It seems that Microsoft has messed up the critical Adobe Flash update KB4287903 for Windows, at least for enterprise environments with WSUS, where the patch may cause install issues.
KB4287903, a critical Flash update
Adobe released an update for Flash Player on June 7, 2018, for Windows, macOS, Linux and Chrome OS. This upgrades Flash Player to version 18.104.22.168. It was an emergency patch that closed the zero-day vulnerability CVE-2018-5002. Adobe wrote in security advisory APSB18-19:
Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address critical vulnerabilities in Adobe Flash Player 22.214.171.124 and earlier versions. Successful exploitation could lead to arbitrary code execution in the context of the current user.
Adobe is aware of a report that an exploit for CVE-2018-5002 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash Player content distributed via email.
Later that day, Microsoft released Flash update KB4287903 for Windows 8.1 and Windows 10 (and their server counterparts) to close this vulnerability as well. I blogged about that in yesterday’s blog post Adobe Flash Player version 126.96.36.199 available. Further
WSUS install issues with KB4287903
First of all, security update KB4287903 is available via Windows Update to the appropriate clients (Windows 8.1, Windows 10, Windows Server). The update may also be downloaded from the Microsoft Update Catalog. If you choose a manual install, note the restrictions described in KB4287903. Also read ADV180014 for further details.
But it seems that users in a WSUS environment are facing install issues. Last night I received two comments on my German blog post Windows: Flash Player Update KB4287903 (7. Juni 2018), reporting serious install issues. One user wrote (freely translated):
Hello, under Windows 10 LTSB 2016 (1607), the update is not recognized after being released via WSUS.
When manually downloaded from the Microsoft Update Catalog (2018-06 security update for Adobe Flash Player for Windows 10 version 1607 for x64-based systems (KB4287903)), the following error message appears during installation: The update is not suitable for your computer.
That’s very strange! There is a critical Flash update dedicated to Windows 10 V1607, but LTSB clients don’t recognize this update after it was released via WSUS. Even stranger: the manually downloaded package was refused during installation as ‘not suitable’. A second user also reported WSUS install issues:
The update to current Windows 10 Pro via WSUS is not imported here. Since my own PC was also affected, I went to the Windows Update setting and got “You are up to date”. Then I triggered a manual update search, which found and installed the update.
In a business environment with hundreds or thousands of Windows 10 clients, this isn’t a real option. Have you also noticed such problems?