Tues, Oct 10, 2017

Group B Security-only patches have been updated at AKB2000003

UPDATE: There are no Security-only .NET updates (these are not a part of Group B) listed this month.

For those who follow it, the SANS ISC have posted their chart for the October 2017 Security Updates: https://isc.sans.edu/forums/diary/October+2017+Security+Updates/22916/ .

There is Word Zero-day vulnerability.

And once again, the most secure OS – EVAR!!! – has the most vulnerabilities.

And that’s not even just on mobiles ;)!

Thanks for the update, Woody.

The October 2017 Security Update Review

20 vulnerabilities to Win 7 in the course of only one month.  Wow, the miscreants must be working overtime!

For the first time, I’m seeing Delta Updates for Win 10 1607 and 1703 along with the regular Cumulative Updates.  This is on our WSUS server.  I thought the deltas were only for non-WSUS environments.  Supposedly there are known problems if you try to install both regular and delta.  I’ve declined the deltas, but I wonder what’s going on.

Note for those who use Windows security-only updates: From both October 2017 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, and 4.7 for Windows 7 SP1 and Windows Server 2008 R2 SP1 (KB 4043766) and October 2017 Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, and 4.7 updates for Windows 8.1, Windows RT 8.1 and Windows Server 2012 R2 (KB 4043767):

“All updates for .NET Framework 4.6, 4.6.1, 4.6.2, and 4.7 require the D3 Compiler to be installed. We recommend that you install the included D3 Compiler before applying this update. For more information about the D3 Compiler, see KB 4019990.”

Well, after being “updated” by KB4041676 my Win 10 1703 Home system is unable to correctly eject a USB 3 external 2 TB WD My Book Drive which I use for system backups.  When ejection is attempted, I get the following win error message:

“Problem Ejecting USB Mass Storage Device’

“Windows is unable to stop the device “USB Mass Storage Device”.  Don’t remove this device while it is still in use.  Close any programs using this device and then remove it.”

Prior to updating to the aforementioned KB, there was no problem ejecting this device.   My problem is I don’t know of any other program or app that’s using this disk, after my Reflect backup app is closed.

Edit to remove HTML

Has Microsoft had a change of heart, or is it another Microsoft screw up? According to the support page: https://support.microsoft.com/en-us/help/4041678/windows-7-update-kb4041678, which is the October Security Only update for Windows 7,  there are now 2 ways to get the update, as quoted below…

This update will be downloaded and installed automatically from Windows Update. To get the standalone package for this update, go to the Microsoft Update Catalog website.

Windows 7 64 bit all OK but Malicious Software Removal Tool now created two  files with the same size (MRT.exe and MRT-KB890830.exe). This is normal? Never seen that before.

“Adobe has told Brian Krebs that they have no security updates today.”

I’m confused – I just updated it. From their release notes:

“October 10, 2017

In today’s scheduled release, we’ve updated Flash Player and the Windows AIR SDK with important bug fixes.”

https://helpx.adobe.com/flash-player/release-note/fp_27_air_27_release_notes.html

From Fake Crypto: Microsoft Outlook S/MIME Cleartext Disclosure (CVE-2017-11776): “We discovered a vulnerability in Outlook’s S/MIME functionality. The short version: If you used Outlook’s S/MIME encryption in the past 6 months (at least, we are still waiting for Microsoft to release detailed information and update the blog) your mails might not have been encrypted as expected. In the context of encryption this can be considered a worst-case bug.”

I switched over to Group A a couple months back, do I need to download KB 4019990?

I was watching George Pal’s 1960 movie of H.G. Wells’ The Time Machine the other day and I couldn’t help but wonder if we’ll still be patching Windows security issues in the year 802,701 A.D.?

Not as far fetched as it may seem, in my opinion.

Carl D.

https://support.microsoft.com/en-us/help/4048718/wpf-crashes-after-the-october-2017-security-and-monthly-quality-rollup

Is this Patch Tuesday also the last time Microsoft is going to patch Windows 10 Version 1511?

Group A,  Win 7 X64, Home Premium  Office 2010.  Downloaded everything.  So far nothing out of the ordinary happened.

By ‘design’, checking for updates on the Windows 10 Settings > Update & security page, download and install is triggered automatically when updates are avaialable. Of course, this is not what the user would expect, especially when running on Pro or Enterprise…

However, there’s a workaround. Open a PowerShell console, enter:
(New-Object -ComObject "Microsoft.Update.AutoUpdate").DetectNow()
and hit Enter.

Note that the DetectNow() method immediately returns to the prompt, but you can watch progress on the Windows 10 Settings > Update & security page. See https://msdn.microsoft.com/en-us/library/windows/desktop/aa385832(v=vs.85).aspx for details about the DetectNow() method.

The known issue for the W7 monthly:
After installing KB4041681, package users may see an error dialog that indicates that an application exception has occurred when closing some applications.

I am not English – can someone explain to me what package users are? Thanks!
~Annemarie

I see on your latest Woody on Windows, u talk about Security Advisory ADV170012.  Where does Microsoft post these Security Advisories at?

On the first of my two Windows 7 desktops, the .Net Framework Security and Quality  Rollup is only offered as an unchecked optional update (KB4043766). As important updates I only have KB4041681 (the usual Quality Monthly Rollup) and the usual MSRT.

My second Windows 7 desktop has the same updates offered in the same way, plus 4 updates for Office 2010 (which is only installed on that machine).

I am, of course, ignoring all of them for the time being.

Came in this morning to see people frantic as my alpha test group was blue screening machines, following our nightly maintenance cycle, with “inaccessible boot device” error messages being displayed on machines.

We believe it’s mostly Windows 10 systems. I’m just starting to investigate. Not every Windows 10 system that patched had a problem, so it definitely may be specific builds.

Microsoft is really starting to p*** my off with their lack of QA and cumulative update idiocy. They’ve basically sc***ed up every single Patch Tuesday cycle this year. I thought past years were bad. I’m just really glad we have an alpha release and beta release process, with an extended window. It’s sad that we have to be so cautious when it comes to their patches. Our process worked, but it’s going to be a nightmare day or two here.

From .NET Framework October 2017 Security and Quality Rollup:

“Today, we are releasing the October 2017 Security and Quality Rollup.

The update applies to all supported Windows versions. It includes a known issue for Windows 10 1507 (see below).

[…]

This release contains no new security updates.”

All right, Win 7 Ultimate 32 bit, just installed this month’s group B patches, 4040685 and 4041678, plus the .NET bundle, 4043766, even though it’s just recommended. So far everything seems normal.

But I keep seeing fixes added only to the bundle. There were quite a pile of IE fixes both last month and now, group A bundle only apparently, the only thing that made it through into the security-only IE patch was last month’s search bar thing, so not a fix but actually something that messed things up for some. And now I see a fix for an USB hub memory corruption causing crashes, again listed in the bundle only. Is this the norm now? Any way to just get the fixes out of the bundle? :/

But have a question, saw KB4038923 as a .NET hotfix released after the August patch Tuesday and apparently not included in the September or October .NET rollups (at least they don’t have this among what they list as replacing and it lists nothing as replacing it). Would there be any use in installing that separately?

Crystal Reports connecting to Excel stopped working. Any ideas what patch from last night would have caused this?

We’ve got a user whose CRM integration with Outlook 2010 is broken since the update. All the CRM related items in the left hand navigation pane fail to load anything, but if he tries to open a CRM record in some other way (such as clicking on a name at the bottom of Tracked email) it opens just fine.

Anyone else experiencing similar issues since the update? We’re still investigating on our end but wanted to check and see if anyone else was in the same boat.

Here are the security advisories for this month (found using this technique):

ADV170012 | Vulnerability in TPM could allow Security Feature Bypass

ADV170014 | Optional Windows NTLM SSO authentication changes

ADV170016 | Windows Server 2008 Defense in Depth

ADV170017 | Office Defense in Depth Update

MrBrian wrote:

Note for those who use Windows security-only updates: From both October 2017 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, and 4.7 for Windows 7 SP1 and Windows Server 2008 R2 SP1 (KB 4043766) and October 2017 Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, and 4.7 updates for Windows 8.1, Windows RT 8.1 and Windows Server 2012 R2 (KB 4043767): “All updates for .NET Framework 4.6, 4.6.1, 4.6.2, and 4.7 require the D3 Compiler to be installed. We recommend that you install the included D3 Compiler before applying this update. For more information about the D3 Compiler, see KB 4019990.”

Currently 4043767 isn’t being offered to me.  Until it shows up in windows update, I’m not about to be overly concerned about it.  Thanks for the heads up though.  Should it appear I’ll be sure to grab the compiler.

Incidentally, after all that fun we had with the hiding of those rollups since they began in August 2016, when I went to look for .NET history I had a look at my hidden list & lo & behold all the rollups were gone.  None of them were on the installed list.  Check it out fella.

https://imgur.com/a/5kYmZ

derzeitgeist wrote:

Came in this morning to see people frantic as my alpha test group was blue screening machines, following our nightly maintenance cycle, with “inaccessible boot device” error messages being displayed on machines. We believe it’s mostly Windows 10 systems. I’m just starting to investigate. Not every Windows 10 system that patched had a problem, so it definitely may be specific builds. Microsoft is really starting to p*** my off with their lack of QA and cumulative update idiocy. They’ve basically screwed up every single Patch Tuesday cycle this year. I thought past years were bad. I’m just really glad we have an alpha release and beta release process, with an extended window. It’s sad that we have to be so cautious when it comes to their patches. Our process worked, but it’s going to be a nightmare day or two here.

I’ve collected a few details at Windows 10 V1703: Update KB4041676 install issues. This scenario occurs only in WSUS/SCCM, if both alpha and CU has been approved for install (it should have never been released, and admins never should have approved both update types).

Dear Woody,

Your work with the information about this cumulative new patching system of Microsoft is very important. Thank you very much! That being said, I wish to know if there is a way to notice if patches include telemetry updates, because MS became too “imprecise” with the way they describe the patches contents.

I have a telemetry-free (to my knowledge and for now) Windows 7 x64 Ultimate installation that works fast and flawlessly. I almost didn’t install ONE cumulative patch because it’s more difficult to really know what they contain, and have been avoiding the “conflicting” individual patches so far, following your reports and people’s feedback.

Of course I don’t want to be exposed to vulnerabilities, I have a lot of protective measures nevertheless (firewalls, etc.) and a caring user behavior regarding security, but I don’t want to mess my great Windows 7 flawless install because Microsoft want to transform every Windows in a telemetry-bugged-beacon.

Thank you again and everyone reporting here,

G.

My employer pushed the Windows 7 Rollup (KB4041681) to my work computer this morning. There were no apparent issues, but I’m not installing that update on my home system yet.

This is the Office 2007 sp3 EOL, or they extended it?

From Windows devices may fail to boot after installing October 10 version of KB4041676 or KB4041691 that contained a publishing issue (my bolding):

“Microsoft is aware of a publishing issue with the October 10th, 2017 monthly security updates for Windows 10 version 1703 (KB4041676) and version 1607 (KB4041691), and Windows Server 2016 (KB4041691) for WSUS/SCCM managed devices. Customers that download updates directly from Windows Update (Home and consumer devices) or Windows Update for Business are not impacted.“

I have to report a bug or is it a “feature” maybe, with the:
2017-10 Security Monthly Quality Rollup for Windows 7 for x64-based Systems KB4041681
2017-10 Security Only Quality Update for Windows 7 for x64-based Systems KB4041678

I work in IT and yesterday we got bombarded with the problem that we can not import an xls file into our application, which we have been doing since forever.

It gives an error: Unexpected error from external database driver (1).
We dug deeper and got to the Provider=Microsoft.Jet.OLEDB.4.0;Data Source={0};Extended Properties=\”Excel 8.0;HDR=Yes;IMEX=1\” not working anymore.

After we removed both updates everything was back to normal.

Just an FYI to everyone with the same problem.

Edit to remove HTML
Please convert to plain text before copy/paste

Last month after the automatic patching of Windows Server 2012 R2, my domain got unassigned from the network card and I lost all possibility to connect to the SQL database for the accounting package. This month, same thing, right after the automatic patching during the night. Nobody able to work in the morning. I don’t manage this server. I don’t know Windows Server, I don’t use it.

The trick was to simply disable the network card, then reenable it. Quickly realizing the network was public and not domain, I tried things for an hour with a consultant last time before finding that: restarted, registry tricks, manually assigning the domain to the private network…

Another article about October’s KB4041676 update:

Windows 10 mandatory October KB4041676 update is causing machines to BSOD

On my Win 8.1 test VM…

Windows Update service started, firewall reconfigured to allow updates, and the patches are going in Group A style as usual for this time of the month…

Also as usual, the updating process went smoothly and the VM booted right back up.

No new errors or warnings have appeared in the event log.

A quick comparison of my LogSystemInfo output before/after revealed:

• KB4043763 and KB4041693 added, KB4038792 removed from WMIC qfe list.
• Tasks in the WindowsUpdate section of the scheduler were re-enabled as usual.
• A fair number of system modules, including protocol handlers updated to new build numbers.

Fitness testing to commence next. More as I learn it.

-Noel

I have 3.5.1 and 4.5.2 .NET  installed on my Windows 7 x64 machine, & even though I’m still Group B Security-only, I’ve been installing the .NET Framework Security and Quality Rollup when it’s offered to me in the monthly windows updates. The most recent one being the September 2017 update. Now after reading the various messages in this topic about the October 2017 .NET Security and Quality Rollup, I’ve been trying to determine if I need to install this new October .NET update, even though it didn’t show up in this months updates…

According to what “abbodi86” wrote in message “#136676”,  “3.5 & 4.5.2 patches have not changed, same as September rollup. only 4.7 got new “quality” patch”

The thing is when I compared the October 2017.NET Framework Security and Quality Rollup information to that of the September 2017 .NET Framework Security and Quality Rollup information: ( https://blogs.msdn.microsoft.com/dotnet/2017/10/10/net-framework-october-2017-security-and-quality-rollup/ & https://blogs.msdn.microsoft.com/dotnet/2017/09/12/net-framework-september-2017-security-and-quality-rollup/ ) there is an additional WPF Quality and Reliability Improvement in the October update that wasn’t listed in the September update.

Considering that the October update States the following: “The update applies to all supported Windows versions”, does this additional October improvement (shown below) mean that there is a difference between the September & October 3.5 & 4.5.2 patches? And if so, should the October patch be installed on machines having 3.5.1 and 4.5.2 .NET Framework installed even if the September update was previously installed?

The quality and reliability improvement that’s listed in the October update, but not the September update, is the following: Rendering of WPF UI Elements is disabled in Windows Services. [497334]

On my Win 7 test VM…

Windows Update service started, firewall reconfigured to allow updates, and the patches are going in Group A style as usual for this time of the month…

As usual, the update process went smoothly and the VM booted back up quickly and smoothly.

The event log is clean of warnings and errors.

The running process count settled to the usual count of 39 to support my otherwise idle desktop.

A comparison of before/after LogSystemInfo output reveals:

• “Unknown” status for several scheduled jobs, which previously reported “Ready”.
• KB4041681 added and KB4038777 removed in WMI qfe list.
• Quite a few components updated, showing new build numbers.

I’ll update this thread with a response once I do more testing.

-Noel

I have Windows 7 Home Edition 64-bit system.  I have not seen KB4043766 in my Window update listing for October.  In stead, KB3186497 Microsoft .NET Framework 4.7 for Windows 7 and Windows Server 2008 R2 — Published 6/27/17 showed up. When the Ok is given to install October updates, do I install KB3186497 or ignore it.

KB4041678 (Security-Only Update) for Windows 7

“ICS”(Internet Connection Sharing) / SMB Funktion is broken…

WLAN Connection and SMB(File & Printer) transmission problems.

– Laptop(ICS Server) / Windows 7 pro x64
– Intel WiFi WLAN-Adapter
– 3G+ Mobilfunk-Stick / USB

Absolute unusable…!

For those who still require the Jave Runtime Environment (JRE), Oracle have issued an update, version 8u151: “This Critical Patch Update contains 22 new security fixes for Oracle Java SE.  20 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.”

The full 2017.10 Critical Patch Update Advisory is at http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html . Java can be manually updated through its Control Panel (if not set to do so automatically) or the off-line (full) installer may be downloaded at http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html (enterprise version; clean).

CVE-2017-11826 | Microsoft Office Memory Corruption Vulnerability – fixed in October 2017 – is now listed as a “Top 10” vulnerability at Threat Landscape Dashboard.

OK so where are we regarding October updates for Windows 7 users?

There is so much cross talk about Windows 10 and Net xxx that I can no longer find what is happening with Windows 7 x64 (and Microsoft Office 2010, especially the latest Outlook 2010 update KB4011196).

Are these good to install?

Is it time to monthly updates by Windows version vs all versions muddled together with primaily Windows 10 issues?

Issue added to Cumulative security update for Internet Explorer: October 10, 2017: “After installing this KB, Internet Explorer 11 users who use SQL Server Reporting Services (SSRS) may not be able to scroll through a drop-down menu by using the scroll bar.”

ADV170012 | Vulnerability in TPM could allow Security Feature Bypass has been revised multiple times, most recently 6 days ago.