5 replies to this topic

[AplusWebMaster]

FYI...

- https://blogs.techne...update-release/
Dec 12, 2017 - "Today, we released security updates to provide additional protections against malicious attackers. By default, Windows 10 receives these updates automatically..."

Release Notes - December 2017 Security Updates
- https://portal.msrc....dd-000d3a32f9b6
Dec 12, 2017 - "The December security release consists of security updates for the following software:
- Internet Explorer
- Microsoft Edge
- Microsoft Windows
- Microsoft Office and Microsoft Office Services and Web Apps
- Microsoft Exchange Server
- ChakraCore
- Microsoft Malware Protection Engine..."

Security Update Summary
> https://portal.msrc....curity-guidance
___

December 2017 Office Update Release
- https://blogs.techne...update-release/
Dec 12, 2017 - "... This month, there are -9- security updates and 30 non-security updates. All of the security and non-security updates are listed in KB article 4055454*.
A new version of Office 2013 Click-To-Run is available: 15.0.4989.1000
A new version of Office 2010 Click-To-Run is available: 14.0.7191.5000 ..."

* https://support.micr...icrosoft-office
Last Updated: Dec 12, 2017
___

ADV170022 | December 2017 Flash Security Update
- https://portal.msrc....DV170022#ID0EGB
12/12/2017
- https://support.micr...ecember-12-2017
___

- https://www.askwoody...ate-turned-off/
"... Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it..."
___

ghacks.net: https://www.ghacks.n...r-2017-release/
Dec 12, 2017 - "... Executive Summary:
 Microsoft released security updates for all versions of Windows the company supports (client and server).
 No critical updates for Windows, but for IE and Edge.
 Other Microsoft products with security updates are: Microsoft Office, Microsoft Exchange Server, Microsoft Edge and Internet Explorer.
Operating System Distribution:
    Windows 7: 2 vulnerabilities of which 2 are rated important
    Windows 8.1: 2 vulnerabilities of which 2 are rated important
    Windows 10 version 1607: 3 vulnerabilities of which 3 are rated important
    Windows 10 version 1703: 3 vulnerabilities of which 3 are rated important
    Windows 10 version 1709: 3 vulnerabilities of which 3 are rated important
Windows Server products:
    Windows Server 2008: 2 vulnerabilities of which 2 are rated important
    Windows Server 2008 R2: 2 vulnerabilities of which 2 are rated important
    Windows Server 2012 and 2012 R2: 2 vulnerabilities of which 2 are rated important
    Windows Server 2016: 3 vulnerabilities of which 3 are rated important
Other Microsoft Products:
    Internet Explorer 11: 13 vulnerabilities,  9 critical, 4 important
    Microsoft Edge: 13 vulnerabilities, 12 critical, 1 important..."

Qualys analysis: https://blog.qualys....end-to-the-year
Dec 12, 2017 - "This December Patch Tuesday is considerably lighter than last month’s patch releases.  While only three of the fixes were for Windows operating system, the majority of the vulnerabilities to pay attention to are Browser/Scripting Engine based. For an overview, we show fixes for 32 unique CVEs addressed, with 19 Critical, and 24 addressing remote code execution at varying severity levels. No active exploits are listed by Microsoft again this month. From a prioritization standpoint, again we turn our focus to the browsers and the Scripting Engine Memory Corruption Vulnerabilities. We recommend prioritizing patching for user facing workstations to address the 19 Critical Internet Explorer and Edge updates released today by Microsoft, as they are listed as “Exploitation More Likely”. There are no known exploits as of yet, but this is an opportunity to remain ahead of any future exploits that may be released.
There is one Windows OS vulnerability that should be reviewed, and that is the fix for CVE-2017-1885, which is a Remote Code Execution using RPC on systems that have RRAS enabled. Make sure you are patching systems that are using RRAS, and ensure it is not enabled on systems that do not require it, as disabling RRAS will protect against the vulnerability. For that reason it is listed as Exploitation less likely, but should get your attention after patching the browsers. Additionally, we recommend you take some time to review ADV170021, a Defense-in-Depth update that has configuration options to allow you to exert more control over DDE behaviors, in light of the recent DDE exploits that have been publicized. Note that this configuration change would be made after installing the update referenced in the advisory.
It should also be noted that on December 7, Microsoft released an out-of-band emergency patch for CVE-2017-11937 and CVE-2017-11940, which was a flaw in the Microsoft Malware Protection engine that could allow an attacker to create a specially crafted file that would be scanned by the Malware Protection engine, allowing for code execution on the endpoint. The patch was automatically ingested by the affected engines via definition updates, so no action should be required. As a precautionary measure, if you are using Microsoft’s Malware Protection engine in Defender, Security Essentials, Forefront Endpoint Protection, or the engines in Exchange 2013 or 2016, ensure that your updates are being applied automatically, and that you are on at least Version 1.1.14405.2 of the Malware Protection Engine.
From the Adobe side, there was only one Flash update, APSB17-42 listed as a “Business Logic Error”. So all in all, a rather quiet end to a busy year in vulnerabilities..."
___

- https://www.us-cert....ecurity-Updates
Dec 12, 2017
___

Additional information:
- https://www.security....com/id/1039987
- https://www.security....com/id/1039989
- https://www.security....com/id/1039990
- https://www.security....com/id/1039991
- https://www.security....com/id/1039992

- https://www.security....com/id/1039993
- https://www.security....com/id/1039994
- https://www.security....com/id/1039995
- https://www.security....com/id/1039996
- https://www.security....com/id/1039997

- https://www.security....com/id/1039998
 

Edited by AplusWebMaster, 13 December 2017 - 05:27 AM.

[AplusWebMaster]

FYI...

Win7 updates get bigger
... monthly security rollups for Windows 7 have almost -doubled- in size
> https://www.computer...ing-bigger.html
Dec 14, 2017 - "... At the 12-update pace that Windows 7's rollups have established, the 64-bit version will weigh in at approximately 350MB by October 2018, and a year after that, as Windows 7 nears its expiration date, almost 600MB. The latter would represent a 20% boost above and beyond Mercer's target size. Likewise, the x86 edition would increase to 216MB and 374MB in 2018 and 2019, respectively, if the 12-update growth rate continues:
> https://images.idges...44368-large.jpg
... The 64-bit security-only for July was just 30MB and the 32-bit was an even smaller 19MB, compared to the same month's rollups of 194MB and 119MB. The differences in December were even starker: 900KB and 1.4MB for the 32- and 64-bit security only updates, respectively, and 125.1MB and 204.7MB for the rollups. The rollups are larger not only because they drag their past with them - each succeeding rollup includes that month's patches as well as all previous patches back to October 2016 - but because they also include non-security bug fixes. Usually, though not always, issued later in each month, the non-security updates are bundled with the security patches, adding to the size of the rollup..."
 

   

Edited by AplusWebMaster, 14 December 2017 - 08:32 AM.

[AplusWebMaster]

FYI...

MS Store reliability improvements for Windows 10 Version 1709
- https://support.micr...-version-1709-d
Dec 15, 2017
Applies to: Windows 10 version 1709
"Summary: This update makes reliability improvements to Microsoft Store and fixes an issue that could cause app update failures and cause Microsoft Store to generate unnecessary network requests...
This update is available through Windows Update*. When you turn on automatic updating, this update will be downloaded and installed automatically..."
* https://support.micr...dows-update-faq
___

> http://borncity.com/...date-kb4058043/
2017-12-16 - "... Microsoft has released another (reliability) update KB4058043 for Windows 10 Fall Creators Update on December 15, 2017. Here are some hints for this (reliability) update... Unfortunately they don’t tell us in detail, which app update error(code) has been fixed..."
> https://i.imgur.com/MRqZGV0.jpg
___

Win10 Fall Creators Update December patch KB 4054517 fails...
... This month’s cumulative update for Win10 Fall Creators Update fails hard on many systems, with INACCESSIBLE_BOOT_DEVICE, network problems and more. Several possible culprits identified, but no definitive solution
- https://www.computer...s-big-time.html
Dec 18, 2017 - "Some subset of users of Windows 10 Fall Creators Update, version 1709, report persistent bugs with this month’s Patch Tuesday missive, KB 4054517. Many of those reporting problems are using recent Surface devices. Microsoft has not acknowledged any problems... doesn’t seem to explain all of the problems that people are encountering, but it may account for some. Microsoft, as usual, has not confirmed the problem and the persistent “advice” is to Reset or reinstall Windows — a process that’s been shown, time and time again, to be ineffective. No, the Windows Update Troubleshooter doesn't work either."

> https://answers.micr...81-d5d500780963
12/12/2017

December 12, 2017—KB4054517 (OS Build 16299.125)
Applies to: Windows 10, Windows 10 version 1709
> https://support.micr...pdate-kb4054517
"... Microsoft is not currently aware of any issues with this update..."

"... My mind is going. I can feel it." - HAL 2001 Space Odyssey
 

Edited by AplusWebMaster, 18 December 2017 - 03:48 PM.

[AplusWebMaster]

FYI...

Windows 10 - Dec 12, 2017 — KB4054517 (OS Build 16299.125)
... Applies to: Windows 10, Windows 10 version 1709  
Windows 10 Version 1709 - KB4054517 (OS Build 16299.125)
- https://support.micr...pdate-kb4054517
Last Updated: Dec 20, 2017
"... Windows Update History reports that KB4054517 failed to install because of Error 0x80070643.
Even though the update was successfully installed, Windows Update incorrectly reports that the update failed to install. To verify the installation, select the Check for Updates button to confirm that there are no additional updates available. You can also type 'About your PC' in the Search box on your taskbar to confirm that your device is using OS Build 16299.15.
Microsoft is working on a resolution and will provide an update in an upcoming release."
Also see: "Known issues in this update..."

- https://www.askwoody...ulative-update/
Dec 21, 2017 - "Update on these bugs and two more — an Excel 2016 security patch bug from last month, and an Exchange Server security patch bug from this month..."

- https://www.computer...s-big-time.html
Dec 18, 2017

> https://www.computer...kb-4054517.html
Dec 21, 2017

Related:

Description of the security update for Excel 2016: November 14, 2017
> https://support.micr...ovember-14-2017
Last Updated: Dec 19, 2017
See: "Known issues..."

Microsoft Exchange: September 12, 2017
> https://support.micr...nge-december-12
Last Updated: Dec 19, 2017
See: "Known issues..."
___

MS Dec Security Update KB4054518 breaks opening office documents
- https://www.symantec...ffice-documents
14 Dec 2017 - "After installation of the December KB4054518 (Monthly Rollup), opening Office documents from a encrypted fileshare is broken..."
>> https://www.symantec...omment-11943651

> https://support.micr...pdate-kb4054518
Applies to: Windows Server 2008 R2 Service Pack 1, Windows 7 Service Pack 1
Last Updated: Dec 10, 2017
 

Edited by AplusWebMaster, 22 December 2017 - 07:02 AM.

[AplusWebMaster]

FYI...

Dec 12, 2017 — KB4054518 (Monthly Rollup)
Applies to: Windows Server 2008 R2 Service Pack 1, Windows 7 Service Pack 1
- https://support.micr...pdate-kb4054518
Last Updated: Dec 10, 2017 ...
Known issues in this update: Microsoft is not currently aware of any issues with this update..."
___

Time to install MS patches -except- KB 4054517 for Win10 Fall Creators Update
... Although there are a few lingering problems, just about everybody should get this month’s patches installed now — except those of you who installed (or got forced into) the lump-of-coal Win10 version 1709
- https://www.computer...ors-update.html
Dec 22, 2017 - "... If you’re running Win10 Creators Update, version 1703 (current preference), or version 1607, the Anniversary Update, and you want to stay on 1607 or 1703... As is always the case, DON’T CHECK ANYTHING THAT’S UNCHECKED. In particular, don’t be tempted to install anything marked 'Preview'...”
> https://www.askwoody...e-version-1709/

Microsoft confirms stalled downloads, bogus errors in Win10 FCU update KB 4054517
... Microsoft just confirmed two major bugs in this month’s cumulative update for Win10 Fall Creators Update, KB 4054517 — which we described earlier this week. We also have confirmation of bugs in the November Excel 2016 patch and in this month’s Exchange Server patch
- https://www.computer...kb-4054517.html
Dec 21, 2017

December 12, 2017 — KB4054517 (OS Build 16299.125)
Applies to: Windows 10, Windows 10 version 1709
- https://support.micr...pdate-kb4054517
Last Updated: Dec 20, 2017
"... Microsoft is working on a resolution and will provide an update in an upcoming release..."
See: "Known issues in this update..."

... Windows 10 FCU — version 1709, build 16299, Redstone 3 — just around the corner, here are the best ways to ensure you install the update when you’re ready, -not- when Microsoft says so
- https://www.computer...installing.html
Oct 15, 2017

Fixes or workarounds for recent Office issues
... Applies To: Excel 2016 Word 2016 Outlook 2016 PowerPoint 2016 More...
- https://support.offi...2d-264c6907ea75

> https://support.offi...8c-cd74884f292f
Last updated: December 2017

ADV170021 | Microsoft Office Defense in Depth Update
> https://portal.msrc....isory/ADV170021
12/12/2017

Microsoft Security Advisory 4053440
Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields
> https://technet.micr...id=cx-wdsi-ency
Published: November 8, 2017 | Updated: December 12, 2017
Version: 2.0

Office as a malware delivery platform: DDE, Scriptlets, Macro obfuscation
... Powerful behind-the-scenes features in Office have suddenly stepped back into the malware limelight, with an onslaught of mostly macro-less attacks starring jimmied Word, Excel and PowerPoint documents
- https://www.computer...bfuscation.html
Dec 19, 2017
 

Edited by AplusWebMaster, 28 December 2017 - 11:18 AM.

[AplusWebMaster]

FYI...

Win10 FCU - KB4054517 (OS Build 16299.125)
Applies to: Windows 10, Windows 10 version 1709
- https://support.micr...pdate-kb4054517
Last Updated: Jan 2, 2018
See: "Known issues in this update..."

> https://portal.msrc....uidance/summary