Patchday: Updates for Windows 7/8.1/Server (April 9, 2019)

Windows Update[German]On April 9, 2019, Microsoft released various (security) updates for Windows 7 SP1 and other updates for Windows 8.1 as well as the corresponding server versions. Here is an overview of these updates.


Advertising

Updates for Windows 7/Windows Server 2008 R2

For Windows 7 SP1 and Windows Server 2008 R2 SP1, a rollup and a security-only update have been released. The update history for Windows 7 can be found on this Microsoft page.

KB4493472 (Monthly Rollup) for Windows 7/Windows Server 2008 R2

Update KB44493472 (Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1) contains improvements and bug fixes that were already included in last month’s update. The update addresses the following items:

  • Provides protections against Spectre Variant 2 (CVE-2017-5715) and Meltdown (CVE-2017-5754) for VIA-based computers. These protections are enabled by default for the Windows Client, but disabled by default for Windows Server. For Windows Client (IT Pro) guidance, follow the instructions in KB4073119. For Windows Server guidance, follow the instructions in KB4072698. Use these guidance documents to enable or disable these mitigations for VIA-based computers.
  • Addresses an issue that causes the error “0x3B_c0000005_win32k!vSetPointer” when the kernel mode driver, win32k.sys, accesses an invalid memory location.
  • Addresses an issue in which netdom.exe fails to run, and the error, “The command failed to complete successfully” appears.
  • Addresses an issue that may prevent Custom URI Schemes for Application Protocol handlers from starting the corresponding application for local intranet and trusted sites on Internet Explorer.
  • Addresses an issue that may cause authentication issues for Internet Explorer 11 and other applications that use WININET.DLL. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons.
  • Security updates to Windows Kernel, Windows Server, Graphics Component, Windows Input and Composition, Windows Data

This update is automatically downloaded and installed by Windows Update. The package is also available via Microsoft Update Catalog. Installation requires that the latest SSU is already installed (will be the case, it installed via Windows Update).

As a known problem, Microsoft mentions that authentication problems can occur after the update is installed:

After installing this update, some customers report that authentication fails for services that require unconstrained delegation after the Kerberos ticket expires (the default is 10 hours). For example, the SQL server service fails.

Microsoft specifies several workarounds in the KB article (e.g. purgen Kerberos ticket) to fix this problem.


Advertising

As of April 2019 or update KB4493472, the monthly rollup updates no longer contain the program PciClearStaleCache.exe. This installation utility fixes inconsistencies in the internal PCI cache. This may cause the symptoms listed below when installing monthly updates that do NOT include PciClearStaleCache:

  • Existing NIC definitions in control panel networks may be replaced with a new Ethernet Network Interface Card (NIC) but with default settings. Any custom settings on the previously NIC persist in the registry but were unused.
  • Static IP address settings were lost on network interfaces.
  • Wi-Fi profile settings were not displayed in the network flyout.
  • WIFI network adapters were disabled

These symptoms are particularly common in guest virtual machines and machines that have not been updated since March 2018. Administrators should therefore ensure that one or more of the monthly rollups released between April 10, 2018 (KB 4093118) and March 12, 2019 (KB 4489878) have been installed before installing the April 2019 and later updates. Each of these rollup updates contains the PciClearStaleCache.exe.

KB4493448  (Security Only) for Windows 7/Windows Server 2008 R2

Update KB4493448 (Security-only update) is available for Windows 7 SP1 and Windows Server 2008 R2 SP1. The update addresses the following issues.

  • Provides protections against Spectre Variant 2 (CVE-2017-5715) and Meltdown (CVE-2017-5754) for VIA-based computers. These protections are enabled by default for the Windows Client, but disabled by default for Windows Server. For Windows Client (IT Pro) guidance, follow the instructions in KB4073119. For Windows Server guidance, follow the instructions in KB4072698. Use these guidance documents to enable or disable these mitigations for VIA-based computers.
  • Addresses an issue in which netdom.exe fails to run, and the error, “The command failed to complete successfully” appears.
  • Addresses an issue that may cause authentication issues for Internet Explorer 11 and other applications that use WININET.DLL. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons.
  • Security updates to Windows Kernel, Windows Server, Graphics Component, Windows Input and Composition, Windows Datacenter Networking, Windows MSXML, and the Microsoft JET Database Engine.

he update is available via WSUS or in Microsoft Update Catalog. If you install the update, you must first install the latest Servicing Stack Update (SSU). If you install the Security Only Update, you must also install KB4493435 for IE. Das has the same known issues as update KB4493472.

Updates for Windows 8.1/Windows Server 2012 R2

For Windows 8.1 and Windows Server 2012 R2 a rollup and a security-only update have been released. The update history for Windows 8.1 can be found on this Microsoft page.

KB4493446 (Monthly Rollup) for Windows 8.1/Server 2012 R2

Update KB4493446 (Monthly Rollup for Windows 8.1 and Windows Server 2012 R2) contains improvements and fixes that were included in the previous month’s rollup. It also addresses the following items.

  • Provides protections against Spectre Variant 2 (CVE-2017-5715) and Meltdown (CVE-2017-5754) for VIA-based computers. These protections are enabled by default for the Windows Client, but disabled by default for Windows Server. For Windows Client (IT Pro) guidance, follow the instructions in KB4073119. For Windows Server guidance, follow the instructions in KB4072698. Use these guidance documents to enable or disable these mitigations for VIA-based computers.
  • Addresses an issue that may cause applications that use MSXML6 to stop responding if an exception was thrown during node operations.
  • Addresses an issue that causes the Group Policy editor to stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 Internet settings.
  • Addresses an issue with Custom URI Schemes for Application Protocol handlers, which may not start the corresponding application for local intranet and trusted sites on Internet Explorer.
  • Addresses an issue that may cause authentication issues for Internet Explorer 11 and other applications that use WININET.DLL. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons.
  • Security updates to Windows Storage and Filesystems, Windows Server, Microsoft Graphics Component, Windows Input and Composition, Windows Datacenter Networking, Windows Kernel, Windows MSXML, Windows SQL components, and the Microsoft JET Database Engine.

This update is automatically downloaded and installed by Windows Update, but is also available from the Microsoft Update Catalog. The udate has one known issue:

After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

The KB article mentions several options to fix this issue.

KB4493467 (Security-only update) for Windows 8.1/Server 2012 R2

Update KB4493467 (Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2) adresses the following issues.

  • Provides protections against Spectre Variant 2 (CVE-2017-5715) and Meltdown (CVE-2017-5754) for VIA-based computers. These protections are enabled by default for the Windows Client, but disabled by default for Windows Server. For Windows Client (IT Pro) guidance, follow the instructions in KB4073119. For Windows Server guidance, follow the instructions in KB4072698. Use these guidance documents to enable or disable these mitigations for VIA-based computers.
  • Addresses an issue that may cause applications that use MSXML6 to stop responding if an exception was thrown during node operations.
  • Addresses an issue that causes the Group Policy editor to stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 Internet settings.
  • Addresses an issue that may cause authentication issues for Internet Explorer 11 and other applications that use WININET.DLL. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons.
  • Security updates to Windows Storage and Filesystems, Windows Server, Microsoft Graphics Component, Windows Input and Composition, Windows Datacenter Networking, Windows Kernel, Windows MSXML, Windows SQL components, and the Microsoft JET Database Engine.

The update is available via WSUS or in the Microsoft Update Catalog. If the Security Only Update is installed, you need to install also KB4493435 for IE. The update has the same known issues in the Preboot Execution Environment (PXE) as update KB4493446.

Similar articles:
Microsoft Office Updates (Patchday April 2, 2019)
Microsoft Security Update Summary (April 9, 2019)
Patchday: Updates for Windows 7/8.1/Server (April 9, 2019)
Patchday Windows 10-Updates (April 9, 2019)
Patchday Microsoft Office Updates (April 9, 2019)
Windows patchday issues–one week later (April 17, 2019)


Advertising
This entry was posted in Security, Software, Windows and tagged , , , , , , , . Bookmark the permalink.

4 Responses to Patchday: Updates for Windows 7/8.1/Server (April 9, 2019)

  1. EP says:

    guenni

    these new updates for Windows 7 & 8.1 should not be installed on machines that have Sophos software installed as these new patches can cause them to hang or lock up.

    noted on this recent Askwoody blog:
    https://www.askwoody.com/2019/widespread-reports-of-freezing-with-this-months-win7-monthly-rollup-kb-4493472/

    and on the Sophos web site:
    https://community.sophos.com/kb/en-us/133945

    do not install these updates (or if they are already installed, remove them) until either Microsoft or Sophos provides a fix

Leave a Reply

Your email address will not be published. Required fields are marked *