Patch Tuesday brings some surprises, some early crashes, and a surreal solution

With all of the problems in the January, February and March patches for Windows and Office, you’d think we would catch a break in April. In one sense we did — some of the worst bugs in the earlier patches now seem to be behind us. But we’re definitely not out of the woods just yet.

Patch Tuesday by the numbers

Tuesday, Microsoft released 177 separate patches covering 66 security holes (CVEs), 24 of which are rated “critical.” The SANS Internet Storm Center lists only one of them, CVE-2018-1034, as publicly disclosed before the patch shipped, and none as being exploited in the wild.

Further details, courtesy of Martin Brinkmann on ghacks:

  • Win7: 21 vulnerabilities, 6 rated critical
  • Win8.1: 23 vulnerabilities, 6 rated critical
  • Win10 version 1607: 25 vulnerabilities, 6 critical. (Note that this is the last planned security update for Win10 1607.)
  • Win10 version 1703: 28 vulnerabilities, 6 critical
  • Win10 version 1709: 28 vulnerabilities, 6 critical
  • Server 2008 R2: 21 vulnerabilities, 6 critical
  • Server 2012 and 2012 R2: 23 vulnerabilities, 6 critical
  • Server 2016: 27 vulnerabilities, 6 critical
  • IE 11: 13 vulnerabilities, 8 critical
  • Edge: 10 vulnerabilities, 8 critical

As Dustin Childs notes on the Zero Day Initiative site, five of the critical bugs are variations on an old, tired theme: a maliciously crafted font can take over your machine, and all the more thoroughly if you’re running as an administrator. It doesn’t matter where the font comes from: a web page, a document, an email. Don’t you just love it when fonts get rendered inside the Windows kernel?

As of early Thursday morning, there are no known exploits for the font phunnies.

Worth noting

Top points, from my point of view, anyway:

  • Every version of Windows gets patched, and every one has six “critical” patches.
  • The antivirus-compatibility gate (the registry key an AV product had to set before the patches would be offered) has been lifted on Win7 and 8.1; it was already lifted on Win10. Last month’s patches still honor the old constraint.
  • Windows 7 and Server 2008 R2 are still a mess. We’re entering the realm of surreal patching sequences. See the next two sections.
  • The Win7/Server 2008 R2 SMB server memory leak introduced in March is still there; that’s a showstopper for many folks running 2008 R2 servers.
  • The Win7/Server 2008 R2 bluescreens on processors without SSE2 support are still there.
  • Microsoft thinks it fixed an old credential-stealing bug in Outlook, but the hole’s still one click away. See below.
  • There’s no update that I can see on the Word 2016 March security patch KB 4011730, which prevented Word from opening and saving documents.
  • We’re still getting Office 2007 patches, six months after it was supposed to hit end of life.
  • We even got a strange hardware fix, for the Microsoft Wireless 850 Keyboard.

Some progress on the Win7 Keystone Kops patches

If you’ve been following along, you know that Win7/Server 2008 R2 has left a trail of tears, starting with the January security patches, which introduced the Total Meltdown hole (a bug in the Win7 x64 page-table setup that left kernel memory readable and writable from user mode), followed by an SMB server bug introduced in March that may render a server inoperable, and buggy patches that created phantom Network Interface Cards (NICs) and wiped out static IP addresses.

This month, it appears as if some of those problems have been solved. In particular, the Win7/Server 2008R2 Monthly Rollup KB 4093118 and the manually installed KB 4093108 Security-only patch supersede the sketchy KB 4100480 that’s supposed to fix the Total Meltdown bugs in this year’s Win7 patches. KB 4093118 and KB 4093108 also contain the fix in KB 4099467, which eliminates the Stop 0xAB error when you log off. Not so coincidentally, both of those bugs were introduced by security fixes released earlier this year.

According to MrBrian, installing this month’s Win7 Monthly Rollup or Security-only patch obliterates those bugs:

  • KB4093118 and KB4093108 contain v6.1.7601.24094 of files ntoskrnl.exe and ntkrnlpa.exe, which is newer than the v6.1.7601.24093 files ntoskrnl.exe and ntkrnlpa.exe contained in the Total Meltdown fix KB4100480. (My analysis of KB4100480.) Thus, KB4093118 and KB4093108 very likely fix Total Meltdown without needing to install KB4100480.
  • KB4093118 and KB4093108 contain v6.1.7601.24093 of file win32k.sys, which is newer than the v6.1.7601.24061 file win32k.sys contained in KB4099467. (abbodi86’s analysis of KB4099467.) Thus, KB4093118 and KB4093108 very likely fix the same issue fixed by KB4099467 without needing to install KB4099467.

Or at least it’s supposed to obliterate those bugs.

The phantom NIC and static IP bugs enter the Twilight Zone

That leaves us with two other significant bugs in the old Win7 patches. Microsoft describes them like this:

  • A new Ethernet Network Interface Card (NIC) that has default settings may replace the previously existing NIC, causing network issues after you apply this update. Any custom settings on the previous NIC persist in the registry, but are unused.
  • Static IP address settings are lost after you apply this update.

As of this moment, it looks as if the manual Win7 Security-only patch KB 4093108 fixes the phantom NIC bug and static IP zapping bug — but the Monthly Rollup, KB 4093118, does not. That puts us in a surreal situation where Microsoft recommends that those installing the (automatically pushed) Monthly Rollup first install the (manual download) Security-only patch.

I didn’t believe that either until I read the newly updated KB article:

Microsoft is working on a resolution and will provide an update in an upcoming release.

In the meantime, please apply KB4093108 (Security-only update) to stay secure, or use the Catalog release of KB4093118 to stage the update for WU or WSUS.  

Although the description isn’t crystal clear, it looks to me as if Microsoft is saying that anyone who uses Windows Update to install this month’s Win7 Monthly Rollup needs to go to the Microsoft Update Catalog, download and install the Security-only patch, before letting Windows Update do the dirty deed. If you don’t, your NIC may fall over and play dead and/or any static IP addresses you’ve assigned will be wiped out.

Bizarre.

But that’s not all for the Update Server folks

Those of you who control Update Servers have yet another cute twist. Two of them.

Reading between the lines again, it appears as if WSUS and SCCM won’t queue up the Security-only patch prior to installing the Monthly Rollup. You have to do that manually. There was a notice sent out on Wednesday that urged admins to download a separate patch, KB 4099950, and install it prior to installing this month’s Win7 Monthly Rollup. Now, it seems, installing the Security-only patch first is the recommended course of action.

Susan Bradley says:

For standalone computers that use the B patching process of applying security only updates – again you should be in wait and see mode right now. If you have a spare computer and want to live on the edge, install now. Otherwise get the popcorn out and wait to see what happens.

Again reading between the lines, it appears as if KB 4099950 prevents the phantom NIC and static IP zapping bugs. If you’ve already installed it, there’s no need to uninstall it, you’re good to go — and you don’t need to manually install this month’s Security-only patch. If you haven’t installed KB 4099950, Microsoft now says that the preferred method for fending off the IP problems is to install this month’s Security-only patch. Which means those of you at the helm of WSUS and SCCM servers need to make sure your users get the Security-only patch prior to receiving the Monthly Rollup. Clear as mud, right?

More than that, I’m getting reports that the Win10 1607 April cumulative update, KB 4093119, is dishing out a retrograde version of Credssp.dll, the DLL that handles credential delegation for Remote Desktop. The March cumulative update installed version 10.0.14393.2125, whereas the April version installs version 10.0.14393.0, which is the 1607 RTM build number. If the reports hold, whatever March changed in that file is gone again.
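The file-version comparisons MrBrian lays out above, the Security-only-before-Rollup rule, and the Credssp.dll rollback are all things an admin can check on a box rather than take on faith. The script below is an added example, not code from this article, from AskWoody or from Microsoft: it reads the live file versions from System32 and the installed-KB list, and reports against the thresholds quoted in this post. It assumes PowerShell 2.0 or later on Win7/Server 2008 R2 (5.1 on Win10 1607), run from an elevated prompt; the pass/fail thresholds are the version numbers quoted above from MrBrian and abbodi86, not anything Microsoft publishes.

```powershell
# Added example, not code from the original article. Verifies, on the machine it runs on,
# the file versions and KB combinations the article discusses:
#   - ntoskrnl.exe / ntkrnlpa.exe >= 6.1.7601.24093  (Total Meltdown fix level, per MrBrian)
#   - win32k.sys                  >= 6.1.7601.24061  (Stop 0xAB logoff fix level, per abbodi86)
#   - KB4093118 present without KB4093108 or KB4099950 (phantom NIC / static IP risk)
#   - Win10 1607: credssp.dll rolled back below 10.0.14393.2125 by KB4093119
# Assumptions: PowerShell 2.0+ on Win7/2008 R2, or 5.1 on Win10 1607; run elevated.

function Get-SystemFileVersion {
    param([string]$Name)
    $path = Join-Path (Join-Path $env:SystemRoot 'System32') $Name
    if (-not (Test-Path $path)) { return $null }          # e.g. ntkrnlpa.exe is absent on x64
    $raw = (Get-Item $path).VersionInfo.FileVersion       # "6.1.7601.24094 (win7sp1_ldr.180410-1830)"
    return [version](($raw -split '\s+')[0])              # keep only the dotted part for comparison
}

function Test-MinimumVersion {
    param([string]$File, [version]$Minimum, [string]$Fix)
    $have = Get-SystemFileVersion $File
    if ($null -eq $have) {
        Write-Output ("SKIP  {0,-14} not present on this architecture" -f $File)
    } elseif ($have -ge $Minimum) {
        Write-Output ("OK    {0,-14} {1}  (>= {2})  {3} present" -f $File, $have, $Minimum, $Fix)
    } else {
        Write-Output ("FAIL  {0,-14} {1}  (<  {2})  {3} NOT present" -f $File, $have, $Minimum, $Fix)
    }
}

$os        = (Get-WmiObject Win32_OperatingSystem).Version    # "6.1.7601" on Win7/2008 R2, "10.0.14393" on 1607
$installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })   # e.g. "KB4093118"

if ($os -like '6.1.*') {
    Test-MinimumVersion 'ntoskrnl.exe' '6.1.7601.24093' 'Total Meltdown fix'
    Test-MinimumVersion 'ntkrnlpa.exe' '6.1.7601.24093' 'Total Meltdown fix (PAE kernel)'
    Test-MinimumVersion 'win32k.sys'   '6.1.7601.24061' 'Stop 0xAB logoff fix'

    # Install-order check: per the article, the Monthly Rollup on its own leaves the phantom NIC
    # and static IP bugs in place unless KB4093108 (Security-only) or KB4099950 is also installed.
    $hasRollup = $installed -contains 'KB4093118'
    $hasGuard  = ($installed -contains 'KB4093108') -or ($installed -contains 'KB4099950')
    if ($hasRollup -and -not $hasGuard) {
        Write-Warning 'KB4093118 installed without KB4093108 or KB4099950: check NICs and static IPs.'
    } elseif ($hasRollup) {
        Write-Output 'OK    KB4093118 accompanied by KB4093108 and/or KB4099950'
    } else {
        Write-Output 'INFO  April Monthly Rollup KB4093118 not installed'
    }
} elseif ($os -like '10.0.14393*') {
    # CredSSP rollback check for Win10 1607 (KB4093119); March CU shipped 10.0.14393.2125
    $cred = Get-SystemFileVersion 'credssp.dll'
    if ($cred -lt [version]'10.0.14393.2125') {
        Write-Warning ("credssp.dll is {0}; March CU shipped 10.0.14393.2125, so this is a rollback" -f $cred)
    } else {
        Write-Output ("OK    credssp.dll {0}" -f $cred)
    }
} else {
    Write-Output "INFO  OS version $os is not one the checks above target"
}
```

Run it before and after approving the rollup in WSUS or SCCM: a FAIL on the kernel lines after KB4093118 or KB4093108 has installed means the file version isn’t what MrBrian’s analysis predicts and is worth a second look, and the KB4093118-without-guard warning is the case the KB article’s “apply KB4093108 first” sentence is about.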

For details, I strongly urge you overworked and underappreciated admins to subscribe to Shavlik’s Patchmanagement newsletter.

An Outlook security patch that doesn’t

Microsoft released a handful of patches for Word 2007, 2010, 2013, 2016 and Office 2010 under the heading CVE-2018-0950, where:

An information disclosure vulnerability exists when Office renders Rich Text Format (RTF) email messages containing OLE objects when a message is opened or previewed. This vulnerability could potentially result in the disclosure of sensitive information to a malicious site.

To exploit the vulnerability, an attacker would have to send an RTF-formatted email to a user and convince the user to open or preview the email. A connection to a remote SMB server could then be automatically initiated, enabling the attacker to brute-force attack the corresponding NTLM challenge and response in order to disclose the corresponding hash password.

But according to Will Dormann at CERT/CC, who originally reported the vulnerability to Microsoft 18 months ago, Microsoft’s fix doesn’t fix the whole problem. He says:

Microsoft released a fix for the issue of Outlook automatically loading remote OLE content (CVE-2018-0950). Once this fix is installed, previewed email messages will no longer automatically connect to remote SMB servers. … It is important to realize that even with this patch, a user is still a single click away from falling victim to the types of attacks described above

Dormann’s advice? Install the patch anyway, use complex passwords and a password manager so a cracked NTLM hash is worth less, and, if you run the network, block outbound SMB (TCP 445 and the NetBIOS ports) at the perimeter and restrict NTLM so the leaked authentication never reaches the attacker’s server.
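To see what the patch does and doesn’t cover, it helps to look at the object itself. The PowerShell below is an added example, not code from this article, from CERT/CC or from Microsoft: it pulls the hex-encoded OLE payloads out of an RTF file’s {\*\objdata ...} groups, decodes them, and reports any UNC path (\\host\share\...) they reference, along with whether the object carries the \objautlink and \objupdate flags that mark it as a link to be refreshed. The sample RTF at the bottom is constructed for the demo, using a documentation-range IP address; the bytes in front of the path only stand in for the real OLE1 header. It assumes PowerShell 5.1. Treat the output as a triage signal, not a verdict.

```powershell
# Added example, not from the original article or CERT/CC: find OLE objects in an RTF file that
# reference a UNC path, the ingredient behind the CVE-2018-0950 NTLM hash leak.

function Get-RtfObjectLinks {
    param([string]$Rtf)

    $hits = @()
    # An RTF object group looks like {\object<flags>{\*\objclass ...}{\*\objdata <hex>}{\result ...}}.
    # Group 1 captures the flags (allowing one level of nested {...} groups), group 2 the hex payload.
    $pattern = '\\object((?:[^{}]|\{[^{}]*\})*?)\{\\\*\\objdata\s*([0-9A-Fa-f\s]+)\}'
    foreach ($m in [regex]::Matches($Rtf, $pattern)) {
        $flags = $m.Groups[1].Value
        $hex   = $m.Groups[2].Value -replace '\s', ''
        if ($hex.Length % 2 -ne 0) { $hex = $hex.Substring(0, $hex.Length - 1) }   # drop a stray nibble
        $bytes = New-Object byte[] ($hex.Length / 2)
        for ($i = 0; $i -lt $bytes.Length; $i++) {
            $bytes[$i] = [Convert]::ToByte($hex.Substring(2 * $i, 2), 16)
        }
        # Link targets inside the OLE stream may be stored as ANSI or as UTF-16LE; try both decodings.
        $decoded = @([System.Text.Encoding]::ASCII.GetString($bytes),
                     [System.Text.Encoding]::Unicode.GetString($bytes))
        foreach ($text in $decoded) {
            foreach ($u in [regex]::Matches($text, '\\\\[A-Za-z0-9._\-]+\\[^\x00\s"]+')) {
                $hits += [pscustomobject]@{
                    Target     = $u.Value
                    AutoLink   = [bool]($flags -match '\\objautlink')   # object is a link, not embedded data
                    AutoUpdate = [bool]($flags -match '\\objupdate')    # link is refreshed when rendered
                }
            }
        }
    }
    $hits | Sort-Object Target -Unique
}

# Constructed sample RTF for the demo (not a real message): the objdata hex encodes a UNC link target.
$target  = '\\203.0.113.5\share\invoice.rtf'          # documentation-range address, no real host
$hexPath = -join ([System.Text.Encoding]::ASCII.GetBytes($target) | ForEach-Object { $_.ToString('x2') })
$sample  = '{\rtf1\ansi{\object\objautlink\objupdate{\*\objclass Word.Document.8}' +
           '{\*\objdata 01050000 ' + $hexPath + ' 00}{\result {\pict}}}}'
Get-RtfObjectLinks $sample | Format-Table Target, AutoLink, AutoUpdate -AutoSize

# To scan a saved message or document instead:  Get-RtfObjectLinks (Get-Content .\suspect.rtf -Raw)
```

The demo prints one row, \\203.0.113.5\share\invoice.rtf with AutoLink and AutoUpdate both True. That row is exactly the case the patch narrows but does not close: after the April update the preview pane no longer fetches the target on its own, but a user who clicks the object still sends an SMB connection, and with it an NTLM challenge/response, to whatever host the path names. The same scan is a cheap thing to run over an email gateway’s RTF attachments, with an outbound block on TCP 445 as the backstop for the click that gets through.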

In other news

Brad Sams reports that KB 4093112, the cumulative update to 1709, has messed up File Explorer — he can’t open File Explorer at all, even after two restarts.

We have reports that the same update is causing Windows to complain that it hasn’t been activated. Multiple reboots solved the problem.

And we have another report of a blue screen PAGE_FAULT_IN_NONPAGED_AREA error 0x800f0845 with the same patch.

Commenters on Brian Krebs’ site have reported problems with installing KB 4093118, the Win7 Monthly Rollup. Peacelady explains:

Two people who installed it on Windows 7 Professional computers now can’t access the computer getting message on Startup “user profile not found.”  Then underneath it says okay — they click okay and it logs off. Then it comes back and the same thing happens.

AskWoody poster Bill C has further details. Samak suggests a fix for the “user profile not found” problem, detailed in KB 947215.

What to do?

Wait.

We’re seeing reports of Win7 patches that are checked, unchecked, sometimes disappearing, occasionally reappearing, and vanishing into thin air. Don’t be concerned. Microsoft doesn’t know why, either.

For the non-Win7 patches, there’s no immediate need to install anything. If the font phunnies heat up, we’ll keep you posted, but for now the situation’s unbelievably complex and devolving rapidly.

Thanks, as always, to MrBrian, abbodi86, PKCano, and all of the people at AskWoody who hold Microsoft’s patching feet to the fire.

Join us for the latest commiseration on the AskWoody Lounge.
