Virtual Administrator’s January 2018 Patch Recommendations

This month Microsoft released patches for 59 vulnerabilities with 17 of them rated Critical.

33 CVEs were released out-of-band on January 3, 2018

All January patches have been approved in our patch policy.

A lot of action this month. Microsoft released updates on January 3 to address the much written about Meltdown and Spectre security flaws. They also release a zero-day vulnerability patch for Microsoft Office (CVE-2018-0802) on Patch Tuesday. The Meltdown/Spectre patches were included in the monthly update/rollups. Please read “Spectre/Meltdown updates” below. The Office (CVE-2018-0802) should really be your greatest concern near-term. Attackers could exploit this zero-day vulnerability in Office simply by getting a user to open a compromised Office document or visiting a malicious web site.

Out-of-band security updates on 01/03/2018 and 01/09/2018 – see “Notable CVEs” and “Spectre/Meltdown updates” below.

3 Microsoft Security Advisories were release (details below).

Affected software include:

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • SQL Server
  • ChakraCore
  • .NET Framework
  • .NET Core
  • ASP.NET Core
  • Adobe Flash

Security Update Guide
https://portal.msrc.microsoft.com/en-us/security-guidance

Microsoft Security Advisories

ADV180001 | January 2018 Adobe Flash Security Update (Published: 01/09/2018)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180001

ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities (Published: 01/03/2018)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

ADV180003 | Microsoft Office Defense in Depth Update (Published: 01/09/2018)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180003

Known Issues per Microsoft

KB4056890, KB4056891, KB4056892, KB4056893, KB4056888, KB4056895, KB4056898, KB4056894, KB4056897, KB4056896, KB4056899

This isn’t as bad as it looks. All of these KBs mention AV incompatibilities and AMD chips issues with Spectre/Meltdown updates and the issue below.

Known issues in this update

Symptom:

When calling CoInitializeSecurity, the call will fail if passing RPC_C_IMP_LEVEL_NONE under certain conditions.
When calling CoInitializeSecurity, the call may fail when passing RPC_C_AUTHN_LEVEL_NONE as the authentication level. The error returned on failure is STATUS_BAD_IMPERSONATION_LEVEL.

Workaround:

Change the authentication level parameter to RPC_C_AUTHN_LEVEL_CALL.
Microsoft is working on a resolution and will provide an update in an upcoming release.
Other Known Issues
None

Monthly Rollup/Security Only/Windows 10/Server 2016 KBs
Links are https://support.microsoft.com/en-us/help/####### with the KB number only.

Security and Quality Rollup

Security Only Update

Cumulative Update for Windows 10

  • KB4056893 – Original release version 1507 (OS Build 10240)
  • KB4056888 – Version 1511 (OS Build 10586)
  • KB4056890 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB4056891 – Version 1703 “Creators Update” (OS Build 15063)
  • KB4056892 – Version 1709 “Fall Creators Update” (OS Build 16299)

Note: Server 2016 uses the same KB as Windows 10 Version 1607

KB4056568 – Cumulative Security Update for Internet Explorer 9/10/11

This cumulative update is included in the monthly updates listed above. It can be installed instead of the monthly to secure Internet Explorer otherwise it is “superseded” by the monthly update.

.NET Framework
Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1

  • KB4055532 – Windows 7, Windows Server 2008 R2
  • KB4055266 – Windows 8.1, Windows Server 2012 R2
  • KB4055265 – Windows Server 2012
  • KB4055267 – Windows Server 2008 (.NET Framework 2.0, 3.0, 4.5.2, 4.6)

KB4056887 – Security Update for Adobe Flash Player

January 2018 updates for Microsoft Office
https://support.microsoft.com/en-my/help/4058103/january-2018-updates-for-microsoft-office

Spectre/Meltdown updates

Alert (TA18-004A) Meltdown and Spectre Side-Channel Vulnerability Guidance
https://www.us-cert.gov/ncas/alerts/TA18-004A

Basically most CPUs are vulnerable to side-channel attacks. Spectre is the hardware side of this and should be addressed by the manufacturers with firmware updates. Meltdown is the software side and the patches should mitigate the exposure to the vulnerability.

Do not panic! There are no known cases of this being exploited yet. Both are hard exploit with Spectre considered extremely hard to exploit. However the Meltdown patches were included in the monthly update/rollups so you really can’t delay too long provided your systems are compatible.

Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities
https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

Antivirus

Certain Antivirus software will cause issues with the Meltdown patches. Microsoft incorporated a registry key check to see if your machine will have problems. So if the AV vendor determines their software is compatible, the AV will add a registry key– “QualityCompat”. If that key is present the Meltdown patch will show as needed by the Windows Updater scan. If it is not present Meltdown patch will not show as needed by the Windows Updater scan. Some compatible AV does not yet create the key. Unless the key is present Windows Updates will not show it as needed and the machine will not get the patch. The applies to machines with no AV as well. In these cases you must manually create the registry key. We have scripts to do this. See Dan’s link below.

Important: Windows security updates released January 3, 2018, and antivirus software
https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software

AV vendors are listed here
https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?sle=true#gid=0

IMPORTANT: KES (Kaseya AVG) is not compatible and will not create the necessary registry key. The above doc refers to a newer version of AVG. KES is AVG 2016. You will need to switch to KAV (Kaseya Kaspersky) or Webroot. We should have Webroot available on our on-prem KServers within a couple of weeks.

AMD chips

This week Microsoft found some AMD chips were not compatible with Meltdown and rendered the machine unbootable. Initially they pulled the patches then re-released some of them on 1/10/2018. The patches should check the chip type and (like the missing AV registry key), if it is incompatible, not show as needed.

Windows operating system security update block for some AMD based devices
https://support.microsoft.com/en-us/help/4073707/windows-os-security-update-block-for-some-amd-based-devices

Dan wrote about Spectre/Meltdown last week in his newsletter and has links to our Virtual Administrator scripts.
“Meltdown – Look Before You Leap” (here: https://virtualadministrator.com/blog/meltdown-look-before-you-leap/)

You may not be done yet!

Microsoft has released guidance documents for both Windows clients and servers. Windows Server requires registry changes in order to implement the protections added by the patches.

Windows Server guidance to protect against speculative execution side-channel vulnerabilities
https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

Other considerations

The Meltdown patch can cause performance issues. Here is a Microsoft article about this.
Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems
https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/

Notable CVEs

CVE-2018-0788 | OpenType Font Driver Elevation of Privilege Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0788
An elevation of privilege vulnerability exists in Windows Adobe Type Manager Font Driver (ATMFD.dll) when it fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code and take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

CVE-2018-0773 | Scripting Engine Memory Corruption Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0773
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.

CVE-2018-0802 | Microsoft Office Memory Corruption Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802
A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.