost after you apply this update.
As of this moment, it looks as if the manual Win7 Security-only patch KB 4093108 fixes the phantom NIC bug and the static IP zapping bug — but the Monthly Rollup, KB 4093118, does not. That puts us in the surreal situation where Microsoft recommends that those installing the (automatically pushed) Monthly Rollup first install the (manual download) Security-only patch.
I didn’t believe that either until I read the newly updated KB article:
Microsoft is working on a resolution and will provide an update in an upcoming release.
Although the description isn’t crystal clear, it looks to me as if Microsoft is saying that anyone who uses Windows Update to install this month’s Win7 Monthly Rollup is required to dive into the Windows Catalog, download and install the Security-only patch, prior to letting Windows Update do the dirty deed. If you don’t do that, your NIC may fall over and play dead and/or any static IP addresses you’ve assigned will be wiped out.
But that’s not all for the Update Server folks
Those of you who control Update Servers have yet another lovable twist. Two of them.
Reading between the lines again, it appears as if WSUS and SCCM won’t queue up the Security-only patch prior to installing the Monthly Rollup. You have to do that manually. There was a notice sent out on Wednesday that urged admins to download a separate patch, KB 4099950, and install it prior to installing this month’s Win7 Monthly Rollup. Now, it seems, installing the Security-only patch first is the recommended course of action.
For standalone computers that use the B patching method of applying security-only updates – again you should be in wait-and-see mode right now. If you have a spare machine and want to live on the edge, install now. Otherwise get the popcorn out and wait to see what happens.
Again reading between the lines, it appears as if KB 4099950 prevents the phantom NIC and static IP zapping bugs. If you’ve already installed it, there’s no need to uninstall it, you’re good to go — and you don’t need to manually install this month’s Security-only patch. If you haven’t installed KB 4099950, Microsoft now says that the preferred method for fending off the IP problems is to install this month’s Security-only patch. Which means those of you at the helm of WSUS and SCCM servers need to make sure your users get the Security-only patch prior to receiving the Monthly Rollup. Clear as mud, right?
More than that, I’m getting reports that the Win10 1607 April cumulative update, KB 4093119, is dishing out a conflicting version of Credssp.dll. The March cumulative update installed version 10.0.14393.2125, whereas the April version installs version 10.0.14393.0.
For details, I strongly urge you busy and underappreciated admins to subscribe to Shavlik’s Patchmanagement newsletter.
An Outlook security patch that doesn’t
Microsoft released a handful of patches for Word 2007, 2010, 2013, 2016 and Office 2010 under the heading CVE-2018-0950, where:
An information disclosure vulnerability exists when Office renders Rich Text Format (RTF) email messages containing OLE objects when a message is opened or previewed. This vulnerability could potentially result in the disclosure of sensitive information to a malicious site.
To exploit the vulnerability, an attacker would have to send an RTF-formatted email to a user and convince the user to open or preview the email. A connection to a remote SMB server could then be automatically initiated, enabling the attacker to brute-force attack the corresponding NTLM challenge and response in order to disclose the corresponding hash password.
But according to Will Dormann at CERT/CC, who originally reported the vulnerability to Microsoft 18 months ago, Microsoft’s fix doesn’t fix the whole problem. He says:
Microsoft released a fix for the issue of Outlook automatically loading remote OLE content (CVE-2018-0950). Once this fix is installed, previewed email messages will no longer automatically connect to remote SMB servers. … It is important to realize that even with this patch, a user is still a single click away from falling victim to the types of attacks described above
Dormann’s advice? Use complex passwords and a password manager, and those of you managing servers need to jump through even more hoops.
In other news
We have reports that the same update is causing Windows to complain that it hasn’t been activated. Multiple reboots solved the problem.
And we have another report of a blue screen PAGE_FAULT_IN_NONPAGED_AREA error 0x800f0845 with the same patch.
Two people who installed it on Windows 7 Professional computers now can’t access the machine, getting the message on Startup “user profile not found.” Then underneath it says OK — they click OK and it logs off. Then it comes back and the same thing happens.
What to do?
We’re seeing reports of Win7 patches that are checked, unchecked, occasionally disappearing, sporadically reappearing, and vanishing into thin air. Don’t be concerned. Microsoft doesn’t know why, either.
For the non-Win7 patches, there’s no immediate need to install anything. If the font phunnies heat up, I’ll keep you posted, but for now the situation’s unbelievably complex and devolving rapidly.
Thanks, as always, to MrBrian, abbodi86, PKCano, and all of the people at AskWoody who hold Microsoft’s patching feet to the fire.
Join us for the latest commiseration on the AskWoody Lounge.