Virtual Administrator’s April 2018 Patch Recommendations
***************************
Update on patching Windows 10 Version 1709 “Fall Creators Update” (OS Build 16299)
Kaseya released patch 9.5.0.8 which fixes the problem where patch scans were not accurately detecting the monthly cumulative update. Our on-prem KServers were patched on April 19 and SaaS was patched on April 21.
9.5.0.8 Patch Release – 17 April 2018
Patch Management
Resolved an issue associated with patches not appearing for the latest Windows 10 Version 1709 cumulative update. Re-running a new patch scan will retrieve the latest updates. (NINEFIVEPT-571/SDP-4129)
***************************
This month Microsoft released patches for 66 vulnerabilities with 24 of them rated “Critical” and 42 rated “Important”.
All April patches have been approved in our patch policy.
A lot of the big news this month happened before Patch Tuesday. Last week Microsoft released a fix (KB4099950) for the NIC card issues which caused us to deny last month’s rollup for Windows 7/Server 2008 R2. They also released KB4100480 which patches the newly discovered “Total Meltdown” bug affecting Windows 7/Server 2008 R2. As of last night both were included in the month rollup KB4093118/KB4093108. Released on Tuesday were Remote Code Execution Vulnerabilities in the Windows VBScript Engine and Font Library/Microsoft Graphics. Both are included in the monthly cumulative/rollup. A vulnerability in Microsoft Malware Protection Engine (CVE-2018-0986) was patched. Microsoft Defender updates itself automatically.
Denied last month KB4088875/KB4088878
Both of these have been superceded by this month’s update KB4093118/KB4093108. The “NIC settings are replaced or static IP address settings are lost after you install KB4088875 or KB4088878” was corrected.
“Total Meltdown” bug
Windows kernel update for CVE-2018-1038
https://support.microsoft.com/en-in/help/4100480/windows-kernel-update-for-cve-2018-1038
The Spectre/Meltdown patches for Windows 7/Server 2008 R2 created a vulnerability that left a crucial kernel memory table readable and writable for normal user processes. This means a user (or malware) can manipulate the operating system’s memory map, gain administrator-level privileges, and extract and modify any information in RAM. Anyone who applied the rollups this year is affected. This was patched with KB4100480 and included in the monthly rollup KB4093118/KB4093108.
UPDATE: Spectre/Meltdown
The registry key antivirus check has been removed on all operating systems.
Security Update Guide
https://portal.msrc.microsoft.com/en-us/security-guidance
Affected software include:
- Internet Explorer
- Microsoft Edge
- Microsoft Windows
- Microsoft Office and Microsoft Office Services and Web Apps
- ChakraCore
- Adobe Flash Player
- Microsoft Malware Protection Engine
- Microsoft Visual Studio
Known Issues per Microsoft: KB4093112, KB4093118, KB4093108
Cumulative Update for Windows 10 Version 1709
https://support.microsoft.com/en-us/help/4093112/windows-10-update-kb4093112
Monthly Windows 7, Windows Server 2008 R2
https://support.microsoft.com/en-us/help/4093118/windows-7-update-kb4093118
https://support.microsoft.com/en-us/help/4093108/windows-7-update-kb4093108
Monthly Rollup/Security Only/Windows 10/Server 2016 KBs
Links are https://support.microsoft.com/en-us/help/####### with the KB number only.
Security and Quality Rollup
KB4093118 – Windows 7, Windows Server 2008 R2
KB4093114 – Windows 8.1, Windows Server 2012 R2
KB4093123 – Windows Server 2012
Security Only Update
KB4093108 – Windows 7, Windows Server 2008 R2
KB4093115 – Windows 8.1, Windows Server 2012 R2
KB4093122 – Windows Server 2012
Cumulative Update for Windows 10
KB4093111 – Original release version 1507 (OS Build 10240)
KB4093109 – Version 1511 (OS Build 10586)
KB4093119 – Version 1607 “Anniversary Update” (OS Build 14393)
KB4093107 – Version 1703 “Creators Update” (OS Build 15063)
KB4093112 – Version 1709 “Fall Creators Update” (OS Build 16299)
Note: Server 2016 uses the same KB as Windows 10 Version 1607
KB4092946 – Cumulative Security Update for Internet Explorer 9/10/11
This cumulative update is included in the monthly updates listed above. It can be installed instead of the monthly to secure Internet Explorer otherwise it is “superseded” by the monthly update.
.NET Framework – None this month
KB4093110 – Security Update for Adobe Flash Player
April 2018 updates for Microsoft Office
https://support.microsoft.com/en-sg/help/4098622/april-2018-updates-for-microsoft-office
IMPORTANT: Windows 10 Version 1709 “Fall Creators Update” (OS Build 16299)
Kaseya patch management is not detecting the cumulative monthly updates on the latest Windows 10 Version 1709 “Fall Creators Update”
Kaseya uses the Windows Updates API to determine which patches are needed. For some reason this is not accurately detecting the monthly cumulative update for version 1709. Other patches are detected normally. Your Kaseya patch scans will not show the cumulative patch as missing or installed. As such the agent may show fully patched when it is not.
Kaseya is working with Microsoft to correct this. Until the is fixed we will be releasing agent procedures to install the monthly updates. You can also turn Windows updates back ON from Patch Management> Configure> Windows Auto Update.
You can create a Custom View to find those agents on Windows 10 Version 1709 by adding the build number – Under “OS Info” add “OS Type: Windows 10” and “OS version filter: *16299*” We will update all partners once this problem is corrected.
Notable News:
Windows 10 1803 Spring Creators Update scheduled for release on April 10 has been delayed due to a “blocking bug.”
Notable CVEs
CVE-2018-0986 | Microsoft Malware Protection Engine Remote Code Execution Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0986
A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a specially crafted file, leading to memory corruption. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
CVE-2018-1004 | Windows VBScript Engine Remote Code Execution Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1004
A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
CVE-2018-1010 (-1012,-1013,-1015,-1016) | Microsoft Graphics Remote Code Execution Vulnerability
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1010
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1012
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1013
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1015
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1016
A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
CVE-2018-1038 | Windows Kernel Elevation of Privilege Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1038
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
