Here’s hoping it’s been a happy new year thus far, for all my friends and readers in the IT world. January got off to a rough start, security-wise, with two serious vulnerabilities affecting computer/device processors hitting the headlines and causing Microsoft to release a rare out-of-band patch. I wrote about these vulnerabilities in the article titled Is your processor facing the spectre of a meltdown?
Unfortunately, Microsoft acknowledged today (Patch Tuesday) that those fixes are causing performance slowdowns on some older Intel-based PCs and servers, and even caused some AMD-based computers to freeze up completely and be unable to boot. The performance hit wasn’t entirely unexpected; many experts had warned of it, but the more serious issue with some older AMD chips came as a surprise to many. Microsoft and AMD are reported to be working together to resolve it. In the meantime, Microsoft started preventing AMD machines from installing the update.
If you have a system with an AMD processor, please read the following Microsoft support article to find out which security updates are being blocked: Windows operating system security update block for some AMD based devices.
In related news, some antivirus programs are incompatible with the Meltdown and Spectre patches and are causing problems. In response to that, Microsoft reportedly will not distribute the January Patch Tuesday updates to anyone whose antivirus software hasn’t been updated to add a special registry key to make it compatible.
Unfortunately, Spectre and Meltdown aren’t the only vulnerabilities out there as we kick off the 2018 patching season. Microsoft’s release notes for today’s updates show a total of ninety-three patches for Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office/Microsoft Office Services/Web Apps, SQL Server, ChakraCore, .NET Framework, .NET Core, ASP.NET Core, and Adobe Flash.
Let’s take a closer look at some of those update summaries.
The following security advisories were released on Patch Tuesday this month:
- ADV180001 – Adobe Flash Security Update for Windows, Microsoft Edge, and Internet Explorer 11. Addresses an important out-of-bounds read vulnerability that could lead to information exposure. Priority rating 2.
- ADV180002 – Guidance to mitigate speculative execution side-channel vulnerabilities. This is in regard to the Intel, AMD and ARM processor vulnerabilities discussed above. It addresses the following vulnerabilities: CVE-2017-5753 – Bounds check bypass, CVE-2017-5715 – Branch target injection and CVE-2017-5754 – Rogue data cache load.
- ADV180003 – Microsoft Office Defense in Depth Update for Office 2007 SP2, 2010 SP2, 2013 RT SP1, 2013 SP1, and 2016.
Out-of-band updates released January 4:
- KB4056888, KB4056890, KB4056891, KB4056892, and KB405689 for Windows 10 and Server 2016 operating systems to address processor vulnerabilities in Intel, AMD, and ARM processors. This is the fix for the Meltdown and Spectre vulnerabilities discussed above. Updates for Windows 7 and 8.1 were subsequently released.
Products Updated on Patch Tuesday
The good news here is that none of the vulnerabilities in Windows OS are rated critical. All are rated important. The only critical issues are in the web browsers, Internet Explorer and Edge. The following is a breakdown of the number of vulnerabilities patched in each product:
- Windows 7: 7 vulnerabilities
- Windows 8.1: 10 vulnerabilities
- Windows 10 (all builds): 11 vulnerabilities
- Windows Server 2008 and Windows Server 2008 R2: 7 vulnerabilities
- Windows Server 2012 and 2012 R2: 10 vulnerabilities
- Windows Server 2016: 9 vulnerabilities
- Internet Explorer 11: 2 critical vulnerabilities
- Microsoft Edge: 17 vulnerabilities with 14 rated as critical, and the remaining 3 as important
- Windows 7 SP1 and Windows Server 2008 R2 SP1 Monthly Rollup: Security updates to Windows SMB Server, Windows Kernel, Microsoft Graphics Component, Internet Explorer, and Windows Graphics. https://support.microsoft.com/en-us/help/4056894/windows-7-update-kb4056894
- Windows 8.1 and Windows Server 2012 R2 cumulative update: Security updates to Windows Kernel, Windows Datacenter Networking, Windows Graphics, and Internet Explorer. https://support.microsoft.com/en-us/help/4056895/windows-81-update-kb4056895
- Windows 10 version 1511 cumulative update: Security updates to Microsoft Edge, Internet Explorer, Microsoft Scripting Engine, Windows Graphics, Windows Kernel, Windows Datacenter Networking, Windows Virtualization and Kernel, and the Windows SMB Server. https://support.microsoft.com/en-us/help/4056888/windows-10-update-kb4056888
- Windows 10 version 1607 cumulative update: Security updates to Microsoft Edge, Internet Explorer, Windows Graphics, Windows Kernel, Windows Datacenter Networking, and Windows SMB Server. https://support.microsoft.com/en-us/help/4056890/windows-10-update-kb4056890
- Windows 10 version 1703 cumulative update: Security updates to Internet Explorer, Microsoft Scripting Engine, Microsoft Edge, Windows Graphics, Windows Kernel, Windows Subsystem for Linux, and the Windows SMB Server. https://support.microsoft.com/en-us/help/4056891/windows-10-update-kb4056891
- Windows 10 version 1709 cumulative update: Security updates to Windows SMB Server, the Windows Subsystem for Linux, Windows Kernel, Windows Datacenter Networking, Windows Graphics, Microsoft Edge, Internet Explorer, and the Microsoft Scripting Engine. https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892
- Cumulative security update for Internet Explorer (Jan. 3): resolves several reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage in Internet Explorer. https://support.microsoft.com/en-us/help/4056568/cumulative-security-update-for-internet-explorer
- Security Update for Adobe Flash Player for Windows Server 2016, Windows 10 Version 1709, Windows 10 Version 1703, Windows 10 Version 1607, Windows 10 Version 1511, Windows 10 Version 1507, Windows 10, Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows Embedded 8 Standard, and Windows Server 2012. https://support.microsoft.com/en-us/help/4056887/security-update-for-adobe-flash-player
Security updates for .NET Framework:
- KB4054173 — Security Only Update for .NET Framework 4 on WES09 and POSReady 2009
- KB4054178 — .NET Framework 2.0 on WES09 and POSReady 2009
- KB4055229 — .NET Framework 3.0 on WES09 and POSReady 2009
- KB4055265 — .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 on Windows Embedded 8 Standard and Windows Server 2012
- KB4055266 — .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 on Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2
- KB4055267 — .NET Framework 2.0, 3.0, 4.5.2, 4.6 on Windows Server 2008
- KB4055269 — .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 on Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2
- KB4055270 — .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 on Windows Embedded 8 Standard and Windows Server 2012
- KB4055271 — .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 on Windows 8.1 and Windows Server 2012 R2
- KB4055272 — .NET Framework 2.0, 3.0, 4.5.2, 4.6 on Windows Server 2008
- KB4055532 — .NET Framework 3.5.1 on Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2
Those of us who attempt to summarize each month’s updates for readers continue to struggle since Microsoft discontinued the security bulletins that contained that information in an easily accessed format and moved everything to the Security Update Guide portal, which provides a deluge of unwieldy information. Thus, we’re limited now in these articles to summarizing and discussing a selection of the large number of line items that appear in the Guide.
You can view or download the full Excel spreadsheet for all of the updates released on Patch Tuesday by entering the date range (December 12, 2017 to December 12, 2017) in the Guide interface. You can then sort and filter the data in different ways (although not, as far as I can tell, in a way that will provide us with anything close to the same formatted info as the gone-but-not-forgotten security bulletins).