{"id":11177,"date":"2018-01-19T10:30:25","date_gmt":"2018-01-19T18:30:25","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/01\/19\/news-4948\/"},"modified":"2018-01-19T10:30:25","modified_gmt":"2018-01-19T18:30:25","slug":"news-4948","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/01\/19\/news-4948\/","title":{"rendered":"Patching meltdown: Windows fixes, sloppy .NET, warnings about Word and Outlook"},"content":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Fri, 19 Jan 2018 09:28:00 -0800<\/strong><\/p>\n

On the heels of the Jan. 17 release of 14 Windows and .NET patches<\/a>, we now have a huge crop of new patches, revised older patches, warnings about bugs, and a bewildered ecosystem of Microsoft customers who can\u2019t figure out what in the blue blazes is going on.<\/p>\n

Let\u2019s step through the, uh, offerings on Jan. 18.<\/p>\n

Win10 Fall Creators Update version 1709 \u2014<\/strong>\u00a0Cumulative update KB 4073291<\/a> brings the Meltdown\/Spectre patches to 32-bit machines. What, you thought 32-bit machines already had Meltdown\/Spectre patches? Silly mortal. Microsoft\u2019s Security Advisory ADV180002 <\/a>has the dirty details in the fine print, point 7:<\/p>\n

Q: I have an x86 architecture and the PowerShell Verification output indicates that I am not fully protected from these speculative execution side-channel vulnerabilities. Will Microsoft provide complete protections in the future?<\/p>\n

A: Addressing a hardware vulnerability with a software update presents significant challenges and mitigations for older operating systems that require extensive architectural changes. The existing 32 bit update packages listed in this advisory fully address CVE-2017-5753 and CVE-2017-5715, but do not provide protections for CVE-2017-5754 at this time. Microsoft is continuing to work with affected chip manufacturers and investigate the best way to provide mitigations for x86 customers, which may be provided in a future update.<\/p>\n

It appears as if this is the first 32-bit version of Windows that has a patch for the Meltdown vulnerability. Surprise.<\/p>\n

Like most of the patches I talked about yesterday, this one is available only through the Update Catalog<\/a> \u2014 it won\u2019t be pushed onto your machine.<\/p>\n

Win10 Fall (\u201cNovember\u201d) Update version 1511 (Enterprise\/Education only)<\/strong> \u2014 The cumulative update KB 4075200 <\/a>continues in the illustrious tradition of the 1703 and 1607 updates I discussed yesterday<\/a>. It\u2019s the second cumulative update for 1511 so far this month. This patch \u201caddresses [an] issue where some customers with AMD devices get into an unbootable state.\u201d Like all of the Meltdown\/Spectre patches, you need to use antivirus software that sets the correct registry key<\/a> before KB 4075200 will install. KB 4075200 isn\u2019t being pushed out Windows Update; it\u2019s available only by manually downloading it from the Update Catalog<\/a>.<\/p>\n

Win10 RTM (\u201cInitial version\u201d) version 1507<\/strong> (Enterprise LTSC) <\/strong>\u2014 Cumulative update KB 4075199<\/a>. Same story as 1511 above.<\/p>\n

Win8.1 <\/strong>\u2014\u00a0Microsoft officially acknowledged what we\u2019ve suspected \u2014\u00a0that it released two versions of its Win8.1 Security-only update, KB 4056898<\/a>: one on Jan. 3 and the other on Jan. 5. Except the warning’s buried in Security Advisory ADV180002<\/a>:<\/p>\n

On January 5, 2018, Microsoft re-released KB4056898 (Security Only) for Windows 8.1 and Windows Server 2012 R2 to address a known issue. Customers who have installed the original package on 1\/3\/2018 should reinstall the update.<\/p>\n

I warned you about the switcheroo<\/a> back on Jan. 10. Now we have official acknowledgment, but still no description of the \u201cknown issue.\u201d The KB article<\/a> still doesn\u2019t acknowledge, or describe, the swicheroo.<\/p>\n

According to Catalin Cimpanu at Bleepingcomputer<\/a>, Microsoft has started pushing five of the patches that it pulled because they bricked AMD machines<\/a>. Details are sketchy at this point, but Cimpanu says Microsoft has started pushing all of these patches onto AMD machines:<\/p>\n

But, per Cimpanu, these patches are still being withheld from AMD machines:<\/p>\n

As best I can tell, there have been no changes made to any of the five patches that are now going out to AMD machines. It\u2019s not at all clear \u2014 and Microsoft certainly hasn\u2019t said anything \u2014 why these patches are going out now, and how they fixed the manifest problems with the earlier version.<\/p>\n

Of course, we haven\u2019t received any answer to last week\u2019s question: Microsoft reinstates Meltdown\/Spectre patches for some AMD processors \u2014 but which ones?<\/a><\/p>\n

Trust us. We\u2019re from Microsoft, and we\u2019re here to help.<\/p>\n

I found out more about the “Unbootable state for AMD devices” patches that I discussed yesterday<\/a>. We still don\u2019t have any official answers to the chicken-and-egg nature of a patch specifically issued for machines that have already been bricked by an earlier patch. It still isn\u2019t clear if, after unbricking your machine and installing the new patch, you need to re-install the old patch.<\/p>\n

But one bit of enlightenment appeared yesterday on, not any Microsoft site, but on the Symantec Endpoint Protection site<\/a>. Of course. It seems Symantec Endpoint Protection has been suffering from a tray icon bug brought on by Microsoft\u2019s Jan. 3 patches. Symantec issued a hotfix to clear the problem, but that\u2019s been pulled\u2026 because Microsoft fixed the bug.<\/p>\n

According to Symantec, the tray icon bug \u2014 introduced by Microsoft on Jan. 3 \u2014 has been fixed in:<\/p>\n

But the barely documented fun ‘n games don\u2019t end there.<\/p>\n

Yesterday, Microsoft changed its documentation for these .NET patches:<\/p>\n

The files ndp47-kb4074880-x64[\u2026].exe and ndp47-kb4074880-x86[\u2026].exe currently in the catalog for KB4055532<\/a> (January 2018 .NET Framework monthly rollup for Windows 7) have a digital signature of January 11, 2018, which is newer than the original release date. Also, despite the fact that I installed the January 2018 .NET Framework monthly rollup for Windows 7 on Monday (I have .NET Framework 4.7), it is being offered again in Windows Update (it\u2019s ticked).<\/p>\n

Deep in the Revisions list of CVE-2018-0764<\/a>, there\u2019s an explanation:<\/p>\n

To address a regression issue after installing security update 4055002, Microsoft has released security update 4074880 for Microsoft .NET 4.6\/4.6.1\/4.6.2\/4.7\/4.7.1 installed on supported editions of Windows 7 and Windows Server 2008 R2. Customers who have already installed KB4055002 should install KB4074880 to be protected from this vulnerability.<\/p>\n

If you\u2019re keeping a January patch scorecard, it\u2019s official. Your collection of scorecards now need an index.<\/p>\n

This month\u2019s patches aren\u2019t all about Meltdown and Spectre. Even our good old friend Word has joined the now well-worn \u201coops we did it again\u201d chorus line. Remember earlier this month when Microsoft fixed the Office Online Server security hole CVE-2018-0792? Yeah, me neither, but on Jan. 9, Microsoft rolled out patch KB 4011021<\/a>.<\/p>\n

Except, well, it didn\u2019t install on some machines. No explanation why. Instead, we get this posted <\/a>nine days later:<\/p>\n

To address a known issue with installing security update 4011021, Microsoft is announcing the availability of security update 4011022 as a replacement. Customers who experienced problems installing 4011021 should install 4011022.<\/p>\n

And just to put icing on your buggy patching cake, there\u2019s a reported bug in the KB 4011626 update for Outlook 2016. Microsoft has acknowledged<\/a> at least part of the problem:<\/p>\n

After you install this security update, attachments are removed when you forward plain text emails. To work around this issue, save the attachments locally, reattach, and then send the email. \u00a0<\/p>\n

But of course there\u2019s no fix. I see continuing discussions on the Microsoft TechNet forum<\/a> and on Reddit<\/a>.<\/p>\n

With (hundreds of?) thousands of PCs bricked by bad patches this month and (hundreds of?) millions of Windows customers bewildered by the avalanche of patches \u2014 we\u2019ve seen bucketloads of patches on Jan. 3, 4, 8, 9, 11, 12, 17 and now Jan. 18 \u2014 you have to wonder when it will all straighten out. Best I can tell you is to turn off Automatic Update, and wait for some semblance of sanity to return.<\/p>\n

Thanks to GW, @MrBrian, @abbodi86, @PKCano and many others.<\/p>\n

Join us on the <\/em>AskWoody Lounge<\/em><\/a>.<\/em><\/p>\n

http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Fri, 19 Jan 2018 09:28:00 -0800<\/strong><\/p>\n

\n
\n

On the heels of the Jan. 17 release of 14 Windows and .NET patches<\/a>, we now have a huge crop of new patches, revised older patches, warnings about bugs, and a bewildered ecosystem of Microsoft customers who can\u2019t figure out what in the blue blazes is going on.<\/p>\n

Let\u2019s step through the, uh, offerings on Jan. 18.<\/p>\n

Windows 10 patches<\/h2>\n

Win10 Fall Creators Update version 1709 \u2014<\/strong>\u00a0Cumulative update KB 4073291<\/a> brings the Meltdown\/Spectre patches to 32-bit machines. What, you thought 32-bit machines already had Meltdown\/Spectre patches? Silly mortal. Microsoft\u2019s Security Advisory ADV180002 <\/a>has the dirty details in the fine print, point 7:<\/p>\n

To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[714,10761],"class_list":["post-11177","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-security","tag-windows-10"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11177","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11177"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11177\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11177"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11177"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11177"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}