Microsoft released an out-of-band security update, KB4100480, for Windows 7, Windows Server 2008 R2 and the embedded version of Windows 7 on March 29, 2018.
Update KB4100480 is a Windows kernel update that closes the CVE-2018-1038 vulnerability. This update fixes an Elevation of Privilege vulnerability in the Windows kernel of the 64-bit (x64) version of Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1.
Fix for CVE-2018-1038
This vulnerability is documented in CVE-2018-1038. Users must apply this update to be fully protected against this vulnerability if their computers were updated in January 2018 or later by applying any of the following updates.
- 4056897 January 3, 2018—KB4056897 (Security-only update)
- 4056894 January 4, 2018—KB4056894 (Monthly Rollup)
- 4073578 Unbootable state for AMD devices in Windows 7 SP1 and Windows Server 2008 R2 SP1
- 4057400 January 19, 2018—KB4057400 (Preview of Monthly Rollup)
- 4074598 February 13, 2018—KB4074598 (Monthly Rollup)
- 4074587 February 13, 2018—KB4074587 (Security-only update)
- 4075211 February 22, 2018—KB4075211 (Preview of Monthly Rollup)
- 4091290 March 1, 2018—KB4091290
- 4088875 March 13, 2018—KB4088875 (Monthly Rollup)
- 4088878 March 13, 2018—KB4088878 (Security-only update)
- 4088881 March 23, 2018—KB4088881 (Preview of Monthly Rollup)
The patch is rolled out via Windows Update and WSUS, but is also available for download in the Microsoft Update Catalog. Microsoft says there are no known problems. I got feedback from German blog readers, who are claiming a delayed boot of machines and broken network connections.
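To check whether a machine falls under the condition above (one of the listed January to March 2018 updates installed, KB4100480 missing), the following PowerShell sketch can be used. It is an added example, not Microsoft's or the blog's own code; the function name is hypothetical, it assumes PowerShell 2.0 or later, and it only sees updates that Get-HotFix reports and only the KB numbers named on this page.

```powershell
# Added example: KB numbers are taken from the list on this page;
# the function name Test-KB4100480Needed is hypothetical.
function Test-KB4100480Needed {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Updates from January-March 2018 that make KB4100480 necessary (list from the page).
    $triggers = 'KB4056897','KB4056894','KB4073578','KB4057400','KB4074598',
                'KB4074587','KB4075211','KB4091290','KB4088875','KB4088878','KB4088881'
    $fix = 'KB4100480'

    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    # Windows 7 SP1 and Server 2008 R2 SP1 both report 6.1.7601; only x64 is affected.
    $inScope = ($os.Version -eq '6.1.7601') -and ($os.OSArchitecture -match '64')

    # Collect installed hotfix IDs and compare them against both lists.
    $installed = @(Get-HotFix -ComputerName $ComputerName | ForEach-Object { $_.HotFixID })
    $found  = @($triggers | Where-Object { $installed -contains $_ })
    $hasFix = $installed -contains $fix

    if (-not $inScope)          { $status = 'Not applicable (not Windows 7 SP1 / 2008 R2 SP1 x64)' }
    elseif ($hasFix)            { $status = 'KB4100480 installed' }
    elseif ($found.Count -gt 0) { $status = 'ACTION: install KB4100480' }
    else                        { $status = 'None of the listed updates found' }

    New-Object PSObject -Property @{
        Computer       = $ComputerName
        OSVersion      = $os.Version
        Architecture   = $os.OSArchitecture
        TriggerUpdates = ($found -join ', ')
        HasKB4100480   = $hasFix
        Status         = $status
    }
}

# Check the local machine; pass -ComputerName to query a remote host.
Test-KB4100480Needed | Format-List
```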
Microsoft sends out security warning
Microsoft has sent out the following security warning for the update.
The following CVE has been added to the March 2018 Security Updates:
– Version: 1.0
– Reason for Revision: Information published.
– Originally posted: March 29, 2018
– Updated: N/A
– Aggregate CVE Severity Rating: Important
2nd fix for TotalMeltdown
The January/February patches released to close the Meltdown vulnerability led to an even larger vulnerability (see Windows 7 Jan./Feb. 2018 patches opens Total Meltdown vulnerability). This should be fixed with the March update. On Twitter, Ulf Frisk announced that this update fixes the TotalMeltdown bug:
#TotalMeltdown OOB patches available now! No longer ZERO-DAY! APPLY PATCHES NOW! (Win7/2008R2) CVE-2018-1038. Awesome turnaround time and support from @msftsecresponse! Super impressive work given the time frame! https://t.co/TcVVMBDEPl pic.twitter.com/n0FpD8nP5X
— Ulf Frisk (@UlfFrisk) March 29, 2018
Ulf Frisk wrote in an addendum to his blog post:
2018-03-28: Found out that the March patches only partially resolved the vulnerability. Contacted MSRC again
Shall I install this update?
Ulf Frisk recommends installing this update, and I would say: The update should be installed promptly to close the zero-day vulnerability. But I suggest creating a system image backup before you install the update. If you have problems, you can uninstall the update from the Control Panel.