

MS Security Updates - Jan 2018

2 replies to this topic

#1 AplusWebMaster



  • SWI Friend
  • 11,079 posts

Posted 09 January 2018 - 12:45 PM


>> https://doublepulsar...ou-a852ba0292ec
Jan 8, 2018 - "... the Microsoft knowledge base articles have had extensive edits since publishing. There’s some really important things you should know before trying to apply the patches..."
>> https://support.micr...ivirus-software
Last Updated: Jan 6, 2018

- https://docs.google....haring&sle=true
CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754 (Meltdown and Spectre) Windows antivirus patch compatibility
Last update: 8th January 2018 @20.30 GMT

> https://blogs.techne...update-release/
Jan 9, 2018 - "Today, we released security updates to provide additional protections against malicious attackers. By default, Windows 10 receives these updates automatically..."

Release Notes - Jan 2018 Security Updates
> https://portal.msrc....57-000d3a33cf99
Jan 09, 2018 - "The January security release consists of security updates for the following software:
    Internet Explorer
    Microsoft Edge
    Microsoft Windows
    Microsoft Office and Microsoft Office Services and Web Apps
    SQL Server
    .NET Framework
    .NET Core
    ASP.NET Core
    Adobe Flash ..."

Known Issues:
4056890: https://support.micr...om/help/4056890
4056891: https://support.micr...om/help/4056891
4056892: https://support.micr...om/help/4056892
4056893: https://support.micr...om/help/4056893
4056888: https://support.micr...om/help/4056888
4056895: https://support.micr...om/help/4056895
4056898: https://support.micr...om/help/4056898
4056894: https://support.micr...om/help/4056894
4056897: https://support.micr...om/help/4056897
4056896: https://support.micr...om/help/4056896
4056899: https://support.micr...om/help/4056899

Security Updates: https://portal.msrc....curity-guidance

Security Update Summary: https://portal.msrc....uidance/summary

January 2018 Office Update Release
- https://blogs.techne...update-release/
Jan 9, 2018 - "The January 2018 Public Update releases for Office are now available! This month, there are 36 security updates and 25 non-security updates. All of the security and non-security updates are listed in KB article 4058103*.
A new version of Office 2013 Click-To-Run is available: 15.0.4997.1000
A new version of Office 2010 Click-To-Run is available: 14.0.7193.5000"
* https://support.micr...om/help/4058103

ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities
- https://portal.msrc....isory/ADV180002
Security Advisory
Published: 01/03/2018 | Last Updated: 01/09/2018
Revisions: Version / Date / Description
 1.0 01/03/2018 Information published.
 2.0 01/03/2018 Revised ADV180002 to announce release of SQL 2016 and 2017 updates.
 3.0 01/05/2018 The following updates have been made: Revised the Affected Products table to include Windows 10 Version 1709 for x64-based Systems because the update provides mitigations for ADV180002. Corrected the security update numbers for the 2016 and 2017 SQL Server Cumulative Updates. Removed Windows Server 2012 and Windows Server 2012 (Server Core installation) from the Affected Products table because there are no mitigations available for ADV180002 for these products. Revised the Affected Products table to include Monthly Rollup updates for Windows 7 and Windows Server 2008 R2. Customers who install monthly rollups should install these updates to receive the mitigations against the vulnerabilities discussed in this advisory. In the Recommended Actions section, added information for Surface customers. Added an FAQ to explain why Windows Server 2008 and Windows Server 2012 will not receive mitigations for these vulnerabilities. Added an FAQ to explain the protection against these vulnerabilities for customers using x86 architecture.
 4.0 01/09/2018 Revised the Affected Products table to include updates for the following supported editions of SQL Server because the updates provide mitigations for ADV180002: Microsoft SQL Server 2008 for 32-bit Systems Service Pack 3 (QFE), Microsoft SQL Server 2008 for 32-bit Systems Service Pack 4 (QFE), Microsoft SQL Server 2008 for Itanium-Based Systems Service Pack 3 (QFE), Microsoft SQL Server 2008 for Itanium-Based Systems Service Pack 4 (QFE), Microsoft SQL Server 2016 for x64-based Systems, Microsoft SQL Server 2016 for x64-based Systems (CU).

- https://www.ghacks.n...y-2018-release/
Jan 9, 2018

Qualys blog: https://blog.qualys....s-1-adobe-patch
Jan 9, 2018 - "... It is important to note that OS-level and BIOS (microcode) patches that are designed to mitigate Meltdown and Spectre may lead to performance issues. It is important to test all patches before deploying.
Some of these updates are incompatible with third-party antivirus software, and may require updating AV on workstations and servers. Microsoft has released guidance documents for both Windows clients and servers. Windows Server requires registry changes in order to implement the protections added by the patches.
Microsoft has also halted the deployment of patches for some AMD systems, as there have been issues with systems after installation.
Aside from these patches, today Microsoft has released patches covering 59 vulnerabilities. Of these vulnerabilities, 16 are ranked as “Critical,” with 20 potentially leading to remote code execution.
In today’s release there are patches for both Microsoft Word and Outlook, which should also be prioritized for workstation-type devices. Most of the patches released today are for browsers and involve the Scripting Engine. These patches should be prioritized for systems that access the internet via a browser..."

- https://www.us-cert....ecurity-Updates
Jan 09, 2018
- https://support.micr...-january-9-2018


Edited by AplusWebMaster, 09 January 2018 - 04:16 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...

#2 AplusWebMaster



  • SWI Friend
  • 11,079 posts

Posted 15 January 2018 - 05:14 PM


BIOS Updates to Patch CPU Flaws
- http://www.securityw...patch-cpu-flaws
Jan 15, 2018 - "Acer, Asus, Dell, Fujitsu, HP, IBM, Lenovo, Panasonic, Toshiba and other device manufacturers have started releasing BIOS updates that should patch the recently disclosed Spectre and Meltdown vulnerabilities.
The flaws exploited by the Meltdown and Spectre attacks, tracked as CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754, allow malicious applications to bypass memory isolation mechanisms and access sensitive data. Billions of PCs, servers, smartphones and tablets using processors from Intel, AMD, ARM, IBM and Qualcomm are affected..."
(Much more detail at the URL above.)

> https://www.sans.org...ewsbites/xx/3#1
"CPU Patches - (January 9, 10, & 11, 2018)
Some vendor patches for the Spectre and Meltdown CPU vulnerabilities have been causing problems for users. Microsoft said that systems running incompatible anti-virus products would not receive any further updates; anti-virus vendors must confirm compatibility by setting a registry key. Linux has released microcode to address the CPU problems for certain processors. Canonical had to release a new patch after Ubuntu Xenial 16.04 users reported that the first fix rendered their systems unable to boot. Google says it applied patches for the flaws last year and that they have not slowed down its cloud services.  
 The patches are complicated and some require steps beyond just clicking install to complete the mitigation. They are also changing rapidly as issues surface and are resolved. Test not only for stability after application but also for performance impact.
 There are patches and then there are PATCHES. It is pretty clear that software/firmware PATCHES for Spectre/Meltdown are complex and will, at a minimum, have performance impact. They will require significantly more QA testing than routine monthly Microsoft vulnerability Tuesday patches, probably even more than quarterly Oracle CPU PATCHES. Spinning up production environments (with obfuscated data) on IaaS services has enabled many organizations to increase depth of patch/PATCH testing while minimizing increases in time to patch. But, shielding, mitigation and monitoring will be needed in the interim..."

- http://www.zdnet.com...r-meltdown-fix/
Jan 10, 2018

- https://www.computer...which-ones.html
Jan 11, 2018

> https://www.askwoody...at-ms-defcon-2/
"...Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it."


#3 AplusWebMaster



  • SWI Friend
  • 11,079 posts

Posted 16 January 2018 - 09:58 AM


GRC test utility for 'Meltdown and Spectre' vulnerabilities
- https://www.grc.com/inspectre.htm
Jan 15, 2018 - "This is the Initial Release of InSpectre - We did not wish to delay this application's release while building additional confidence in its conclusions and output. It has been carefully tested under as many different scenarios as possible. But new is new, and it is new. We may well have missed something. So please use and enjoy InSpectre now. But you may wish to check back in a few days to see whether we may have found and fixed some last bits of debris.... Protection from these two significant vulnerabilities requires updates to every system's hardware – its BIOS which reloads updated processor firmware – and its operating system – to use the new processor features. To further complicate matters, newer processors contain features to minimize the performance impact of these important security improvements. But older processors, lacking these newer features, will be significantly burdened and system performance will suffer under some workloads.
This InSpectre utility was designed to clarify every system's current situation so that appropriate measures can be taken to update the system's hardware and software for maximum security and performance."
(Download the utility from the URL above.) - Thank you, Steve!!!


... Added Jan 16, 2018: "High incidence of -false-positive- A/V warnings:
People are reporting that their 3rd-party anti-virus systems are quarantining InSpectre under the mistaken belief that it's malicious. This did not occur during early work, and is almost certainly due to the end-of-project inclusion of the protection enable/disable buttons and the presence of the registry key they use. I would rather not remove that feature... I will explore obscuring the use of that key to see whether false positive anti-virus warnings can be eliminated. At that time I will clarify some of the conflicting language the app can produce and also explain why the enable/disable buttons may be disabled (there's nothing for them to enable or disable in specific circumstances.)"

Windows 7 SP1 and Windows Server 2008 R2 SP1
January 4, 2018 — KB4056894 (Monthly Rollup)

Applies to: Windows Server 2008 R2 Service Pack 1, Windows 7 Service Pack 1
- https://support.micr...pdate-kb4056894
Last Updated: Jan 12, 2018

Patch Watch: Tracking Issues with the Spectre Patches on AMD Machines
> https://windowssecre...n-amd-machines/
Jan 11, 2018 - "Beware, AMD chip owners. For you Windows Secrets readers who have computers with AMD inside, these Spectre/Meltdown patches are causing more issues than they are preventing. So much so that Microsoft has halted release of the updates on machines that have AMD chipsets. Some of the relevant security posts include the following:
  Microsoft’s KB4073707 on the issues with AMD chip sets and how Microsoft is blocking the patches until the issue is resolved:
- https://support.micr...d-based-devices
  Microsoft’s KB4073757 recapping the overall guidance:
- https://support.micr...pectre-meltdown
Let’s recap the big picture:
> Intel CPU chips have a bug in their very architecture.
Researchers found a way for attackers to possibly steal passwords and other confidential information from our machines. As of publication, the attack has not been used in the wild. However, the potential is there and it’s really concerning up in cloud servers as it could mean that fellow virtual servers could read information from a tenant next door.
It won’t be enough to patch for the Windows operating system, you’ll need to patch the firmware on your computer as well.
It’s not a Microsoft bug, but because everything uses CPUs, pretty much everything needs to be patched ranging from phones to firewalls. So after you get your patches for Windows, go look for updates for anything else that has a CPU included in it (I’m not kidding or overstating the issue).
A bigger concern to many will be the performance hit this “fix” will make on your system as discussed in a Microsoft blog[2].
[2] https://cloudblogs.m...indows-systems/

The older your computer the more the “hit” will be. If you have a computer that is a 2015-era PC with Haswell or older CPU – you will notice a difference.
CERT goes so far as to recommend replacing the CPU hardware in their blog post[1]. I’m not ready to go that far, but it would be wise to review how old your computer hardware is, evaluate the performance hit and plan accordingly.
[1] https://web.archive..../vuls/id/584653
Check That Your Antivirus Is Supported:
Because this is a kernel update, antivirus vendors who have hooked into the kernel for additional protection could trigger blue screens of death if they are not updated for the change introduced by this patch. Thus Microsoft is requiring that before the January Windows and .NET updates are installed that a registry entry is made by the vendor – or by you if your vendor doesn’t provide the registry key in an update – before the January updates are installed.
Make sure you review the antivirus listing page*** that is tracking all of the antivirus vendors and when they plan to support these January updates. If your vendor doesn’t support these updates, it’s time to find a new vendor...
*** https://docs.google....mlview?sle=true

Protect your Windows devices against Spectre and Meltdown
Applies to: Windows 10, Windows 10 Mobile, Windows 8.1, Windows 7, HoloLens, Windows Server 2016, Windows Server 2012 Standard, Windows Server 2012 R2 Standard, Windows Server 2008 R2 Standard
> https://support.micr...pectre-meltdown
Last Updated: Jan 10, 2018


Edited by AplusWebMaster, 16 January 2018 - 05:21 PM.
