July 2018 patches: Review for administrators

Fortunately, July 2018 is over. Time for a brief review of the July 2018 patches and what’s still open. Administrators, at least, should know the following overview.


Short supplements

If you haven’t already noticed, here is a short overview of patches I didn’t mention here in my blog.

  • Update KB4052623 (Windows Defender Antimalware Platform, for Windows 10) has been updated. 
  • Updates for Adobe products: Besides the Flash Player update (mentioned in my blog), Adobe has released more security updates for Reader etc.

Oracle has also released an Oracle Critical Patch Update Advisory – July 2018 and a few blog posts.

Microsoft’s July 2018 patches: what to know?

German blog reader Karl sent me an email a few hours ago, summing up the problems and issues that occurred in the Microsoft environment due to the July 2018 updates (thanks for that). Here is Karl’s list.

Updates from July 10, 2018 are all buggy

The July updates from 10.07.2018 are all buggy (as reported in the blog here). For Windows 2008 – 2012 R2 you have to install the Preview to get error-free updates for 07-2018. The buggy updates from 10.07 have not been re-released with the same KB. Why? Ask MS. 

AD Connect Sync issues caused by .NET Framework 4.6.2

.NET 4.6.2 causes problems with AD Connect Sync (CPU usage increases to 100%). This is a known issue; a fix should come. According to Karl, the bug produced 7 GHz of load on the ESX host, although the machine has only 2 cores.


Windows Server 2016 slow update install

Windows 2016 servers take hours to install the patches. This applies even to newly installed systems, despite the servicing stack update (SSU) of May 2018. I already mentioned this problem in the blog article Windows Server 2016: Slow updates.

Beware of the .NET rollup updates July 7, 2018

All .NET Framework Rollups (July 07-2018) should generally not be installed because of known problems reported here in the blog. So the rollup from 05-2018 must be allowed, although it is already marked as expired in WSUS.

Outdated/wrong Spectre documentation

Microsoft does not maintain its Spectre documentation. Therefore, here is my substitution table for getting protection against Spectre 2, 3, 3a and 4 (for 2 and 4, BIOS updates are still necessary if the system is not Windows 10 / Server 2016), as well as the registry keys for clients and servers.

Spectre 1*, 2, 3, 3a*, 4*

https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

https://support.microsoft.com/de-de/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

Many links in the table have been superseded and should be replaced.

The following table lists (where available) the former patch > new patch + SSU + Spectre patch. The latter is not in WSUS or available via WU and must be imported or installed manually (at first the SSUs were also missing).

Windows 10 1803 KB4338853 + KB4340917 +  KB4100347-v2 + *Registry AMD / Intel
Windows 10 1709 KB4056892 > KB4131372 + KB4338817 + KB4090007_v4 + *Registry AMD / Intel
Windows 10 1703 KB4132649 + KB4338827 + KB4091663-v4 + *Registry AMD / Intel
Windows 10 1607 LTSC KB4056890 > KB4132216 + KB4338822 + KB4091664_v4 + *Registry AMD / Intel
Windows 10 1511 KB4035632 + KB4093109 no protection Spectre
Windows 10 1507 LTSC KB4345455 + KB4091666-v3 + *Registry AMD / Intel
Server 2016 1709 Core KB4056892 > KB4131372 + KB4338817 + KB4090007_v4 + *Registry AMD / Intel
Server 2016 1607 KB4056890 > KB4132216 + KB4338822 + KB4091664_v4 + *Registry AMD / Intel
Server 2012 R2 KB4056898 > KB4338831  + *Registry AMD / Intel
Server 2012 KB4088880 > KB4338816 + *Registry AMD / Intel
Server 2008 R2 KB4056897 > KB4338821 + *Registry AMD / Intel
Server 2008 KB4090450 > KB4093478 + *Registry AMD / Intel

Note the subsequent registry adjustments necessary for the Spectre patches to take effect. According to Karl, changes to the registry can easily be distributed via GPO GPP (without script):

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" /v cadca5fe-87d3-4b96-b7fb-a231484277cc /t REG_DWORD /d 0 /f
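
A read-only check that the four values above actually arrived on a machine after GPO/GPP distribution, as an added PowerShell example that is not part of Karl's list or the original post. The function name Test-SpectreRegistry is hypothetical; the paths, value names, types and data are copied from the reg add commands above.

```powershell
# Added example: audit the four registry values listed above (read-only).
# Expected names, types and data are taken from the reg add commands on this page.
$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$expected = @(
    @{ Path = $mm; Name = 'FeatureSettingsOverride';     Kind = 'DWord';  Value = 8 }
    @{ Path = $mm; Name = 'FeatureSettingsOverrideMask'; Kind = 'DWord';  Value = 3 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
       Name = 'MinVmVersionForCpuBasedMitigations';      Kind = 'String'; Value = '1.0' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
       Name = 'cadca5fe-87d3-4b96-b7fb-a231484277cc';    Kind = 'DWord';  Value = 0 }
)

# Hypothetical helper: returns one result object per expected value.
function Test-SpectreRegistry {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        $state = 'Missing'; $actual = $null; $kind = $null
        $key = Get-Item -LiteralPath $c.Path -ErrorAction SilentlyContinue
        if ($key -and ($key.GetValueNames() -contains $c.Name)) {
            $actual = $key.GetValue($c.Name)
            $kind   = $key.GetValueKind($c.Name)
            # A REG_SZ "8" where a REG_DWORD 8 is expected counts as a failure.
            if ("$kind" -ne $c.Kind)      { $state = 'WrongType' }
            elseif ($actual -ne $c.Value) { $state = 'WrongValue' }
            else                          { $state = 'OK' }
        }
        [pscustomobject]@{
            Name = $c.Name; Expected = $c.Value; Actual = $actual
            Type = $kind; State = $state
        }
    }
}

$report    = @(Test-SpectreRegistry -Checks $expected)
$compliant = -not ($report | Where-Object { $_.State -ne 'OK' })
$report | Format-Table -AutoSize
"Compliant: $compliant"
```

A compliant report only shows that the values are present; they are read at boot, so a machine that has not restarted since the change is not yet running with them.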

Maybe the overview above will help you. Some more hints about known problems in the July 2018 updates can be found in my blog post Looking back at Microsoft’s July 2018-Patches.

Similar articles:
Adobe Flash Player Version 30.0.0.134
Microsoft Office Patchday (July 3, 2018)
Patchday: Windows 10-Updates July 10, 2018
Patchday: Updates for Windows 7/8.1/Server July 10, 2018
Patchday Microsoft Office Updates (July 10, 2018)
Microsoft Patchday: Other Updates July 10, 2018
Windows 10: Update revisions July 16, 2018
Windows 7/8.1: Revised Updates July 16, 2018
Windows 7/8.1 Preview Rollup Updates (July 18, 2018)
Revised .NET Framework Update KB4340558 (July 19, 2018)
Windows 10: Cumulative Updates July 25, 2018
Intel Microcode Updates KB4100347, KB4090007 (July 2018)
NET-Framework Updates July 30, 2018 with Fixes

.Net Framework: Update KB4340558 drops error 0x80092004?
DHCP-Bug in Update KB4338814 (Windows 10 Version 1607)
July 2018 Patchday issues, KB4018385 pulled – Part I

.Net-Framework Update July 2018 pulled?
Windows: Stop error 0xD1 in July 2018 updates explained
Microsoft’s July 2018 patch mess – put update install on hold

