This month’s large bundle of Patch Tuesday patches nearly definitely comprises quite a lot of surprises, they usually’re solely beginning to floor. Right here’s a rundown of what I’ve seen within the wee hours of Wednesday morning.
There are many experiences of delayed, failed and rolled again installations of KB 4041676, the Win10 Creators Replace (model 1703) month-to-month cumulative replace, which brings 1703 as much as construct 15063.674. A fast look on the KB article confirms that there are dozens and dozens of fixes on this cumulative replace — a exceptional state of affairs, contemplating the Fall Creators Replace, model 1709, is due on Oct. 17.
In a single day, Günter Born and Bogdan Popa accrued lengthy lists of individuals reporting issues with the replace, together with experiences of hangs, uncontrolled restarts, and exceedingly gradual downloads. Born experiences that the supply of some issues could also be attributable to Norton. If you happen to’re having issues, my long-standing recommendation for cleansing issues up and working the Replace Troubleshooter might assist.
For these of you questioning what occurred to this month’s Flash safety patches, there’s a stunning reply: You aren’t seeing any Adobe safety patches this month as a result of there aren’t any! All of this month’s patches are high quality updates, er, bug fixes.
@PKCano on AskWoody has confirmed that there have been no .NET Safety-only updates this month. The entire .NET updates include non-security patches solely.
All updates for .NET Framework four.6, four.6.1, four.6.2, and four.7 require the D3 Compiler to be put in. We advocate that you simply set up the included D3 Compiler earlier than making use of this replace. For extra details about the D3 Compiler, see KB 4019990.
MrBrian goes on to notice
On a Home windows 7 x64 digital machine with no Home windows month-to-month rollups put in, and .NET Framework four.6.1 put in, Home windows Replace doesn't listing the October 2017 .NET Framework month-to-month rollup… However the guide installer for the October 2017 .NET Framework month-to-month rollup efficiently put in. Ugh!
Tero Alhonen has vital details about the TPM vulnerability. You could recall that Microsoft’s Safety Advisory ADV170012 comprises the warning:
Do NOT apply the TPM firmware replace previous to making use of the Home windows working system mitigation replace. Doing so will render your system unable to find out in case your system is affected. You will have this info to conduct full remedation.
And ZDI illuminates:
That is only a stop-gap measure and nonetheless requires guide intervention. When the precise firmware updates roll out from TPM distributors, the method might want to occur yet again — besides this time, new TPM firmware must be put in on each affected system.
Which is sufficient to tie any admin in knots. Alhonen provides some perception:
In case your is a Floor system, firmware updates are but not accessible as of October 10, 2017. Floor Laptop computer and the Floor Professional (launched in June 2017) are NOT affected… [for Surface Pro 3] Infineon firmware model 5.zero TPM just isn't secure. Please replace your firmware.
If you happen to’re patching the 2015 LTSC model of Home windows 10, it's good to see Microsoft's admission that the Home windows Presentation Framework might get munged. WPF crashes after the October 2017 Safety and Month-to-month High quality Rollup is utilized on Home windows 10 model 1507 that has Microsoft .NET Framework four.6.2 put in.
There’s additionally a variety of confusion about Microsoft’s rationalization for its repair of CVE-2017-11776. Microsoft says: “An attacker who exploited the vulnerability might use it to acquire the e-mail content material of a person,” when in actual fact no assault is critical. The SEC-Seek the advice of weblog has an in depth rationalization:
If you happen to used Outlook’s S/MIME encryption previously 6 months (not less than, we're nonetheless ready for Microsoft to launch detailed info and replace the weblog) your mails may not have been encrypted as anticipated. Within the context of encryption this may be thought of a worst-case bug.
Kevin Beaumont (@GossiTheDog) has tied the items collectively and concluded:
Outlook S/MIME bug is totally reproducible, I simply did it. Doesn't want an attacker. Microsoft have labeled it flawed.
So if you happen to used Outlook’s S/MIME encryption for textual content emails previously six months, your emails haven’t been encrypted in any respect. The “encrypted” emails went out in plain textual content, no antivirus backdoor required. Gotcha.
No definitive phrase as but on whether or not the Win eight.1 Month-to-month Rollup, KB 4041693, or the Safety-only replace, KB 4041687, repair the baffling drawback the place Win eight.1 clients can’t sign up with a Microsoft account. That bug was launched within the September Month-to-month Rollup. The subject isn’t even talked about within the KB articles.
… and it’s been lower than a day for the reason that patches rolled out.
Obtained a patching drawback? Hit us on the AskWoody Lounge.