Patchday Windows 10-Updates (August 14, 2018)

[German]On August 14, 2018 (second Tuesday of the month, patchday at Microsoft), several cumulative updates were released for the supported Windows 10 builds. Here are some details about the updates.

A list of updates can be found on this Microsoft website. In August 2018, Microsoft revised the display format so that the information can be called up more easily. I have pulled out the details below.

Spectre vulnerabilities are closed in all updates – details can be found in the individual sections.

Updates for Windows 10 Version 1803

The following updates are available for Windows 10 April Update (version 1803).

Update KB4343909 for Windows 10 Version 1803

Cumulativ Update KB4343909 contains quality improvements but no new operating system functions and raises the OS build to 17134.228. The update also includes an update for Microsoft HoloLens (OS Build 17134.228). Here is the list of fixes:

• Provides protections against a new speculative execution side-channel vulnerability known as L1 Terminal Fault (L1TF) that affects Intel® Core® processors and Intel® Xeon® processors (CVE-2018-3620 and CVE-2018-3646). Make sure previous OS protections against Spectre Variant 2 and Meltdown vulnerabilities are enabled using the registry settings outlined in the Windows Client and Windows Server guidance KB articles. (These registry settings are enabled by default for Windows Client OS editions, but disabled by default for Windows Server OS editions.)
• Addresses an issue that causes high CPU usage that results in performance degradation on some systems with Family 15h and 16h AMD processors. This issue occurs after installing the June 2018 or July 2018 Windows updates from Microsoft and the AMD microcode updates that address Spectre Variant 2 (CVE-2017-5715 – Branch Target Injection).
• Addresses an issue that prevents apps from receiving mesh updates after resuming. This issue occurs for apps that use Spatial Mapping mesh data and participate in the Sleep or Resume cycle.
• Ensures that Internet Explorer and Microsoft Edge support the preload="none" tag.
• Addresses an issue that prevents some applications running on HoloLens, such as Remote Assistance, from authenticating after upgrading from Windows 10, version 1607, to Windows 10, version 1803.
• Addresses an issue that significantly reduced battery life after upgrading to Windows 10, version 1803.
• Addresses an issue that causes Device Guard to block some ieframe.dll class IDs after installing the May 2018 Cumulative Update.
• Addresses a vulnerability related to the Export-Modulemember() function when used with a wildcard (*) and a dot-sourcing script. After installing this update, existing modules on devices that have Device Guard enabled will intentionally fail. The exception error is "This module uses the dot-source operator while exporting functions using wildcard characters, and this is disallowed when the system is under application verification enforcement." For more information, see CVE-2018-8200 and PSModuleFunctionExport.
• Addresses an issue that was introduced in the July 2018 .NET Framework update. Applications that rely on COM components were failing to load or run correctly because of "access denied," "class not registered," or "internal failure occurred for unknown reasons" errors.
• Security updates to Windows Server.

The update is distributed via Windows Update, but should also be available via WSUS or the Microsoft Update. Microsoft (currently) is not aware of any problems with the update.

Addendum: Microsoft has extended the article KBb4343909 with a known error.

Launching Microsoft Edge using the New Application Guard Windowmay fail; normal Microsoft Edge instances are not affected.

The Microsoft workaround is: uninstall update KB4343909 and install updates KB4340917 and KB4343909.

Updates foür Windows 10 Version 1709

he following updates are available for Windows 10 Fall Creators Update (version 1709).

Update KB4343897 for Windows 10 Version 1709

Cumulativ Update KB4343897 for Windows 10 Version 1709 (Fall Creators Update) raises the OS build to 16299.611 and includes quality improvements and the following fixes:

• Provides protections against a new speculative execution side-channel vulnerability known as L1 Terminal Fault (L1TF) that affects Intel® Core® processors and Intel® Xeon® processors (CVE-2018-3620 and CVE-2018-3646). Make sure previous OS protections against Spectre Variant 2 and Meltdown vulnerabilities are enabled using the registry settings outlined in the Windows Client and Windows Server guidance KB articles. (These registry settings are enabled by default for Windows Client OS editions, but disabled by default for Windows Server OS editions.)
• Addresses an issue that causes high CPU usage that results in performance degradation on some systems with Family 15h and 16h AMD processors. This issue occurs after installing the June 2018 or July 2018 Windows updates from Microsoft and the AMD microcode updates that address Spectre Variant 2 (CVE-2017-5715 – Branch Target Injection).
• Updates support for the draft version of the Token Binding protocol v0.16.
• Addresses an issue that causes Device Guard to block some ieframe.dll class IDs after the May 2018 Cumulative Update is installed.
• Ensures that Internet Explorer and Microsoft Edge support the preload="none" tag.
• Addresses an issue that displays "AzureAD" as the default domain on the sign-in screen after installing the July 24, 2018 update on a Hybrid Azure AD-joined machine. As a result, users may fail to sign in in Hybrid Azure AD-joined scenarios when users provide only their username and password.
• Addresses an issue that adds additional spaces to content that's copied from Internet Explorer to other apps.
• Addresses a vulnerability related to the Export-Modulemember() function when used with a wildcard (*) and a dot-sourcing script. After installing this update, existing modules on devices that have Device Guard enabled will intentionally fail. The exception error is "This module uses the dot-source operator while exporting functions using wildcard characters, and this is disallowed when the system is under application verification enforcement". For more information, see CVE-2018-8200 and PSModuleFunctionExport.
• Addresses an issue that was introduced in the July 2018 .NET Framework update. Applications that rely on COM components were failing to load or run correctly because of "access denied," "class not registered," or "internal failure occurred for unknown reasons" errors.
• Security updates to Windows Server.

The update is distributed via Windows Update, but can also be downloaded via Microsoft Update Catalog.

This cumulative update has the same known issues as the previous month's patch. Some non-English platforms can display the following string in English instead of the localized language: "Reading scheduled jobs from file is not supported in this language mode." This error is displayed when Device Guard is enabled and you are trying to read the scheduled jobs you have created. In addition, there are other known bugs with Device Guard activated (e.g. no & or . operator etc., see) Microsoft is working on solving the problems.

Dynamic Update KB4340689 for Windows 10 Version 1709

Dynamice Update KB4340689 for Windows 10 Version 1709 is used during install or reset of Windows and contains critical drivers and setup improvements.

Updates for Windows 10 Version 1703

The following updates are available for Windows 10 Creators Update (version 1703).

Update KB4343885 for Windows 10 Version 1703

Cumulative Update KB4343885 for Windows 10 Version 1703 (Creators Update) raises the OS build to 15063.1266 and contains quality improvements. The update is also available for Windows 10 Mobile (OS Build 15063.1266). It addresses the following vulnerabilities and issues:

• Provides protections against a new speculative execution side-channel vulnerability known as L1 Terminal Fault (L1TF) that affects Intel® Core® processors and Intel® Xeon® processors (CVE-2018-3620 and CVE-2018-3646). Make sure previous OS protections against Spectre Variant 2 and Meltdown vulnerabilities are enabled using the registry settings outlined in the Windows Client and Windows Server guidance KB articles. (These registry settings are enabled by default for Windows Client OS editions, but disabled by default for Windows Server OS editions.)
• Addresses an issue that causes Internet Explorer to stop working for certain websites.
• Updates support for the draft version of the Token Binding protocol v0.16.
• Addresses an issue that causes Device Guard to block some ieframe.dll class IDs after installing the May 2018 Cumulative Update.
• Ensures that Internet Explorer and Microsoft Edge support the preload="none" tag.
• Addresses a vulnerability related to the Export-Modulemember() function when used with a wildcard (*) and a dot-sourcing script. After installing this update, existing modules on devices that have Device Guard enabled will intentionally fail. The exception error is "This module uses the dot-source operator while exporting functions using wildcard characters, and this is disallowed when the system is under application verification enforcement". For more information, see CVE-2018-8200 and PSModuleFunctionExport.
• Addresses an issue that was introduced in the July 2018 .NET Framework update. Applications that rely on COM components were failing to load or run correctly because of "access denied," "class not registered," or "internal failure occurred for unknown reasons" errors.
• Security updates to Windows Server.

The update is distributed via Windows Update, but is also available in the Microsoft Update Catalog. There are no known issues.

Windows Update Improvements

Microsoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 Feature Update based on device compatibility and Windows Update for Business deferral policy. This does not apply to long-term servicing editions.

Dynamic Update KB4343885 for Windows 10 Version 1703

Update KB4343885 for Windows 10 Version 1703 is used during installation or Recovery.

Updates for Windows 10 Version 1507 bis 1607

Various updates are available for Windows 10 RTM to Windows 10 (version 1607). Here is a short overview.

• Windows 10 Version 1607: Update KB4343887 is only available for Enterprise and Education and Windows Server 2016. The update raises the OS build to 14393.2430. It also contains the spectre fixes mentioned above for other updates. This update is automatically downloaded and installed from Windows Update, but is available for download from the Microsoft Update Catalog. Before manual installation, the Servicing Stack Update (SSU) (KB4132216) must be installed. Details can be found in the KB article.
• Windows 10 Version 1507: Update KB4343892 is available for the RTM version (LTSC). The update raises the OS build to 10240.17946 and includes the spectre fixes mentioned above for other updates. This update is automatically downloaded and installed from Windows Update, but is available for download from the Microsoft Update Catalog. Similar to Windows 10 version 1703, there are also improvements to Windows Update (see note above). Details can be found in the KB article.

For Windows 10 V1511 there was no update that this version has fallen on the support. Details on the above updates can be found in the respective Microsoft KB articles in case of doubt.

Similar articles:
Security update for Adobe Acrobat/Reader
Microsoft Office Patchday (August 7, 2018)
Windows 10 Updates KB4295110/KB4023057 (08/09/2018)
Microsoft Security Update Summary August 14, 2018
Patchday Windows 10-Updates (August 14, 2018)
Patchday: Updates for Windows 7/8.1/Server (August 14, 2018)
Patchday Microsoft Office Updates (August 14, 2018)
Microsoft Patchday: Other Updates (August 14, 2018)
Windows 10: Update KB4346783, KB4343893, KB4343889, KB4343884 (08/30/2018)