Patching meltdown: Windows fixes, sloppy .NET, warnings about Word and Outlook

Credit to Author: Woody Leonhard | Date: Fri, 19 Jan 2018 09:28:00 -0800

On the heels of the Jan. 17 release of 14 Windows and .NET patches, we now have a huge crop of new patches, revised older patches, warnings about bugs, and a bewildered ecosystem of Microsoft customers who can’t figure out what in the blue blazes is going on.

Let’s step through the, uh, offerings on Jan. 18.

Win10 Fall Creators Update version 1709 — Cumulative update KB 4073291 brings the Meltdown/Spectre patches to 32-bit machines. What, you thought 32-bit machines already had Meltdown/Spectre patches? Silly mortal. Microsoft’s Security Advisory ADV180002 has the dirty details in the fine print, point 7:

Q: I have an x86 architecture and the PowerShell Verification output indicates that I am not fully protected from these speculative execution side-channel vulnerabilities. Will Microsoft provide complete protections in the future?

A: Addressing a hardware vulnerability with a software update presents significant challenges and mitigations for older operating systems that require extensive architectural changes. The existing 32 bit update packages listed in this advisory fully address CVE-2017-5753 and CVE-2017-5715, but do not provide protections for CVE-2017-5754 at this time. Microsoft is continuing to work with affected chip manufacturers and investigate the best way to provide mitigations for x86 customers, which may be provided in a future update.

It appears as if this is the first 32-bit version of Windows that has a patch for the Meltdown vulnerability. Surprise.

Like most of the patches I talked about yesterday, this one is available only through the Update Catalog — it won’t be pushed onto your machine.

Win10 Fall (“November”) Update version 1511 (Enterprise/Education only) — The cumulative update KB 4075200 continues in the illustrious tradition of the 1703 and 1607 updates I discussed yesterday. It’s the second cumulative update for 1511 so far this month. This patch “addresses [an] issue where some customers with AMD devices get into an unbootable state.” Like all of the Meltdown/Spectre patches, you need to use antivirus software that sets the correct registry key before KB 4075200 will install. KB 4075200 isn’t being pushed out through Windows Update; it’s available only by manually downloading it from the Update Catalog.
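The two gates this article keeps running into, the antivirus compatibility registry key that every January patch checks before it will install, and the PowerShell verification output that the advisory's point 7 refers to, can be inspected from an admin prompt. This is an added example, not code from the article or from Microsoft; the QualityCompat key and value name and the SpeculationControl module's property name come from Microsoft's own documentation rather than from this page, and the KB IDs are the ones the article discusses.

```powershell
# Added example: report the AV compatibility gate, the article's KBs, and the
# Meltdown (CVE-2017-5754) mitigation state on this host. Run as Administrator.

# The registry value antivirus vendors set to declare compatibility with the
# January 2018 patches (key and value name from Microsoft's guidance, not the article).
$qcPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$qcValue = 'cadca5fe-e10e-4bcb-b4c4-6e6ad00e0fda0'   # REG_DWORD, expected value 0

# 1. Has the compatibility key been set by an AV product (or by hand)?
$gate = Get-ItemProperty -Path $qcPath -Name $qcValue -ErrorAction SilentlyContinue
if ($null -eq $gate) {
    Write-Warning "QualityCompat value missing: the January 2018 updates will not install."
} elseif ($gate.$qcValue -ne 0) {
    Write-Warning "QualityCompat value present but set to $($gate.$qcValue); expected 0."
} else {
    Write-Output 'QualityCompat gate is set; the updates are allowed to install.'
}

# 2. Which of the updates named in the article are present on this machine?
$kbs = 'KB4073291', 'KB4075200', 'KB4075199', 'KB4056898', 'KB4074880'
$installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
foreach ($kb in $kbs) {
    $state = if ($installed -contains $kb) { 'installed' } else { 'absent' }
    Write-Output ('{0,-10} {1}' -f $kb, $state)
}

# 3. Meltdown mitigation (kernel VA shadowing) via Microsoft's SpeculationControl module.
#    On 32-bit Windows the advisory says this stays unprotected, so expect False there.
$arch = if ([Environment]::Is64BitOperatingSystem) { '64-bit' } else { '32-bit' }
Write-Output "OS architecture: $arch"
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    $sc   = Get-SpeculationControlSettings
    $kva  = $sc.PSObject.Properties['KVAShadowWindowsSupportEnabled']
    if ($kva -and $kva.Value) {
        Write-Output 'CVE-2017-5754 (Meltdown): kernel VA shadow ENABLED.'
    } else {
        Write-Warning 'CVE-2017-5754 (Meltdown): kernel VA shadow NOT enabled on this host.'
    }
} else {
    Write-Output 'SpeculationControl module not found; install it with: Install-Module SpeculationControl'
}
```

A 32-bit host that reports the gate set and KB 4073291 installed but kernel VA shadow not enabled is exactly the case the advisory's point 7 describes: the Spectre variants are patched, Meltdown is not.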

Win10 RTM (“Initial version”) version 1507 (Enterprise LTSC) — Cumulative update KB 4075199. Same story as 1511 above.

Win8.1 — Microsoft officially acknowledged what we’ve suspected — that it released two versions of its Win8.1 Security-only update, KB 4056898: one on Jan. 3 and the other on Jan. 5. Except the warning’s buried in Security Advisory ADV180002:

On January 5, 2018, Microsoft re-released KB4056898 (Security Only) for Windows 8.1 and Windows Server 2012 R2 to address a known issue. Customers who have installed the original package on 1/3/2018 should reinstall the update.

I warned you about the switcheroo back on Jan. 10. Now we have official acknowledgment, but still no description of the “known issue.” The KB article still doesn’t acknowledge, or describe, the switcheroo.

According to Catalin Cimpanu at Bleepingcomputer, Microsoft has started pushing five of the patches that it pulled because they bricked AMD machines. Details are sketchy at this point, but Cimpanu says Microsoft has started pushing all of these patches onto AMD machines:

But, per Cimpanu, these patches are still being withheld from AMD machines:

As best I can tell, there have been no changes made to any of the five patches that are now going out to AMD machines. It’s not at all clear — and Microsoft certainly hasn’t said anything — why these patches are going out now, and how they fixed the manifest problems with the earlier version.

Of course, we haven’t received any answer to last week’s question: Microsoft reinstates Meltdown/Spectre patches for some AMD processors — but which ones?

Trust us. We’re from Microsoft, and we’re here to help.

I found out more about the “Unbootable state for AMD devices” patches that I discussed yesterday. We still don’t have any official answers to the chicken-and-egg nature of a patch specifically issued for machines that have already been bricked by an earlier patch. It still isn’t clear if, after unbricking your machine and installing the new patch, you need to re-install the old patch.

But one bit of enlightenment appeared yesterday on, not any Microsoft site, but on the Symantec Endpoint Protection site. Of course. It seems Symantec Endpoint Protection has been suffering from a tray icon bug brought on by Microsoft’s Jan. 3 patches. Symantec issued a hotfix to clear the problem, but that’s been pulled… because Microsoft fixed the bug.

According to Symantec, the tray icon bug — introduced by Microsoft on Jan. 3 — has been fixed in:

But the barely documented fun ‘n games don’t end there.

Yesterday, Microsoft changed its documentation for these .NET patches:

The files ndp47-kb4074880-x64[…].exe and ndp47-kb4074880-x86[…].exe currently in the catalog for KB4055532 (January 2018 .NET Framework monthly rollup for Windows 7) have a digital signature of January 11, 2018, which is newer than the original release date. Also, despite the fact that I installed the January 2018 .NET Framework monthly rollup for Windows 7 on Monday (I have .NET Framework 4.7), it is being offered again in Windows Update (it’s ticked).

Deep in the Revisions list of CVE-2018-0764, there’s an explanation:

To address a regression issue after installing security update 4055002, Microsoft has released security update 4074880 for Microsoft .NET 4.6/4.6.1/4.6.2/4.7/4.7.1 installed on supported editions of Windows 7 and Windows Server 2008 R2. Customers who have already installed KB4055002 should install KB4074880 to be protected from this vulnerability.

If you’re keeping a January patch scorecard, it’s official. Your collection of scorecards now needs an index.

This month’s patches aren’t all about Meltdown and Spectre. Even our good old friend Word has joined the now well-worn “oops we did it again” chorus line. Remember earlier this month when Microsoft fixed the Office Online Server security hole CVE-2018-0792? Yeah, me neither, but on Jan. 9, Microsoft rolled out patch KB 4011021.

Except, well, it didn’t install on some machines. No explanation why. Instead, we get this posted nine days later:

To address a known issue with installing security update 4011021, Microsoft is announcing the availability of security update 4011022 as a replacement. Customers who experienced problems installing 4011021 should install 4011022.

And just to put icing on your buggy patching cake, there’s a reported bug in the KB 4011626 update for Outlook 2016. Microsoft has acknowledged at least part of the problem:

After you install this security update, attachments are removed when you forward plain text emails. To work around this issue, save the attachments locally, reattach, and then send the email.

But of course there’s no fix. I see continuing discussions on the Microsoft TechNet forum and on Reddit.

With (hundreds of?) thousands of PCs bricked by bad patches this month and (hundreds of?) millions of Windows customers bewildered by the avalanche of patches — we’ve seen bucketloads of patches on Jan. 3, 4, 8, 9, 11, 12, 17 and now Jan. 18 — you have to wonder when it will all straighten out. Best I can tell you is to turn off Automatic Update, and wait for some semblance of sanity to return.

Thanks to GW, @MrBrian, @abbodi86, @PKCano and many others.

Join us on the AskWoody Lounge.
