March 2018 Patch Tuesday

The patches are starting to appear. I’ll keep this post updated as the situation becomes more clear.

OF COURSE We’re still at MS-DEFCON 2. You’d have to be a real glutton for punishment — and a daft one at that — to install any of these patches just yet.

SANS Internet Storm Center has its visual analysis. There are no “critical” vulnerabilities that have been disclosed, or used in the wild.

Martin Brinkmann has his usual in-depth look on ghacks.net. And it’s a busy Tuesday:

Windows 7: 21 vulnerabilities of which 21 are rated important
Windows 8.1: 20 vulnerabilities of which 20 are rated important
Windows 10 version 1607: 29 vulnerabilities of which 29 are rated important
Windows 10 version 1703: 28 vulnerabilities of which 28 are rated important
Windows 10 version 1709: 24 vulnerabilities of which 24 are rated important
Internet Explorer 11: 7 vulnerabilities, 2 critical, 5 important
Microsoft Edge: 16 vulnerabilities, 12 critical, 4 important

Don’t tell me how Edge is so much more secure than IE.

@PKCano has updated the list in AKB2000003, for those of you who apply Win7 and 8.1 Security-only patches manually.

I’ve updated the list of recently revised KB articles, KBNew. Quick check confirms that this month’s new KBs are listed there.

The master list — the Security Update Guide — is up on the MSRC Security TechCenter blog. Looks like there are 157 separately identified patches.

John Cable has the official Patch Tuesday announcement on the Windows blog.

Based on our analysis of available data, we are now lifting the AV compatibility check for the March Windows security updates for supported Windows 10 devices via Windows Update.

(Note that the antivirus check is still in effect for Win7 and 8.1.)

Microsoft has updated its Security Advisory ADV180002 Guidance to mitigate speculative execution side-channel vulnerabilities:

The following updates have been made: 1. Microsoft has released security updates for Windows Server 2008 and Windows Server 2012 to provide mitigations against the vulnerabilities discussed in this advisory. See the Affected Products table for links to download and install the updates. Note that these updates are also available via Windows Update. 2. Microsoft has also released security updates to provide additional protections for the 32-bit (x86) versions of Windows 7 and Windows 8.1. These updates are included in the March Security Only and Monthly Rollup updates. See the Affected Products table for links to download and install the updates. 3. Updated FAQ #14 to announce that the following stand-alone updates for Windows 10 are available via the Microsoft Update Catalog. These updates include microcode updates from Intel: For devices running Windows 10 Version 1703, for the latest available microcode updates see Microsoft Knowledge Base Article 4091663 (https://support.microsoft.com/en-us/help/4091663). For devices running Windows 10 Version 1607 and Windows Server 2016, for the latest available microcode updates see Microsoft Knowledge Base Article 4091664 (https://support.microsoft.com/en-us/help/4091664). For devices running Windows 10, for the the latest available microcode updates see Microsoft Knowledge Base Article 4091666 (https://support.microsoft.com/en-us/help/4091666). 4. Corrected FAQ #12 to better describe what customers need to do if they have not installed the January or February 2018 Security Only updates, and they want to be protected from the vulnerabilities described in this advisory.

These updates are currently available via the Microsoft Update Catalog for devices running Windows 10 Version 1703. For more information and the latest available microcode update for devices running Windows 10 Version 1703, see Microsoft Knowledge Base Article 4091663.

These updates are currently available via the Microsoft Update Catalog for devices running Windows 10 Version 1607 and Windows Server 2016. For more information and the latest available microcode update for devices running Windows 10 Version 1607 or Windows Server 2016, see Microsoft Knowledge Base Article 4091664.

These updates are currently available via the Microsoft Update Catalog for devices running Windows 10. For more information and the latest available microcode update for devices running Windows 10, see Microsoft Knowledge Base Article 4091666.

Microsoft will make available Intel microcode updates for Windows operating systems as they become available.

Worth noting: “Microsoft has not received any information to indicate that these vulnerabilities have been used to attack customers at this time. ”

Ed Bott’s overview is up on ZDNet:

a variety of security updates for all supported Windows versions, as well as removing a compatibility check for antivirus software. A separate release significantly expands available microcode updates for affected Intel CPUs… includes security updates that defend against the Meltdown vulnerability on PCs running x86 versions of Windows 7 and 8.1. With those updates, all currently supported Windows releases now include defense against this vulnerability.

Trend Micro’s ZeroDay Initiative posted its analysis:

Microsoft released a whopping 75 security patches for March covering Internet Explorer (IE), Edge, ChakraCore, Microsoft Windows, Microsoft Office, and ASP.NET Core. Of these 75 CVEs, 14 are listed as Critical and 61 are rated Important in severity. Six of these CVEs came through the ZDI program. Two of these bugs are listed as being publicly known, but none are listed as being under active attack.

The official Office Update page is up:

The March 2018 Public Update releases for Office are now available! This month, there are 23 security updates and 26 non-security updates. All of the security and non-security updates are listed in KB article 4090988.

Thx @PKCano, @sb