IE 11 security updates June/July 2016 are causing issues

[German]Microsoft has issued some security updates in June and July 2016 for Internet Explorer 11. Blog reader Axel H. has observed serious issues within his intranet with Sharepoint. Some Web sites are rendered wrong and it seems that other admins are facing also trouble.


Advertising

Currently I can only cumulate what I've found. Some SAP users are reporting login issues after installing IE 11 security updates. Others are facing trouble with rendering some web pages in IE 11 enterprise mode. At August 3, 2016 Axel send me an e-mail summarizing his observations. Here is an excerpt.

after installing cumulative IE 11 updates June/July 2016, some web pages in Intranet can't be opened, and on some SharePoint pages the context has been rendered in "shifted mode".

MS16-063 (June) and/or MS16-084 on W7 clients  and the corresponding Cumulative updates for Windows 10 has been installed. IE version is either 11.0.32 (June) or 11.0.33 (July). Version 11.0.31 doesn't make trouble. After uninstalling the last IE security updates, everything seems fine again. There has been only two websites, addressing similar issues:

Windows update KB3170106 messes up sharepoint
An update to our SHA-1 deprecation roadmap

Later on Axel send me further details. He found some comments in SAP user forums, where login has changed for SAP software. Here are the links.

update KB3170106 which changed the way ASP objects are handled
windows 10 update 15 Jun 2016
Could not establish secure channel for SSL/TLS with authority
June 2016 Update KB3163018 – TLS 1.0 support removed/blocked?

This posts confirms, that IE 11 updates like KB31616086 and KB3161608 are causing issues, because server certificates are exchanged. Some admins are reporting SSL errors that will be gone after uninstalling the updates.

SAP login issues

Axel has send me the link Server's Security Certificate Windows 7 addressing SAP software. He has added a SAP document dealing with this issue. Below is a screenshot of the PDF document (the content is only a graphic).

SAP Problembericht


Advertising

The site SAP B1 – There is a problem with the server's security certificate – Windows 10 deals with the same issue and recommends to uninstall KB3163017/KB3163018. SAP recommends to switch to the newest Business One clients.

First workaround

Because we are dealing with security updates for IE 11, uninstalling these patches isn't the best choice. Axel found some hints. He wrote:

The SharePoint issues could be tracked down to the Enterprise Mode site list. But HP Service Manager won't work anymore in W10 Patch. The assumption was that it's a TLS 1.0+SHA-1 handshake error.

One of his colleagues found more details. KB3161639 adds two Cipher suites, and those entries change the order of certificates. Deleting:

TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA

in HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\
Configuration\Local\SSL\00010002 enables access to Web pages in Windows 10 clients. At August 10, 2016 Axel added:

According to https://technet.microsoft.com/library/security/3042058.aspx Microsoft has changed the priority of entries in Cipher suites. Changing the position of entries within the list changes also its priorities. Under Windows 10 they moved entry

TLS_RSA_WITH_AES_128_CBC_SHA

in above the new entries

TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA

and HP ServiceManager was useable again.

The liste of „Cipher Suites" on this Microsoft page looks a bit different from our list. We fear that new patches will change the priorities and list order again. Therefore we are searching for different solutions.

Axel has added the following links to pages covering the topic:

https://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx
https://msdn.microsoft.com/library/windows/desktop/mt767769.aspx
https://blogs.technet.microsoft.com/windowsitpro/2016/05/17/simplifying-updates-for-windows-7-and-8-1/

If someone has further thoughs/insides or hints, feel free to crop a comment.


Advertising

This entry was posted in Update and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).