Virtual Administrator’s June 2018 Patch Recommendations

This month Microsoft released patches for 51 vulnerabilities with 11 of them rated “Critical” and 40 rated “Important”.

All June patches have been approved in our patch policy.

Security Update for Adobe Flash Player (KB4287903) was released on June 7th. There are reports that the vulnerability it fixes is being actively exploited. Another variant of the Spectre/Meltdown vulnerabilities known as “Spectre Variant 4” (see: ADV180012) has been disclosed. Windows 10 version 1607 and Windows Server 2016 users must install KB4132216 prior to installing the June 2018 cumulative security update (KB4284880). The problem with NICs losing settings after installing the monthly rollup persists (see Warning and Known Issues below).

Four Microsoft Security Advisories were released. ADV180012 and ADV180013 are variants of Spectre and Meltdown. ADV180014 is the Adobe vulnerability. ADV180015 is for Microsoft Office (links below).

Zero Day: KB4287903. On June 7 Adobe released an out-of-band update for a Flash Player vulnerability which has been actively exploited.

WARNING: Windows 7 SP1 and Windows Server 2008 R2 SP1 may lose NIC settings when KB4284826/KB4284867 is installed. Microsoft is either unable or unwilling to fix this problem. The workaround is listed in Known Issues below. Because this is a rollup and the problem affects a limited number of machines with third-party software, we do not feel we can deny it in patch policy. If you do not want to install this rollup you should set KB4284826/KB4284867 to ignore.

 

Heads Up!

On Windows 10 version 1607 and Windows Server 2016 KB4132216 must be installed prior to installing KB4284880. Because of this it may take two patching cycles to get those machines fully patched. KB4284880 may not be detected as a needed patch until KB4132216 is installed.

 

Spectre/Meltdown:

The new Spectre Variant 4 protections are not enabled by default on Servers. As with previous updates you must take further action to be protected from Spectre/Meltdown vulnerabilities.

Windows Server guidance to protect against speculative execution side-channel vulnerabilities

https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

 

Security Update Guide

https://portal.msrc.microsoft.com/en-us/security-guidance

 

Affected software includes:

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • ChakraCore
  • Adobe Flash Player

 

Microsoft Security Advisories

 

Known Issues

KB4284880, KB4284819, KB4284835, KB4284826, KB4284867

 

KB4284880 Applies to: Windows 10 Version 1607, Windows Server 2016

https://support.microsoft.com/en-us/help/4284880/windows-10-update-kb4284880

The KB states “Microsoft is not currently aware of any issues with this update.” We think the warning to install KB4132216 before KB4284880 is the reason for the Known Issue listing.

Important: When installing both the servicing stack update (SSU) (KB4132216) and the latest cumulative update (LCU) from the Microsoft Update Catalog, install the SSU before installing the LCU.

 

KB4284819 Applies to: Windows 10 version 1709

https://support.microsoft.com/en-us/help/4284819/windows-10-update-kb4284819

Symptom: Some non-English platforms may display the following string in English instead of the localized language: “Reading scheduled jobs from file is not supported in this language mode.” This error appears when you try to read the scheduled jobs you’ve created and Device Guard is enabled.

Workaround: Microsoft is working on a resolution and will provide an update in an upcoming release.

 

Symptom: When Device Guard is enabled, some non-English platforms may display the following strings in English instead of the localized language:

  • “Cannot use ‘&’ or ‘.’ operators to invoke a module scope command across language boundaries.”
  • “‘Script’ resource from ‘PSDesiredStateConfiguration’ module is not supported when Device Guard is enabled. Please use ‘Script’ resource published by PSDscResources module from PowerShell Gallery.”

Workaround: Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4284835 Applies to: Windows 10 version 1803

https://support.microsoft.com/en-us/help/4284835/windows-10-update-kb4284835

Symptom: Some users running Windows 10 version 1803 may receive an error “An invalid argument was supplied” when accessing files or running programs from a shared folder using the SMBv1 protocol.

Workaround: Enable SMBv2 or SMBv3 on both the SMB server and the SMB client, as described in KB2696547.

Microsoft is working on a resolution that will be available later in June.

 

 

KB4284826/KB4284867 Applies to: Windows 7 SP1, Windows Server 2008 R2 SP1

https://support.microsoft.com/en-us/help/4284826/windows-7-update-kb4284826

https://support.microsoft.com/en-us/help/4284867/windows-7-update-kb4284867

Symptom: A stop error occurs on computers that don’t support Streaming Single Instructions Multiple Data (SIMD) Extensions 2 (SSE2).

Workaround: Microsoft is working on a resolution and will provide an update in an upcoming release.

 

Symptom: There is an issue with Windows and third-party software that is related to a missing file (oem<number>.inf). Because of this issue, after you apply this update, the network interface controller will stop working.

Workaround:

  1. To locate the network device, launch devmgmt.msc; it may appear under Other Devices.
  2. To automatically rediscover the NIC and install drivers, select Scan for Hardware Changes from the Action menu.
     • Alternatively, install the drivers for the network device by right-clicking the device and selecting Update. Then select Search automatically for updated driver software or Browse my computer for driver software.

 

Monthly Rollup/Security Only/Windows 10/Server 2016 KBs

Links take the form https://support.microsoft.com/en-us/help/#######, where ####### is the KB number only (digits, without the “KB” prefix).

 

Security and Quality Rollup

  • KB4284826 – Windows 7, Windows Server 2008 R2
  • KB4284815 – Windows 8.1, Windows Server 2012 R2
  • KB4284855 – Windows Server 2012

 

Security Only Update

  • KB4284867 – Windows 7, Windows Server 2008 R2
  • KB4284878 – Windows 8.1, Windows Server 2012 R2
  • KB4284846 – Windows Server 2012

 

Cumulative Update for Windows 10

  • KB4284860 – Original release version 1507 (OS Build 10240)
  • None – Version 1511 (OS Build 10586)
  • KB4284880 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB4284874 – Version 1703 “Creators Update” (OS Build 15063)
  • KB4284819 – Version 1709 “Fall Creators Update” (OS Build 16299)
  • KB4284835 – Version 1803 “Spring Creators Update” (OS Build 17134)

Note: Server 2016 uses the same KB as Windows 10 Version 1607
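
The install order required on version 1607/Server 2016 (SSU KB4132216 before KB4284880), combined with the Windows 10 cumulative update list above, can be checked per machine with a short PowerShell script. This is an added example, not part of the original recommendations; the function name Get-JunePatchState and its state labels are hypothetical, while the KB and build numbers are taken from this page.

```powershell
# Added example: report where a Windows 10 / Server 2016 machine stands
# in the June 2018 patch sequence. KB and build numbers come from this page.

# OS build -> June 2018 cumulative update (LCU)
$JuneCU = @{
    10240 = 'KB4284860'   # 1507
    14393 = 'KB4284880'   # 1607 and Server 2016
    15063 = 'KB4284874'   # 1703
    16299 = 'KB4284819'   # 1709
    17134 = 'KB4284835'   # 1803
}

# OS build -> servicing stack update (SSU) that must be installed first
$SsuPrereq = @{ 14393 = 'KB4132216' }

function Get-JunePatchState {
    param(
        [Parameter(Mandatory)][int]$Build,
        [string[]]$InstalledKB = @()
    )
    if (-not $JuneCU.ContainsKey($Build)) {
        # Version 1511, Windows 7/8.1 and others are not handled here
        return [pscustomobject]@{ Build = $Build; State = 'NotCovered'; NextKB = $null }
    }
    $cu  = $JuneCU[$Build]
    $ssu = $SsuPrereq[$Build]          # $null when no prerequisite applies

    if ($InstalledKB -contains $cu) {
        $state = 'Patched';  $next = $null
    } elseif ($ssu -and ($InstalledKB -notcontains $ssu)) {
        # The LCU may not even be offered until the SSU is present,
        # so this machine needs a second patching cycle.
        $state = 'NeedsSSU'; $next = $ssu
    } else {
        $state = 'NeedsCU';  $next = $cu
    }
    [pscustomobject]@{ Build = $Build; State = $state; NextKB = $next }
}

# Evaluate the local machine
$build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
$kbs   = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
Get-JunePatchState -Build $build -InstalledKB $kbs
```

Get-HotFix may stop listing a cumulative update once a later one supersedes it, so the result is meaningful only during the June 2018 patch cycle.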

 

KB4230450 – Cumulative Security Update for Internet Explorer 9/10/11

This cumulative update is included in the monthly updates listed above. It can be installed instead of the monthly update to secure Internet Explorer; otherwise it is “superseded” by the monthly update.

 

KB4287903 – Security Update for Adobe Flash Player

 

June 2018 updates for Microsoft Office

https://support.microsoft.com/en-us/help/4299875/june-2018-updates-for-microsoft-office

 

Notable CVEs

CVE-2018-8140 | Cortana Elevation of Privilege Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8140

Affects Windows 10 Version 1709/1803, Windows Server 1709/1803

KB# – Cumulative Update

An Elevation of Privilege vulnerability exists when Cortana retrieves data from user input services without consideration for status. An attacker who successfully exploited the vulnerability could execute commands with elevated permissions.

 

CVE-2018-8225 | Windows DNSAPI Remote Code Execution Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8225

Affects All OS

KB# – Monthly Rollup/Cumulative Update

A remote code execution vulnerability exists in Windows Domain Name System (DNS) DNSAPI.dll when it fails to properly handle DNS responses. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account.

 

CVE-2018-8231 | HTTP Protocol Stack Remote Code Execution Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8231

Affects Windows 10, Windows Server 2016 1703/1709/1803

KB# – Cumulative Update

A remote code execution vulnerability exists when HTTP Protocol Stack (Http.sys) improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code and take control of the affected system.

 

CVE-2018-8267 | Scripting Engine Memory Corruption Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8267

Affects Internet Explorer 11

KB# – Monthly Rollup/Cumulative Update

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.