A roundup of ongoing problems with this month’s Windows and .NET patches


    #133736

    It’s a long, sad list. Post coming on Computerworld.
    [See the full post at: A roundup of ongoing problems with this month’s Windows and .NET patches]

    • #133742

      Not to take away from the gravity of this headline, but after passing my own testing in VMs I’ve had my main Windows 8.1 x64 Pro/MCE workstation running continuously on the September updates (group A style) for 4+ days now. Doing my normal business management and software engineering work (including work with Office 2010) I’ve seen no downsides. Of course no one individual can possibly do all things Windows can do with a given system.


      I’m still holding off updating my critical Windows 7 system as I simply haven’t had time to do update testing for that system yet.

      -Noel

    • #133797

      I’m leaning towards installing the .NET patch since other people use my computer who may press the “Enable Editing” button.

      Interestingly, when I went to look at the article for KB 4040960 at

      https://support.microsoft.com/en-au/help/4040960/description-of-the-security-only-update-for-the-net-framework-4-5-2-fo

      and clicked on the link to the Microsoft Update Catalog, the updates offered appear to be a different number: KB 4041090. This seems unusual.

      Any advice / comments? Thanks.

      Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

      • #133844

        Also interesting, the four subcomponents of KB 4041090 for Windows 7 64-bit are all labelled x86. At first I thought this a mistake, but looking through the Microsoft Update Catalogue the apparent error seems consistent. Does one install and wait to see what happens?

      • #133896

        @samak
        In the Update Catalog for .NET, there are several different updates for the different versions. If you click on the title of the updates (instead of “Download” button) then click on “more information” in the box that pops up, it will take you to a page that shows which patch belongs to which version. Then you can download the one(s) you need for the version(s) installed on your computer.

        • #133908

          Many thanks for the tip. However, having done that, the subcomponents of KB 4041090 for Windows 7 64-bit are all still described as x86. What I’m saying is that I can’t find another version of KB 4041090 whose internal components are described as x64 anywhere. So I am wondering whether this version will fit both 32- and 64-bit Windows 7?

          • #133911

            If you look carefully in the name, the one for 64-bit has x64 in the name (the second one down). The one without any indication is x86.


            Once you identify which one(s) you need, go back to the original Update Catalog page, click on the download button, and download the correct patch.

    • #133813

      Most important: If you can’t keep yourself (or your clients) from clicking “Enable Editing” in Word, you must install a broad range of .NET patches (if you’re running Windows 7 or 8.1) or cumulative updates (if you’re running Windows 10), like, NOW.

      CVE-2017-8759 can also be exploited with PowerPoint or Excel. From https://github.com/nccgroup/CVE-2017-8759/: “This is interesting, as previously pointed out – CSV (and SLK files) do not trigger protected mode. This means that the number of prompts presented to a user when sent either an RTF, PPSX or CSV/SLK file from an internet location are exactly the same (due to the former triggering protected view). Furthermore, due to being plain-text and usually relatively innocuous, CSV files often sail through perimeter defenses (such as web-proxies or email spam filters).”

      • #133830

        If a poisoned .CSV file arrives via a method that doesn’t preserve the “mark of the web” (such as put inside a 7-Zip archive), then I would guess that the number of prompts is 0.

        How is it possible to poison a .csv file? It’s just interpreted as text to be put into cells, right? Does that activity somehow carry the ability to turn that text into macros?

        -Noel

        • #133839

          See the “Bonus – CSV exploit” section of the link in post #133813.

    • #133853

      Good point that’s getting stuck in our ongoing site problems (which may be solved tomorrow):

      Woody, You missed to point out that the September update not just added the search box to IE11, but the search box ignores group policy settings preventing IE11 from searching the Web. Currently, the only workaround is to null-route the domains of search providers

      Overnight, there was this additional anonymous post:

      Also, the search box is using ‘disabled’ search providers. Actually, the search box should be hidden when no available search provider is enabled under IE 11 settings. But Microsoft decided to ignore all that and just put the c***** search box up.

    • #133878

      MS have updated .NET Framework September 2017 Security and Quality Rollup
      September 21, 2017:

      Known Issues

      This release has the following known issues.

      WPF Rendering in a Windows Service
      .NET Framework versions: 4.6.x, 4.7
      Windows versions: all
      Affected KBs: KB4040956, KB4040955, KB4040957

      After you install this update on the .NET Framework 4.6, 4.6.1, 4.6.2, and 4.7, you may experience rendering issues in Windows Presentation Foundation (WPF) applications that use WPF types in a Windows service. For more information, see KB 4043601.

      Incorrect text in .NET Framework Setup
      .NET Framework versions: 4.5.2
      Windows versions: Windows 7, Windows Server 2008, Windows Server 2008 R2
      Affected KBs: KB4040960, KB4040977

      When you apply this update on non-English locale systems, you may notice some pseudo localized characters instead of localized content in the interactive setup. This is a non-impacting, UI-only, setup issue that does not affect the deployment result or functionality of the update contents. Please apply this update to help secure your computer against vulnerabilities and the issues that are addressed by this update. For more information, see: KB 4043564.

      • #133992

        @Kirsty:  The only update I see for September (an older version disappeared) is KB4041083 for the .NET Framework.   Win 7, x64,  (trying to get into Group A).  It becomes more and more confusing with every “check for updates” results (set at NEVER).  This is for the Security & Quality Rollup For .NET Framework going up to 4.7 and on.

        I see that your update is more current than the one that I have which is dated 9-12-17, so that explains the reason.   I must get busy and do another “check for updates” with the “NEVER CHECK” on.

        I’m awaiting the Defcon3, to try to get this one DL & installed.   Good luck to us all, that’s for sure.   Thank you for all of the excellent information you share with us all.   It is most appreciated, as always!   🙂

    • #133996

      @Kirsty: Well, I “checked for updates”, and they are the same as they were previously, so I only have the same one I referenced above for the .NET. The only other Important update I have is the KB4038777 (Sec. Monthly Quality Rollup for Win7 x64). I will get the MSRT and WinDef. updates installed ASAP.

      Apologies for the edit, since I found nothing “new”.  Thank you once again!   🙂

    • #134098

      Question regarding the September .NET updates: after the status changes to DEFCON 3, would those in “Group B” go ahead with KB4041083, or should the individual “Security Only Updates” be installed instead (for the machines in question, Win 7 Pro x64, these would be KB4040957 and KB4040960, both dated 2017.08.30, and KB4040966, dated 2017.08.31)?

      Thanks!

      • #134105

        Group B does not include .NET – in fact, AKB2000003 recommends in step B4, using the .NET patches provided by Windows Update (at DEFCON 3, of course).

        Some people still insist on using the security-only .NET patches. I have been using the WU .NET Rollup patches, myself, without problems.

        However, it is recommended for Win7 to hold off installing .NET 4.7 for the time being because of problems with Win7.

    • #134116

      From Rendering issues after the September 12, 2017, .NET Security and Quality Rollups are installed:

      “Workaround

      To work around this problem, temporarily remove the September 12, 2017, Security and Quality Rollup update, and then install the corresponding September 12, 2017, Security-Only update to make sure that systems are secured against the latest vulnerabilities.”

    • #134211

      Published earlier today at gHacks:

      Author: Ksuvi Khor  September 25, 2017 at 3:57 pm

      Comment: We are experiencing a similar issue in our organization. After installing KB4038777 on our HP 6200 desktops our users are experiencing a blank screen with cursor for several minutes immediately after logging in, thus delaying their ability to log in and get to work. Removing KB4038777 and rebooting fixes this issue.

      Permalink: https://www.ghacks.net/2017/09/12/microsoft-security-updates-september-2017-release/

    • #133768

      Woody, You missed to point out that the September update not just added the search box to IE11, but the search box ignores group policy settings preventing IE11 from searching the Web. Currently, the only workaround is to null-route the domains of search providers.

    • #133849

      Group A,  Win 7 x64,  Home premium,  Office 2010,  Firefox55,  HP printer.  Received KB4038803 today.  Downloaded it.  No problems so far.
