Flash-Update KB4287903: Install issues with WSUS

It seems that Microsoft has messed up the critical Adobe Flash Update KB4287903 for Windows. At least for enterprise environments with WSUS, where the patch may causes install issues.


Advertising

KB4287903, a critical Flash-Update

Adobe has released an update for Flash Player on June 7, 2018, for Windows, macOS, Linux and Chrome OS. This upgrades Flash player to version 30.0.0.113. It was an emergency patch, that closed Zero-Day vulnerability CVE-2018-5002. Adobe wrote in security advisory APSB18-19:

Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address critical vulnerabilities in Adobe Flash Player 29.0.0.171 and earlier versions.  Successful exploitation could lead to arbitrary code execution in the context of the current user.

Adobe is aware of a report that an exploit for CVE-2018-5002 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash Player content distributed via email.

Later that day, Microsoft released Flash Update KB4287903 for Windows 8.1 and Windows 10 (and it’s server pendants) to close this vulnerability too. I’ve blogged about that within my yesterday’s blog post Adobe Flash Player version 30.0.0.113 available. Further

WSUS install issues with KB4287903

At a first place, security update KB4287903 is available via Windows Update to the appropriate clients (Windows 8.1, Windows 10, Windows Server). The update may be also downloaded via Microsoft Update-Katalog. If you choose a manual install, note the restrictions described in KB4287903. Also read ADV180014 for further details.

But it seems, that users within a WSUS environment are facing install issues. I’ve received two comments within last night for my German blog post Windows: Flash Player Update KB4287903 (7. Juni 2018), claiming serious install issue. One user wrote (freely translated):

Hello, under Windows 10 LTSB 2016 (1607), the update is not recognized after released via WSUS.

When manually downloaded from the Microsoft Update Catalog (2018-06 security update for Adobe Flash Player for Windows 10 version 1607 for x64-based systems (KB4287903)), the following error message appears during installation: The update is not suitable for your computer.

That’s very strange! There is a critical update for flash dedicated for Windows 10 V1607, but LTSB-Clients doesn’t recognize this update after it was released via WSUS. And even stronger: A manual download has been refused during update installation as ‘not suitable’. A second user reported also WSUS install issues:


Advertising

The update to current Windows 10 Pro via WSUS is not imported here. Since my own PC was also affected, I went to the Windows Update setting and got “You are up to date”. Then I triggered a manual update search, that has found and installed the update.

Within a business environment with hundreds or thousands of Windows 10 clients this isn’t a real option. Have you also noticed such problems?


Advertising
This entry was posted in issue, Security, Update, Windows and tagged , , , , , , . Bookmark the permalink.

9 Responses to Flash-Update KB4287903: Install issues with WSUS

  1. Tonny Sieben says:

    Install problems for Windows 10 1607 clients can be solved by
    installing the Service Stack Update KB4132216 – before installing
    the Flash Player update KB4287903.

    Gordon7.

    • Rolf Lidvall says:

      Yes, the SSU installs a new WUA; 10.0.14393.2248.

    • Zoom says:

      Thanks Rolf. That was exactly our issue. The missing stack update was released out of cycle and were not already on our Win 10 systems. After pushing that out, the systems were able to then download and installed the June Adobe Flash update.

  2. Susan Bradley says:

    1607 is no longer supported unless you are a edu or enterprise license.

    • guenni says:

      @Susan: Thx, I alwas forgot that. But the case mentioned in my blog post above is a LTSB-SKU (10 years support).

      I haven’t feedback from the German reader – I asked him about the SSU – but I assume that he is an experienced admin reading my initial blog post, where the SSU is mentioned as required. We will see.

      An interesing thought: Microsoft says that Win 10 V1607 will be supported up to 2023 for clover trail systems (see here). Have somebody made the experience, that MS prevents installing updates for V1607 on non clover trail systems?

  3. EP says:

    Win10 v1607 is STILL supported on devices using Intel “Clover Trail” CPUs as noted here, regardless of the edition of the 1607 release:
    https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/intel-clover-trail-processors-are-not-supported-on/ed1823d3-c82c-4d7f-ba9d-43ecbcf526e9?auth=1
    People seem to be forgetting about this little detail.

    I’ve tested & installed the flash player KB4287903 update on Win10 LTSB 2016 just today and it installed successfully without problems. Perhaps turn OFF or disable the Windows Update “Deferral” policy in Group Policies (gpedit.msc) in LTSB 2016 because KB4287903 is a recently released update.

    Btw, KB4287903 is NOT blocked under the 1607 versions of Home/Pro as it does allow installation as I checked myself on a non-Clover Trail machine – note that I manually downloaded & installed the KB4287903 update for v1607 Pro thru MS Update Catalog.

    • guenni says:

      Thx for sharing your experience. Then there is maybe a possibility to create a ‘poor man’s Windows 10 LTSC’, using Windows 10 V1607 and block all upcoming feature updates. Then we will have support with updates till 2023. Will keep an eye on that. Any further thoughts are welcome.

  4. Advertising

  5. John Henskens says:

    I was having issues getting these 2 patches to install. They would say either they didn’t apply or were not needed even though ACAS had them as a High vulnerability.

    2018-06 Security Update for Adobe Flash Player for Windows 10 Version 1607 for x64-based Systems (KB4287903)

    2018-06 Cumulative Update for Windows 10 Version 1607 for x64-based Systems (KB4284880)

    It ended up being that I needed to install this servicing stack update first KB4132216 which updates the Windows update client. After installing the patch the other two installed.

    Thank You Very Much!

  6. EP says:

    even the newest flash player update – KB4343902 (superseding KB4338832 & KB4287903) for Win10 v1607 still installs on any edition of Win10 v1607 including Home & Pro and not just the education, enterprise & LTSB versions.

    new cumulative updates made after April 2018 that require the KB4132216 servicing stack update [such as KB4343887 & KB4284880], on the other hand, fail to install on the home & pro editions of Win10 v1607 and only install successfully on the education/enterprise/ltsb editions. this problem was noted in this forum:
    https://msfn.org/board/topic/177510-kb4132216-causes-failed-installationuninstallation-of-cu/

    a workaround is to “integrate” or “slipstream” a new CU onto the v1607 Win10 media as noted in this forum:
    https://forums.mydigitallife.net/threads/stop-windows-10-1607-upgrading-to-1709.76434/page-4

Leave a Reply to EP Cancel reply

Your email address will not be published. Required fields are marked *