Jump to content

Microsoft January 2018 Security Updates


Corrine

Recommended Posts

The January security release consists of 56 CVEs, 16 are listed as Critical and 38 are rated Important, 1 is rated Moderate and 1 is rated as Low in severity. The updates address Remote Code Execution, Tampering, Security Feature B y p a s s , Information Disclosure and Denial of Service. The release consists of security updates for the following software:

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • SQL Server
  • ChakraCore
  • .NET Framework
  • .NET Core
  • ASP.NET Core
  • Adobe Flash

Important: Because the out-of-band security update for "Meltdown"/"Spectre" requires the setting of a registry key and not all antivirus software has been updated to include the key, Microsoft updated Important: January 3, 2018, Windows security updates and antivirus software to include the following Note:

Note: Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets the following registry key: [/indent]
Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD”

Data="0x00000000” [bold added]

 

If your computer has not received the security update, check the status at
CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754 (Meltdown and Spectre) Windows antivirus patch compatibility
. In the event both "Sets registry key" and "Supported" are not
both
indicated with the letter "Y", Bleeping Computer has created
a .reg file
that can be used to create the registry. However, it should only be used if your antivirus vendor has indicated that a manual install is needed. For in-depth information, see the Bleeping Computer articles
Microsoft Says No More Windows Security Updates Unless AVs Set a Registry Key
and
How to Check and Update Windows Systems for the Meltdown and Spectre CPU Flaws
.

 

Further note that some AMD devices are getting into an unbootable state after installing the "Meltdown"/"Spectre" security update. As a result, Microsoft is temporarily pausing sending updates to devices with impacted AMD processors at this time. Further information is available at
Windows Meltdown and Spectre patches: Now Microsoft blocks security updates for some AMD based PCs
.

 

More
: For more information about the updates released today, see
https://portal.msrc....uidance/summary
. Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at
Windows 10 Update history
.

 

Also see this month's
Zero Day Initiative — The January 2018 Security Update Review
by Dustin Childs in which he discusses several of the patches and linclude
s a breakdown of the CVE's
addressed in the
update.

  • Like 2
Link to comment
Share on other sites

EDIT: As of a few minutes ago, the reg key has been created by ESET.

 

ESET indicates Y and Y on the spreadsheet you linked to, Corrine. However, the registry key is not present on my mother's windows machine. ESET shows up-to-date on virus signature and product module. I'm a little confused about whether I could install the MS patch on her machine. I'm not ready to do it yet anyway (like to see some of the bugs shake out first), but I'd kind of like to know where it stands. I've talked her into letting me install NoScript and her FF is the latest version, so I think she's relatively safe for now.

Edited by ebrke
  • Like 1
Link to comment
Share on other sites

ESET was among the first A/V's to provide the reg update. It was released late in the day on January 3. What OS is your Mother's machine? Since Microsoft states that "Customers using Windows client operating systems including Windows 7 Service Pack 1, Windows 8.1, and Windows 10 need to apply both firmware and software updates.", have you checked the OEM for an update? I gather it is Intel and not a newer AMD processor (at least post 1995).

 

Did you check her device with PowerShell to confirm that it does not have the reg? (Information for the PowerShell check as well as a downloadable reg update are available in the Bleeping Computer article, How to Check and Update Windows Systems for the Meltdown and Spectre CPU Flaws.

 

Please Note: If your system received the out-of-band January 3, 2018, security update, most likely, only the Flash Player and MSRT updates were installed yesterday for Windows 10. To confirm that your system is up to date, go to Windows 10 update history.

  • Select the Windows 10 version you are at. For example, the Fall Creators Update is Windows 10 Version 1709 and the Creators Update is Version 1703.
  • The current Build for Windows 10 Version 1709 is OS Build 16299.192, with KB4056892, dated January 3, 2018, installed.
  • The current Build for Windows 10 Version 1703 is OS Build 15063.850, with KB4056891, dated January 3, 2018, installed.
  • To check your version go to Settings > System > About and scroll down to "Windows Specifications".
  • The OS Build under Windows Specifications will match the Windows 10 Version.

With regard to the Microsoft Office updates, the January, 2018 Office updates are listed here. For Microsoft Office updates see How to: Install Microsoft Office Updates.

Link to comment
Share on other sites

Hello,

 

I read that ESET pushed an update out to all customers to automatically create the registry key, but I also know that sometimes anti-malware software doesn't apply all changes immediately in some circumstances, like pending operating system updates. In cases like those, rebooting the computer and letting the operating system apply the updates usually resolves things.

 

Regards,

 

Aryeh Goretsky

 

EDIT: As of a few minutes ago, the reg key has been created by ESET.

 

ESET indicates Y and Y on the spreadsheet you linked to, Corrine. However, the registry key is not present on my mother's windows machine. ESET shows up-to-date on virus signature and product module. I'm a little confused about whether I could install the MS patch on her machine. I'm not ready to do it yet anyway (like to see some of the bugs shake out first), but I'd kind of like to know where it stands. I've talked her into letting me install NoScript and her FF is the latest version, so I think she's relatively safe for now.

Link to comment
Share on other sites

Everything is good--reg key is now present, so whenever I decide to install the updates I should be okay. I'm still sticking to manual installs, not using WU except for things like .NET updates. I'm going to wait and see how everything shakes out, though. If I bork my mother's machine, I'll never hear the end of it.

  • Like 2
Link to comment
Share on other sites

Elizabeth all the updates for Windows 7 this month are Important. None are critical.

Also as posted by Woody Leonhard

there are NO KNOWN Meltdown or Spectre exploits in the wild.
So take your time. You don't have to install the updates to Windows 7 while problems still remain. MS will eventually figure out how to fix the patch that causes BSOD. Edited by zlim
  • Like 1
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...