UPDATE: KRACK Wi-Fi threat

KRACK is a weakness in Wi-Fi’s WPA2 security protocol that makes it possible for attackers to steal data flowing between your wireless device and the targeted Wi-Fi network. It’s also possible to inject and manipulate data, i.e. ransomware or other malware, into websites. The attacker must be within range of your Wi-Fi to capture the data. HTTPS traffic uses Secure Sockets Layer (SSL) encryption in addition to WPA2, so it should remain secure.

Windows Patch – Microsoft announced the KRACK vulnerability on Monday October 16th but the patch had already been released (10/10/17) with its October cumulative update/rollups. The KBs are listed in the link below. There is no new or separate patch for KRACK.

If you have installed October’s cumulative patch you are protected.

CVE-2017-13080 | Windows Wireless WPA Group Key Reinstallation Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-13080

You can run a report to find which machines are missing October cumulative update/rollups. On-prem partners can use the Shared> VA_Reports “Patch Management KRACK missing”. SaaS partners need to create a New> Legacy Report> Patch> Patch Management. Show “Table of Missing Patches” plus “Missing Patches for each machine” and add this string to the “KB Article Numbers / Security Bulletin Numbers” box at the bottom.

4042895,4041689,4041691,4041676,4041681,4041693,4041687,4042723,4041678,4041690,4041679
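To spot-check individual machines outside the report, the following Windows PowerShell sketch compares installed hotfixes against the KBs this page lists for each OS. It is an added example, not part of the original post or of Kaseya's tooling; the function name `Test-OctoberUpdate` is hypothetical, and it assumes WMI access to the target machines.

```powershell
# Added example, not part of the original post. KB numbers are the ones
# listed on this page; the 6.x strings are the standard version numbers
# for those Windows releases. 4042723 from the report string is left out
# because the page does not say which OS it applies to.
$OctoberKbs = @{
    '6.1.7601'   = @('KB4041681', 'KB4041678')  # Windows 7 SP1, Server 2008 R2 SP1
    '6.2.9200'   = @('KB4041690', 'KB4041679')  # Windows Server 2012
    '6.3.9600'   = @('KB4041693', 'KB4041687')  # Windows 8.1, Server 2012 R2
    '10.0.10240' = @('KB4042895')               # Windows 10 version 1507
    '10.0.10586' = @('KB4041689')               # Windows 10 version 1511
    '10.0.14393' = @('KB4041691')               # Windows 10 version 1607, Server 2016
    '10.0.15063' = @('KB4041676')               # Windows 10 version 1703
}

# Hypothetical helper name. Reports, per computer, whether one of the
# October 2017 KBs that applies to its OS build is installed.
function Test-OctoberUpdate {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($computer in $ComputerName) {
        $row = New-Object PSObject -Property @{
            Computer = $computer; OSVersion = $null; Found = $null; Status = $null
        }
        try {
            $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop
            $installed = @(Get-HotFix -ComputerName $computer -ErrorAction Stop |
                Select-Object -ExpandProperty HotFixID)
            $row.OSVersion = $os.Version
            $expected = $OctoberKbs[$os.Version]
            if (-not $expected) {
                $row.Status = 'OS build not in the October KB list'
            } else {
                # Rollup or security-only: either one satisfies the check.
                $found = @($expected | Where-Object { $installed -contains $_ })
                $row.Found = $found -join ','
                if ($found.Count -gt 0) {
                    $row.Status = 'Installed'
                } else {
                    # A later cumulative update or rollup also carries the fix.
                    $row.Status = 'Missing, or superseded by a later update'
                }
            }
        } catch {
            $row.Status = "Query failed: $($_.Exception.Message)"
        }
        $row | Select-Object Computer, OSVersion, Status, Found
    }
}

Test-OctoberUpdate   # local machine; pass -ComputerName for remote hosts
```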

Your Wi-Fi hardware may need patching
Vendor Information for VU#228519
Wi-Fi Protected Access (WPA) handshake traffic can be manipulated to induce nonce and session key reuse
http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4

*******************************************************************************************************************************************

 

This month Microsoft released patches for 62 vulnerabilities with 28 of them rated Critical and 34 rated Important.

All October patches have been approved in our patch policy.

The top priority this month would be CVE-2017-11826, a Microsoft Office Memory Corruption Vulnerability. After that comes CVE-2017-11771, which is a Windows Search Remote Code Execution Vulnerability. See “Notable CVEs” below.
Unfortunately there are a number of known issues this month affecting the cumulative updates. We have approved these cumulative updates as the known issues are not great enough to merit leaving systems exposed to all of the vulnerabilities they patch. See “Known Issues Heads Up!” below. Take note of “Windows devices may fail to boot” for KB4041691 and KB4041676.

Surprisingly there is no Adobe security patch this month.

Affected software includes:

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Skype for Business and Lync
  • Chakra Core

Security Update Guide
https://portal.msrc.microsoft.com/en-us/security-guidance

Monthly Rollup/Security Only/Windows 10/Server 2016 KBs

Links take the form https://support.microsoft.com/en-us/help/#######, where ####### is the KB number only (digits, without the “KB” prefix).

Security and Quality Rollup
KB4041681 – Windows 7, Windows Server 2008 R2
KB4041693 – Windows 8.1, Windows Server 2012 R2
KB4041690 – Windows Server 2012

Security Only Update
KB4041678 – Windows 7, Windows Server 2008 R2
KB4041687 – Windows 8.1, Windows Server 2012 R2
KB4041679 – Windows Server 2012

Cumulative update for Windows 10
KB4042895 – Original release version 1507 (OS Build 10240)
KB4041689 – Version 1511 (OS Build 10586)
KB4041691 – Version 1607 “Anniversary Update” (OS Build 14393)
KB4041676 – Version 1703 “Creators Update” (OS Build 15063)

Note: Server 2016 uses the same KB as Windows 10 Version 1607

Cumulative Security Update for Internet Explorer 9/10/11
KB4040685 – This cumulative update is included in the monthly updates listed above. It can be installed instead of the monthly update to secure Internet Explorer; otherwise it is “superseded” by the monthly update.

.NET Framework
Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7
KB4043768 – Windows Server 2008
KB4043766 – Windows 7, Windows Server 2008 R2
KB4043767 – Windows 8.1, Windows Server 2012 R2
KB4043769 – Windows Server 2012

Last Month’s Denied Patches Have Been Released

KB4011039 has been fixed
After installing KB 3213656 or KB 4011039, merged table cells don’t work correctly in Word or Outlook
https://support.office.com/en-us/article/After-installing-KB-3213656-or-KB-4011039-merged-table-cells-don-t-work-correctly-in-Word-or-Outlook-8c7af9eb-9e48-4e1e-8c13-6340ede4acdc

KB4011089 Was broken intentionally
The cause of problems with the September 12 2017 update is intentional: Microsoft disabled custom form script functionality. If you need it enabled, you’ll need to set two keys, one to enable scripting and a second one with the message class name of each form that has code behind it.
https://www.slipstick.com/outlook/custom-form-security/

Known Issues Heads Up!

  • KB4041691/KB4041676 affects the Delta release of the patch. Microsoft has pulled that version so those using Kaseya patch management (or installed patches after October 11) should not be affected.
  • KB4041676 affects systems using USB Type-C Connectors
  • KB4042895, KB4041681 and KB4040685 all appear to be the same bug which affects “applications that use mshtml.dll to load web content”.

KB4041691/KB4041676 Cumulative update for Windows 10 (version 1607/1703 and Server 2016)
Symptom: Windows devices may fail to boot
Workaround https://support.microsoft.com/en-us/help/4049094/windows-devices-may-fail-to-boot-after-installing-october-10-version-o
Other resources:
The October 2017 Update – “Inaccessible Boot Device”
https://blog.workinghardinit.work/2017/10/11/quick-fix-publish-vm-wont-boot-after-october-2017-updates-for-windows-server-2016-and-windows-10-kb4041691/

KB4041691 Cumulative update for Windows 10 (version 1607)
https://support.microsoft.com/en-us/help/4041691/windows-10-update-kb4041691
Symptom: After installing this update, downloading updates using express installation files may fail.
Symptom: After installing a delta update package, the KB numbers appear twice under Installed Updates. This issue doesn’t occur when you install a full update package.
Symptom: After installing KB4041691, package users may see an error dialog that indicates that an application exception has occurred when closing some applications. This can affect applications that use mshtml.dll to load web content. The failure only occurs when a process is already shutting down and will not impact application functionality.
Workaround: See link above.

KB4042895 Cumulative update for Windows 10 (version 1507)
https://support.microsoft.com/en-us/help/4042895/windows-10-update-kb4042895
Symptom: After installing KB4042895, package users may receive an error message that states that an application exception has occurred when some applications are closed. This can affect applications that use mshtml.dll to load web content. This problem occurs only when a process is already shutting down. It does not affect application functionality.
Workaround: Microsoft is working on a resolution and will provide an update in an upcoming release.

KB4041676 Cumulative update for Windows 10 (version 1703)
https://support.microsoft.com/en-us/help/4041676/windows-10-update-kb4041676
Symptom: Systems with support enabled for USB Type-C Connector System Software Interface (UCSI) may experience a blue screen or stop responding with a black screen when a system shutdown is initiated.
Workaround: If available, disable UCSI in the computer system’s BIOS. This will also disable UCSI features in the Windows operating system.
Microsoft is working on a resolution and will provide an update in an upcoming release.

KB4041681 Security and Quality Rollup for Windows 7, Windows Server 2008 R2
https://support.microsoft.com/en-us/help/4041681/windows-7-update-kb4041681
Symptom: After installing KB4041681, package users may see an error dialog that indicates that an application exception has occurred when closing some applications. This can affect applications that use mshtml.dll to load web content. The failure only occurs when a process is already shutting down and will not impact application functionality.
Workaround: Microsoft is working on a resolution and will provide an update in an upcoming release.

KB4040685 Cumulative security update for Internet Explorer
https://support.microsoft.com/en-us/help/4040685/cumulative-security-update-for-internet-explorer
Symptom: After installing KB4040685, Internet Explorer 11 package users may receive an error message that states that an application exception has occurred when some applications are closed. This can affect applications that use mshtml.dll to load web content. This problem occurs only when a process is already shutting down. It does not affect application functionality.
Workaround: Microsoft is working on a resolution and will provide an update in an upcoming release.

Notable CVEs

CVE-2017-11826 Microsoft Office Memory Corruption Vulnerability (Publicly Disclosed/Exploited) Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability.

CVE-2017-8703 Windows Subsystem for Linux Denial of Service Vulnerability (Publicly Disclosed) An attacker can execute a specially crafted application to affect an object in memory allowing them to cause the system to become unresponsive.

CVE-2017-11777 Microsoft Office SharePoint XSS Vulnerability (Publicly Disclosed) An attacker can send a specially crafted request to an affected SharePoint server.

CVE-2017-11771 Windows Search Remote Code Execution Vulnerability An attacker who successfully exploited this vulnerability could take control of the affected system.

Notable News

Fall Creators Update, version 1709, is due on October 17.