Jump to content


Microsoft January 2018 Security Updates


  • Please log in to reply
5 replies to this topic

#1 OFFLINE   Corrine

Corrine

    The Mystical Rose

  • Forum Admins
  • 4,138 posts

Posted 09 January 2018 - 03:51 PM

The January security release consists of 56 CVEs, 16 are listed as Critical and 38 are rated Important, 1 is rated Moderate and 1 is rated as Low in severity. The updates address Remote Code Execution, Tampering, Security Feature B y p a s s , Information Disclosure and Denial of Service.  The release consists of security updates for the following software:  
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • SQL Server
  • ChakraCore
  • .NET Framework
  • .NET Core
  • ASP.NET Core
  • Adobe Flash
   Important:   Because the out-of-band security update for "Meltdown"/"Spectre"  requires the setting of a registry key and not all antivirus software  has been updated to include the key, Microsoft updated Important: January 3, 2018, Windows security updates and antivirus software to include the following Note:  

Quote

Note:  Customers will not receive  the January 2018 security updates (or any  subsequent security updates)  and will not be protected from security  vulnerabilities unless their  antivirus software vendor sets the  following registry key: [/INDENT] [indent=1]  Key="HKEY_LOCAL_MACHINE"   Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"   Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD”
Data="0x00000000” [bold added]

If your computer has not received the security update, check the status at CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754 (Meltdown and Spectre) Windows antivirus patch compatibility.  In the event both "Sets registry key" and "Supported" are not both indicated with the letter "Y", Bleeping Computer has created a .reg file   that can be used to create the registry.  However, it should only be  used if your antivirus vendor has indicated that a manual install is  needed.  For in-depth information, see the Bleeping Computer articles Microsoft Says No More Windows Security Updates Unless AVs Set a Registry Key and How to Check and Update Windows Systems for the Meltdown and Spectre CPU Flaws.

Further note that some AMD devices are getting into an unbootable state  after installing the "Meltdown"/"Spectre" security update.  As a result,  Microsoft is temporarily pausing sending updates to devices with  impacted AMD processors at this time.  Further information is available  at Windows Meltdown and Spectre patches: Now Microsoft blocks security updates for some AMD based PCs.

More:  For more information about the updates released today, see https://portal.msrc....uidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

Also see this month's Zero Day Initiative — The January 2018 Security Update Review by Dustin Childs in which he discusses several of the patches and lincludes a breakdown of the CVE's addressed in the update.  
Posted Image

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

#2 OFFLINE   ebrke

ebrke

    Board Bigwig

  • Forum MVP
  • 2,736 posts

Posted 09 January 2018 - 06:35 PM

EDIT: As of a few minutes ago, the reg key has been created by ESET.

ESET indicates Y and Y on the spreadsheet you linked to, Corrine. However, the registry key is not present on my mother's windows machine. ESET shows up-to-date on virus signature and product module. I'm a little confused about whether I could install the MS patch on her machine. I'm not ready to do it yet anyway (like to see some of the bugs shake out first), but I'd kind of like to know where it stands. I've talked her into letting me install NoScript and her FF is the latest version, so I think she's relatively safe for now.

Edited by ebrke, 09 January 2018 - 09:07 PM.

Registered Linux User 344759

#3 OFFLINE   Corrine

Corrine

    The Mystical Rose

  • Forum Admins
  • 4,138 posts

Posted 10 January 2018 - 03:35 PM

ESET was among the first A/V's to provide the reg update.  It was released late in the day on January 3.  What OS is your Mother's machine?  Since Microsoft states that "Customers using Windows client operating systems including Windows 7 Service Pack 1, Windows 8.1, and Windows 10 need to apply both firmware and software updates.", have you checked the OEM for an update?  I gather it is Intel and not a newer AMD processor (at least post 1995).

Did you check her device with PowerShell to confirm that it does not have the reg?  (Information for the PowerShell check as well as a downloadable reg update are available in the Bleeping Computer article, How to Check and Update Windows Systems for the Meltdown and Spectre CPU Flaws.

Please Note:  If your system received the out-of-band January 3, 2018, security update, most likely, only the Flash Player and MSRT updates were installed yesterday for Windows 10.  To confirm that your system is up to date, go to Windows 10 update history.  
  • Select the Windows 10 version you are at.  For example, the Fall Creators Update is Windows 10 Version 1709 and the Creators Update is Version 1703.
  • The current Build for Windows 10 Version 1709 is OS Build 16299.192, with KB4056892, dated January 3, 2018, installed.
  • The current Build for Windows 10 Version 1703 is OS Build 15063.850, with KB4056891, dated January 3, 2018, installed.
  • To check your version go to Settings > System > About and scroll down to "Windows Specifications".
  • The OS Build under Windows Specifications will match the Windows 10 Version.
With regard to the Microsoft Office updates, the January, 2018 Office updates are listed here.  For Microsoft Office updates see How to: Install Microsoft Office Updates.
Posted Image

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

#4 OFFLINE   goretsky

goretsky

    Forum Fiend

  • Forum Moderators
  • 1,944 posts

Posted 10 January 2018 - 04:53 PM

Hello,

I read that ESET pushed an update out to all customers to automatically create the registry key, but I also know that sometimes anti-malware software doesn't apply all changes immediately in some circumstances, like pending operating system updates.  In cases like those, rebooting the computer and letting the operating system apply the updates usually resolves things.

Regards,

Aryeh Goretsky

View Postebrke, on 09 January 2018 - 06:35 PM, said:

EDIT: As of a few minutes ago, the reg key has been created by ESET.

ESET indicates Y and Y on the spreadsheet you linked to, Corrine. However, the registry key is not present on my mother's windows machine. ESET shows up-to-date on virus signature and product module. I'm a little confused about whether I could install the MS patch on her machine. I'm not ready to do it yet anyway (like to see some of the bugs shake out first), but I'd kind of like to know where it stands. I've talked her into letting me install NoScript and her FF is the latest version, so I think she's relatively safe for now.

Dexter is a good dog.

Aryeh Goretsky
Microsoft MVP (Windows - IT Pro)

Facebook Google+ personal blog personal website Twitter

#5 OFFLINE   ebrke

ebrke

    Board Bigwig

  • Forum MVP
  • 2,736 posts

Posted 10 January 2018 - 06:27 PM

Everything is good--reg key is now present, so whenever I decide to install the updates I should be okay. I'm still sticking to manual installs, not using WU except for things like .NET updates. I'm going to wait and see how everything shakes out, though. If I bork my mother's machine, I'll never hear the end of it.
Registered Linux User 344759

#6 OFFLINE   zlim

zlim

    It's me, plodr

  • Forum MVP
  • 7,057 posts

Posted 11 January 2018 - 11:38 AM

Elizabeth all the updates for Windows 7 this month are Important. None are critical.
Also as posted by Woody Leonhard

Quote

there are NO KNOWN Meltdown or Spectre exploits in the wild.
So take your time. You don't have to install the updates to Windows 7 while problems still remain. MS will eventually figure out how to fix the patch that causes BSOD.

Edited by zlim, 11 January 2018 - 11:38 AM.

Liz
Registered Linux User # 401459
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users