• pmacS33

    Viewing 7 replies - 1 through 7 (of 7 total)
    • in reply to: Zero day CVE 2021-40444 #2390844

      Microsoft patched this vulnerability 09/14 for most flavors of OS Server and Workstations.
      In our Windows 10 1909, Server 2012 R2, and Server 2016 test group, IE11 will not start after applying the respective patches.  When IE11 is launched a white screen without any text or controls appears on the screen.  Nothing logged indicating something has been blocked.  The patches are:
      Win10 1909 Sep Cumulative 5005566
      Server 2012 R2 Sep Security Only KB5005627 and IE Cumulative KB5005563
      Server 2016 Sep Cumulative KB5005573

      Appreciate feedback if anyone else has seen this.

    • We have the same problem on Windows Server 2008 R2 and Windows Server 12 R2.  Ours is a fully offline environment so we use MBSA (Microsoft Baseline Security Analyzer) to determine which KBs to download and install:

      MS00-000 | Missing | Security update for the information disclosure vulnerability in Visual Studio 2010 Service Pack 1 (KB4506161) | Important

      When we try to install the patch it returns a ‘does not apply, or is blocked’ error.
      Agree with previous posts that this is a detection issue and expect an updated MBSA signature file for offline installs to be released soon.

      Further, the Nessus Plugin for KB4506161 was modified on Friday, and does NOT detect the patch as required for our systems.

      1 user thanked author for this post.
    • in reply to: MS-DEFCON 1: Don’t apply ANY Windows or Office patches #108212

      In the past, when you were searching for a .NET patch, the KB pointed to a specific flavor of .NET. For example, 3.1.5 or 4.5.2.

      With the new rollup system that MS is deploying there is no specific MS, just the monolithic KB; in your example KB4014985.  The four individual downloads you see correspond to a specific .NET version:

      4014573 = .NET Framework 3.5.1
      4014566 = .NET Framework 4.5.2
      4014558 = .NET Framework 4.6, 4.6.1
      4014552 = .NET Framework 4.6.2

      You need to download the version of .NET supported on your systems.  .NET 3.5.1 was patched via .msu files while .NET 4x use .exe files.

      r/Dan

      2 users thanked author for this post.
    • in reply to: MS-DEFCON 1: Don’t apply ANY Windows or Office patches #107973

      Well…we have performed some isolation testing and it seems that KB4015546 may be the real culprit. Once we run Windows6.1-KB4015546-x64.msu we receive the following MBSA results:

      Security assessment: Incomplete Scan
      Computer name: WORKGROUP\V-HELLIUM
      IP address: //snip//
      Security report name: WORKGROUP – V-HELLIUM (4-12-2017 8-31 PM)
      Scan date: 4/12/2017 8:31 PM
      Scanned with MBSA version: 2.3.2208.0
      Catalog synchronization date: 2017-04-10T21:31:59Z
      Security Updates Scan Results

      Issue:  Security Updates
      Score:  Unable to scan
      Result: Cannot load security CAB file

      2 users thanked author for this post.
    • in reply to: MS-DEFCON 1: Don’t apply ANY Windows or Office patches #107933

      IE patch KB4014661 breaks MBSA.

      While testing, we installed ie11-windows6.1-kb4014661-x64.msu.  After rebooting we run MBSA to verify the patch.  MBSA starts but then fails, complaining about a bad signature file.  Now we don’t have a good way to verify that the vulnerability has been closed until MS either puts out a new signature file or they update kb4014661.  This is on Windows Server 2008 R2.  Have not verified on other supported OS platforms.

      -Dan

      2 users thanked author for this post.
    • We download the offline cab file via go.microsoft.com/fwlink/?LinkID=74689.  That is our normal process.

      As a test, we ran an online MBSA and copied the resulting wsusscn2.cab over to our offline systems, and now the scan works just fine.  The files contain the same signatures (and date/time stamps), and are the same size.  MBSA is still supported by Microsoft, but I’m going to look into your suggestion and try Windows Update MiniTool.

      Thank you, Dan

    • That’s a good observation.  We’ve seen corrupted cab files before.  When they are corrupt, the file Properties lacks a valid Signature tab.  In this case, there is a good Signature tab with both a SHA1 and SHA256 signing certificate.   They seem to be signed with the same PCA as with the previous cab file that worked.  I’ll do a little digging.

      1 user thanked author for this post.
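
The replies above compare two copies of wsusscn2.cab by size, timestamps and the Signature tab. The following is an added example, not code from the posts: it compares the two copies by SHA-256 and reports each file's Authenticode status and signer. It assumes PowerShell 4.0 or later (for `Get-FileHash`); both default paths are hypothetical placeholders.

```powershell
# Added example: compare two copies of wsusscn2.cab by content hash and signature.
# Assumptions: PowerShell 4.0+; the default paths below are placeholders.
param(
    [string]$OfflineCab = 'C:\MBSA\offline\wsusscn2.cab',
    [string]$OnlineCab  = 'C:\MBSA\online\wsusscn2.cab'
)

function Get-CabReport {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path

    # SignerCertificate is $null when the file carries no signature at all.
    $subject    = $null
    $thumbprint = $null
    if ($sig.SignerCertificate) {
        $subject    = $sig.SignerCertificate.Subject
        $thumbprint = $sig.SignerCertificate.Thumbprint
    }

    [pscustomobject]@{
        Path             = $item.FullName
        Length           = $item.Length
        LastWriteUtc     = $item.LastWriteTimeUtc
        SHA256           = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SignatureStatus  = $sig.Status          # e.g. Valid, NotSigned, HashMismatch
        StatusMessage    = $sig.StatusMessage
        SignerSubject    = $subject
        SignerThumbprint = $thumbprint
    }
}

$offline = Get-CabReport -Path $OfflineCab
$online  = Get-CabReport -Path $OnlineCab
$offline, $online | Format-List

# Equal size and timestamps do not prove equal content; the hash comparison does.
if ($offline.SHA256 -eq $online.SHA256) {
    Write-Output 'Both copies are byte-for-byte identical (SHA-256 match).'
} else {
    Write-Output 'The copies differ in content even if size and timestamps match.'
}
```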