Virtual Administrator’s April 2017 Patch Recommendations

Microsoft Fixes 45 Vulnerabilities with 644 patches this month

We have not uncovered any widespread problems with any of these patches and are releasing all of them. (AMD users read “Heads Up” below)

The top priority would be the zero day vulnerability exploited when a user opens a Word attachment (KB4014793). Next would be a vulnerability in Internet Explorer (KB4014661). Both of these are being actively exploited. Hyper-V and .NET are also priorities as well as the Adobe Flash update (KB4018483).

Microsoft’s summary of the April 2017 releases can be found here:
https://portal.msrc.microsoft.com/en-us/security-guidance

Details on top priorities

Security update for the Microsoft Office remote code execution vulnerability KB4014793 (CVE-2017-0199)
https://support.microsoft.com/en-us/help/4014793/title

Cumulative security update for Internet Explorer KB4014661
https://support.microsoft.com/en-us/help/4014661/cumulative-security-update-for-internet-explorer-april-11-2017

Security update for Hyper-V Remote Code Execution Vulnerability Monthly Rollup/Security Only/Win10, KB3211308
(CVE-2017-0162, CVE-2017-0163, CVE-2017-0180, CVE-2017-0181)

.NET Remote Code Execution Vulnerability (CVE-2017-0160)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0160

Security Update for Adobe Flash Player KB4018483
https://support.microsoft.com/en-us/help/4018483/security-update-for-adobe-flash-player-april-11-2017

This SUGs!

Microsoft has replaced the security bulletin ID numbers (e.g. MS17-XXX) with a new guide using vulnerability ID numbers and KB Article ID numbers. “The ”Security Updates Guide” (SUG) portal, the database’s content can be sorted and filtered by the affected software, the patch’s release date, its CVE (Common Vulnerabilities and Exposures) identifier, and the numerical label of the KB, or ‘knowledge base’ support document.”

This is actually a very useful database but without the familiar Security Bulletins it is difficult to gather concise information for this blog. The confusion appears to be universal. Depending on what you read there are 44 or 45 or 46 vulnerabilities. We will continue to work on improving the information we provide over the coming months.

Security Update Guide dashboard and API: Frequently Asked Questions
https://technet.microsoft.com/en-us/security/mt791750

Heads Up!

The rollup patch for Windows 7,8 and Server 2008R2/2012R2 cause problems with AMD processors
https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/42b8fa28-9d09-e711-80d9-000d3a32fc99
Symptom: If the PC uses an AMD Carrizo DDR4 processor, installing this update will block downloading and installing future Windows updates.
Workaround/Resolution: Microsoft is working on a resolution and will provide an update in an upcoming release

These AMD machines will function normally outside of future update being blocked. Uninstalling the rollup will fix and we will provide additional guidance once Microsoft releases a fix.

Notable News

Windows 10 Version 1703 “Creators Update” was released 4/11/2017
https://technet.microsoft.com/en-us/itpro/windows/whats-new/whats-new-windows-10-version-1703

Windows Vista support has ended
https://support.microsoft.com/en-us/help/22882/windows-vista-end-of-support

Monthly Rollup/Security Only/Windows 10/Server 2016 KBs

April 2017 security monthly quality rollup
KB4015549 – Windows 7, Windows Server 2008 R2
KB4015550 – Windows 8.1, Windows Server 2012 R2
KB4015551 – Windows Server 2012

April 2017 security only quality update
KB4015546 – Windows 7, Windows Server 2008 R2
KB4015547 – Windows 8.1, Windows Server 2012 R2
KB4015548 – Windows Server 2012

April 2017 Security and Quality Rollup for .NET Framework
April 2017 Security Only Update for .NET Framework
The KB numbers for .Net are different for each version and in some cases each OS installed.

Cumulative update for Windows 10
KB4015221 – Original release version 1507 (OS Build 10240.17354)
KB4015219 – Version 1511 (OS Build 10586.873)
KB4015217 – Version 1607 “Anniversary Update” (OS Build 14393.1066 and 14393.1083)
KB4015583 – Version 1703 “Creators Update” (OS Build 15063.138)

Note: Server 2016 uses the same KB as Windows 10 Version 1607

Release Notes April 2017 Security Updates
https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/42b8fa28-9d09-e711-80d9-000d3a32fc99

Release Date: April 11, 2017

The April security release consists of security updates for the following software:

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Visual Studio for Mac
  • .NET Framework
  • Silverlight
  • Adobe Flash Player

Please note the following information regarding the security updates:

  • Beginning with the October 2016 release, Microsoft is changing the update servicing model for Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. For more information, please see this Microsoft Technet article, Further simplifying servicing models for Windows 7 and Windows 8.1.
  • Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog.
  • Starting in March 2017, there will be a Windows 10 1607 delta package that contains just the delta changes between the previous month and the current release.
  • Updates for Windows RT 8.1 and Microsoft Office RT software are only available via Windows Update.
  • In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features

Note As a reminder, the Security Updates Guide will be replacing security bulletins. Please see the Microsort blog post, Furthering our commitment to security updates, for more details.

Known Issues

  • 4015549
  • 4015546
  • 4015550
  • 4015547
  • 3172540