7 replies to this topic

[AplusWebMaster]

FYI...

>> https://doublepulsar...ou-a852ba0292ec
Jan 8, 2018 - "... the Microsoft knowledge base articles have had extensive edits since publishing. There’s some really important things you should know before trying to apply the patches..."
>> https://support.micr...ivirus-software
Last Updated: Jan 6, 2018

- https://docs.google....haring&sle=true
CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754 (Meltdown and Spectre) Windows antivirus patch compatibility
Last update: 8th January 2018 @20.30 GMT
___

> https://blogs.techne...update-release/
Jan 9, 2018 - "Today, we released security updates to provide additional protections against malicious attackers. By default, Windows 10 receives these updates automatically..."

Release Notes - Jan 2018 Security Updates
> https://portal.msrc....57-000d3a33cf99
Jan 09, 2018 - "The January security release consists of security updates for the following software:
    Internet Explorer
    Microsoft Edge
    Microsoft Windows
    Microsoft Office and Microsoft Office Services and Web Apps
    SQL Server
    ChakraCore
    .NET Framework
    .NET Core
    ASP.NET Core
    Adobe Flash ..."

Known Issues:
4056890: https://support.micr...om/help/4056890
4056891: https://support.micr...om/help/4056891
4056892: https://support.micr...om/help/4056892
4056893: https://support.micr...om/help/4056893
4056888: https://support.micr...om/help/4056888
4056895: https://support.micr...om/help/4056895
4056898: https://support.micr...om/help/4056898
4056894: https://support.micr...om/help/4056894
4056897: https://support.micr...om/help/4056897
4056896: https://support.micr...om/help/4056896
4056899: https://support.micr...om/help/4056899

Security Updates: https://portal.msrc....curity-guidance

Security Update Summary: https://portal.msrc....uidance/summary

January 2018 Office Update Release
- https://blogs.techne...update-release/
Jan 9, 2018 - "The January 2018 Public Update releases for Office are now available! This month, there are 36 security updates and 25 non-security updates. All of the security and non-security updates are listed in KB article 4058103*.
A new version of Office 2013 Click-To-Run is available: 15.0.4997.1000
A new version of Office 2010 Click-To-Run is available: 14.0.7193.5000"
* https://support.micr...om/help/4058103
___

ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities
- https://portal.msrc....isory/ADV180002
Security Advisory
Published: 01/03/2018  | Last Updated : 01/09/2018
... Disclaimer: The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions: Version / Date / Description
 1.0 01/03/2018 Information published.
 2.0 01/03/2018 Revised ADV180002 to announce release of SQL 2016 and 2017 updates.
 3.0 01/05/2018 The following updates have been made: Revised the Affected Products table to include Windows 10 Version 1709 for x64-based Systems because the update provides mitigations for ADV180002. Corrected the security update numbers for the 2016 and 2017 SQL Server Cumulative Updates. Removed Windows Server 2012 and Windows Server 2012 (Server Core installation) from the Affected Products table because there are no mitigations available for ADV180002 for these products. Revised the Affected Products table to include Monthly Rollup updates for Windows 7 and Windows Server 2008 R2. Customers who install monthly rollups should install these updates to receive the mitigations against the vulnerabilities discussed in this advisory. In the Recommended Actions section, added information for Surface customers. Added an FAQ to explain why Windows Server 2008 and Windows Server 2012 will not receive mitigations for these vulnerabilities. Added an FAQ to explain the protection against these vulnerabilties for customers using x86 architecture.
 4.0 01/09/2018 Revised the Affected Products table to include updates for the following supported editions of SQL Server because the updates provide mitigations for ADV180002: Microsoft SQL Server 2008 for 32-bit Systems Service Pack 3 (QFE), Microsoft SQL Server 2008 for 32-bit Systems Service Pack 4 (QFE), Microsoft SQL Server 2008 for Itanium-Based Systems Service Pack 3 (QFE), Microsoft SQL Server 2008 for Itanium-Based Systems Service Pack 4 (QFE), Microsoft SQL Server 2016 for x64-based Systems, Microsoft SQL Server 2016 for x64-based Systems (CU).
___

ghacks.net:
- https://www.ghacks.n...y-2018-release/
Jan 9, 2018

Qualys blog: https://blog.qualys....s-1-adobe-patch
Jan 9, 2018 - "... It is important to note that OS-level and BIOS (microcode) patches that are designed to mitigate Meltdown and Spectre may lead to performance issues. It is important to test all patches before deploying.
Some of these updates are incompatible with third-party antivirus software, and may require updating AV on workstations and servers. Microsoft has released guidance documents for both Windows clients and servers. Windows Server requires registry changes in order to implement the protections added by the patches.
Microsoft has also halted the deployment of patches for some AMD systems, as there have been issues with systems after installation.
Aside from these patches, today Microsoft has released patches covering 59 vulnerabilities. Of these vulnerabilities, 16 are ranked as “Critical,” with 20 potentially leading to remote code execution.
In today’s release there are patches for both Microsoft Word and Outlook, which should also be prioritized for workstation-type devices. Most of the patches released today are for browsers and involve the Scripting Engine. These patches should be prioritized  for systems that access the internet via a browser..."
___

- https://www.us-cert....ecurity-Updates
Jan 09, 2018
- https://support.micr...-january-9-2018
 

Edited by AplusWebMaster, 09 January 2018 - 04:19 PM.

[AplusWebMaster]

FYI...

BIOS Updates to Patch CPU Flaws
- http://www.securityw...patch-cpu-flaws
Jan 15, 2018 - "Acer, Asus, Dell, Fujitsu, HP, IBM, Lenovo, Panasonic, Toshiba and other device manufacturers have started releasing BIOS updates that should patch the recently disclosed Spectre and Meltdown vulnerabilities.
The flaws exploited by the Meltdown and Spectre attacks, tracked as CVE-2017-5715, CVE-2017-5753and CVE-2017-5754, allow malicious applications to bypass memory isolation mechanisms and access sensitive data. Billions of PCs, servers, smartphones and tablets using processors from Intel, AMD, ARM, IBM and Qualcomm are affected...
(Much more detail at the URL above.)

> https://www.sans.org...ewsbites/xx/3#1
"CPU Patches - (January 9, 10, & 11, 2018)
Some vendor patches for the Spectre and Meltdown CPU vulnerabilities have been causing problems for users. Microsoft said that systems running incompatible anti-virus products would not receive any further updates; anti-virus vendors must confirm compatibility by setting a registry key. Linux has released microcode to address the CPU problems for certain processors. Canonical had to release a new patch after Ubuntu Xenial 16.04 users reported that the first fix rendered their systems unable to boot. Google says it applied patches for the flaws last year and that they have not slowed down its cloud services.  
 The patches are complicated and some require steps beyond just clicking install to complete the mitigation. They are also changing rapidly as issues surface and are resolved. Test not only for stability after application but also for performance impact.
 There are patches and then there are PATCHES. It is pretty clear that software/firmware PATCHES for Spectre/Meltdown are complex and will, at a minimum, have performance impact. They will require significantly more QA testing than routine monthly Microsoft vulnerability Tuesday patches, probably even more than quarterly Oracle CPU PATCHES. Spinning up production environments (with obfuscated data) on IaaS services has enabled many organizations to increase depth of patch/PATCH testing while minimizing increases in time to patch. But, shielding, mitigation and monitoring will be needed in the interim..."

- http://www.zdnet.com...r-meltdown-fix/
Jan 10, 2018

- https://www.computer...which-ones.html
Jan 11, 2018

> https://www.askwoody...at-ms-defcon-2/
"...Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it."
 

[AplusWebMaster]

FYI...

GRC test utility for 'Meltdown and Spectre' vulnerabilties
- https://www.grc.com/inspectre.htm
Jan 15, 2018 - "This is the Initial Release of InSpectre - We did not wish to delay this application's release while building additional confidence in its conclusions and output. It has been carefully tested under as many different scenarios as possible. But new is new, and it is new. We may well have missed something. So please use and enjoy InSpectre now. But you may wish to check back in a few days to see whether we may have found and fixed some last bits of debris.... Protection from these two significant vulnerabilities requires updates to every system's hardware – its BIOS which reloads updated processor firmware – and its operating system – to use the new processor features. To further complicate matters, newer processors contain features to minimize the performance impact of these important security improvements. But older processors, lacking these newer features, will be significantly burdened and system performance will suffer under some workloads.
This InSpectre utility was designed to clarify every system's current situation so that appropriate measures can be taken to update the system's hardware and software for maximum security and performance."
(Download the utility from the URL above.) - Thank you, Steve!!!

... Added Jan 16, 2018: "High incidence of -false-positive- A/V warnings:
People are reporting that their 3rd-party anti-virus systems are quarantining InSpectre under the mistaken belief that it's malicious. This did not occur during early work, and is almost certainly due to the end-of-project inclusion of the protection enable/disable buttons and the presence of the registry key they use. I would rather not remove that feature... I will explore obscuring the use of that key to see whether false positive anti-virus warnings can be eliminated. At that time I will clarify some of the conflicting language the app can produce and also explain why the enable/disable buttons may be disabled (there's nothing for them to enable or disable in specific circumstances.)"
___

Windows 7 SP1 and Windows Server 2008 R2 SP1
January 4, 2018 — KB4056894 (Monthly Rollup)
Applies to: Windows Server 2008 R2 Service Pack 1Windows 7 Service Pack 1
- https://support.micr...pdate-kb4056894
Last Updated: Jan 12, 2018
___

Patch Watch: Tracking Issues with the Spectre Patches on AMD Machines
> https://windowssecre...n-amd-machines/
Jan 11, 2018 - "Beware, AMD chip owners. For you Windows Secrets readers who have computers with AMD inside, these Spectre/Meltdown patches are causing more issues than they are preventing. So much so that Microsoft has halted release of the updates on machines that have AMD chipsets. Some of the relevant security posts include the following:
  Microsoft’s KB4073707 on the issues with AMD chip sets and how Microsoft is blocking the patches until the issue is resolved:
- https://support.micr...d-based-devices
  Microsoft’s KB4073757 recapping the overall guidance:
- https://support.micr...pectre-meltdown
Let’s recap the big picture:
> Intel CPU chips have a bug in their very architecture.
Researchers found a way for attackers to possibly steal passwords and other confidential information from our machines. As of publication, the attack has not been used in the wild. However, the potential is there and it’sreally concerning up in cloud servers as it could mean that fellow virtual servers could read information from a tenant next door.
It won’t be enough to patch for the Windows operating system, you’ll need to patch the firmware on your computer as well.
It’s not a Microsoft bug, but because everything uses CPUs, pretty much everything needs to be patched ranging from phones to firewalls. So after you get your patches for Windows, go look for updates for anything else that has a CPU included in it (I’m not kidding or overstating the issue).
A bigger concern to many will be the performance hit this “fix” will make on your system as discussed in a Microsoft blog[2].
2] https://cloudblogs.m...indows-systems/

The older your computer the more the “hit” will be. If you have a computer that is a 2015-era PC with Haswell or older CPU – you will notice a difference.
CERT goes so far as to recommend replacing the CPU hardware in their blog post[1]. I’m not ready to go that far, but it would be wise to review how old your computer hardware is, evaluate the performance hit and plan accordingly.
1] https://web.archive..../vuls/id/584653
Check That Your Antivirus Is Supported:
Because this is a kernel update, antivirus vendors who have hooked into the kernel for additional protection could trigger blue screens of death if they are not updated for the change introduced by this patch. Thus Microsoft is requiring that before the January Windows and .NET updates are installed that a registry entry is made by the vendor – or by you if your vendor doesn’t provide the registry key in an update – before the January updates are installed.
Make sure you review the antivirus listing page that is tracking all of the antivirus vendors and when they plan to support these January updates. If your vendor doesn’t support these updates, it’s time to find a new vendor...

Make sure you review the antivirus listing page*** that is tracking all of the antivirus vendors and when they plan to support these January updates. If your vendor doesn’t support these updates, it’s time to find a new vendor...
*** https://docs.google....mlview?sle=true

Protect your Windows devices against Spectre and Meltdown
Applies to: Windows 10, Windows 10 Mobile, Windows 8.1, Windows 7, HoloLens, Windows Server 2016, Windows Server 2012
Standard, Windows Server 2012 R2 Standard, Windows Server 2008 R2 Standard
> https://support.micr...pectre-meltdown
Last Updated: Jan 10, 2018
 

  

Edited by AplusWebMaster, 16 January 2018 - 05:22 PM.

[AplusWebMaster]

FYI...

Lenovo Releases Security Advisory
- https://www.us-cert....curity-Advisory
Jan 19, 2018 - "Lenovo has released security updates to address a vulnerability affecting Enterprise Network Operating System (ENOS) firmware. An attacker could exploit this vulnerability to obtain sensitive information.
NCCIC/US-CERT encourages users and administrators to review the Lenovo Security Advisory* for more information and apply the necessary updates or mitigations."

Enterprise Networking Operating System (ENOS) Authentication Bypass in Lenovo and IBM RackSwitch and BladeCenter Products
* https://support.leno...urity/len-16095
Lenovo Security Advisory: LEN-16095
Potential Impact: An attacker could gain access to the switch management interface, permitting settings changes that could result in exposing traffic passing through the switch, subtle malfunctions in the attached infrastructure, and partial or complete denial of service.
Severity: High
Scope of Impact: Lenovo-specific
CVE Identifier: CVE-2017-3765 ...
___

Meltdown-Spectre: Intel says newer chips also hit by unwanted reboots after patch
Intel's firmware fix for Spectre is also causing higher reboots on Kaby Lake and Skylake CPUs
- http://www.zdnet.com...ts-after-patch/
Jan 18, 2018

Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method
- https://security-cen...anguageid=en-fr
Last revised: Jan 17, 2018
___

Microprocessor Side-Channel Vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell products
- http://www.dell.com/...roducts?lang=en
Last Date Modified: 01/19/2018 07:46 AM
___

More Windows patches, primarily previews, point to escalating problems this month
Five Windows patches and nine for .NET released yesterday, Patch Wednesday “C,” leave many of us wondering what we did to deserve such abuse. Yes, there are bugs
- https://www.computer...this-month.html
Jan 18, 2018
___

ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities
- https://portal.msrc....isory/ADV180002
Security Advisory
Published: 01/03/2018 | Last Updated : 01/19/2018
Revisions
Version     Date     Description
1.0     01/03/2018     Information published.
2.0     01/03/2018     Revised ADV180002 to announce release of SQL 2016 and 2017 updates.
3.0     01/05/2018     The following updates have been made: Revised the Affected Products table to include Windows 10 Version 1709 for x64-based Systems because the update provides mitigations for ADV180002. Corrected the security update numbers for the 2016 and 2017 SQL Server Cumulative Updates. Removed Windows Server 2012 and Windows Server 2012 (Server Core installation) from the Affected Products table because there are no mitigations available for ADV180002 for these products. Revised the Affected Products table to include Monthly Rollup updates for Windows 7 and Windows Server 2008 R2. Customers who install monthly rollups should install these updates to receive the mitigations against the vulnerabilities discussed in this advisory. In the Recommended Actions section, added information for Surface customers. Added an FAQ to explain why Windows Server 2008 and Windows Server 2012 will not receive mitigations for these vulnerabilities. Added an FAQ to explain the protection against these vulnerabilties for customers using x86 architecture.
4.0     01/09/2018     Revised the Affected Products table to include updates for supported editions of Microsoft SQL Server 2008, Microsoft SQL Server 2008, and Microsoft SQL Server 2016 because these updates provide mitigations for ADV180002.
4.1     01/10/2018     Added FAQs to provide more details about the following: the vulnerabilities described in this advisory, what systems are at risk from the vulnerabilities, how customers can be protected against each specific vulnerability, information for customers with AMD-based devices.
5.0     01/12/2018     Revised the Affected Products table to include updates for supported editions of Microsoft SQL Server 2014 because these updates provide mitigations for ADV180002.
6.0     01/16/2018     Revised the Affected Products table to include updates for supported editions of Microsoft SQL Server 2012 because these updates provide mitigations for ADV180002.
7.0     01/18/2018     On January 5, 2018, Microsoft re-released KB4056898 (Security Only) for Windows 8.1 and Windows Server 2012 R2 to address a known issue. Customers who have installed the original package on 1/3/2018 should reinstall the update.
8.0     01/18/2018     Microsoft has released security update 4073291 to provide additional protections for the 32-bit (x86) version of Windows 10 Version 1709 related to CVE 2017-5754 (“Meltdown”). Microsoft recommends that customers running Windows 10 Version 1709 for 32-bit systems install the update as soon as possible. Microsoft continues to work to provide 32-bit (x86) protections for other supported Windows versions but does not have a release schedule at this time. The update is currently available via the Microsoft Update Catalog only, and will be included in subsequent updates. This update does not apply to x64 (64-bit) systems.
9.0     01/19/2018     1 - Updated FAQ #10 to announce that Microsoft has resumed updating all AMD devices with the Windows operating system security update to help protect against the chipset vulnerabilities known as Spectre and Meltdown. See the FAQ for links to information on how to download the update for your operating system. Customers with AMD-based devices should install the updates to be protected from the vulnerabilities discussed in this advisory. 2 - Added an update to FAQ #7 that security update 4073291 is available to provide additional protections for the 32-bit (x86) version of Windows 10 Version 1709 related to CVE 2017-5754 (“Meltdown”).
___

Patching meltdown: Windows fixes, sloppy .NET, warnings about Word and Outlook
If you thought this month’s Windows/Office/.NET patching debacle couldn’t get any worse...
- https://www.computer...nd-outlook.html
Jan 19, 2018
 

Edited by AplusWebMaster, 20 January 2018 - 09:56 AM.

[AplusWebMaster]

FYI...

Intel says you should NOT install its Meltdown firmware fixes
The warning, which encompasses just about every Intel processor out there, from all PC manufacturers, takes effect immediately. And there’s no indication when it will get fixed
- https://www.computer...ware-fixes.html
Jan 22, 2018 -  "... Intel just announced* that you need to hold off on all of its new patches..."

* https://newsroom.int...s-and-partners/
Jan 22, 2018 -  "As we start the week, I want to provide an update on the reboot issues we reported Jan. 11. We have now identified the root cause for Broadwell and Haswell platforms, and made good progress in developing a solution to address it. Over the weekend, we began rolling out an early version of the updated solution to industry partners for testing, and we will make a final release available once that testing has been completed. Based on this, we are updating our guidance for customers and partners:
  We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior.
 We ask that our industry partners focus efforts on testing early versions of the updated solution so we can accelerate its release. We expect to share more details on timing later this week...
 I will keep you updated as we learn more and thank you for your patience..."
(More detail at the URLs above.)
 

[AplusWebMaster]

FYI...

ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities
Security Advisory
Published: 01/03/2018 | Last Updated : 01/26/2018
- https://portal.msrc....isory/ADV180002
10.0     01/22/2018     Added FAQ #11 to address customer concerns about reboot issues with microcode on devices with older Intel processors. 2. Revised the Affected Products table to add Monthly Rollup updates for supported editions of Windows 8.1 and Windows Server 2012 R2. Customers who install Monthly Rollups should install these updates to be protected from the vulnerabilities described in this advisory.
11.0     01/26/2018     Updated FAQ #11 with further guidance for customers who are experiencing reboot issues on Intel devices.
___

Microsoft Patch Alert: Lots of lingering problems in a very messy month
- https://www.computer...nth.html?page=6
Jan 25, 2018 - "... recommend that you hold off on applying this month’s patches..."

- https://www.askwoody...-defcon-system/
"... Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it."

Windows 10 Version 1709 KB4073291 (OS Build 16299.201)
- https://support.micr...pdate-kb4056892
Last Updated: Jan 26, 2018
"Known issues in this update... Microsoft is working on a resolution and will provide an update in an upcoming release."

Update to Disable Mitigation against Spectre, Variant 2
Applies to: Windows 7 Service Pack 1, Windows 8.1, Windows 10, Windows 10 Version 1511, Windows 10 Version 1607, Windows 10 Version 1703, Windows 10 version 1709, Windows Server 2008 R2 Standard, Windows Server 2012 R2 Standard
- https://support.micr...ectre-variant-2
Last Updated: Jan 26, 2018
 

Edited by AplusWebMaster, 27 January 2018 - 05:25 PM.

[AplusWebMaster]

FYI...

January patches - Get Windows updated...
...We’ve gone five whole days without a new Windows or Office patch. The latest ones have a few identified problems, but for most people now’s the right time to get the January patches installed
- https://www.computer...ws-updated.html
Feb 5, 2018 - "... General caveats:
Don’t install any firmware updates...
Make sure your antivirus is copacetic with this month’s patches...
Make a full system image -backup- before you install the January patches...
As is always the case, DON’T CHECK ANYTHING THAT’S UNCHECKED. In particular, don’t be tempted to install anything marked 'Preview'..."
 
- https://www.askwoody...to-get-patched/
Feb 5, 2018 - "... Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems..."
 

[AplusWebMaster]

FYI...

Get Windows Update locked down in preparation for this month’s problems
...If February turns out half as bad as January... make sure Windows Update is turned off. Temporarily, of course...
- https://www.computer...s-problems.html
Feb 12, 2018 - "... an unconscionable number of patches left bricked machines and busted programs in their wake. With the onslaught of February security patches due... you should take a few minutes to make sure Microsoft’s problems won’t immediately turn into your problems..."
___

Feb 2018 Security Updates
- https://portal.msrc....61-000d3a33c573
Feb 13, 2018 - "The February security release consists of security updates for the following software:
    Internet Explorer
    Microsoft Edge
    Microsoft Windows
    Microsoft Office and Microsoft Office Services and Web Apps
    ChakraCore
    Adobe Flash..."
___

- https://www.us-cert....ecurity-Updates
Feb 13, 2018
 

Edited by AplusWebMaster, 13 February 2018 - 03:30 PM.