[German]On patchday (October 11, 2017) Microsoft has released several updates for Windows, Office and other products. In this blog post I would like to take another quick look at the updates. I also collected issues, that are caused by these updates.
Advertising
Quick patchday review
I introduced the individual updates for Windows, Office etc. in various blog posts (see link list at the end of this article).
No Flash update
Adobe has fixed a bug in Flash Player 27.0.0.159 – on October 10, 2017 (see Adobe Flash Update 27.0.0.159 (October 2017)). As far as I know, Microsoft hasn't released a Flash Player update for Windows on patchday.
No Security Only Update for .NET Framework
It has been mentioned within this German comment within my blog: Microsoft offers 2017-10 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7 (KB4043766). But a Security Only Update for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7 is missing.
Will .NET Framework 4.6 be updated at 4.7?
Woody Leonhard pointed out within this article, that users of .NET Framework 4.6 will be forced to upgrade to .NET Framework 4.7, if they are installing 2017-10 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7 (KB4043766). User @abbodi86 has posted such a comment at AskWoody.com:
Starting July 2017, all .NET 4.6/4.6.1/4.6.2/4.7 updates have been reconciled into one rollup update that is based on 4.7 binaries version — meaning, your .NET 4.6.x version is transforming into 4.7 under the hood… so [if you want to stay patched,] the best decision would be to install 4.7 itself or install .NET 4.5.2, which is still [getting updates] separately.
But I should also note, that a German pointed out, that .NET Framework 4.7 isn't compatible with Exchange Server 2016. Microsoft has published this article in June 2017 about that topic. So I don't think, that KB4043766 is transforming the system to .NET Framework 4.7 – but maybe I'm wrong.
Advertising
Fixed vulnerabilities
In total, Microsoft has released 62 security patches for Windows, Internet Explorer (IE), Edge, Office and Skype for businesses. Of these 62 CVEs, 27 are classified as critical and 35 as important (see this article on zerodayinitiative.com from HP).
CVE-2017-11826 – Microsoft Office Memory Corruption Vulnerability: There is a exploit available for this vulnerability.
CVE-2017-11777 – Microsoft Office SharePoint XSS Vulnerability was publically known before the patch has been released.
CVE-2017-11779 – Windows DNSAPI Remote Code Execution Vulnerability: A remote code execution vulnerability exists in Windows Domain Name System (DNS) DNSAPI.dll when it fails to properly handle DNS responses. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account.
Security Advisory ADV170012 addresses an issue in TPM on Infineon main boards. German blog reader Denis has addressed this within his comment:
It is interesting that after installing the Windows 10 update, a check of the TPM firmware for a vulnerability issue is carried out today. And the event 1794 (TPM-WMI) in the event log for those affected says:
The TPM (Trusted Platform Module) firmware on this PC has a known security problem. Check with your PC manufacturer for an update. For more information, see https://go.microsoft.com/fwlink/?linkid=852572."
Windows 10 only, no logs on the same computer under Windows 7.
Although today (10.10.) I just received the message, Infineon has already created a web page pointing out, that they are working together with device manufacturers (see).
Patchday issues
Unfortunately, it seems as if the new updates cause massive problems for users. Here's what I've seen so far.
Windows 10 update install fails with 'Inaccessible Boot Device'
In environments where updates are distributed via WSUS and SCCM, a Blue Screen 'Inaccessible Boot Device' appeared on many machines. Apparently, the controller drivers were not loaded. The machine could only be brought to life via the recovery console. This problem in WSUS and SCCM environments is discussed within the following blog posts.
Windows 10 V1703: Update KB4041676 install issues
Microsoft confirms BSOD issue with KB4041676/KB4041691
Outlook can't access CRM
After installing the October 2017 updates, users recognizing, that the Outlook Addin to access CRM (4.0 and 2011) wont work anymore. Within this Technet forum entry a user reported, that update KB4011196 blocks calling CRM 4.0 from Outlook 2007 up to 2013. Another user writes within this comment (German):
FYI: all three updates listed under CVE-2017-11774 prevent us from accessing CRM via Outlook. Uninstalling the updates solves the problem. .
It affects the security updates KB4011196 (Outlook 2010), KB4011178 (Outlook 2013) and KB4011162 (Outlook 2016). Also this thread within the dynamics forum deals with issues accessing CRM 4.0 from Outlook after installing update KB4011196. Emily Malbon (from Microsoft) left the following comment:
Update from Microsoft on this issue. The development team are working on a fix which will come in the form of a Hotfix or KB Windows Update but in the interim it is possible to implement a workaround so that the KB can be installed.
Symptom: When clicking on a link to an entity which should load the view for that entity, but actually ends up loading the Outlook "email" view
Cause: Issue is related to a windows updates
- Windows Version 7 Office Version 2010, 2013 KB update with issue KB4011178
- Windows Version 7 Office Version 2010, KB update with issue KB4011196
- Windows Version 7 Office Version 2016, KB update with issue KB4011162
- Windows Version Office Version 2010, KB update with issue KB4011089
Resolution: Our workarounds are a registry edit please see regedit key you can add below:
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security]
"EnableRoamingFolderHomepages"=dword:00000001
Within the forum thread is another post mentions KB4049314 (Microsoft Dynamics 365 for Outlook is unable to render webpages after installing the October 2017 Microsoft Outlook security update), and says, it helps to set the above DWORD-Wert to 2. At askwoody.com is a user post, saying.
However, I must say that I'm SUPER UPSET about this CRM thing. The bug they caused a couple of months ago affected over 3,000 systems here and it was just after Microsoft screwed up the previous month of patching (in a year where basically every month has been filled with missteps). Now I'm reluctant to push any patches this month.
More Outlook issues
Microsoft has created a workaround article dealing with patchday 'accidents' with Outlook. For October 2017 this page contains two entries. One deals with missing folder properties on homepage (that's by design and may be fixed via a registry hack). The 2nd entry deals with delayed user login on E-Mail attachments.
JET-DB-Engine, Office links
Within my German blog there is the following comment, mentions trouble, linking Excel files with Access.
Since the last windowsupdate 10.10.2017, it is no longer possible to link excel files to Access 2000, or to open linked excel files.
A second comment confirms, that Excel drops a data base error.
Hello, DKPrince,
we probably have the same problem here.
On all Windows 7 computers, we are processing address database. Accessing the database produce an error, that the data base .xls can't be opened, because it supposedly has no data fields.In Excel itself, the address lists can be opened without any problems, only if we want to link the file for serial letter creation, a database error occurs.
With .xlsx it works immediately and with a conversion into a. csv it works the same way.
Within my blog post Security Updates for Windows 7/8.1 (October 2017) I mentioned, that Microsoft patched the Microsoft JET Database Engine with Update KB4041681 and Update KB4041678 (Windows 7), and Update KB4041693 and Update KB4041687 (Windows 8.1).
- CVE-2017-8717 – Microsoft JET Database Engine Remote Code Execution Vulnerability
- CVE-2017-8718 – Microsoft JET Database Engine Remote Code Execution Vulnerability
I found a German forum post where a user reports, that accessing Microsoft.Jet.OLEDB.4.0 from Excel using C# didn't work anymore. Error 0x80004005 (Access denied) will be dropped during accessing the data base driver in System.Data.OleDb.OleDbException. Also at askwoody.com this comment mentions a broken Microsoft.Jet.OLEDB.4.0 data base interface. XLS files can't be opened (see also this article). My guess is, that this may be the source of all issues reported within this section.
Outlook can't access address book
Furthermore, there are various hints that Outlook can no longer access the address book. This comment left within my German blog says:
W2K12 TS clients with Outlook 2010 are no longer able to download an address book download. Win 7 clients are not affected. Exchange 2010 runs on W2K8. The error message is: "Error opening local Microsoft Exchange address book files in Microsoft Exchange. Contact your administrator."
I found a similar comment at heise.de, and a second comment at heise.de forum confirms this issue.
Issue with Office 2013 Web Apps
Within this comment a user reported issues with Office 2013 Web Apps.
The Office Web Apps 2013 seem to be not compatible with .NET 4.7 update, because the Excel Web App is completely dead
Other issues
Within this comment Update KB4041691 is claimed responsible for login issues under Windows 10 Pro Version 1607.
Other users reporting, tha a home network group icon has been left on the desktop, after update installation. This article describes, how to remove this icon.
A German comment, at heise.de claims network issue, and also this comment within my blog reports network issues. Another German reader reported issues with ICS, but all are single cases, not sure, how relevant they are.
A commentar at German site heise.de pointed out issues with file penimc.dll. Rawly 5% of all Windows 10 systems within a company are reporting error:
System.DllNotFoundException bei MS.Win32.Penimc.UnsafeNativeMethods.CreateResetEvent
in .NET with WPF. Searching the web shows several hits associated with previous updates. It seems that it is caused by .NET Framework 4.7 (see here). Microsoft promised a fix in May 2017 (see here). Microsoft has published this article "COMException" error from WPF applications after the .NET Framework 4.7 is installed on Windows 7 or Windows Server 2008 R2. Don't know, if the fix helps with October update.
Woody Leonhard has this ComputerWorld article with more issues. On user reported network issues. And this post reported broken dialog boxes in Explorer. More details may be found at the ComputerWorld article.
Similar articles:
Microsoft Office Patchday (October 3, 2017)
Adobe Flash Update 27.0.0.159 (October 2017)
Microsoft Security Updates Summary October 2017
Security Updates for Windows 7/8.1 (October 2017)
Windows 10 Updates (Oktober 10, 2017)
Microsoft Office Security Updates (October 10, 2017)
Windows 10 V1703: Update KB4041676 install issues
Microsoft confirms BSOD issue with KB4041676/KB4041691
