Tuesday, January 09, 2018

Microsoft January, 2018 Security Updates



The January security release consists of 56 CVEs, 16 are listed as Critical and 38 are rated Important, 1 is rated Moderate and 1 is rated as Low in severity. The updates address Remote Code Execution, Tampering, Security Feature Bypass, Information Disclosure and Denial of Service.  The release consists of security updates for the following software: 

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • SQL Server
  • ChakraCore
  • .NET Framework
  • .NET Core
  • ASP.NET Core
  • Adobe Flash


    Known Issues 4056890 4056891 4056892 4056893 4056888 4056895 4056898 4056894 4056897 4056896 4056899


    Important:  Because the out-of-band security update for "Meltdown"/"Spectre" requires the setting of a registry key and not all antivirus software has been updated to include the key, Microsoft updated Important: January 3, 2018, Windows security updates and antivirus software to include the following Note: 
    Note: Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets the following registry key:
    Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD”
    Data="0x00000000”

    If your computer has not received the security update, check the status at CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754 (Meltdown and Spectre) Windows antivirus patch compatibility. In the event both "Sets registry key" and "Supported" are not both indicated with the letter "Y", Bleeping Computer has created a .reg file that can be used to create the registry.  However, it should only be used if your antivirus vendor has indicated that a manual install is needed.  For in-depth information, see the Bleeping Computer articles Microsoft Says No More Windows Security Updates Unless AVs Set a Registry Key and How to Check and Update Windows Systems for the Meltdown and Spectre CPU Flaws.

    Further note that some AMD devices are getting into an unbootable state after installing the "Meltdown"/"Spectre" security update. As a result, Microsoft is temporarily pausing sending updates to devices with impacted AMD processors at this time. Further information is available at Windows Meltdown and Spectre patches: Now Microsoft blocks security updates for some AMD based PCs.

    More:  For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

    Also see this month's Zero Day Initiative — The January 2018 Security Update Review by Dustin Childs in which he discusses several of the patches and lincludes a breakdown of the CVE's addressed in the update. 

    Additional Update Notes

    • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
    • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.  Note:  Users who are paranoid about the remote possibility of a FP can opt to run this tool from a Command Prompt, appending a   /N   parameter [for "detect only" mode].
    • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.

    References


    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...





    No comments: