Virtual Administrator’s July 2018 Patch Recommendations
This month Microsoft released patches for 54 vulnerabilities with 17 of them rated “Critical”, 35 “Important”, 1 “Moderate” and 1 “Low”.
We are releasing all delayed cumulative/rollup patches.
Earlier this week Microsoft released new patches to fix the issues with the monthly patches. The fixes appear to be safe and effective. However we have seen reports that “Microsoft Azure Active Directory Connect (AADConnect) stopped working after installation of the updates on Server 2016 and 2012 R2 machines. Those using AADConnect should be on the lookout for problems and uninstall the patch if necessary – see below. Also note these fixes addressed issues with Exchange Servers causing the Exchange Transport service to stop functioning – see below.
For some reason Microsoft included the fixes for Windows 10 and Server 2016 in Windows Updates. However the other fixes for Windows 7/8 and Server 2008/2008R2/2012/2012R2 need to be installed manually. Kaseya cannot install these manual patches through Patch Management as the Windows Update scan does not show them as needed.
What you need to do
Windows 10 and Server 2016 you don’t need to do anything. The fixes are actually cumulative patches so everything (bugs and fixes) should be installed all at once.
Windows 7/8 and Server 2008/2008R2/2012/2012R2 you will need to run agent procedures to install the fixes. We are finishing scripts which we hope to have posted by early next week on ClubMSP and in the Shared folder on our on-prem KServers — will update here when they become available.
Note: The August Preview patches for these systems include the fix. So you can wait for the August patches to apply the fixes automatically. Our advice would be to run Kaseya patching on Servers only then manually install the patch fix with our agent procedure. From what we seen and read most systems will not have problems with original bugs so waiting a few weeks for the workstations to get the fixes is fine in most cases. Servers however should be fully patched now.
AADConnect problems
Azure AD Connect Health Sync Monitor High CPU Usage
Exchange Server disruption to the MSExchangeTransport service which may have been impacted by the July 10th update.
Issue with July Updates for Windows on an Exchange Server
Details of the bug and the fix
The notes for all patch fixes list the four issues below. The exception being Windows 10 1703 and Windows 7/8.1 don’t list the DHCP Failover bug.
- Addressed issue in which some devices may experience stop error 0xD1 when you run network monitoring workloads.
- Addresses an issue with the DHCP Failover server that may cause enterprise clients to receive an invalid configuration when requesting a new IP address. This results in a loss of connectivity.
- Addresses an issue that may cause the restart of the SQL Server service to fail with the error, “Tcp port is already in use”.
- Addresses an issue that occurs when an administrator tries to stop the World Wide Web Publishing Service (W3SVC). The W3SVC remains in a “stopping” state, but cannot fully stop or it cannot be restarted.
These are this links to all the patch notes:
- Windows 10 (1803) – https://support.microsoft.com/en-us/help/4345421
- Windows 10 (1709) – https://support.microsoft.com/en-us/help/4345420
- Windows 10 (1703) – https://support.microsoft.com/en-us/help/4345419
- Windows 10 (1607) – https://support.microsoft.com/en-us/help/4345418
- Windows 10 (1507) – https://support.microsoft.com/en-us/help/4338829
- Server 2016 – https://support.microsoft.com/en-us/help/4345418
- Server 2012 – https://support.microsoft.com/en-us/help/4345425
- Server 2008 R2 – https://support.microsoft.com/en-us/help/4345459
- Windows 7 – https://support.microsoft.com/en-us/help/4345459
- Server 2008 – https://support.microsoft.com/en-us/help/4345397
- Server 2012 R2 – https://support.microsoft.com/en-us/help/4345424
- Windows 8 – https://support.microsoft.com/en-us/help/4345424
Microsoft pulled then re-released a number of patches last night. We have seen that a known issue symptom “After installing this update, some devices running network monitoring workloads may receive the 0xD1 Stop error because of a race condition.” noted in some of Microsoft’s patch KBs are now appearing in all cumulative/rollup patch notes.
We are releasing all other patches including Adobe Flash Security update.
1 Microsoft Security Advisories was released. ADV180017 an Adobe vulnerability (link below).
Security Update Guide
https://portal.msrc.microsoft.com/en-us/security-guidance
New resource! Morphus Labs started publishing a great patch dashboard here: https://patchtuesdaydashboard.com
Affected software include:
- Internet Explorer
- Microsoft Edge
- Microsoft Windows
- Microsoft Office and Microsoft Office Services and Web Apps
- ChakraCore
- Adobe Flash Player
- .NET Framework
- ASP.NET
- Microsoft Research JavaScript Cryptography Library
- Skype for Business and Microsoft Lync
- Visual Studio
- Microsoft Wireless Display Adapter V2 Software
- PowerShell Editor Services
- PowerShell Extension for Visual Studio Code
- Web Customizations for Active Directory Federation Services
Microsoft Security Advisories
ADV180017 | July 2018 Adobe Flash Security Update (Published: 07/10/2018)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180017
This security update addresses the following vulnerabilities, which are described in Adobe Security Bulletin APSB18-24: CVE-2018-5007, CVE-2018-5008.
Known Issues
KB4338825, KB4338818, KB4340557/KB4340558, KB4338814 – All Cumulative/Rollups
KB4338825 Applies to: Windows 10 Version 1709
https://support.microsoft.com/en-us/help/4338825/windows-10-update-kb4338825
Symptom: Some non-English platforms may display the following string in English instead of the localized language: ”Reading scheduled jobs from file is not supported in this language mode.” This error appears when you try to read the scheduled jobs you’ve created and Device Guard is enabled
Workaround: Microsoft is working on a resolution and will provide an update in an upcoming release.
Symptom: When Device Guard is enabled, some non-English platforms may display the following strings in English instead of the localized language:
- “Cannot use ‘&’ or ‘.’ operators to invoke a module scope command across language boundaries.”
- “‘Script’ resource from ‘PSDesiredStateConfiguration’ module is not supported when Device Guard is enabled. Please use ‘Script’ resource published by PSDscResources module from PowerShell Gallery.”
Workaround: Microsoft is working on a resolution and will provide an update in an upcoming release.
Symptom: After installing this update on a DHCP Failover Server, Enterprise clients may receive an invalid configuration when requesting a new IP address. This may result in loss of connectivity as systems fail to renew their leases.
Workaround: Microsoft is working on a resolution and estimates a solution will be available mid-July.
Symptom: After installing this update, some devices running network monitoring workloads may receive the 0xD1 Stop error because of a race condition
Workaround: Microsoft is working on a resolution and estimates a solution will be available mid-July.
KB4338818 Applies to: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1
https://support.microsoft.com/en-us/help/4338818
Symptom: There is an issue with Windows and third-party software that is related to a missing file (oem<number>.inf). Because of this issue, after you apply this update, the network interface controller will stop working.
Workaround: 1) To locate the network device, launch devmgmt.msc; it may appear under Other Devices.
2) To automatically rediscover the NIC and install drivers, select Scan for Hardware Changes from the Action menu.
- Alternatively, install the drivers for the network device by right-clicking the device and selecting Update. Then select Search automatically for updated driver software or Browse my computer for driver software.
Symptom: After installing this update, some devices running network monitoring workloads may receive the 0xD1 Stop error because of a race condition.
Workaround: Microsoft is working on a resolution and estimates a solution will be available mid-July.
KB4340557/KB4340558 Applies to: Microsoft .NET Framework
Symptom: Users receive a “0x80092004” error when they try to install the July 2018 Security and Quality Rollup update KB4340557 or KB4340558 on Windows 8.1, Windows Server 2012 R2, or Windows Server 2012 after they install the June 2018 .NET Framework Preview of Quality Rollup updates KB4291497 or KB4291495 on systems that are running on .NET Framework 4.7.2, 4.7.1, 4.7, 4.62, 4.6.1, or 4.6.
Workaround: See “0x80092004” error occurs and July 2018 .NET Security and Quality Rollup update KB4340557 or KB4340558 does not install after you apply June update KB4291497 or KB4291495 https://support.microsoft.com/en-us/help/4345232/0x80092004-error-and-updates-kb4340557-and-kb4340558-don-t-install-aft
KB4338814 Applies to: Windows 10, version 1607, Windows Server 2016
https://support.microsoft.com/en-us/help/4338814/windows-10-update-kb4338814
Symptom: After installing this update on a DHCP Failover Server, Enterprise clients may receive an invalid configuration when requesting a new IP address. This may result in loss of connectivity as systems fail to renew their leases.
Workaround: Microsoft is working on a resolution and estimates a solution will be available mid-July.
Symptom: After installing this update, some devices running network monitoring workloads may receive the 0xD1 Stop error because of a race condition.
Workaround: Microsoft is working on a resolution and estimates a solution will be available mid-July.
All Cumulative/Rollups
Symptom: After installing this update, some devices running network monitoring workloads may receive the 0xD1 Stop error because of a race condition.
Workaround: Microsoft is working on a resolution and estimates a solution will be available mid-July.
Monthly Rollup/Security Only/Windows 10/Server 2016 KBs
Links are https://support.microsoft.com/en-us/help/####### with the KB number only.
Security and Quality Rollup
- KB4338818 – Windows 7, Windows Server 2008 R2
- KB4338815 – Windows 8.1, Windows Server 2012 R2
- KB4338830 – Windows Server 2012
Security Only Update
- KB4338823 – Windows 7, Windows Server 2008 R2
- KB4338824 – Windows 8.1, Windows Server 2012 R2
- KB4338820 – Windows Server 2012
Cumulative Update for Windows 10
- KB4338829 – Original release version 1507 (OS Build 10240)
- None – Version 1511 (OS Build 10586)
- KB4338814 – Version 1607 “Anniversary Update” (OS Build 14393)
- KB4338826 – Version 1703 “Creators Update” (OS Build 15063)
- KB4338825 – Version 1709 “Fall Creators Update” (OS Build 16299)
- KB4338819 – Version 1803 “Spring Creators Update” (OS Build 17134)
Note: Server 2016 uses the same KB as Windows 10 Version 1607
KB4339093 – Cumulative Security Update for Internet Explorer 9/10/11
This cumulative update is included in the monthly updates listed above. It can be installed instead of the monthly to secure Internet Explorer otherwise it is “superseded” by the monthly update.
.NET Framework
Security and Quality Rollup (Security Only) for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2
- KB4340556 (KB4340004)- Windows 7, Windows Server 2008 R2
- KB4340558 (KB4340006)- Windows 8.1, Windows Server 2012 R2
- KB4340557 (KB4340005)- Windows Server 2012
- KB4340559 (KB4340007)- Windows Server 2008 (.NET Framework 2.0, 3.0, 4.5.2, 4.6)
KB4338832 – Security Update for Adobe Flash Player
July 2018 updates for Microsoft Office
https://support.microsoft.com/en-ca/help/4340798/july-2018-updates-for-microsoft-office
