![](\"https:\/\/images.idgesg.net\/images\/article\/2017\/09\/windows_patch_security12-100734741-large.3x2.jpg\"\/)
<\/p>\n
Credit to Author: Woody Leonhard| Date: Thu, 12 Apr 2018 06:40:00 -0700<\/strong><\/p>\n With all of the problems in the <\/span>January<\/span><\/a>, <\/span>February <\/span><\/a>and <\/span>March <\/span><\/a>patches for Windows and Office, you\u2019d think we would catch a break in April. In one sense we did \u2014 some of the worst bugs in the earlier patches now seem to be behind us. But we\u2019re definitely not out of the woods just yet.<\/span><\/p>\n Tuesday, Microsoft released 177 <\/span>separate patches<\/span><\/a> covering 66 security holes (CVEs), 24 of which are rated \u201ccritical.\u201d The <\/span>SANS Internet Storm Center says<\/span><\/a> that only one of the patches, <\/span>CVE 2018-1034<\/span><\/a>, covers a security hole that\u2019s been documented, and it isn\u2019t being exploited.<\/span><\/p>\n Further details, compliments of <\/span>Martin Brinkman on ghacks<\/span><\/a>:<\/span><\/p>\n As Dustin Childs notes on <\/span>the Zero Day Initiative site<\/span><\/a>, five of the critical bugs are variations on an old, tired theme: a \u201cbad\u201d font can take over your machine, if you\u2019re running in admin mode. And it doesn\u2019t matter where the font appears \u2014 on a web page, in a document, in an email. Don\u2019t you just love it when fonts get rendered inside the Windows kernel?<\/span><\/p>\n As of early Thursday morning, there are no known exploits for the font phunnies.<\/span><\/p>\n Top points, from my point of view, anyway:<\/span><\/p>\n If you\u2019ve been following along, you know that Win7\/Server 2008 R2 has left a <\/span>trail of tears<\/span><\/a>, starting with the January security patches, which introduced the Total Meltdown gaping security hole, followed by an SMB server bug introduced in March that may render it inoperable, and buggy patches that created phantom Network Interface Cards (NICs) and shot down static IP addresses. <\/span><\/p>\n This month, it appears as if some of those problems have been solved. In particular, the Win7\/Server 2008R2 Monthly Rollup <\/span>KB 4093118<\/span><\/a> and the manually installed <\/span>KB 4093108<\/span><\/a> Security-only patch supersede the sketchy <\/span>KB 4100480<\/span><\/a> that\u2019s <\/span>supposed to fix the Total Meltdown bugs<\/span><\/a> in this year\u2019s Win7 patches. KB 4093118 and KB 4093108 also contain the fix in <\/span>KB 4099467,\u00a0<\/span><\/a>which eliminates the Stop 0xAB error when you log off. Not so coincidentally, both of those bugs were introduced by security fixes released earlier this year.<\/span><\/p>\n According to <\/span>MrBrian<\/span><\/a>, installing this month\u2019s Win7 Monthly Rollup or Security-only patch obliterates those bugs: <\/span><\/p>\n Or at least it\u2019s <\/span>supposed <\/span><\/i>to obliterate those bugs.<\/span><\/p>\n That leaves us with two other significant bugs in the old Win7 patches. Microsoft describes them like this:<\/span><\/p>\n As of this moment, it looks as if the manual Win7 Security-only patch KB 4093108 fixes the phantom NIC bug and static IP zapping bug \u2014 but the Monthly Rollup, KB 4093118, does not. That puts us in a surreal situation where Microsoft recommends that those installing the (automatically pushed) Monthly Rollup first install the (manual download) Security-only patch.<\/span><\/p>\n I didn\u2019t believe that either until I read the <\/span>newly updated KB article<\/span><\/a>:<\/span><\/p>\n Microsoft is working on a resolution and will provide an update in an upcoming release.<\/span><\/p>\n In the meantime, please apply<\/span> KB4093108<\/span><\/a> (Security-only update) to stay secure, or use the Catalog release of<\/span> KB4093118<\/span><\/a> to stage the update for WU or WSUS. \u00a0<\/span><\/p>\n Although the description isn\u2019t crystal clear, it looks to me as if Microsoft is saying that anyone who uses Windows Update to install this month\u2019s Win7 Monthly Rollup is required to dive into the Windows Catalog, download and install the Security-only patch, prior to letting Windows Update do the dirty deed. If you don\u2019t do that, your <\/span>NIC may fall over and play dead <\/span><\/a>and\/or any static IP addresses you\u2019ve assigned will be wiped out.<\/span><\/p>\n Bizarre.<\/span><\/p>\n Those of you who control Update Servers have yet another cute twist. Two of them. <\/span><\/p>\n Reading between the lines again, it appears as if WSUS and SCCM won\u2019t queue up the Security-only patch prior to installing the Monthly Rollup. You have to do that manually. There was a notice <\/span>sent out on Wednesday<\/span><\/a> that urged admins to download a separate patch, KB 4099950, and install it prior to installing this month\u2019s Win7 Monthly Rollup. Now, it seems, installing the Security-only patch first is the recommended course of action.<\/span><\/p>\n Susan Bradley says<\/span><\/a>:<\/span><\/p>\n For standalone computers that use the B patching process of applying security only updates – again you should be in wait and see mode right now. If you have a spare computer and want to live on the edge, install now. Otherwise get the popcorn out and wait to see what happens.<\/span><\/p>\n Again reading between the lines, it appears as if KB 4099950 prevents the phantom NIC and static IP zapping bugs. If you\u2019ve already installed it, there\u2019s no need to uninstall it, you\u2019re good to go \u2014 and you don\u2019t need to manually install this month\u2019s Security-only patch. If you haven\u2019t installed KB 4099950, Microsoft now says that the preferred method for fending off the IP problems is to install this month\u2019s Security-only patch. Which means those of you at the helm of WSUS and SCCM servers need to make sure your users get the Security-only patch prior to receiving the Monthly Rollup. Clear as mud, right?<\/span><\/p>\n More than that, I\u2019m getting reports that the Win10 1607 April cumulative update, KB 4093119, is dishing out a retrograde version of Credssp.dll. The March cumulative update installed version 10.0.14393.2125, whereas the April version installs version 10.0.14393.0. <\/span><\/p>\n For details, I strongly urge you overworked and underappreciated admins to subscribe to Shavlik\u2019s <\/span>Patchmanagement newsletter<\/span><\/a>.<\/span><\/p>\n Microsoft released a handful of patches for Word 2007, 2010, 2013, 2016 and Office 2010 under the heading <\/span>CVE-2018-0950<\/span><\/a>, where:<\/span><\/p>\n An information disclosure vulnerability exists when Office renders Rich Text Format (RTF) email messages containing OLE objects when a message is opened or previewed. This vulnerability could potentially result in the disclosure of sensitive information to a malicious site.<\/span><\/p>\n To exploit the vulnerability, an attacker would have to send an RTF-formatted email to a user and convince the user to open or preview the email. A connection to a remote SMB server could then be automatically initiated, enabling the attacker to brute-force attack the corresponding NTLM challenge and response in order to disclose the corresponding hash password.<\/span><\/p>\n But according to Will Dorman at CERT\/CC, who originally reported the vulnerability to Microsoft 18 months ago, Microsoft\u2019s fix doesn\u2019t fix the whole problem. <\/span>He says<\/span><\/a>:<\/span><\/p>\n Microsoft released a fix for the issue of Outlook automatically loading remote OLE content (CVE-2018-0950). Once this fix is installed, previewed email messages will no longer automatically connect to remote SMB servers. … It is important to realize that even with this patch, a user is still a single click away from falling victim to the types of attacks described above<\/span><\/p>\n Dorman\u2019s advice? Use complex passwords and a password manager, and those of you managing servers need to jump through even more hoops.<\/span><\/p>\n Brad Sams <\/span>reports<\/span><\/a> that <\/span>KB 4093112<\/span><\/a>, the cumulative update to 1709, has messed up File Explorer \u2014 he can\u2019t open File Explorer at all, even after two restarts.<\/span><\/p>\n We <\/span>have reports<\/span><\/a> that the same update is causing Windows to complain that it hasn\u2019t been activated. Multiple reboots solved the problem.<\/span><\/p>\n And we have <\/span>another report <\/span><\/a>of a blue screen PAGE_FAULT_IN_NONPAGED_AREA error 0x800f0845 with the same patch.<\/span><\/p>\n Commenters on<\/span> Brian Krebs\u2019 site<\/span><\/a> have reported problems with installing KB 4093118, the Win7 Monthly Rollup. <\/span>Peacelady explains<\/span><\/a>:<\/span><\/p>\n Two people who installed it on Windows 7 Professional computers now can\u2019t access the computer getting message on Startup \u201cuser profile not found.\u201d \u00a0Then underneath it says okay \u2014 they click okay and it logs off. Then it comes back and the same thing happens.<\/span><\/p>\n AskWoody poster Bill C has <\/span>further details<\/span><\/a>. Samak proposes a <\/span>suggested fix<\/span><\/a> for the \u201cuser profile not found\u201d problem, detailed in KB 947215.<\/span><\/p>\n Wait. <\/span><\/p>\n We\u2019re <\/span>seeing reports<\/span><\/a> of Win7 patches that are checked, unchecked, sometimes disappearing, occasionally reappearing, and vanishing into thin air. Don\u2019t be concerned. Microsoft doesn\u2019t know why, either.<\/span><\/p>\n For the non-Win7 patches, there\u2019s no immediate need to install anything. If the font phunnies heat up, we\u2019ll keep you posted, but for now the situation\u2019s unbelievably complex and devolving rapidly.<\/span><\/p>\n Thanks, as always, to MrBrian, abbodi86, PKCano, and all of the people at AskWoody who hold Microsoft\u2019s patching feet to the fire.<\/span><\/i><\/p>\n Join us for the latest commiseration on the <\/span><\/i>AskWoody Lounge<\/span><\/i><\/a>.<\/span><\/i><\/p>\n http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":" Credit to Author: Woody Leonhard| Date: Thu, 12 Apr 2018 06:40:00 -0700<\/strong><\/p>\n With all of the problems in the <\/span>January<\/span><\/a>, <\/span>February <\/span><\/a>and <\/span>March <\/span><\/a>patches for Windows and Office, you\u2019d think we would catch a break in April. In one sense we did \u2014 some of the worst bugs in the earlier patches now seem to be behind us. But we\u2019re definitely not out of the woods just yet.<\/span><\/p>\n<\/p>\n