Yesterday Microsoft released security patches for 63 separately identified vulnerabilities and three new Security Advisories. Microsoft rates 12 of the security holes as “critical,” and 8 of those are for the Edge scripting engine. Only one has an actively known exploit, discovered by Kaspersky, on 32-bit Win7 and Server 2008 systems in the Middle East.
Martin Brinkmann has his monthly summary on ghacks.net for an overview of the numbers and links. Dustin Childs picks up all the nuances in his Zero Day Initiative post. Short version: As usual, if you avoid Internet Explorer and Edge, you should be fine for now. But, again as usual, you’ll have to patch eventually.
Two new Security Advisories contain some worthwhile updates:
- ADV180002, Guidance to mitigate speculative execution side-channel vulnerabilities, has been updated to include even more information about even more Spectre-like problems with Intel, AMD and ARM chips.
- ADV990001, Latest Servicing Stack Updates, finally (finally!) lists the latest SSU for every version of Windows. It’s a long, ugly list, but if you insist on installing updates manually (or if you got bit by error 0x8000FFF when installing a Win7 Monthly Rollup), you can now confirm if you have the latest version of the Windows Update updater. Remember, the updater isn’t smart enough to update itself, if you’re applying patches manually.
The Servicing Stack Update spray
There are new Servicing Stack Updates for Win10 that address the Bitlocker Device Encryption vulnerability CVE-2018-8566.
If you install the November Cumulative Updates using other than Windows Update, you will need to install the Servicing Stack Update first.
If you are using Windows Update, the SSU will be offered automatically.
Win10 v1809 Build 17763.134 KB4465646
Win10 v1803 KB4465663
Win10 v1709 KB4465661
Win10 v1703 KB4465660
Win10 v1607 KB4465659
There’s a German-language report of a bug in the interaction between the latest Servicing Stack Update for Server 2016, KB 4465659 and this month’s Server 2016 cumulative update, KB 4467691. Poster Gaius Julius on the deskmodder.de forum reports (translated by deepl.com):
One of the two updates tries to write into the UEFI of the server. This works for virtual machines as well. For physical machines of the brands DELL and HP this does not work, at least if CPUs of the series Xeon E5-26 ... of the versions v1 and v2 are still installed there. On Fujitsu machines it does not work with the above Xeon CPUs of versions E5-26 ... v3 and v4.
The UEFI is totally shot up, hardware raids are torn apart etc. pp. Remotely you can't reach the boxes anymore, because the Intel management machine is also totally torn apart, if it wasn't switched off by the ADMIN for security reasons. No network adapter is detected anymore.
No confirmation on that report, as yet.
WSUS hiccups again
There’s a report of a persistent failure by WSUS to download this month’s patches:
We are seeing multiple independent WSUS servers failing to download content (patches) from Microsoft for this month’s batch. … WSUS servers have been established for years and no changes on them have been made recently nor have firewalls been touched. Content downloads started and were successful for a fraction of the patches, but then halted. This started afternoon hours EST. Eventlog error 364 is seen.
1809 under the microscope
Of course, it’s much too early to install 1809, and Microsoft recommends that you wait until it gets pushed onto your machine rather than seeking it out, but if you’re feeling lucky (and don’t mind risking your machine for a paltry list of new features), installation from the Media Creation Tool will bring you to build 17763.107, and the first cumulative update (that is, the latest first cumulative update) will bring you to build 17763.134. EdTittel reports on Tenforums:
I was able to transition from 17763.107 to 17763.134 by leaving the Insider Preview program (updates only flavor), restarting a couple of times, then updating to the KB that brings the PC up to 17763.134 level. All good now. All of my 1809 machines are now at 17763.134.
What concerns me the most are the sporadic, but vocal, reports of problems with the just re-released Win10 version 1809, the September-October-November 2018 Update.
We already know about the acknowledged bug with filename extensions not being assignable to specific programs, a bug first publicized last week by Chris Hoffman in HowToGeek. The same problem now appears as a known bug for Win10 version 1803, as well — going back all the way to the Sept. 26 re-release of the “Fourth Tuesday” patch for 1803.
I’m also seeing reports of the Mapped Drive Connection to Network Share May Be Lost bug, but that one’s not unique to 1809. It’s been around a long time.
@NetDef reports munged video with 1809 and AutoCad:
I’m seeing some seriously nasty things with video (current drivers) and acceleration in the ’18 and ’19 versions in our test bed. Thinking we might be passing on this feature update entirely and stick with 1803 for the next year. Toolbar windows that leave ghosts behind when moved. Sudden dark screens in the drawings (but the application menu UI stays intact.) Odd flickering randomly.
I haven’t yet heard any loud screams of pain stemming from this month’s Monthly Rollups and Cumulative Updates, but the day is still young.
Thx to @PKCano, @NetDef
Got a problem? Don’t we all. AskWoody Lounge.