Patch Tuesday brings some surprises, some early crashes, and a surreal solution
By Woody Leonhard | Thu, 12 Apr 2018 06:40:00 -0700
With all of the problems in the January, February and March patches for Windows and Office, you’d think we would catch a break in April. In one sense we did — some of the worst bugs in the earlier patches now seem to be behind us. But we’re definitely not out of the woods just yet.
Tuesday, Microsoft released 177 separate patches covering 66 security holes (CVEs), 24 of which are rated “critical.” The SANS Internet Storm Center says that only one of the patches, CVE-2018-1034, covers a security hole that’s been documented, and it isn’t being exploited.
Further details, compliments of Martin Brinkmann on ghacks:
As Dustin Childs notes on the Zero Day Initiative site, five of the critical bugs are variations on an old, tired theme: a “bad” font can take over your machine, if you’re running in admin mode. And it doesn’t matter where the font appears — on a web page, in a document, in an email. Don’t you just love it when fonts get rendered inside the Windows kernel?
As of early Thursday morning, there are no known exploits for the font phunnies.
Top points, from my point of view, anyway:
If you’ve been following along, you know that Win7/Server 2008 R2 has left a trail of tears, starting with the January security patches, which introduced the Total Meltdown gaping security hole, followed by an SMB server bug introduced in March that may render it inoperable, and buggy patches that created phantom Network Interface Cards (NICs) and shot down static IP addresses.
This month, it appears as if some of those problems have been solved. In particular, the Win7/Server 2008 R2 Monthly Rollup KB 4093118 and the manually installed KB 4093108 Security-only patch supersede the sketchy KB 4100480 that’s supposed to fix the Total Meltdown bugs in this year’s Win7 patches. KB 4093118 and KB 4093108 also contain the fix in KB 4099467, which eliminates the Stop 0xAB error when you log off. Not so coincidentally, both of those bugs were introduced by security fixes released earlier this year.
According to MrBrian, installing this month’s Win7 Monthly Rollup or Security-only patch obliterates those bugs:
Or at least it’s supposed to obliterate those bugs.
That leaves us with two other significant bugs in the old Win7 patches. Microsoft describes them like this:
As of this moment, it looks as if the manual Win7 Security-only patch KB 4093108 fixes the phantom NIC bug and static IP zapping bug — but the Monthly Rollup, KB 4093118, does not. That puts us in a surreal situation where Microsoft recommends that those installing the (automatically pushed) Monthly Rollup first install the (manual download) Security-only patch.
I didn’t believe that either until I read the newly updated KB article:
Microsoft is working on a resolution and will provide an update in an upcoming release.
In the meantime, please apply KB4093108 (Security-only update) to stay secure, or use the Catalog release of KB4093118 to stage the update for WU or WSUS.
Although the description isn’t crystal clear, it looks to me as if Microsoft is saying that anyone who uses Windows Update to install this month’s Win7 Monthly Rollup is required to dive into the Windows Catalog, download and install the Security-only patch, prior to letting Windows Update do the dirty deed. If you don’t do that, your NIC may fall over and play dead and/or any static IP addresses you’ve assigned will be wiped out.
Bizarre.
Those of you who control Update Servers have yet another cute twist. Two of them.
Reading between the lines again, it appears as if WSUS and SCCM won’t queue up the Security-only patch prior to installing the Monthly Rollup. You have to do that manually. There was a notice sent out on Wednesday that urged admins to download a separate patch, KB 4099950, and install it prior to installing this month’s Win7 Monthly Rollup. Now, it seems, installing the Security-only patch first is the recommended course of action.
For standalone computers that use the B patching process of applying security only updates – again you should be in wait and see mode right now. If you have a spare computer and want to live on the edge, install now. Otherwise get the popcorn out and wait to see what happens.
Again reading between the lines, it appears as if KB 4099950 prevents the phantom NIC and static IP zapping bugs. If you’ve already installed it, there’s no need to uninstall it, you’re good to go — and you don’t need to manually install this month’s Security-only patch. If you haven’t installed KB 4099950, Microsoft now says that the preferred method for fending off the IP problems is to install this month’s Security-only patch. Which means those of you at the helm of WSUS and SCCM servers need to make sure your users get the Security-only patch prior to receiving the Monthly Rollup. Clear as mud, right?
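The sequence above (KB 4099950 or the KB 4093108 Security-only patch first, the KB 4093118 Monthly Rollup second, with static IP settings at risk if you get it wrong) is the kind of thing worth checking by script before a machine is allowed to take the rollup. The following is an added example, not code from the article or from Microsoft: it uses Get-HotFix and WMI, both available in the PowerShell 2.0 that Win7 ships with, reports whether one of the prerequisite KBs is present, and writes a copy of any static IP configuration to a file so it can be re-entered by hand if the rollup wipes it. The KB numbers are the ones the article quotes; the function name, the backup path and the wording of the verdicts are my own.

```powershell
# Added example (not from the article): pre-flight check before letting a Win7 /
# Server 2008 R2 machine install the April 2018 Monthly Rollup KB4093118.
# KB numbers come from the article; the function and file names are assumptions.
function Test-Win7RollupReadiness {
    [CmdletBinding()]
    param(
        # Per the updated KB article, either of these installed first is meant to
        # prevent the phantom-NIC / lost-static-IP problem.
        [string[]]$PrerequisiteKB = @('KB4099950', 'KB4093108'),
        [string]$Rollup = 'KB4093118',
        [string]$BackupPath = "$env:ProgramData\PreRollup-IPConfig.txt"
    )

    # Installed hotfix IDs as Windows reports them (Win32_QuickFixEngineering).
    $installed  = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $havePrereq = @($PrerequisiteKB | Where-Object { $installed -contains $_ })
    $haveRollup = $installed -contains $Rollup

    # Adapters with DHCP disabled are the ones whose addresses the bug zaps.
    $staticAdapters = @(Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and -not $_.DHCPEnabled } |
        Select-Object Description, MACAddress, IPAddress, IPSubnet,
                      DefaultIPGateway, DNSServerSearchOrder)

    # Keep a human-readable copy of the static settings before anything changes.
    $staticAdapters | Format-List * | Out-File -FilePath $BackupPath -Encoding UTF8

    $action = if ($haveRollup) {
        'Rollup already installed; verify NICs and static IPs survived'
    } elseif ($havePrereq.Count -gt 0) {
        "Prerequisite present ($($havePrereq -join ', ')); OK to install $Rollup"
    } else {
        "Install $($PrerequisiteKB -join ' or ') before $Rollup"
    }

    New-Object PSObject -Property @{
        RollupInstalled      = $haveRollup
        PrerequisiteFound    = $havePrereq
        StaticIPAdapterCount = $staticAdapters.Count
        StaticIPBackup       = $BackupPath
        RecommendedAction    = $action
    }
}

Test-Win7RollupReadiness | Format-List
```

On a WSUS or SCCM estate the same function can be run through a logon or startup script and the RecommendedAction field collected centrally, which is a cheap way to find the machines that will receive the rollup before the Security-only patch.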
More than that, I’m getting reports that the Win10 1607 April cumulative update, KB 4093119, is dishing out a retrograde version of Credssp.dll. The March cumulative update installed version 10.0.14393.2125, whereas the April version installs version 10.0.14393.0.
For details, I strongly urge you overworked and underappreciated admins to subscribe to Shavlik’s Patchmanagement newsletter.
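Whether a 1607 machine actually ended up with the older Credssp.dll is easy to confirm from the file itself. This is an added example, not code from the article: it reads the version resource of credssp.dll in both System32 and SysWOW64, builds a comparable Version object from the numeric parts (the FileVersion string can carry free text), and classifies the result against the two versions the article quotes. The function name and status strings are my own.

```powershell
# Added example (not from the article): report which Credssp.dll a Win10 1607 box
# is running. The two version numbers are the ones quoted in the article.
function Test-CredsspVersion {
    param(
        [version]$Expected  = '10.0.14393.2125',  # version the March CU installed
        [version]$Regressed = '10.0.14393.0'      # version the April CU reportedly installs
    )
    $paths = @("$env:windir\System32\credssp.dll", "$env:windir\SysWOW64\credssp.dll")
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $fv = (Get-Item $p).VersionInfo
        # Assemble a Version from the numeric fields so comparisons are numeric, not string-based.
        $v = New-Object System.Version -ArgumentList $fv.FileMajorPart, $fv.FileMinorPart,
                                                     $fv.FileBuildPart, $fv.FilePrivatePart
        $status = if ($v -ge $Expected)      { 'OK (March level or newer)' }
                  elseif ($v -eq $Regressed) { 'Regressed to RTM version' }
                  else                       { 'Older than March CU' }
        New-Object PSObject -Property @{ Path = $p; Version = $v.ToString(); Status = $status }
    }
}

Test-CredsspVersion | Format-Table Path, Version, Status -AutoSize
```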
Microsoft released a handful of patches for Word 2007, 2010, 2013, 2016 and Office 2010 under the heading CVE-2018-0950, where:
An information disclosure vulnerability exists when Office renders Rich Text Format (RTF) email messages containing OLE objects when a message is opened or previewed. This vulnerability could potentially result in the disclosure of sensitive information to a malicious site.
To exploit the vulnerability, an attacker would have to send an RTF-formatted email to a user and convince the user to open or preview the email. A connection to a remote SMB server could then be automatically initiated, enabling the attacker to brute-force attack the corresponding NTLM challenge and response in order to disclose the corresponding hash password.
But according to Will Dormann at CERT/CC, who originally reported the vulnerability to Microsoft 18 months ago, Microsoft’s fix doesn’t fix the whole problem. He says:
Microsoft released a fix for the issue of Outlook automatically loading remote OLE content (CVE-2018-0950). Once this fix is installed, previewed email messages will no longer automatically connect to remote SMB servers. … It is important to realize that even with this patch, a user is still a single click away from falling victim to the types of attacks described above.
Dormann’s advice? Use complex passwords and a password manager, and those of you managing servers need to jump through even more hoops.
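The mechanism Microsoft describes above (an OLE object in an RTF message causing the client to open an SMB connection to a remote server, where the NTLM exchange can be captured and cracked offline) only works if the workstation can reach TCP 445 on the Internet at all. One host-level control that follows from that is to block outbound SMB to non-local addresses with the built-in Windows Firewall. This is an added example and not something the article or CERT/CC prescribes: it uses the NetSecurity cmdlets available on Windows 8/Server 2012 and later (not on Win7), must be run elevated, and the rule names are my own. It uses the firewall’s `Internet` address keyword, so file shares on the local subnet and intranet keep working.

```powershell
# Added example (not from the article): block outbound SMB/NetBIOS to Internet
# addresses so a "single click" on a remote OLE link cannot complete an NTLM
# exchange with an external server. Requires an elevated session. Rule names are
# assumptions; the ports are the standard SMB (445), NetBIOS session (139) and
# NetBIOS name/datagram (137/138) ports.
function Block-OutboundSmbToInternet {
    param([string]$Name = 'Block outbound SMB to Internet (NTLM leak mitigation)')

    # Idempotent: return the existing rules if they are already in place.
    $existing = Get-NetFirewallRule -DisplayName "$Name*" -ErrorAction SilentlyContinue
    if ($existing) { return $existing }

    $tcp = New-NetFirewallRule -DisplayName $Name -Direction Outbound -Action Block `
        -Protocol TCP -RemotePort 445,139 -RemoteAddress Internet -Profile Any
    $udp = New-NetFirewallRule -DisplayName "$Name (UDP)" -Direction Outbound -Action Block `
        -Protocol UDP -RemotePort 137,138 -RemoteAddress Internet -Profile Any
    $tcp, $udp
}

# Show what was created (or what already existed).
Block-OutboundSmbToInternet | Format-Table DisplayName, Direction, Action, Enabled -AutoSize
```

The complementary perimeter control is the same block on the egress firewall, which covers machines (Win7 included) where this cmdlet set is not available; neither replaces the patch, they only remove the network path the leaked authentication would travel over.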
Brad Sams reports that KB 4093112, the cumulative update to 1709, has messed up File Explorer — he can’t open File Explorer at all, even after two restarts.
We have reports that the same update is causing Windows to complain that it hasn’t been activated. Multiple reboots solved the problem.
And we have another report of a blue screen PAGE_FAULT_IN_NONPAGED_AREA error 0x800f0845 with the same patch.
Commenters on Brian Krebs’ site have reported problems with installing KB 4093118, the Win7 Monthly Rollup. Peacelady explains:
Two people who installed it on Windows 7 Professional computers now can’t access the computer, getting the message on startup “user profile not found.” Then underneath it says OK — they click OK and it logs off. Then it comes back and the same thing happens.
AskWoody poster Bill C has further details. Samak proposes a fix for the “user profile not found” problem, detailed in KB 947215.
Wait.
We’re seeing reports of Win7 patches that are checked, unchecked, sometimes disappearing, occasionally reappearing, and vanishing into thin air. Don’t be concerned. Microsoft doesn’t know why, either.
For the non-Win7 patches, there’s no immediate need to install anything. If the font phunnies heat up, we’ll keep you posted, but for now the situation’s unbelievably complex and devolving rapidly.
Thanks, as always, to MrBrian, abbodi86, PKCano, and all of the people at AskWoody who hold Microsoft’s patching feet to the fire.
Join us for the latest commiseration on the AskWoody Lounge.