Virtual Administrator’s November 2017 Patch Recommendations

Update 11/21/17 Agent Procedures for known issue with Windows 10 version 1607 “Anniversary Update”

Agent procedures that enable or disable the CDPSvc and CDPUserSvc services are available on ClubMSP. On-prem partners will find them in the Shared> Patch Deployment folder.

Script Name: Disable CDPSvc CDPUserSvc
Script Name: Enable (auto) CDPSvc CDPUserSvc

Issue: “CDPUserSvc_XXXX has stopped working” message appears at login
Applies to: Windows 10 version 1607 “Anniversary Update”
Problem was first noticed on some machines last month and continues to be a problem this month.
Workaround: Disable the service.

Note: Microsoft probably won’t fix this and will recommend upgrading to Windows 10 version 1709 “Fall Creators Update” as a fix.

******************************************************************************************************************************************************************

This month Microsoft released patches for 53 vulnerabilities with 19 of them rated Critical.

All November patches have been approved in our patch policy.

The top priority this month is the set of Internet Explorer and Edge patches addressing a memory corruption vulnerability in the scripting engine. Four CVEs are public but are not currently being exploited: CVE-2017-8700, CVE-2017-11827, CVE-2017-11848 and CVE-2017-11883. Adobe also released patches for 9 advisories fixing 62 CVEs for Acrobat and Reader alone.

A Microsoft Security Advisory was released (details below). This is an old vulnerability in Dynamic Data Exchange (DDE) fields. The workaround is to disable DDE. Microsoft is not likely to patch this as they consider DDE a product feature and not a vulnerability.

Affected software includes:

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • ASP.NET Core and .NET Core
  • Chakra Core

Security Update Guide

https://portal.msrc.microsoft.com/en-us/security-guidance

Microsoft Security Advisory 4053440 (Published: November 8, 2017)
Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields
https://technet.microsoft.com/library/security/4053440
Microsoft is releasing this security advisory to provide information regarding security settings for Microsoft Office applications. This advisory provides guidance on what users can do to ensure that these applications are properly secured when processing Dynamic Data Exchange (DDE) fields.

Disable Office DDEAUTO to mitigate attacks
https://www.ghacks.net/2017/10/23/disable-office-ddeauto-to-mitigate-attacks/
(Note: We are working to create a script for this to post on ClubMSP.)

Known Issues per Microsoft

  • KB4048954
  • KB4048953
  • KB4048955
  • KB4048952
  • KB4048956
  • KB4048958
  • KB4048961
  • KB4048957
  • KB4048960

Issues 1 and 4 below affect all of the cumulative rollups/updates. The other 2 affect the Windows 10 update. See the Security Update Guide Release Notes for further details (https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/bae9d0d8-e497-e711-80e5-000d3a32fc99).

Issue 1: Internet Explorer 11 users who use SQL Server Reporting Services (SSRS) may not be able to scroll through a dropdown menu using the scroll bar. (Fix: Change the document mode.)
Status/Workaround: Using the scroll wheel on a mouse works as expected. This issue only applies to document mode 11, so attempting to load the page with document mode 10 may work around the issue. Microsoft is working on a resolution and will provide an update in an upcoming release.

Issue 2: Universal Windows Platform (UWP) applications that use JavaScript and asm.js may stop working. (Fix: Uninstall, then reinstall the application.)
Status/Workaround: Uninstall the application. Once this is complete, reinstall it. Microsoft is working on a resolution and will provide an update in an upcoming release.

Issue 3: May change Czech and Arabic languages to English for Microsoft Edge and other applications. (Fix: We’re working on it.)
Status: Microsoft is working on a resolution and will provide an update in an upcoming release.

Issue 4: After installing this update, some Epson SIDM (Dot Matrix) and TM (POS) printers cannot print on x86 and x64-based systems.
Status/Workaround: Uninstall cumulative rollup/update. Microsoft and Epson have determined the cause of the issue and are working on a solution. This problem is not related to the printer driver, so installing current or older print drivers will not resolve the issue. Microsoft will provide an update in an upcoming release.

Other Known Issues

CDPUserSvc fails
Issue: “CDPUserSvc_XXXX has stopped working” message appears at login
Applies to: Windows 10 version 1607 “Anniversary Update”
Problem was first noticed on some machines last month and continues to be a problem this month.
Workaround: Disable the service:
1. Open regedit and locate the service. For instance: HKLM\System\CurrentControlSet\Services\CDPUserSvc & CDPSvc
2. Change the Start value from 2 to 4 (Hexadecimal or Decimal) and click OK.
3. Restart the machine.
(Note: We are working to create a script for this to post on ClubMSP.)
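
The registry steps above as a PowerShell function, added here as an example; it is not the ClubMSP agent procedure. The function name, the -Mode parameter and the log path are assumptions, and it must be run from an elevated prompt.

```powershell
# Added example: applies the Start-value workaround described above.
# Function name, -Mode values and $LogPath are hypothetical, not from ClubMSP.
function Set-CdpServiceStart {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('Disable', 'Enable')]
        [string]$Mode = 'Disable',
        [string]$LogPath = "$env:ProgramData\cdp-start-changes.csv"  # assumed location
    )

    # The issue applies to Windows 10 version 1607 (OS Build 14393) only.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    if ($cv.CurrentBuild -ne '14393') {
        Write-Warning "OS build $($cv.CurrentBuild) is not 14393 (version 1607); no change made."
        return
    }

    # Start = 2 is automatic, Start = 4 is disabled.
    $target = if ($Mode -eq 'Disable') { 4 } else { 2 }

    foreach ($name in 'CDPSvc', 'CDPUserSvc') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (-not (Test-Path $key)) {
            Write-Warning "$key not found; skipped."
            continue
        }

        $current = (Get-ItemProperty -Path $key -Name Start).Start
        if ($current -eq $target) { continue }   # already in the requested state

        if ($PSCmdlet.ShouldProcess($key, "Set Start from $current to $target")) {
            # Record the previous value so the change can be reviewed or reverted.
            [pscustomobject]@{
                Time     = Get-Date -Format o
                Service  = $name
                OldStart = $current
                NewStart = $target
            } | Export-Csv -Path $LogPath -Append -NoTypeInformation

            Set-ItemProperty -Path $key -Name Start -Value $target -Type DWord
        }
    }
    Write-Output 'Restart the machine for the change to take effect.'
}

Set-CdpServiceStart -Mode Disable   # use -Mode Enable to restore automatic start
```

Running it with -WhatIf lists the keys that would change without writing to the registry or the log.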

Excel cursor flickers
Issue: Some devices may experience the cursor flickering when you open an Excel workbook and move over workbook cells after updating to the Windows 10 Fall Creators Update.
Applies to: Windows 10 version 1709 “Fall Creators Update”
STATUS: INVESTIGATING Microsoft is aware of and investigating the issue. We will provide an update to this forum as soon as available.

Monthly Rollup/Security Only/Windows 10/Server 2016 KBs

Links are https://support.microsoft.com/en-us/help/####### with the KB number only.

Security and Quality Rollup

  • KB4048957 – Windows 7, Windows Server 2008 R2
  • KB4048958 – Windows 8.1, Windows Server 2012 R2
  • KB4048959 – Windows Server 2012

Security Only Update

  • KB4048960 – Windows 7, Windows Server 2008 R2
  • KB4048961 – Windows 8.1, Windows Server 2012 R2
  • KB4048962 – Windows Server 2012

Cumulative update for Windows 10

  • KB4048956 – Original release version 1507 (OS Build 10240)
  • KB4048952 – Version 1511 (OS Build 10586)
  • KB4048953 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB4048954 – Version 1703 “Creators Update” (OS Build 15063)
  • KB4048955 – Version 1709 “Fall Creators Update” (OS Build 16299)

Note: Server 2016 uses the same KB as Windows 10 Version 1607

KB4047206 – Cumulative Security Update for Internet Explorer 9/10/11
This cumulative update is included in the monthly updates listed above. It can be installed instead of the monthly update to secure Internet Explorer; otherwise it is “superseded” by the monthly update.

.NET Framework
Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7

  • KB4049016 – Windows 7, Windows Server 2008 R2
  • KB4049017 – Windows 8.1, Windows Server 2012 R2
  • KB4049018 – Windows Server 2012

Notable CVEs

CVE-2017-11836, CVE-2017-11837, CVE-2017-11838, CVE-2017-11839, CVE-2017-11871, and CVE-2017-11873
Scripting Engine Memory Corruption Vulnerability
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.

CVE-2017-11848 | Internet Explorer Information Disclosure Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11848
An information disclosure vulnerability exists when Internet Explorer improperly handles page content, which could allow an attacker to detect the navigation of the user leaving a maliciously crafted page.

CVE-2017-11827 | Microsoft Browser Memory Corruption Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11827
A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.

CVE-2017-11883 | ASP.NET Core Denial Of Service Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11883
A denial of service vulnerability exists when ASP.NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication.

CVE-2017-8700 | ASP.NET Core Information Disclosure Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8700
An information disclosure vulnerability exists in ASP.NET Core that allows bypassing Cross-origin Resource Sharing (CORS) configurations. An attacker who successfully exploited the vulnerability could retrieve content, that is normally restricted, from a web application.