Channel: Windows – Born's Tech and Windows World

Windows Vista: Patching beyond EOL till January 2020


[German] Microsoft ended support for Windows Vista back in April 2017. But there is a way to keep Windows Vista supplied with security updates until January 2020. Here are the details.

Windows Vista reached End of Life

Extended Support for Windows Vista ended in April 2017 – see my blog post Windows Vista reached End of Live (April 11, 2017). This means Microsoft won’t ship security updates via Windows Update anymore.

But in rare cases, Microsoft still provides security updates for Windows Vista. One exception was the June 2017 patchday, when Microsoft released patches for Windows XP and Windows Vista (see my blog post Microsoft June 13, 2017 Patchday – further updates).

But wait, there is more

Windows Vista and Server 2008 use the same code base. A German blog reader reminded me of that fact and pointed out that security updates for Windows Server 2008 can be installed on Windows Vista. So it’s possible to download updates for Windows Server 2008 from the Microsoft Update Catalog and install the packages manually. You only have to take care to pick the 32-bit or 64-bit update that matches your system. The German blog reader wrote:

… the updates for Server 2008 are also valid for Vista. Just download it and install it manually. Special updates for Windows Server 2008 features (like Hyper-V) aren’t supported in Vista.

Examples of such special updates are the April 2017 Server 2008 updates for Hyper-V: KB3211308 and KB3217841. Both updates are not offered on a Windows Server 2008 without Hyper-V installed, and can’t be installed on Windows Vista. If you try to install such an update, Windows refuses it with a message that the update isn’t supported on this platform.

Windows Server 2008 Support till 2020

The key point for users of Windows Vista is: Microsoft has extended support for Windows (Storage) Server 2008 Standard until January 14, 2020, as you can read at this site. So in brief: Windows Vista can be patched until that date. Here are the updates provided for May and June 2017:

Updates May 2017

KB4018271
KB4019115
KB4018466
KB4018556
KB4018821
KB4018885
KB4018927
KB4019149
KB4019204
KB4019206
KB4015193

Updates June 2017

KB4021558
KB4018106
KB4021903
KB4021923
KB4022008
KB4022010
KB4022013
KB4022883
KB4022884
KB4022887
KB4024402
KB890830

Only Microsoft’s Windows Malicious Software Removal Tool (KB890830) can’t be installed in Windows Vista anymore. But most Vista users are running an up to date antivirus tool, I suppose. Martin Brinkmann from ghacks.net has also published an article based on my German blog post. Also this thread at Bleeping Computer contains some information about Windows Server 2008 security fixes available also for Vista.


WINS is legacy and vulnerable, use DNS instead


[German] Today just a short note for Windows administrators in enterprises. Windows Internet Name Service (WINS) is legacy and contains a vulnerability. Therefore WINS should not be deployed anymore. Switch to DNS instead.

WINS has a DoS vulnerability

A few days ago I published a German blog post, WINS-Lücke in Windows Server bleibt ungepatcht (unfortunately I failed to release an English version). So here are the details in brief: Microsoft’s implementation of Windows Internet Name Service (WINS) on Windows Server contains a Denial-of-Service vulnerability.

A security researcher from Fortinet recently published the article WINS Server Remote Memory Corruption Vulnerability in Microsoft Windows Server with more details of the vulnerability. This vulnerability affects WINS server enabled as a role in Microsoft Windows Server 2008, 2012 and 2016. It is a memory corruption vulnerability that can be used remotely by an attacker.

[Image: WINS (Source: Fortinet)]

But this flaw requires that WINS is activated as a role on Windows Server and has been configured.

Microsoft won’t patch this vulnerability

Fortinet’s researcher reported this vulnerability to Microsoft in December 2016. Microsoft answered in June 2017:

“a fix would require a complete overhaul of the code to be considered comprehensive. The functionality provided by WINS was replaced by DNS and Microsoft has advised customers to migrate away from it.”

So in short: Microsoft won’t fix that issue and recommends switching from WINS to Domain Name System (DNS).

Well, there is an official Microsoft recommendation

In a Google+ post for my German readers I mentioned my blog post and asked whether WINS is still alive in business environments. Reader Karl Heinz (Quamar) wrote back:

My experience is, that many enterprises still are using WINS, especially, because Microsoft hasn’t published a recommendation to move from WINS to DNS(Sec).

Well, a few days later, Karl Heinz added a 2nd comment to my post, mentioning that there is a recommendation from Microsoft, dated 05/19/2017, advising to deactivate WINS and move to DNS. Within this document Microsoft wrote:

Windows Internet Name Service (WINS) is a legacy computer name registration and resolution service that maps computer NetBIOS names to IP addresses.

If you do not already have WINS deployed on your network, do not deploy WINS – instead, deploy Domain Name System (DNS). DNS also provides computer name registration and resolution services, and includes many additional benefits over WINS, such as integration with Active Directory Domain Services.

If you have already deployed WINS on your network, it is recommended that you deploy DNS and then decommission WINS.

Well, there is no word about the WINS vulnerability I mentioned above. But the recommendation is clear: Deactivate legacy WINS and use Domain Name System (DNS).


Petya ransomware is back – using WannaCry vulnerabilities


[German] According to several sources, the Petya ransomware is back in a modified version and is heavily infecting computer systems of enterprises, banks, and power suppliers worldwide.

Currently it’s speculated that the modified Petya version (called PetyaWrap) uses the ETERNALBLUE exploit known from the WannaCry ransomware to spread over networks via an unpatched SMBv1 vulnerability.

Infections worldwide

Russian news agency TASS reported (English) that systems of companies in Russia and Ukraine are affected. This tweet contains the same message.

The Hacker News wrote that companies, banks and energy suppliers in Russia, Ukraine, Spain, France, Britain, India and other countries are affected. German Beiersdorf AG (Nivea) also seems to be a victim.

How PetyaWrap works

The ransomware reboots the computer system and encrypts the Master File Table (MFT) of accessible hard disks to lock access to the stored data. Then a message is shown (see this tweet).

Antivirus vendor Avira confirms attacks from PetyaWrap using the ETERNALBLUE exploit:

Avira claims that its customers are protected. According to Virus Total, only 16 of 61 AV products detect PetyaWrap. If the text:

“If you see this text, then your files are no longer accessible, because they are encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.”

is shown on your screen, the system is affected. The ransomware demands US $300 in bitcoins.

What to do?

First of all, install the patches provided by Microsoft to close the SMBv1 vulnerability used by the ETERNALBLUE exploit. Then check whether the AV solution used within your organisation detects PetyaWrap. And at the very least, warn your users that ransomware is being spread via an e-mail campaign – probably within an attachment. Further details may be found within The Hacker News article.

Google reveals new Windows Kernel vulnerability


Currently the ransomware PetyaWrap is spreading through computer networks. Besides that, Google has revealed a new vulnerability in the Windows kernel that hasn’t been fully patched.

The vulnerability was discovered in March 2017 by Google’s Project Zero and reported to Microsoft. It allows an application running in user mode to call the nt!NtNotifyChangeDirectoryFile system API and access kernel memory.

The issue has been confirmed in Windows 7 up to Windows 10. Microsoft released a patch for this vulnerability in June 2017. But Google claims that the vulnerability hasn’t been patched fully. So the details went public after a 90 day period here. (via)

Windows 7/8.1 Preview Rollups June 2017


[German] On June 27, 2017 Microsoft released Monthly Preview Rollups for Windows 7/8.1 and their corresponding Server versions. Here are a few details.

Update KB4022168 for Windows 7

Update KB4022168 (Preview of Monthly Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1) contains the fixes from Rollup KB4022719 and the following improvements:

  • Addressed issue where users who are sharing their screen with external or internal customers see a blue screen on the display. This is caused by a Windows Display Driver Model (WDDM) violation.
  • Addressed issue where, after installing KB3177725, an Active X control stops working.
  • Addressed an issue where Internet Explorer and Microsoft Edge printing from a frame may result in 404 not found or blank page printed.
  • Addressed issue to update time zone information.
  • Addressed a reliability issue in Windows Search.
  • Addressed issue where CRM UI may hang when pressing the reply button in mail workflow.

Update KB4022720 for Windows 8.1

Update KB4022720 (Preview of Monthly Rollup for Windows 8.1 and Windows Server 2012 R2) contains the fixes from Rollup KB4022726 and the following improvements:

  • Addressed issue where applications stop receiving SNMP traps after a random time. When this happens, no application can receive SNMP traps. A restart of the computer will temporarily resolve the issue.
  • Addressed issue to provide Server Message Block version 1 auditing on Windows Server 2012 R2.
  • Addressed issue where multiple tenant VMs reboot when one or more solid-state drives (SSDs) are removed from pool 1 of the Cloud Platform System (CPS) rack.
  • Addressed an issue where Internet Explorer and Microsoft Edge printing from a frame may result in 404 not found or blank page printed.
  • Addressed issue where certutil.exe can no longer generate an EPF file when attempting to recover a key for a version 1 certificate.
  • Addressed an issue where MPIO failover stops after a disk has been surprise removed, identified by Event ID 157: “Disk X has been surprised removed” when there are still viable paths to use. Scenario may occur when the newly selected path belongs to the disk that has been surprised removed.
  • Addressed issue where a server crash causes loss of access to files and requires full recoveries for mirrored data.
  • Addressed issue with NTFS error event, ID:55, that occurs when using Unified Write Filter in DISK mode.
  • Addressed issue where, when running ChkDsk on a volume that has several million files, ChkDsk may take several weeks to complete and appears to be stuck in Stage 3.
  • Updated the Access Point Name database.
  • Addressed issue where, when a system resumes from sleep, printers appear offline over Wi-Fi networks even though they are online. This occurs on Wi-Fi networks that are susceptible to dropped packets.
  • Addressed issue where a race condition causes an NFS server error (0x0000000A) when an NFS client mounts and unmounts an NFS share.
  • Addressed issue where stop error 0x50 may occur when querying the clients that are connected to a Network File System (NFS) in Windows Server 2012 R2.
  • Addressed issue where the svchost.exe process, which hosts the Remote Desktop gateway service, crashes. In the application log, application error 1000 occurs, and the faulting module points to c:\windows\system32\aaedge.dll. This restarts the Remote Desktop gateway service, which causes Remote Desktop connections to drop.
  • Addressed issue where intermittently, Remote Desktop sessions can stall on logoff when winlogon.exe is blocked waiting on DWM.exe. The blockage is due to a timing issue that halts DWM.exe. User sessions cannot be reused, and the Remote Desktop server must be rebooted to clear the stalled session(s).
  • Addressed issue that causes users to lose network access when Accelerated Networking (single root I/O virtualization (SR-IOV)) is enabled on guest Virtual Machines (VM). The netvsc_vfpp protocol provides IO virtualization functionality for NICs that support SR-IOV. If the protocol is removed and multiple NICs are attached to a guest VM, network access is lost.
  • Addressed issue to update time zone information.
  • Updated IDNA table to support resolving the latest Unicode emoji characters from punycode.
  • Addressed issue with performance degradation when multiple clients connect to LDAP using SSL/certificate based authentication.
  • Addressed a reliability issue in Windows Search.
  • Addressed issue where CRM UI may hang when pressing the reply button in mail workflow.

Microsoft says a known issue is connection problems with iSCSI devices.

Windows 10 Updates KB4023543, KB4022723, KB4032693, KB4032695 (June 2017)


[German] On June 27, 2017 Microsoft released cumulative updates KB4023543 (Windows 10 Creators Update, V1703), KB4022723 (Windows 10 Anniversary Update, V1607), KB4032693 for Windows 10 (V1511), and KB4032695 for Windows 10 RTM. These updates fix the Internet Explorer printing issue.

KB4022716 for Windows 10 Version 1703

Update KB4022716 for Windows 10 Creators Update (Version 1703) changes the build number to 15063.447. The update addresses the following issues:

  • Addressed an issue introduced by KB4022725 where Internet Explorer and Microsoft Edge printing from a frame may result in 404 not found or blank page printed.
  • Addressed issue where network printers may fail to install when using the printer vendor’s setup software on machines with less than 4 GB of RAM. These printers will install properly if you install using the Settings app or from Devices and Printers in Control Panel.  
  • Addressed issue that causes high memory usage for the Camera app on mobile platforms, which reduces battery life. Any app that uses a media capture element (MCE) or media element (ME) and plays 1080p will consume a lot of power, which will significantly reduce battery life. 
  • Addressed issue where, after updating to the Creators Update, devices that have Receive Segment Coalescing (RSC) enabled have significantly low wireless throughput. 
  • Addressed issue (Error 0x7F) with Windows Forms (WinForms) that causes the system to crash after upgrading to the Creators Update.
  • Addressed issue that prevents users from connecting to the Terminal Services Gateway (TSG) running on Windows Server 2008 SP2 after upgrading to the Creators Update. As a result, users cannot access Remote Desktop Services or remote apps. 
  • Addressed issue where, if you specify an auto-logon configuration in Unattend.xml, auto-logon only works on the first logon, but will not work again when the device is restarted.  
  • Addressed issue where users cannot sign in with Face after upgrading to Windows 10 RS2. 
  • Addressed issue where, after upgrading to Windows 10 RS2, modem dial-up fails with Error 633.  
  • Addressed issue where the smartcard service (sccardsvr.exe) stops periodically and never restarts when the smart card application attempts to access the cards.
  • Addressed issue where, when a laptop connected to an ISCSI disk leaves the corporate network, an error may occur when it resumes if it does not connect to the VPN fast enough.   
  • Addressed issue where a remote desktop connection with Windows 2016 RDS server fails authentication when using smartcards.
  • Addressed issue where Open Mobile Alliance (OMA) Device Management (DM) uses the wrong interface to index the on-demand APN.   
  • Addressed issue with a memory leak in the camera platform across all devices for PC (MIPI and USB cameras).
  • Addressed issue where, if the device lid close action was set to “Do Nothing”, closing and re-opening the lid causes all Universal Windows Platform apps to stop responding. 
  • Addressed issue with failed login scenarios that occur because the device does not reconnect to the host PC.
  • Addressed issue where users must wait between 40 to 60 minutes after a print spooler restart before attempting to change any printer settings.
  • Addressed issue where the cursor type does not maintain the arrow shape when the user mouses over a select option in Internet Explorer. 
  • Addressed issue where searching for a string on a page that has many iframes causes Internet Explorer to stop working. 
  • Addressed issue where Internet Explorer stops responding when a user clicks on an empty column header and then immediately holds down the SHIFT key and double clicks.
  • Addressed issue where the onhashchange event is not called when navigating hashed URLs in Internet Explorer. 
  • Addressed issue to improve pairing, connecting, synchronizing, and notifications experiences for a third-party wearable device.
  • Addressed issue to improve Bluetooth connectivity to wearable devices. 
  • Addressed issue where the NewWindow3 event is not called in Internet Explorer. 
  • Address issue with a memory leak that occurs when calling BluetoothGATTRegisterEvent() and BluetoothGATTUnregisterEvent() functions for an NFC card reader. 
  • Addressed issue where a clear (x) button inside HTML text fields cannot be disabled using the ::ms-clear attribute when Document Modes are less than 10 in Internet Explorer 11. 
  • Addressed issue where Internet Explorer 11 would fail to load HTML page after installing KB3021952
  • Addressed issue where a Windows Phone experiences data loss (email, contact, SMS, etc.) caused by Unistore database corruption. 
  • Addressed issue where guest VMs bound to a wireless NIC can lose network connectivity if the guest does not send an Address Resolution Protocol (ARP) packet in the fixed timeout window (5 minutes). 
  • Addressed issue where certain elements (input or select) cannot be active targets of any action in Internet Explorer 11. This occurs after removing an iframe that contained a cursor inside certain elements (input or select) and then adding a new iframe. 
  • Addressed issue with NVIDIA drivers that stop working (Error 0x9f) when the system goes to sleep. This also causes a shutdown of Microsoft Surface Hubs. 
  • Addressed issue to improve Remote Desktop Protocol connections to an RD Gateway configured for RPC over HTTP. 
  • Addressed issue with non-UWP applications calling into Windows.Devices.Bluetooth API’s to register callbacks or Async operations. 
  • Addressed issue with an NFC driver that becomes non-functional because of improperly tracked timer handles.
  • Addressed issue with Centennial apps that fail if they try to use the Payment Request API. 
  • Addressed issue where the Disk Cleanup and the Storage Settings tool remove files from system32 when file paths exceed the MAX_PATH size; as a result, the machine cannot be booted. 
  • Addressed issue to set the default cellular data roaming setting to “Don’t roam” when upgrading to Windows 10 Version 1703.
  • Addressed issue that lead to the loss of functionality on certain third-party network adapters after upgrading to Windows 10 Version 1703.

This update may also be downloaded via Microsoft Update Catalog.

KB4022723 for Windows 10 Version 1607

Update KB4022723 for Windows 10 Anniversary Update (Version 1607) changes the build number to 14393.1378 and addresses the following topics:

  • Addressed an issue introduced by KB4022715 where Internet Explorer and Microsoft Edge printing from a frame may result in 404 not found or blank page printed.
  • Addressed issue where CRM UI may hang when pressing the reply button in mail workflow.
  • Addressed issue where the Volume Activation Services tool (vmw.exe) stops working with error “Indicates two revision levels are incompatible“ when attempting to activate the Volume License Service role. 
  • Addressed issue where multipath I/O does not use other available paths during a failover scenario. 
  • Addressed issue where a PC randomly crashes after a user inserts a USB device into the USB port. 
  • Addressed issue where a blue screen and the “unmountable_boot_volume” message appear during the system boot process when the Unified Write Filter is enabled. 
  • Addressed issue where a computer stops working when trying to add a phone to the computer for use as a modem. 
  • Addressed issue where Simple Network Management Protocol (SNMP) applications stop receiving traps. 
  • Addressed issue where Page faults for Demand Zero Pages are significantly slower (> 10%), which causes many applications to run slower. 
  • Addressed issue with error that occurs when users sign out from an application when Active Directory Federation Services is enabled.    
  • Addressed issue where nodes fail to join a cluster because of failed certificate authentication if SHA1 is disabled.
  • Addressed issue with the Server Message Block Bandwidth limiting feature not working.
  • Addressed issue where the storage replication driver (wvrf.sys) is in an infinite loop. 
  • Addressed issue where a 2012 R2 or below Remote Desktop License Server causes the 2016 Remote Desktop Services Host to crash and stop giving sessions to clients.
  • Addressed issue to add support in certutil.exe to allow certificate templates to be marked for Windows Hello. 
  • Addressed issue where you may lose access to storage disks when there are still available paths if there is an error on one of the multipath I/O paths. 
  • Addressed a WS-Federation sign-out problem where users initiate Sign-out from an application configured with SAML. In this case the Sign-out fails with an ADFS exception identified with an ADFS Admin Event 364 Error. This issue is limited to ADFS 4.0.
  • Addressed issue where the creation of virtual disks fails in Windows Server 2016 storage spaces when the physical disk allocation is set to manual for all the selected disks.
  • Addressed additional issues in printing, updates to the Access Point Name (APN) database, Start menu and taskbar,  Internet Explorer and the Windows Shell.

This update may also be downloaded via Microsoft Update Catalog.

KB4032693 for Windows 10 Version 1511

Update KB4032693 for Windows 10 (Version 1511) changes the build number to 10586.965 and addresses the following issues:

  • Addressed an issue introduced by KB4022714 where Internet Explorer and Microsoft Edge printing from a frame may result in 404 not found or blank page printed.
  • Addressed a reliability issue in Windows Search.
  • Addressed issue where CRM UI may hang when pressing the reply button in mail workflow.

This update may also be downloaded via Microsoft Update Catalog.

KB4032695 for Windows 10 RTM Version 1507

Update KB4032695 for Windows 10 RTM (Version 1507) changes the build number to 10240.17446 and addresses the following issues:

  • Addressed an issue introduced by KB4022727 where Internet Explorer and Microsoft Edge printing from a frame may result in 404 not found or blank page printed.
  • Addressed a reliability issue in Windows Search.
  • Addressed issue where CRM UI may hang when pressing the reply button in mail workflow.

This update may also be downloaded via Microsoft Update Catalog.

News about (Not)Petya ransomware – Killswitch/vaccine found?


Currently a new variant of the Petya ransomware (aka PetyaWrap, aka NotPetya) is infecting companies and organisations (see Petya ransomware is back – using WannaCry vulnerabilities). First analyses indicate that this ransomware does more than break infected systems. There are indications that the malware also steals user credentials. There are also hints that the spread of the malware via networks isn’t restricted to unpatched SMBv1 vulnerabilities. And there is hope that a kind of kill switch/vaccine has been found to protect a machine from encryption.

Talos analysis of ‘Nyetya’ malware

Security experts from Talos (Cisco) are calling the new Petya ransomware Nyetya (for Not Petya) and have published a first analysis.

  • The assumption that the primary infection vector of this malware was an e-mail attachment hasn’t been confirmed.
  • Talos found indications that the infection started via a compromised update system of the Ukrainian tax system M.E.Doc.

Kaspersky has published a graphic showing that the majority of infections (60%) affect systems in Ukraine.


(Source: Kaspersky/BleepingComputer)

In a tweet GossiTheDog says a forged digital signature is responsible for a compromised update system.

This article at Bleeping Computer also addresses the topic: the owner of M.E.Doc confirmed a virus infection, but later denied that it is the source of the Petya attack.

Distribution via PsExec and WMIC in networks

If a Windows system is infected, a copy of the admin tool PsExec (from the Sysinternals tools) is stored as dllhost.dat within the Windows folder. Then the malware uses WMIC commands and other strategies to reach other machines within the network.

The tweet above from Dave Kennedy says that patching the ETERNALBLUE vulnerability (MS17-010) doesn’t prevent the malware from spreading over a network. Talos has published an article containing the commands used to invoke PsExec and WMIC.

C:\WINDOWS\dllhost.dat \\w.x.y.z -accepteula -s -d C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1

The command above contains a file perfc, mentioned below within the Killswitch section. Then a WMIC command tries to reach shares using a user name and a user password:

Wbem\wmic.exe /node:"w.x.y.z" /user:"username" /password:"password" "process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"

Talos is currently trying to analyze how the malware is able to obtain user credentials.
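One way to hunt for the two command lines quoted above in process-creation logs, as an added example (not code from Talos or from this blog). It assumes events with the full command line are available, for instance Sysmon event ID 1 or Security event 4688 with command-line auditing; the host names and benign sample lines are constructed, and the rundll32 rule is deliberately broader than the single file name perfc.dat.

```python
import re

# Constructed process-creation events. The two malicious command lines are the
# ones quoted in the article (placeholders w.x.y.z / username / password kept);
# host names and the benign lines are invented for this example.
SAMPLE_EVENTS = [
    {"host": "WS-014", "cmdline": r'C:\WINDOWS\dllhost.dat \\w.x.y.z -accepteula -s -d '
                                  r'C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1'},
    {"host": "WS-014", "cmdline": r'Wbem\wmic.exe /node:"w.x.y.z" /user:"username" /password:"password" '
                                  r'"process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"'},
    {"host": "WS-020", "cmdline": r'C:\Windows\System32\dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}'},
    {"host": "WS-020", "cmdline": r'C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL desk.cpl'},
    {"host": "SRV-02", "cmdline": r'wmic.exe os get Caption'},
]

REMOTE_HOST = re.compile(r'(?:^|\s)\\\\([^\s\\]+)')            # PsExec target: \\host
WMIC_NODE = re.compile(r'(?i)/node:"?([^"\s]+)"?')             # WMIC target: /node:"host"
DAT_BY_ORDINAL = re.compile(r'(?i)([^\s"\\]+\.dat)\\?"?\s*,?\s*#(\d+)')
PASSWORD = re.compile(r'(?i)(/password:)("[^"]*"|\S+)')


def image_name(cmdline):
    """Return the lower-cased file name of the executable that starts a command line."""
    cmdline = cmdline.strip()
    if not cmdline:
        return ""
    if cmdline.startswith('"'):
        exe = cmdline[1:].split('"', 1)[0]
    else:
        exe = cmdline.split(None, 1)[0]
    return re.split(r"[\\/]", exe)[-1].lower()


def redact(cmdline):
    """Mask the /password: value so alerts do not spread cleartext credentials."""
    return PASSWORD.sub(r'\1"***"', cmdline)


def analyse(event):
    """Return a list of (rule, target) findings for one process-creation event."""
    cmd = event["cmdline"]
    low = cmd.lower()
    image = image_name(cmd)
    findings = []

    # Rule 1: an executable named dllhost.dat is started (the PsExec copy).
    if image == "dllhost.dat":
        m = REMOTE_HOST.search(cmd)
        findings.append(("psexec-as-dllhost.dat", m.group(1) if m else None))

    # Rule 2: WMIC creates a process on another node.
    if image in ("wmic.exe", "wmic") and "process call create" in low:
        m = WMIC_NODE.search(cmd)
        if m:
            findings.append(("wmic-remote-process-create", m.group(1)))

    # Rule 3: rundll32 is told to load a .dat file by export ordinal.
    m = DAT_BY_ORDINAL.search(cmd)
    if "rundll32" in low and m:
        findings.append(("rundll32-dat-by-ordinal", f"{m.group(1).lower()},#{m.group(2)}"))

    return findings


def scan(events):
    """Run all rules over the events and return alert records with redacted command lines."""
    alerts = []
    for event in events:
        for rule, target in analyse(event):
            alerts.append({"host": event["host"], "rule": rule, "target": target,
                           "cmdline": redact(event["cmdline"])})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f'{alert["host"]:8} {alert["rule"]:28} {alert["target"]:14} {alert["cmdline"]}')
```

The WMIC rule matters on patched networks too, because that command carries valid credentials and does not depend on the SMBv1 vulnerability.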

Credential Stealer integrated

From this tweet I got the same information, that login data are used within a network. This tweet also contains similar information:

This Ars Technica article cites security researchers saying that a 2nd function within this ransomware tries to harvest user names and passwords and send them to servers controlled by the attackers. So the infected system is made inaccessible, but the attackers gain access to login data and may use it to infect more machines.

Killswitch found?

On Twitter Amit Serper posted this tweet, indicating a ‘kill switch’ has been found to stop an infection:

So a write-only file perfc (without extension) located within the Windows folder may stop the ransomware. Here is a 2nd source confirming that. So it’s possible to copy a file and rename it. It seems that this file prevents the encryption routine from running on an infected machine – but that’s far from a kill switch that stops other infections. A blog post at MalwareBytes also says it only stops the malware on the current machine. Bleeping Computer has this article detailing how to create the file mentioned above.

Addendum: Microsoft has details and recommendations

Microsoft has published this blog post with many details about Petya. Microsoft confirms some infection theories, says that Defender and other MS AV products have been updated to recognise this ransomware, and also gives hints on how to avoid infections.


IE11 printing issues in Windows are fixed (June 2017)


[German] Just for your information: Microsoft has finally fixed the printing issues in Internet Explorer 11 caused by the June 13, 2017 security updates in all Windows versions. Note: Update KB4032782 may cause IE 11 crashes on several web pages.

What’s the problem?

Users who have installed security updates KB4021558, KB4022719, KB4022725 etc. from June 13, 2017 are probably facing printing issues within Internet Explorer 11. The content of frames and iframes is printed as blank pages. The issue occurs on all Windows versions (Windows 7 SP1 up to Windows 10). I’ve addressed this issue within my blog posts June 2017 Patches causing Internet Explorer 11 printing issues and June 2017 security updates IE 11 printing issues confirmed.

Microsoft’s fixes

Microsoft has released Update KB4032782 for Windows 7 SP1 and Windows 8.1 to fix the Internet Explorer 11 printing issue. I’ve mentioned this in my blog post Fix KB4032782 for Internet Explorer 11 printing issues (June 2017).

Now Microsoft has also fixed the IE 11 printing issue for all Windows 10 builds. The cumulative updates released on June 27, 2017 also address the Internet Explorer 11 printing issue (see Windows 10 Updates KB4023543, KB4022723, KB4032693, KB4032695 (June 2017)).

Addendum: KB4032782 may crash IE 11

Note that KB4032782 is causing another issue. According to some comments within my German blog, IE 11 crashes on several complex pages (see also this discussion in MS Answers). Microsoft has confirmed that in an addendum (June 29, 2017) within this KB article:

After you install this update, Internet Explorer 11 may crash when you visit some websites. The problem may occur if the website is complex and uses certain web API’s.

Microsoft is researching this problem and will post more information in this article when the information becomes available.

A workaround (proposed within the German comments) is to add these websites to the IE11 compatibility list, which may avoid the crashes.

Microsoft’s Security Update Release

Microsoft has also sent out a Security Update Release via e-mail. Here are the details.

********************************************************************
Title: Microsoft Security Update Releases
Issued: June 27, 2017
********************************************************************

Summary
=======

The following CVEs have undergone a major revision increment:

* CVE-2017-0173  * CVE-2017-0299  * CVE-2017-8482  * CVE-2017-8522 
* CVE-2017-0193  * CVE-2017-0300  * CVE-2017-8483  * CVE-2017-8523 
* CVE-2017-0215  * CVE-2017-8460  * CVE-2017-8484  * CVE-2017-8524 
* CVE-2017-0216  * CVE-2017-8462  * CVE-2017-8485  * CVE-2017-8527 
* CVE-2017-0218  * CVE-2017-8464  * CVE-2017-8488  * CVE-2017-8528 
* CVE-2017-0219  * CVE-2017-8465  * CVE-2017-8489  * CVE-2017-8529 
* CVE-2017-0282  * CVE-2017-8466  * CVE-2017-8490  * CVE-2017-8530 
* CVE-2017-0283  * CVE-2017-8468  * CVE-2017-8491  * CVE-2017-8531 
* CVE-2017-0284  * CVE-2017-8469  * CVE-2017-8492  * CVE-2017-8532 
* CVE-2017-0285  * CVE-2017-8470  * CVE-2017-8493  * CVE-2017-8533 
* CVE-2017-0286  * CVE-2017-8471  * CVE-2017-8494  * CVE-2017-8534 
* CVE-2017-0287  * CVE-2017-8472  * CVE-2017-8496  * CVE-2017-8543 
* CVE-2017-0288  * CVE-2017-8473  * CVE-2017-8497  * CVE-2017-8544 
* CVE-2017-0289  * CVE-2017-8474  * CVE-2017-8498  * CVE-2017-8547 
* CVE-2017-0291  * CVE-2017-8475  * CVE-2017-8499  * CVE-2017-8548 
* CVE-2017-0292  * CVE-2017-8476  * CVE-2017-8504  * CVE-2017-8549 
* CVE-2017-0294  * CVE-2017-8477  * CVE-2017-8515  * CVE-2017-8553 
* CVE-2017-0295  * CVE-2017-8478  * CVE-2017-8517  * CVE-2017-8554 
* CVE-2017-0296  * CVE-2017-8479  * CVE-2017-8519  * CVE-2017-8555 
* CVE-2017-0297  * CVE-2017-8480  * CVE-2017-8520  * CVE-2017-8575 
* CVE-2017-0298  * CVE-2017-8481  * CVE-2017-8521  * CVE-2017-8576 
                                                   * CVE-2017-8579 
 
Revision Information:
=====================

– https://portal.msrc.microsoft.com/en-us/security-guidance
– Version: 4.0
– Reason for Revision: Microsoft is announcing the release of the
   following updates to address a known issue customers may experience
   when printing from Internet Explorer or Microsoft Edge: 4032782 for
   Internet Explorer 10 on Windows Server 2012, Internet Explorer 9 on
   Windows Server 2012; 4032695 for Internet Explorer 11 and Microsoft
   Edge on Windows 10; 4032693 for Internet Explorer 11 and Microsoft
   Edge on Windows 10 1511; 4022723 for Internet Explorer 11 and Microsoft
   Edge on Windows 10 1607; 4022716 for Internet Explorer 11 and Microsoft
   Edge on Windows 10 1703; 4022720 which is the monthly rollup preview for
   Windows 8.1 and Windows Server 2012 R2; 4022721 which is the monthly
   rollup preview for Windows Server 2012; 4022168 which is the monthly  
   rollup preview for Windows 7 Service Pack 1 and Windows Server 2008 R2
   Service Pack 1. This update removes the protection from CVE-2017-8529.
   All updates are available only on the Microsoft Update Catalog, with
   the exceptions of 4022720, 4022721, 4022168, and 4022716, which are
   also available through Windows Update.
– Originally posted: June 27, 2017 
– Aggregate CVE Severity Rating: Critical


Windows 10: Insider Preview Build 16232 for PC + Build 15228 for Mobile announced

Microsoft has released Windows 10 Insider Preview Build 16232 for PC and Build 15228 for Mobile in Fast Ring. This new Insider Preview comes with a ton of new features.

The announcement has been made within the Windows blog. Microsoft is focusing on protection for Windows 10 users this time, so there are several improvements in Windows Defender Application Guard (WDAG). Microsoft has added support for Microsoft Edge data persistence while using Application Guard.

To enable data persistence, close all Microsoft Edge windows and update the Windows Components > Windows Defender Application Guard policy to turn on data persistence.

After the Group Policy settings are set, launch a New Application Guard Window from the Microsoft Edge menu.

Then browse to your favorite web site and add it to Favorites in Microsoft Edge. To learn more about what’s coming in Windows Defender Application Guard, Microsoft released the following video.

(Source: Youtube)

Microsoft also added EMET features to the new build. Starting with this build you can now audit, configure, and manage Windows system and application exploit mitigation settings right from the Windows Defender Security Center! You don’t need to be using Windows Defender Antivirus to take advantage of these settings. Microsoft also introduced ‘Controlled folder access in Windows Defender Antivirus’ to protect folders from malicious apps and threats, such as ransomware.

Changes, improvements, and fixes for PC

  • We fixed the issue that was causing updating to the latest build to fail and roll back to the previous build if you had the .NET 3.5 Framework installed. You should no longer need to uninstall .NET 3.5 before trying to update to this build.
  • We fixed an issue for those with certain languages installed in the last flight where ctfmon.exe would go into a crash loop, resulting in typing in the Start menu and UWP apps becoming impossible.
  • We’ve listened to feedback and in Windows Defender Security Center you will soon have the option to dismiss recommendations (yellow badged items). In this build, you will see the upcoming addition however it is under construction and not up and running yet.  Stay tuned and we’ll let you know when we have it finished.
  • We fixed an issue where some games like Mass Effect 3 would crash if you used Alt + TAB after 5 minutes of game play.
  • We fixed an issue resulting in Word 2016 crashing if you attempted to ink in it.
  • We fixed an issue where using the new Ctrl + Win + C hotkey to enable and disable color filters would unexpectedly open Settings.
  • We fixed an issue from the last flight where auto-complete in the URL bar of Microsoft Edge might fail on some devices – searching for a partial string instead of the autocompleted text. This fix should also address the feedback some of you were reporting where Cortana sometimes couldn’t keep up with typing on that flight and the letters would end up out of order.
  • We fixed an issue where the File Explorer Ribbon assets were blurry if the window’s DPI was not equal to the system DPI.
  • We fixed an issue resulting in apps that start with X, V or Q being incorrectly categorized in Start on Polish builds.
  • We’ve moved the new Video Playback Settings page to now be listed under the Apps category, and have fixed the issues on the page where the video and battery dropdown weren’t displaying correctly.
  • We fixed an issue with the XAML Acrylic Brush that could result in certain apps, for example Maps, occasionally crashing due to attempting to load acrylic brushes while the app was suspended.
  • We fixed a rare condition that could result in Start menu appearing to flash/flicker continuously.

Known issues for PC

  • Your PC may fail to update to this build with an 0x80070643 and rolls back to the previous build. We are investigating.
  • We’re continuing to investigate reports that the battery status on certain laptops isn’t updating while the device is unplugged. If you think you are seeing this, please send in feedback via Feedback Hub and use the capture feature when logging your feedback so we can get your logs.
  • You may notice some of your inbox apps are now displaying a name that looks like “ms-resource:” and are listed at the bottom of Start. We’re investigating. In the meantime, the app should still launch normally, it’s only the name resource that’s impacted.
  • Some UWP apps such as Twitter will crash on launch.
  • Xbox Live in-game experiences may fail to load. These include gamer profiles, achievement details, and other dialogs that may pop up on top of an Xbox Live-enabled game.
  • Please avoid doing a PC reset via Settings > Update & security > Recovery and choosing “Remove everything”. This may put your device into a reboot loop.
  • Task Manager may hang on launch on this build.

Further details may be obtained within Microsoft’s blog post.

Windows 10: stock app updates are paused for insiders

After release of Windows 10 Insider Preview build 16232 for PCs Microsoft has temporarily paused updates for stock apps for Windows Insiders.

Dona Sarkar announced it within a blog post:

“In order to provide Windows customers with the highest quality inbox apps possible, we will pause testing new versions of our inbox apps with Windows Insiders. This means that Insiders will not receive app updates from the Windows Store for our inbox apps that are newer than the apps included in the build. Insiders may notice that some features we were testing in our inbox apps – including recent updates to the Photos app – will temporarily disappear. This is because some of our inbox apps won’t have all the latest new features without getting an update from the Store.

It is critical that Insiders are experiencing the same version of Windows that will be released as the default version for all Windows users. Insiders will once again start receiving app updates in the very near future. As always, your feedback will help us tremendously to define the overall Windows experience and insure the quality of the Windows 10 Fall Creators Update is excellent for our customers.”

Stack Buffer Overflow vulnerability in AVAST antivirus

[German] AVAST antivirus had a vulnerability that allowed a Remote Stack Buffer Overflow with Magic Numbers. The issue has already been patched.

This information has been released within an article in the landave.io blog. Antivirus software needs to determine a file's type in order to analyze it in the right context. Therefore, the first part of the scanning process usually involves scanning the file for ‘Magic Numbers’. A PDF file, for instance, starts with the ASCII string %PDF-.

Within its module algo, AVAST’s scan engine tries to detect multiple instances of a Magic Number within a file. Each instance creates a data structure on the stack. The author of the blog post linked above created a file with many Magic Numbers and had AVAST scan it. He used a file with the following Magic Numbers:

Rar!Rar!Rar!Rar!Rar!Rar!Rar!Rar!Rar!Rar!Rar!Rar!Rar!Rar!Rar!Rar!Rar!Rar! Rar!Rar!Rar!Rar!Rar!Rar!Rar!Rar!Rar!Rar!Rar!%PDF-%PDF-%PDF-%PDF-%PDF-

This triggered a stack buffer overflow that gives an attacker control over the stack. The vulnerability was reported to AVAST on September 23, 2016, and AVAST patched the software on September 29, 2016. Further details may be found within the linked article.
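The failure mode described above, as an added example (not AVAST's code and not taken from the linked article): a magic-number scanner that records each hit in a fixed-size table and checks the capacity before every store. The record layout, the capacity `MAX_HITS`, the function names and the sample input are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Signature table: only the two magic numbers quoted in the article. */
struct magic { const char *name; const char *bytes; size_t len; };
static const struct magic MAGICS[] = {
    { "RAR", "Rar!",  4 },
    { "PDF", "%PDF-", 5 },
};
#define N_MAGICS (sizeof MAGICS / sizeof MAGICS[0])

/* One record per hit. Layout and capacity are assumptions, not AVAST's. */
struct hit { size_t offset; int type; };
#define MAX_HITS 16

struct scan_result {
    struct hit hits[MAX_HITS]; /* fixed-size table, typically a stack local */
    size_t stored;             /* records written to hits[] */
    size_t seen;               /* hits found in the input, stored or not */
    int truncated;             /* 1 if the input held more hits than fit */
};

/* Scan buf for every known magic number at every offset.
 * Returns 0 on success, -1 on bad arguments. */
int scan_magics(const unsigned char *buf, size_t len, struct scan_result *out)
{
    if (buf == NULL || out == NULL)
        return -1;
    memset(out, 0, sizeof *out);

    for (size_t i = 0; i < len; i++) {
        for (size_t m = 0; m < N_MAGICS; m++) {
            size_t ml = MAGICS[m].len;
            if (len - i < ml)                 /* never read past the input */
                continue;
            if (memcmp(buf + i, MAGICS[m].bytes, ml) != 0)
                continue;
            out->seen++;
            /* Capacity check before the store. Without it, hit number
             * MAX_HITS + 1 is written past the end of hits[], and the
             * file's author decides how many hits there are. */
            if (out->stored == MAX_HITS) {
                out->truncated = 1;
                continue;
            }
            out->hits[out->stored].offset = i;
            out->hits[out->stored].type = (int)m;
            out->stored++;
        }
    }
    return 0;
}

/* Constructed sample input: n_rar copies of "Rar!" then n_pdf of "%PDF-". */
size_t build_sample(unsigned char *dst, size_t cap, size_t n_rar, size_t n_pdf)
{
    size_t pos = 0;
    for (size_t i = 0; i < n_rar && cap - pos >= 4; i++, pos += 4)
        memcpy(dst + pos, "Rar!", 4);
    for (size_t i = 0; i < n_pdf && cap - pos >= 5; i++, pos += 5)
        memcpy(dst + pos, "%PDF-", 5);
    return pos;
}

int main(void)
{
    unsigned char file[256];
    struct scan_result r;
    size_t n = build_sample(file, sizeof file, 30, 5);

    scan_magics(file, n, &r);
    printf("hits seen=%zu stored=%zu truncated=%d\n", r.seen, r.stored, r.truncated);
    /* An implausible number of magic numbers is itself a signal worth
     * reporting instead of silently dropping. */
    if (r.truncated)
        puts("verdict: flag file, hit table capacity exceeded");
    return 0;
}
```

The point of the `seen` counter is that the scanner keeps counting after the table is full, so the verdict can reflect how far the input exceeded what a legitimate file would contain.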

Windows 10 error 0xc000007b in AccelerometerSt.exe

Users of Windows 10 may be facing a strange issue after an update. Each time after login, error code 0xc000007b is reported for the application AccelerometerSt.exe.

The issue

I stumbled upon this behavior within a German forum. A user wrote: After an update for Windows 10 I receive an AccelerometerSt.exe dialog box with the error message shown below.

The error dialog box has ‘AccelerometerSt.exe – Application error’ in its title. The error message says: The application could not be started (0xc000007b). All a user can do is close the application via OK. This error has also been reported for Windows 8.1 after updates.

Error code 0xC000007B stands for STATUS_INVALID_IMAGE_FORMAT. Something went wrong with a library image file (probably mixed DLL versions). Because it occurs after an update, it indicates an application incompatibility. In most cases, a re-install of the application should cure this issue.

What is AccelerometerSt.exe for?

Searching the web for AccelerometerSt.exe reveals this entry. The application is preinstalled on some HP systems. AccelerometerSt.exe belongs to ‘HP 3D-Driveguard (HP ProtectSmart Hard Drive Protection)’ and is intended to protect the disk from damage.

The fix for the error message given above is: Uninstall the HP tool via Control Panel, reboot, and check whether HP offers a new version of AccelerometerSt.exe. Install this version and check whether the issue is gone. If not, leave the tool off your system.

LibreOffice 5.3.4 released

The LibreOffice team released LibreOffice version 5.3.4 on June 26, 2017. This is a free Office suite available for Linux, macOS and Windows. Details about the 5.3 branch may be found here within the release notes. Download is available from this LibreOffice page.

Windows 10 Version 1709 ‘feature locked’?

[German] It seems that Windows 10 Fall Creators Update, expected in September or October 2017, is ‘feature complete’ or, more precisely, ‘feature locked’. Here are a few more details.

At BUILD 2017 Microsoft announced Windows 10 Fall Creators Update and told us what to expect. One feature announced was Timeline, a function that allows users to sync their work across all of their Windows 10, Android and iOS devices. Now it seems that many planned features, like Timeline, didn’t make it into the Windows 10 Fall Creators Update. After Tom Warren insisted on that at Twitter (see also), Joe Belfiore from Microsoft confirmed it.

Zack Bowden from WindowsCentral nailed it down. If Microsoft moves all announced features new to Fall Creators Update to the upcoming Spring 2018 Update, the current Insider Builds might be ‘feature frozen’. 

It seems that two new builds a year is too much for Microsoft. We have had the well announced People app, that has been postponed from Windows 10 Creators Update to Windows 10 Fall Creators Update. And also in previous builds some features have been postponed to a ‘next build’. Reading many comments from Microsoft enthusiasts, I can sum it up: ‘It would be better for users, if Microsoft came out with one well designed, tested and stable new Windows 10 build once a year instead of pushing out quick shots of Windows 10 feature updates’. What’s your opinion?

Windows 10 Insider: Cumulative Updates KB4034450 in Slow and build 16232.1004 in Fast Ring

Microsoft has released two Windows 10 updates for Windows Insiders in Slow and Fast Ring. The most recent update shifts Windows 10 to build 16232.1004 in Fast Ring. Update KB4034450 addresses a black screen bug in Windows 10 V1703 and is available for Windows Insider testing in Slow Ring.

Update KB4034450 for Slow Ring

Cumulative update KB4022716, shipped at the end of June for Windows 10 (see Windows 10 Updates KB4023543, KB4022723, KB4032693, KB4032695 (June 2017)), has caused serious issues on some systems. It’s causing a black screen after screen timeout, as discussed within this lengthy MS Answers forum thread (and also here and here).

Some people using Windows 10 Version 1703 are blaming Comodo (or other AV products) as a root cause (see this MS-Answers forum thread). A few hours ago, Microsoft released update KB4034450 for Windows Insiders testing Windows 10 V1703 in Slow Ring. There has been an amendment to an announcement within the Windows 10 blog saying:

UPDATE 7/5: We have released KB4034450 to Windows Insiders in the Slow ring which supersedes KB4022716 and includes a single fix for an issue causing some laptops to boot to a black screen.

Windows 10: Update to build 16232.1004 in Fast Ring

A second addendum to this Windows blog post is announcing Cumulative Update Build 16232.1004 to Windows Insiders in the Fast ring running Build 16232. The addendum says:

UPDATE 7/6: Today we have released Cumulative Update Build 16232.1004 to Windows Insiders in the Fast ring running Build 16232. The primary goal of this update is to test our servicing pipeline. This update should not require you to have to reboot unless you happen to have Notepad.exe open.

Microsoft says that this update only revs the version of the OS and includes an updated binary version of Notepad.exe and nothing else. It does introduce the following issues to be aware of:

  • Make sure you’ve setup Mixed Reality before taking this update.
  • After installing a language pack or feature-on-demand like .NET 3.5, your PC may be offered this update again and fail.

This update will only remain available until the next WIP Fast build is released. The update shall be offered via Windows Update, if the Windows 10 machine runs Build 16232 in Fast Ring.


Windows 10 Insider Preview: Build 16237 in Fast ring, Build 16232 in Slow ring

Microsoft has released Windows 10 Insider Preview Build 16237 in Fast Ring. The announcement has been made within Windows Blog. There you will find details what’s new (the branch is feature locked, so no huge new features). And for Insiders in Slow Ring, Microsoft has released Build 16232 (see addendum at this Windows-Blog post).

Microsoft July 2017 patch day

On July 11, 2017, Microsoft released a couple of cumulative updates for Windows 10, Rollup Updates for Windows 7 SP1 and Windows 8.1, and some other updates for Internet Explorer, .Net Framework and so on.

The Internet Explorer 11 updates fix the IE 11 crashes observed after the last IE update. Here are the update categories:

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • .NET Framework
  • Adobe Flash Player
  • Microsoft Exchange Server

Windows 10 Version 1507 has been out of support since May 9, 2017, except for Windows 10 Enterprise 2015 LTSB. For CVE-2017-8563 see KB4034879. An overview of all patches may be found here. Here is a list of updates from July 11, 2017:

  • KB4025342: Windows 10 Version 1703
  • KB4025339: Windows 10 Version 1607
  • KB4025344: Windows 10 Version 1511
  • KB4025338: Windows 10 Version 1507
  • KB4025336: (Monthly Rollup) for Windows 8.1/Windows Server 2012 R2
  • KB4025333: (Security-only update) for Windows 8.1/Windows Server 2012 R2
  • KB4025341: (Monthly Rollup) for Windows 7/Windows Server 2008 R2 SP1
  • KB4025337: (Security-only update) for Windows 7/Server 2008 R2 SP1
  • KB4022746: Security Update for Windows Server 2008 and Windows XP Embedded
  • KB4022748: Security Update for Windows Server 2008
  • KB4022883: Security Update for Windows Server 2008
  • KB4022914: Security Update for Windows Server 2008
  • KB4025240: Security Update for Windows Server 2008
  • KB4025252: Cumulative Security Update for Internet Explorer
  • KB4025397: Security Update for Windows Server 2008
  • KB4025398: Security Update for Windows Server 2008
  • KB4025409: Security Update for Windows Server 2008
  • KB4025497: Security Update for Windows Server 2008
  • KB4025674: Security Update for Windows Server 2008
  • KB4025872: Security Update for Windows Server 2008
  • KB4025877: Security Update for Windows Server 2008
  • KB4026059: Security Update for Windows Server 2008
  • KB4026061: Security Update for Windows Server 2008
  • KB4032955: Security Update for Windows Server 2008

And there is update KB4034374 (2017-07 Dynamic Update for Windows 10 Version 1703). Updates for .Net, Office etc. are not listed here. Below are the details from Microsoft’s Security Bulletins.

Microsoft Security Bulletin July 2017

********************************************************************
Microsoft Security Update Summary for July 2017
Issued: July 11, 2017
********************************************************************

This summary lists security updates released for July 2017.

Complete information for the July 2017 security update release can
Be found at https://portal.msrc.microsoft.com/en-us/security-guidance.

Critical Security Updates
============================

Critical    Adobe Flash Player
Critical    Internet Explorer 9
Critical    Internet Explorer 11
Critical    Microsoft Edge
Critical    Windows 7 for 32-bit Systems Service Pack 1
Critical    Windows 7 for x64-based Systems Service Pack 1
Critical    Windows 8.1 for 32-bit systems
Critical    Windows 8.1 for x64-based systems
Critical    Windows RT 8.1
Critical    Windows 10 for 32-bit Systems
Critical    Windows 10 for x64-based Systems
Critical    Windows 10 Version 1511 for 32-bit Systems
Critical    Windows 10 Version 1511 for x64-based Systems
Critical    Windows 10 Version 1607 for 32-bit Systems
Critical    Windows 10 Version 1607 for x64-based Systems
Critical    Windows 10 Version 1703 for 32-bit Systems
Critical    Windows 10 Version 1703 for x64-based Systems
Critical    Windows Server 2008 for 32-bit Systems Service Pack 2
Critical    Windows Server 2008 for 32-bit Systems Service Pack 2
            (Server Core installation)
Critical    Windows Server 2008 for Itanium-Based Systems Service
            Pack 2
Critical    Windows Server 2008 for x64-based Systems Service
            Pack 2
Critical    Windows Server 2008 for x64-based Systems Service
            Pack 2 (Server Core installation)
Critical    Windows Server 2008 R2 for Itanium-Based Systems
            Service Pack 1
Critical    Windows Server 2008 R2 for x64-based Systems Service
            Pack 1
Critical    Windows Server 2008 R2 for x64-based Systems Service
            Pack 1 (Server Core installation)
Critical    Windows Server 2012
Critical    Windows Server 2012 (Server Core installation)
Critical    Windows Server 2012 R2
Critical    Windows Server 2012 R2 (Server Core installation)
Critical    Windows Server 2016
Critical    Windows Server 2016 (Server Core installation)

Important Security Updates
============================

Important    Excel Services installed on Microsoft SharePoint Server 2010
            Service Pack 2
Important    Microsoft Business Productivity Servers 2010 Service Pack 2
Important    Microsoft Excel 2007 Service Pack 3
Important    Microsoft Excel 2010 Service Pack 2 (32-bit editions)
Important    Microsoft Excel 2010 Service Pack 2 (64-bit editions)
Important    Microsoft Excel 2013 RT Service Pack 1
Important    Microsoft Excel 2016 (32-bit edition)
Important    Microsoft Excel 2016 (64-bit edition)
Important    Microsoft Excel Viewer 2007 Service Pack 3
Important    Microsoft Office 2007 Service Pack 3
Important    Microsoft Office 2010 Service Pack 2 (32-bit editions)
Important    Microsoft Office 2010 Service Pack 2 (64-bit editions)
Important    Microsoft Office 2013 RT Service Pack 1
Important    Microsoft Office 2013 Service Pack 1 (32-bit editions)
Important    Microsoft Office 2013 Service Pack 1 (64-bit editions)
Important    Microsoft Office 2016 (32-bit edition)
Important    Microsoft Office 2016 (64-bit edition)
Important    Microsoft Office 2016 for Mac
Important    Microsoft Office for Mac 2011
Important    Microsoft Office Compatibility Pack Service Pack 3
Important    Microsoft Office Online Server 2016
Important    Microsoft Office Web Apps 2010 Service Pack 2
Important    Microsoft SharePoint Enterprise Server 2013
Important    Microsoft SharePoint Enterprise Server 2016
Important    Microsoft .NET Framework 4.6
Important    Microsoft .NET Framework 4.6.1
Important    Microsoft .NET Framework 4.6.2/4.7
Important    Microsoft .NET Framework 4.7
Important    Microsoft Exchange Server 2013 Service Pack 1
Important    Microsoft Exchange Server 2013 Cumulative Update 16
Important    Microsoft Exchange Server 2016 Cumulative Update 5

Moderate Security Updates
============================

Moderate    Internet Explorer 10
Moderate    Microsoft Exchange Server 2010 Service Pack 3

********************************************************************
Title: Microsoft Security Update Releases
Issued: July 11, 2017
********************************************************************

Summary
=======

The following CVEs and Microsoft security bulletins have undergone
a major revision increment.

* CVE-2016-3305
* CVE-2017-0292
* CVE-2017-8543
* MS16-111
* MS16-SEP

CVE Revision Information:
=====================

CVE-2016-3305

– Title: CVE-2016-3305 | Windows Session Object Elevation of
   Privilege Vulnerability
https://portal.msrc.microsoft.com/en-us/security-guidance
– Reason for Revision: Revised the Affected Products table to
   include 10 Version 1703 for 32-bit Systems and Windows 10 Version
   1703 for x64-based Systems because they are affected by
   CVE-2016-3305. Microsoft recommends that customers running Windows
   10 Version 1703 should install update 4025342 to be protected from
   this vulnerability.
– Originally posted: September 13, 2016 
– CVE Severity Rating: Important
– Version: 2.0

CVE-2017-0292

– Title: CVE-2017-0292 | Windows PDF Remote Code Execution
   Vulnerability
https://portal.msrc.microsoft.com/en-us/security-guidance
– Reason for Revision: To address a known issue customers
   may have experienced when rendering PDF files, Microsoft
   has released an update with the July security and monthly
   rollup updates. Microsoft recommends that customers who
   have experienced this known issue should install the July
   security or monthly rollup updates.
– Originally posted: June 13, 2017
– Updated: June 13, 2017
– CVE Severity Rating: Critical
– Version: 5.0

CVE-2017-8543

– CVE-2017-8543 | Windows Search Remote Code Execution
   Vulnerability
https://portal.msrc.microsoft.com/en-us/security-guidance
– Reason for Revision: To more comprehensively address
   CVE-2017-8543, Microsoft is releasing security update 4025339
   for affected editions of Windows 10 Version 1607 and security
   update 4025342 for affected editions of Windows 10 Version 1703.
   Microsoft recommends that customers running these versions of
   Windows 10 install the updates to be protected from this
   vulnerability.
– Originally posted: June 13, 2017 
– Updated: July 11, 2017
– CVE Severity Rating: Critical
– Version: 5.0

Microsoft Security Bulletin Revision Information:
=====================

MS16-111

– Title: Security Update for Windows Kernel (3186973)
https://technet.microsoft.com/library/security/ms16-111
– Reason for Revision: Revised the Windows Affected Software
   and Vulnerability Severity Ratings  table to include 10 Version
   1703 for 32-bit Systems and Windows 10 Version 1703 for x64-based
   Systems because they are affected by CVE-2016-3305. Microsoft
   recommends that customers running Windows 10 Version 1703 should
   install update 4025342 to be protected from this vulnerability.
– Originally posted: September 13, 2016 
– CVE Severity Rating: Important
– Version: 2.0

MS16-SEP

– Title: Microsoft Security Bulletin Summary for September 2016
https://technet.microsoft.com/library/security/ms16-SEP
– Reason for Revision: For MS16-111, added Windows 10 Version
   1703 for 32-bit Systems and Windows 10 Version 1703 for
   x64-based Systems to the Affected Software table because
   they are affected by CVE-2016-3305. Microsoft recommends that
   customers running Windows 10 Version 1703 should install
   update 4025342 to be protected from this vulnerability.
– Originally posted: September 13, 2016 
– CVE Severity Rating: N/A
– Version: 2.0

Botched Updates KB4025252 and KB4025336 (July 2017)

On July 11, 2017, Microsoft released two botched updates, KB4025252 and KB4025336, for Internet Explorer and Windows 8.1. Here’s what’s wrong with these updates. Addendum: It seems that an update revision fixed some install issues.

The IE patch disaster

Users who installed the June security updates KB4021558 or KB4022719 or KB4022725 etc. ran into printing issues in Internet Explorer 11. I mentioned it within my blog post June 2017 Patches causing Internet Explorer 11 printing issues.

Microsoft issued Update KB4032782 to fix this error (see IE11 printing issues in Windows are fixed (June 2017)). But users are reporting crashes of Internet Explorer 11 when visiting several web sites.

A fix for Internet Explorer 11 crashes (July 2017)

On July 11, 2017, Microsoft released another fix for Internet Explorer that is intended to fix the crashes when visiting complex web sites.

  • In Windows 7 SP1 (and corresponding Server variants) Rollup Update KB4025341 fixes the crashing issue.
  • In Windows 8.1 (and corresponding Server variants) Rollup Update KB4025336 fixes the crashing issue.
  • For Windows 10 and Windows Server 2017, cumulative updates KB4025342, KB4025339, KB4025344, and KB4025338 contain the fix.

I’ve mentioned these updates within my blog post Microsoft July 2017 patch day.

Update KB4025252 reinstalling multiple times

Microsoft has also released cumulative update KB4025252 for Internet Explorer. This update is helpful for admins installing security-only Rollup updates for Windows 7 SP1 or Windows 8.1 and the corresponding Server variants. But it seems that this patch is botched; many users are reporting issues (at least with WSUS).

  • I received the first information as a comment within my German blog. Users are reporting that update KB4025252 is offered multiple times for installing in WSUS.
  • Also this comment within my English blog mentions the update loop for this package.
  • At reddit.com a user created this thread reporting the same issue.
  • And within this technet forum thread, many users are confirming that update KB4025252 is offered multiple times for installing in WSUS or via SCCM.

German blog reader Marco R. informed me via e-mail, that update KB4025252 is offered also several times via SCCM. While SCCM says, the update install fails …

… the Windows event manager says the update was installed successfully.

The only workaround: Hide or block this update in WSUS or SCCM and wait, until Microsoft delivers the next fix.

Revised update KB4025252 fixes WSUS issue

Some German blog readers mentioned that Microsoft released revision 210 of update KB4025252 on July 12, 2017 for WSUS and SCCM. Further comments posted within my German blog say that the multiple installs on clients via WSUS have been fixed.

But Microsoft hasn’t updated the KB article yet.

I also contacted blog reader Marco R., who sent me the SCCM screenshots above. He wrote back that the revised update is offered on SCCM, but there are still install errors (see screenshot below).

Marco is trying to verify it again, but so far it seems that it hasn’t been fixed for SCCM.

Update KB4025336 blocks WSUS connections in clients

German blog reader JohnRipper points within this comment to another issue. Update KB4025336 (Monthly Rollup for Windows 8.1/Windows Server 2012 R2) blocks the clients’ connection to WSUS. The clients report error 0x80244008 during update search. This error code stands for (see Windows: How to decode update 0x8024…. errors):

WU_E_PT_SOAPCLIENT_PARSEFAULT – 0x80244008 – (16392) – Same as SOAPCLIENT_PARSEFAULT_ERROR – SOAP client failed to parse a SOAP fault.

This thread in the Technet forum is also discussing the same issue. If you are wondering about KB4022720 mentioned within this thread: It’s the Preview of the Monthly Rollups. In other words: Microsoft had been aware of this issue since the end of June 2017, but they decided to ship the botched update on July 11, 2017.

KB4025252 WSUS/SCCM install issue partly fixed

Update KB4025252 (cumulative update for Internet Explorer) is causing install loops on clients if distributed via WSUS or SCCM. Microsoft released a revision on July 12, 2017 to fix the install issue. But it works only partly – details may be found within my older blog post Botched Updates KB4025252 and KB4025336 (July 2017).

Windows 10 Insider Build 16241 (PC)/15230 (Mobile)

Microsoft has released Insider Preview Builds of Windows 10 in Fast Ring. There is Windows 10 Insider Build 16241 for PCs and Insider Build 15230 for Windows 10 Mobile devices.

The announcement has been made by Dona Sarkar within the Windows blog. Microsoft has included some Shell improvements in the PC version. Some of these improvements have been reported by blogs during the last days.

  • It’s possible to recover the pin and password of a user account from the lock screen.
  • Build 16241 will be shipped with a refined Acrylic material design.
  • There are Gaming and Task Manager improvements.
  • Also Edge and Mixed Reality have been improved.
  • Microsoft also added a page within the Settings app to control ‘Delivery Optimization’ for Updates and limit used bandwidth.

Delivery Optimization
(Source Microsoft)

There is also a long list of general changes, improvements, and fixes for PC, and there are several known issues. Details may be read here.
