A panoply of problems with this week’s 210 critical Windows and Office patches

[woody]

April 2017 Patch Tuesday’s 644 patches are crawling in bugs — but there are some solutions Post coming in InfoWorld.
[See the full post at: A panoply of problems with this week’s 210 critical Windows and Office patches]

3 users thanked author for this post.

HiFlyer, MrBrian, JDeC

Reply | Quote

[anonymous]

I maintain a client-server database app written in VB6 that uses ADO and COM+/DCOM. After installing the “April, 2017 Security Monthly Quality Rollup,” the VB6 app crashes in msado15.dll and ntdll.dll when trying to write to to the database. Uninstalling the update restores full write functionality. This is verified on Windows 7 x86 and Windows 8.1 x64. The issue is also present in Windows 10 x64 but I’m not testing that further. Details:

http://www.mcbsys.com/blog/2017/04/april-2017-monthly-rollup-breaks-vb6-app/

1 user thanked author for this post.

woody

Reply | Quote

[TheSuffering]

What are the biggest buggs one should watch for if running win7 ?

Reply | Quote

[woody]

See the article. There are many.

Reply | Quote

[TheSuffering]

Will do, I wonder how MS will clean up this mess because even with my limited knowledge I can see this iss bad and serious, I am even avoiding opening any and all word files

Reply | Quote

[The Surfing Pensioner]

Hi, I am Running Windows 7 Home Premium with Microsoft Office 2010 installed. As I am in Group B, I have avoided installing any updates so far this month. But I understand from Woody’s article that it would be prudent for me to instal KB3141538 and so I have downloaded this update. Can someone please give me reassurance that it is safe for me to instal without unwanted consequences? With many thanks.

Reply | Quote

[Bill C.]

I installed the MS Word patch KB3141538 from Windows Update. I installed ONLY THAT PATCH. I have WU set to never check so it is a manual check. I am Group B.

So far on my Windows 7-64 Pro SP1 machine there have been no adverse effects. However, as always and depending on your system configuration your mileage may vary (YMMV).

It is also unfortunate that my Malwarebytes v.2 is approaching EOL. The newer version 3 is still problematic from the many posts on the Malwarebytes forum.

4 users thanked author for this post.

JDeC, jburk07, SueW, Jonesy

Reply | Quote

[The Surfing Pensioner]

Many thanks, Bill. I will take the risk in a little while.

Reply | Quote

[woody]

I think that’s the best alternative.

Reply | Quote

[anonymous]

I thought I had read somewhere in the A.W.-forums that you had to install both the Office-patch and a Windows-patch. Someone had looked into it and found that for Vista and one of the server-versiosn, that do not get roll-ups, indeed there was a seperate Windows-update as well, from which he concluded that …. let me look it up. I’m confusing myself. https://www.askwoody.com/forums/topic/booby-trapped-word-documents-in-the-wild-exploit-critical-microsoft-0day/#post-107678, that is the one.

 

Annemarie

Reply | Quote

[MrBrian]

That appears to be correct. See https://www.askwoody.com/forums/topic/a-panoply-of-problems-with-this-weeks-210-critical-windows-and-office-patches/#post-108385.

Reply | Quote

[TheSuffering]

Just to be safe, I use office 2007, are there any major bugs I should be aware of in the patches?

Reply | Quote

[anonymous]

Just to add to the information: Office 2010 installed on remote terminal server. I applied Office patches and Office broke. Uninstalled 3118388 (because I thought Outlook patch was the problem) and 3141538 to get it running again. Full disclosure the terminal server is 2003 and it’s replacement is being prepared for deployment.

Reply | Quote

[MrBrian]

There is a very important detail about the vulnerability CVE-2017-0199 | Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API that I missed at first, but later noticed:

“The update addresses the vulnerability by correcting the way that Microsoft Office and WordPad parses specially crafted files, and by enabling API functionality in Windows that Microsoft Office and WordPad will leverage to resolve the identified issue.”

It seems that both the Windows and Office update are needed to make Office invulnerable to this vulnerability. If you install just the Office update, you apparently are still vulnerable!

4 users thanked author for this post.

jburk07, Bill C., Noel Carboni, PKCano

Reply | Quote

[lizzytish]

Yes…….. as everyone is saying…….. WHAT A MESS – ye-gads!! I have the mentioned security fix for Office 2007 sitting in my Important updates (Win7 Pro 64bit – Group B)……….. was reading Woody’s article on InfoWorld and was about to install the patch for the ZeroDay effecting Office, but now I see that possibly it’s only half a fix. Also mentioned that there were another 2 bugs relating to ZeroDay….. would those be the ones relevant to the Win Security Patch………. or would it just be the Office one, that you are referring to Mr. Brian ? Guess the Game Plan would be to NOT open any Office/word files in an email until all this is sorted. I’m trying to sit tight and think of pleasant things!!!! LT

“To waste one second of one’s life is a betrayal of one’s self! I wonder what’s on television?”
Tony Hancock

Reply | Quote

[MrBrian]

I was referring to just this vulnerability.

1 user thanked author for this post.

lizzytish

Reply | Quote

[MrBrian]

I have confirmed by testing on Windows 7 that with just the relevant Office 2007 update installed, Office 2007 remains vulnerable. With both the relevant Office 2007 update and the April 2017 Windows update installed, Office 2007 is not vulnerable. I would expect the same is true for other Office versions and other Windows operating systems.

Reply | Quote

[MrBrian]

What I tested was, for a Word 2007 document, whether double-clicking an embedded object linking to a “.hta” file hosted online causes the code in the “.hta” file to run (in process mshta.exe) or not.

There are additional steps to get the “.hta” code to run automatically when opening an Office document, but I could not get those additional steps to work, so I did not test that aspect.

There’s a webpage that shows how to do these things, but I probably shouldn’t give the link because it could be used for evil.

Technical reference: Vulnerability Note VU#921560 – Microsoft OLE URL Moniker improperly handles remotely-linked HTA data.

 

1 user thanked author for this post.

SueW

Reply | Quote

[Noel Carboni]

Not to make light of the many reported problems, but I just finished updating another Windows 8.1 x64 test system, this one with Office 2010 on it. I started the Windows Update service and did a full “Group A” update on it (with the exception of the optional telemetry update which I hid – again), and I’m not able to find problem number one so far with the updated system. I even did performance benchmarking and found the speed of every major subsystem about the same as before.

Of course the number of tests I’ve subjected it to over the past couple of hours is necessarily limited, but it seems like there’s hope that the patches aren’t all bad!

I’m typing this on a tweaked and fully up-to-date Win 10 version 1703 build 15063.138 Creator’s test system, and it’s been running pretty well too, other than failures I saw yesterday with Adobe’s Creative Cloud.

-Noel

Reply | Quote

[anonymous]

So far installed the IE and .NET (the full one, via Windows Update) patches, things seem fine. Waiting on the April security-only bundle, but getting awfully anxious about it. Bar that tiny January update that I didn’t see as exactly relevant to my computer and therefore waited (and installed it only alongside the March bundle), it’s definitely the only time in the past several years when I waited over 48 hours to install security updates, and may well be the only time in 15 years.
Scared of either possibility now, both installing that and waiting longer. Gah.

Reply | Quote

[anonymous]

Reporting in, DEFCON 1 is right. Double reboot, but that seemed all right, what definitely is not all right after applying the April security-only patch (4015546) is that once again fan speeds no longer change according to temperature. Win 7 32-bit, AsRock Fatal1ty B85 Killer as motherboard.
Happened once before, after installing the September patches, and uninstalling didn’t fix it, and was noticing other issues too then, so ended up taking computer to the shop I got it from, thinking some hardware issue that may have just coincidentally triggered then. They said they fixed it by updating BIOS. But now there’s no newer update available.

Wonder what’s common between April and September to mess with BIOS…

Reply | Quote

[_Reassigned Account]

I’ve resorted to running Office online only until this is fixed. Cautioned everyone to be careful what you open. Just the shear amount of patches themselves is scary. As with any thing the focus on the weakest link is always the target. Office to me is a mess, and has been for some time. Its the Windows 95, 98 of Office document creation.

Reply | Quote

[arfurdent]

I have tried to install MS Word patch KB3141538 on two seperate PCs running Office 2013. Each time it failed saying there was no relevant component installed. Any ideas?

1 user thanked author for this post.

Reply | Quote

[The Surfing Pensioner]

Sorry, I’ve just realised that I wasn’t logged in. That last post about kb3141538 was from me.

Reply | Quote

[anonymous]

That’s because kb3141538 is for Office 2010. I believe you need kb3178710.

Having said that, I am today feeling slightly uneasy. I’ve had no problems since installing kb3141538 yesterday, but have just checked and it is nowhere listed in my update history or indeed as an installed update – so I could not uninstal it if I wanted to. But I note that the installation date of ALL my historical Office patches has changed to 13/4/17 – which is more than slightly weird, given that kb3141538 was the only patch I installed yesterday and moreover installed manually. Has anyone got an explanation for all this?

Reply | Quote

[b]

woody wrote:

There’s one exception, though. The Word zero-day vulnerability that I talked about over the weekend is being actively used to infect machines. Lots and lots of machines, according to Dan Goodin at Ars Technica. If you’re concerned about that zero-day — and you should be, if you open documents attached to email messages —  you should apply one or all of these patches, depending on which version of Office you use:

How do you reconcile that with MS-DEFCON 1: Don’t apply ANY Windows or Office patches posted within a couple of hours?

Which should be believed, MS-DEFCON 1 or InfoWorld?

1 user thanked author for this post.

JDeC

Reply | Quote

[woody]

As stated, if you’re concerned about opening Word documents attached to email messages, it would be wise (but possibly not sufficient) to install the listed Word Security updates.

Worthwhile alternatives here: https://www.howtogeek.com/302740/how-to-open-office-files-without-being-hacked/

Reply | Quote

[MrBrian]

Unfortunately that’s indeed probably not sufficient. See https://www.askwoody.com/forums/topic/a-panoply-of-problems-with-this-weeks-210-critical-windows-and-office-patches/#post-108385.

1 user thanked author for this post.

woody

Reply | Quote

[woody]

It seems the best solution at this point is to use office online if you absolutely must open an attached DOC

Reply | Quote

[anonymous]

I discovered yesterday that Active Directory Replication is failing since 4/16/17 (when I installed the latest round of updates). What turned me on to it is I am getting an “access denied” error when trying to open Group Policy from another subnet to my primary domain controller. Using my laptop, if I am on the same subnet it opens just fine, however when I move my laptop to a different subnet, that is when it fails.

Reply | Quote

[PKCano]

We will need some additional information.
What version of Windows are you running and what version is your domain controller?

Reply | Quote

[anonymous]

I am narrowing it down to my main site I believe. When I run “repadmin /replsum” on one of my remote sites domain controllers, it shows that all of the remote sites replicate fine, with the exception of the “main site”. My laptop is Win 10, but that doesn’t seem to matter.

The main site has 2 – 2012 DC’s and 1 2008r2 DC. The remote sites are a mix of the two, and like I said seem to be replicating fine. So, I am narrowing it down to either a DNS issue (everything looks fine here) and potentially a site trust problem.

Reply | Quote

[anonymous]

Ok, scratch that, it seems to be only with 1 of the 2012 domain controllers (the primary one that holds all of the FSMO role unfortunately). Replication with the others is ok.

Reply | Quote

[MrBrian]

A known issue was recently added to April 11, 2017—KB4015547 (Security-only update) (for Windows 8.1 and Windows Server 2012 R2):

“[Symptom] After installing this update on Windows Server 2012 R2 DC, you may notice Kerberos Key Distribution Center (KDC) service fails to start and error events are logged in the System Event log with Event ID: 7023 –  The parameter is incorrect.

[Workaround / Resolution] Install the April 2017 Monthly Rollup Update KB4015550 or Install the March 2017 Security-only update KB4012213.”

1 user thanked author for this post.

Noel Carboni

Reply | Quote

[Author]

Posts