Corrine Posted January 9, 2018 Share Posted January 9, 2018 The January security release consists of 56 CVEs, 16 are listed as Critical and 38 are rated Important, 1 is rated Moderate and 1 is rated as Low in severity. The updates address Remote Code Execution, Tampering, Security Feature B y p a s s , Information Disclosure and Denial of Service. The release consists of security updates for the following software: Internet Explorer Microsoft Edge Microsoft Windows Microsoft Office and Microsoft Office Services and Web Apps SQL Server ChakraCore .NET Framework .NET Core ASP.NET Core Adobe Flash Important: Because the out-of-band security update for "Meltdown"/"Spectre" requires the setting of a registry key and not all antivirus software has been updated to include the key, Microsoft updated Important: January 3, 2018, Windows security updates and antivirus software to include the following Note: Note: Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets the following registry key: [/indent] Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD” Data="0x00000000” [bold added] If your computer has not received the security update, check the status at CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754 (Meltdown and Spectre) Windows antivirus patch compatibility. In the event both "Sets registry key" and "Supported" are not both indicated with the letter "Y", Bleeping Computer has created a .reg file that can be used to create the registry. However, it should only be used if your antivirus vendor has indicated that a manual install is needed. For in-depth information, see the Bleeping Computer articles Microsoft Says No More Windows Security Updates Unless AVs Set a Registry Key and How to Check and Update Windows Systems for the Meltdown and Spectre CPU Flaws. Further note that some AMD devices are getting into an unbootable state after installing the "Meltdown"/"Spectre" security update. As a result, Microsoft is temporarily pausing sending updates to devices with impacted AMD processors at this time. Further information is available at Windows Meltdown and Spectre patches: Now Microsoft blocks security updates for some AMD based PCs. More: For more information about the updates released today, see https://portal.msrc....uidance/summary. Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history. Also see this month's Zero Day Initiative — The January 2018 Security Update Review by Dustin Childs in which he discusses several of the patches and lincludes a breakdown of the CVE's addressed in the update. 2 Quote Link to comment Share on other sites More sharing options...
ebrke Posted January 9, 2018 Share Posted January 9, 2018 (edited) EDIT: As of a few minutes ago, the reg key has been created by ESET. ESET indicates Y and Y on the spreadsheet you linked to, Corrine. However, the registry key is not present on my mother's windows machine. ESET shows up-to-date on virus signature and product module. I'm a little confused about whether I could install the MS patch on her machine. I'm not ready to do it yet anyway (like to see some of the bugs shake out first), but I'd kind of like to know where it stands. I've talked her into letting me install NoScript and her FF is the latest version, so I think she's relatively safe for now. Edited January 10, 2018 by ebrke 1 Quote Link to comment Share on other sites More sharing options...
Corrine Posted January 10, 2018 Author Share Posted January 10, 2018 ESET was among the first A/V's to provide the reg update. It was released late in the day on January 3. What OS is your Mother's machine? Since Microsoft states that "Customers using Windows client operating systems including Windows 7 Service Pack 1, Windows 8.1, and Windows 10 need to apply both firmware and software updates.", have you checked the OEM for an update? I gather it is Intel and not a newer AMD processor (at least post 1995). Did you check her device with PowerShell to confirm that it does not have the reg? (Information for the PowerShell check as well as a downloadable reg update are available in the Bleeping Computer article, How to Check and Update Windows Systems for the Meltdown and Spectre CPU Flaws. Please Note: If your system received the out-of-band January 3, 2018, security update, most likely, only the Flash Player and MSRT updates were installed yesterday for Windows 10. To confirm that your system is up to date, go to Windows 10 update history. Select the Windows 10 version you are at. For example, the Fall Creators Update is Windows 10 Version 1709 and the Creators Update is Version 1703. The current Build for Windows 10 Version 1709 is OS Build 16299.192, with KB4056892, dated January 3, 2018, installed. The current Build for Windows 10 Version 1703 is OS Build 15063.850, with KB4056891, dated January 3, 2018, installed. To check your version go to Settings > System > About and scroll down to "Windows Specifications". The OS Build under Windows Specifications will match the Windows 10 Version. With regard to the Microsoft Office updates, the January, 2018 Office updates are listed here. For Microsoft Office updates see How to: Install Microsoft Office Updates. Quote Link to comment Share on other sites More sharing options...
goretsky Posted January 10, 2018 Share Posted January 10, 2018 Hello, I read that ESET pushed an update out to all customers to automatically create the registry key, but I also know that sometimes anti-malware software doesn't apply all changes immediately in some circumstances, like pending operating system updates. In cases like those, rebooting the computer and letting the operating system apply the updates usually resolves things. Regards, Aryeh Goretsky EDIT: As of a few minutes ago, the reg key has been created by ESET. ESET indicates Y and Y on the spreadsheet you linked to, Corrine. However, the registry key is not present on my mother's windows machine. ESET shows up-to-date on virus signature and product module. I'm a little confused about whether I could install the MS patch on her machine. I'm not ready to do it yet anyway (like to see some of the bugs shake out first), but I'd kind of like to know where it stands. I've talked her into letting me install NoScript and her FF is the latest version, so I think she's relatively safe for now. Quote Link to comment Share on other sites More sharing options...
ebrke Posted January 10, 2018 Share Posted January 10, 2018 Everything is good--reg key is now present, so whenever I decide to install the updates I should be okay. I'm still sticking to manual installs, not using WU except for things like .NET updates. I'm going to wait and see how everything shakes out, though. If I bork my mother's machine, I'll never hear the end of it. 2 Quote Link to comment Share on other sites More sharing options...
zlim Posted January 11, 2018 Share Posted January 11, 2018 (edited) Elizabeth all the updates for Windows 7 this month are Important. None are critical. Also as posted by Woody Leonhard there are NO KNOWN Meltdown or Spectre exploits in the wild. So take your time. You don't have to install the updates to Windows 7 while problems still remain. MS will eventually figure out how to fix the patch that causes BSOD. Edited January 11, 2018 by zlim 1 Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.