Virtual Administrator’s June 2017 Patch Recommendations

July 6 **Update** “Current Status for June’s Outlook issues”

Outlook known issues in the June 2017 security updates – https://support.office.com/en-us/article/Outlook-known-issues-in-the-June-2017-security-updates-3f6dbffd-8505-492d-b19f-b3b89369ed9b?ui=en-US&rs=en-US&ad=US&fromAR=1

  • Outlook 2007 (Issue #1 and #2) Workaround posted
  • Outlook 2010 (Issue #1 and #2) NEW PATCH KB4011042 – original KB3015545 replaced
  • Outlook 2013 (Issue #2 and #3) Original fix KB3191849
  • Outlook 2016 (Issue #2 and #3) NEW PATCH KB3213654

Issue #1
Symptom: When you open an attachment in an email, contact, or task formatted as Rich Text you get the following error:

“The program used to create this object is Outlook. That program is either not installed on your computer or it is not responding. To edit this object, install Outlook or ensure that any dialog boxes in Outlook are closed”.

Issue #2
Symptom: When opening an attachment that includes consecutive periods (…), or an exclamation point (!), the files are blocked and you receive an Opening Mail Attachment warning.

Issue #3
Symptom: If you set ShowLevel1Attach to allow Outlook to display Level 1 attachments, you may see the error:

“One or more objects in this file have been disabled due to your policy settings”.

 ======================

June 30 **Update** “Current Status for June’s Outlook issues”

Outlook known issues in the June 2017 security updates

https://support.office.com/en-us/article/Outlook-known-issues-in-the-June-2017-security-updates-3f6dbffd-8505-492d-b19f-b3b89369ed9b?ui=en-US&rs=en-US&ad=US&fromAR=1

Issues #1, #2 and #3 have been fixed on some versions of Outlook. Agent procedures* to deploy them are posted on ClubMSP (On-Prem users check VA Shared folder). This update is only available for manual download and installation from the Microsoft Download Center.

Issues #5 and #7 Microsoft posted patches for these to the Windows Updates catalog. Windows 7/8 are the June Preview of Monthly Rollup – KB4022168 and KB4022720. Windows 10 is an update – KB4022716. The “Preview of Monthly Rollup” include early releases of July’s rollup. In effect you are beta testing next month’s patches. Windows 10 update KB4022716 includes a number of other fixes and there has not been enough time to vet it thoroughly. For these reasons we have not approved them in VA patch policy.

Issue #1

Symptom: When you open an attachment in an email, contact, or task formatted as Rich Text you get the following error: “The program used to create this object is Outlook. That program is either not installed on your computer or it is not responding. To edit this object, install Outlook or ensure that any dialog boxes in Outlook are closed”.

Affects: Outlook 2007 and Outlook 2010

Status: Fixed 2010. Workaround posted.

Advice: Use VA Script “Procedure KB3015545 install (Outlook 2010)”*

Issue #2

Symptom: When opening an attachment that includes consecutive periods (…), or an exclamation point (!), the files are blocked and you receive an Opening Mail Attachment warning.

Affects: Outlook 2007, Outlook 2010, Outlook 2013, and Outlook 2016.

Status: Fixed 2010/2013. Workaround posted.

Advice: Use VA Script “Procedure KB3015545 install (Outlook 2010)”* and/or “Procedure KB3191849 install (Outlook 2013)”

 Issue #3

Symptom: If you set ShowLevel1Attach to allow Outlook to display Level 1 attachments, you may see the error: “One or more objects in this file have been disabled due to your policy settings”.

Affects: Outlook 2013 and Outlook 2016.

Fixed 2013. Workaround posted.

Advice: Use VA Script “Procedure KB3191849 install (Outlook 2013)”

 Issue #4

Symptom: When you use a custom form that you have created for Outlook, you see the following two symptoms: “VBScript does not run” and “You get a malicious code warning”

Affects: Outlook 2007, Outlook 2010, Outlook 2013, and Outlook 2016.

Status: No fix. No workaround

Advice: None

 Issue #5

Symptom: When searching in Outlook, you get this error: “Something went wrong and your search couldn’t be completed.”, or “Search results may be incomplete because items are still being indexed”.

Affects: All Outlook versions on Windows 7, Windows 8, Windows 10.

Status: Fixed Windows 7, Windows 8, Windows 10. Workaround posted.

Advice: Manually push out patch to affected machines. (see below)

 Issue #6

Symptom: iCloud fails to load properly. When accessing Calendar, Contacts, or Tasks in Outlook 2007, you get the following error:The set of folders cannot be opened. MAPI was unable to load the information service C:PROGRA~2COMMON~1AppleInternet ServicesAPLZOD.dll. Be sure the service is correctly installed and configured.”

Affects: Outlook 2007

Status: No fix. Workaround posted

Advice: Use workaround

Issue #7

Symptom: When you print a specific iframe or frame in a web page, the print output may be blank, or text is printed that resembles the following: 404 – Not Found

Affects: All Outlook versions on Windows 7, Windows 8, Windows 10.

Status: Fixed Windows 7, Windows 8, Windows 10. No workaround.

Advice: Manually push out patch** to affected machines.

 * The 32 bit version of KB3015545 was released then pulled by Microsoft then next day.  Our Script should work once the revised patch is available.

 ** To manually push out a patch go to Patch Management> Manage Updates> Machine Update and Schedule. Make sure to Uncheck “Hide patches denied by Patch Approval” to view all missing patches.

 ======================

June 16 **UPDATE**

Microsoft released a fix for those experiencing problems printing an iFrame or frame in Internet Explorer 11

“Only customers who are experiencing print issues” should install KB4032782. VA is working on an agent procedure to deploy this. We hope to have it posted early next week. If you need to install this sooner the downloads are here: https://www.catalog.update.microsoft.com/search.aspx?q=KB4032782

“The update is available via the Microsoft Update Catalog only” and cannot be pushed out through Kaseya patch management.

A blank page or “404” error prints when you try to print a frame in Internet Explorer 11

https://support.microsoft.com/en-us/help/4032782/a-blank-page-or-404-error-prints-when-you-try-to-print-a-frame-in-inte

Revision Information:

=====================

https://portal.msrc.microsoft.com/en-us/security-guidance

– Version: 3.0

– Reason for Revision: Microsoft is announcing the release of update 4032782 for Internet Explorer 11 on Windows 7, Windows Server 2008 R2, Windows 8.1, and Windows Server 2012 R2 to address a known issue customers may experience when printing from Internet Explorer. Only customers who are experiencing print issues after installing Internet Explorer Cumulative update 4021558 should install update 4032782 because update 4032782addresses the known issue by removing the protection from CVE-2017-8529. The update is available via the Microsoft Update Catalog only.

– Originally posted: June 23, 2017

– Aggregate CVE Severity Rating: Critical

—————————————————-

This month Microsoft released patches for 92 vulnerabilities with 17 of them rated critical and 75 rated important.

CVE-2017-8464 and CVE-2017-8543 are being actively exploited and should be prioritized.  Both are listed in Security Advisory 4025685 and included in the monthly rollups.

We have not uncovered any widespread problems with any of these patches and are releasing all of them. (Exception: See “Heads Up!” below regarding .NET Framework 4.7 and Exchange Server.)

Affected software include:

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Silverlight
  • Skype for Business and Lync
  • Adobe Flash Player

Security Update Summary

https://portal.msrc.microsoft.com/en-us/security-guidance/summary

Security Update Guide

https://portal.msrc.microsoft.com/en-us/security-guidance

 

Being Exploited

CVE-2017-8464 | LNK Remote Code Execution Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464

The attacker could present to the user a removable drive, or remote share, that contains a malicious .LNK file and an associated malicious binary. When the user opens this drive(or remote share) in Windows Explorer, or any other application that parses the .LNK file, the malicious binary will execute code of the attacker’s choice, on the target system.

 

CVE-2017-8543 | Windows Search Remote Code Execution Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8543

To exploit the vulnerability, the attacker could send specially crafted messages to the Windows Search service. An attacker with access to a target computer could exploit this vulnerability to elevate privileges and take control of the computer. Additionally, in an enterprise scenario, a remote unauthenticated attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer.

 

Microsoft Security Advisory 4025685

Guidance related to June 2017 security update release

https://technet.microsoft.com/en-us/library/security/4025685

This addresses WannaCry and similar threats. It is a “laundry list” of “the critical security updates that are at heightened risk of exploitation due to past and threatened nation-state attacks and disclosures.” Most are older patches but some are new. CVE-2017-8464 and CVE-2017-8543 are included.

 

Microsoft security advisory 4025685: Guidance for older platforms: June 13, 2017

https://support.microsoft.com/en-ca/help/4025687/microsoft-security-advisory-4025685-guidance-for-older-platforms

Microsoft has released patches for unsupported systems running Windows XP, Windows Vista, Windows 8, or Windows Server 2003. These will need to be downloaded and installed manually. Windows Updates will not find them.

 

Heads Up!

.NET Framework 4.7 and Exchange Server

https://blogs.technet.microsoft.com/exchange/2017/06/13/net-framework-4-7-and-exchange-server/

“At this time, .NET Framework 4.7 is not supported by Exchange Server. Please resist installing it on any of your systems after its release to Windows Update.”

.NET Framework 4.7 is listed as an Optional Feature Pack and VA’s policy has always been to deny all patches in this category.

 

Blocking the automatic deployment of .NET 4.7

https://blogs.msdn.microsoft.com/dotnet/2017/06/13/microsoft-net-framework-4-7-is-available-on-windows-update-wsus-and-mu-catalog/

Agent procedures to block (and unblock) .NET Framework 4.7 are available on ClubMSP and in the VA Shared folder on our onprem KServer under Patch Deployment.

https://clubmsp.com/msp/script/block-dot-net-4-7-wau-install-block/

https://clubmsp.com/msp/script/block-dot-net-4-7-wau-install-unblock/

 

 

KNOWN ISSUES

Symptom: Printing through IE fails with when the user clicks the Printer icon the resulting print shows 404 Page Not Found. The workaround it to use print using Print Preview.

KB4022719, KB4021558 and KB4022715 are known to cause this but as they are cumulative updates we cannot deny the entire package

Symptom: If an iSCSI target becomes unavailable, attempts to reconnect will cause a leak. Initiating a new connection to an available target will work as expected.

 

KB4022717, KB4022726, and KB4022715

Windows 8.1 and Windows Server 2012 R2

June 13, 2017—KB4022717 (Security-only update)

https://support.microsoft.com/en-us/help/4022717/windows-8-update-kb4022717

June 13, 2017—KB4022726 (Monthly Rollup)

https://support.microsoft.com/en-us/help/4022726/windows-8-update-kb4022726

 

Windows 10 Version 1607 and Windows Server 2016

June 13, 2017—KB4022715 (OS Build 14393.1358)

https://support.microsoft.com/en-us/help/4022715/windows-10-update-kb4022715

 

Update on AMD Carrizo DDR4 processor

Mentioned in our April blog April’s rollup patch for Windows 7,8 and Server 2008R2/2012R2 will block downloading and installing future Windows updates.

Microsoft providinded instuctions for manually install this months rollups which should correct the Windows updates problem going forward.

 

Installation steps for systems using AMD Carrizo DDR4 processor:

1.Download June’s rollup patch from Microsoft update catalog.

2.Extract the CAB file from the downloaded .msu file from step 1. Note the path where you stored the CAB file for use in step 3.

3.Run the DISM /Online /Add-Package command to install the update: DISM.exe /Online /Add-Package /PackagePath: CAB file path from step 2.

 

Monthly Rollup/Security Only/Windows 10/Server 2016 KBs

 

May 2017 security monthly quality rollup

  • KB4022719 – Windows 7, Windows Server 2008 R2
  • KB4022726 – Windows 8.1, Windows Server 2012 R2
  • KB4022724 – Windows Server 2012

 

May 2017 security only quality update

  • KB4022722 – Windows 7, Windows Server 2008 R2
  • KB4022717 – Windows 8.1, Windows Server 2012 R2
  • KB4022718 – Windows Server 2012

 

.NET Framework

  • May, 2017 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2
  • May, 2017 Security Only Update for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2
  • The KB numbers for .Net are different for each version and in some cases each OS installed.

 

Cumulative update for Windows 10

  • KB4022727 – Original release version 1507 (OS Build 10240.17354)
  • KB4022714 – Version 1511 (OS Build 10586.873)
  • KB4022715 – Version 1607 “Anniversary Update” (OS Build 14393.1066 and 14393.1083)
  • KB4022725 – Version 1703 “Creators Update” (OS Build 15063.138)

Note: Server 2016 uses the same KB as Windows 10 Version 1607