Here’s hoping it’s been a happy new year thus far, for all my friends and readers in the IT world. January got off to a rough start, security-wise, with two serious vulnerabilities affecting computer/device processors hitting the headlines and causing Microsoft to release a rare out-of-band patch. I wrote about these vulnerabilities in the article titled Is your processor facing the spectre of a meltdown?

Unfortunately, Microsoft acknowledged today (Patch Tuesday) that those fixes are causing performance slowdowns on some older Intel-based PCs and servers, and even caused some AMD-based computers to freeze up completely and be unable to boot.  The performance hit wasn’t entirely unexpected; many experts had warned of it, but the more serious issue with some older AMD chips came as a surprise to many. Microsoft and AMD are reported to be working together to resolve it. In the meantime, Microsoft started preventing AMD machines from installing the update.

If you have a system with an AMD processor, please read the following Microsoft support article to find out which security updates are being blocked: Windows operating system security update block for some AMD based devices.

In related news, some antivirus programs are incompatible with the Meltdown and Spectre patches and are causing problems. In response to that, Microsoft reportedly will not distribute the January Patch Tuesday updates to anyone whose antivirus software hasn’t been updated to add a special registry key to make it compatible.

Unfortunately, Spectre and Meltdown aren’t the only vulnerabilities out there as we kick off the 2018 patching season. Microsoft’s release notes for today’s updates show a total of ninety-three patches for Internet Explorer, Microsoft Edge, Microsoft Windows,Microsoft Office/Microsoft Office Services/Web Apps, SQL Server, ChakraCore, .NET Framework, .NET Core, ASP.NET Core, and Adobe Flash.

Let’s take a closer look at some of those update summaries.

Security Advisories

The following security advisory was released on Patch Tuesday this month:

Out of band update released January 4:

  • KB4056888 , KB4056890. KB4056891, KB4056892, and KB405689 for Windows 10 and Server 2016 operating systems to address processor vulnerabilities in Intel, AMD, and ARM processors. This is the fix for the Meltdown and Spectre vulnerabilities discussed above. Updates for Windows 7 and 8.1 were subsequently released.

Products Updated on Patch Tuesday

The good news here is that none of the vulnerabilities in Windows OS are rated critical. All are rated important. The only critical issues are in the web browsers, Internet Explorer and Edge.  The following is a breakdown of the number of vulnerabilities patched in each product:

  • Windows 7: 7 vulnerabilities
  • Windows 8.1: 10 vulnerabilities
  • Windows 10 (all builds): 11 vulnerabilities
  • Windows Server 2008 and Windows Server 2008 R2: 7 vulnerabilities
  • Windows Server 2012 and 2012 R2: 10 vulnerabilities
  • Windows Server 2016: 9 vulnerabilities
  • Internet Explorer 11: 2 critical vulnerabilities
  • Microsoft Edge: 17 vulnerabilities with 14 rated as critical, and the remaining 3 as important

Cumulative Updates/Rollups

Additional updates

Security updates for .NET Framework:

KB4054173 — Security Only Update for .NET Framework 4 on WES09 and POSReady 2009

KB4054178 —.NET Framework 2.0 on WES09 and POSReady 2009

KB4055229 —.NET Framework 3.0 on WES09 and POSReady 2009

KB4055265 —.NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 on Windows Embedded 8 Standard and Windows Server 2012

KB4055266 —.NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 on Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2

KB4055267 —.NET Framework 2.0, 3.0, 4.5.2, 4.6 on Windows Server 2008

KB4055269 —.NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 on Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2

KB4055270 —.NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 on Windows Embedded 8 Standard and Windows Server 2012

KB4055271 —.NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 on Windows 8.1 and Windows Server 2012 R2

KB4055272 —.NET Framework 2.0, 3.0, 4.5.2, 4.6 on Windows Server 2008

KB4055532 —.NET Framework 3.5.1 on Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2

Summary

Those of us who attempt to summarize each month’s updates for readers continue to struggle since Microsoft discontinued the security bulletins that contained that information in easily accessed format and moved everything to the Security Update Guide portal that provides a deluge of unwieldy information. Thus we’re limited now in these articles to summarizing and discussing a selection of the large number of line items that appear in the Guide.

You can view or download the full Excel spreadsheet for all of the updates released on Patch Tuesday by entering the date range (December 12, 2017 to December 12, 2017) in the Guide interface. You can then sort and filter the data in different ways (although not, as far as I can tell, in a way that will provide us with anything close to the same formatted info as the gone-but-not-forgotten security bulletins).