[German]On May 14, 2019, Microsoft released several (security) updates for Windows 7 SP1 and further updates for Windows 8.1 as well as the corresponding server versions. Here is an overview of these updates.
Advertising
Updates for Windows 7/Windows Server 2008 R2
For Windows 7 SP1 and Windows Server 2008 R2 SP1, a rollup and a security-only update have been released. The update history for Windows 7 can be found on this Microsoft page.
KB4499164 (Monthly Rollup) for Windows 7/Windows Server 2008 R2
Update KB4499164 (Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1) contains improvements and bug fixes that were already included in last month's update. The update addresses the following fixes:
- Provides protections against a new subclass of speculative execution side-channel vulnerabilities, known as Microarchitectural Data Sampling, for 64-Bit (x64) versions of Windows (CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130). Use the registry settings as described in the Windows Client and Windows Server articles. (These registry settings are enabled by default for Windows Client OS editions, but disabled by default for Windows Server OS editions).
- Addresses an issue that prevents the Microsoft Visual Studio Simulator from starting.
- Addresses an issue that may prevent applications that rely on unconstrained delegation from authenticating after the Kerberos ticket-granting ticket (TGT) expires (the default is 10 hours).
- Addendum: Adds "gov.uk" to the HTTP Strict Transport Security Top Level Domains (HSTS TLD) for Internet Explorer.
- Removed: Addresses an issue that may cause the text, layout, or cell size to become narrower or wider than expected in Microsoft Excel when using the MS UI Gothic or MS PGothic fonts.
- Security updates to Windows App Platform and Frameworks, Microsoft Graphics Component, Windows Storage and Filesystems, Windows Cryptography, Windows Wireless Networking, Windows Kernel, Windows Server, and the Microsoft JET Database.
Once again, there is an attempt to mitigate various vulnerabilities that could be exploited by side-channel attack methods (this time the new zombieload vulnerability). And they tries to patch the Microsoft JET Database – the bugs have been there for months. The RDP vulnerability that I covered in Critical update for Windows XP up to Windows 7 (May 2019), and that needs to be patched urgently, is not even mentioned above. Also CVE-2019-0903(GDI+ remote code execution vulnerability) is not mentioned in the list.
This update is automatically downloaded and installed by Windows Update. The package is also available via Microsoft Update Catalog. Installation requires that the latest SSU is already installed. If you install it using Windows Update, it will be installed automatically.
Known issues
Also the kb article for this updat explicitly mentions issues related to Mc Afee antivirus software. There is the issue identified in April 2019 on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8. The antivirus solution may cause the system to boot slowly after this update is installed, or may cause the system to stop responding when rebooted. Mc Afee offers a workaround in the following articles.
Advertising
- McAfee Security (ENS) Threat Prevention 10.x
- McAfee Host Intrusion Prevention (Host IPS) 8.0
- McAfee VirusScan Enterprise (VSE) 8.8
As of April 2019 or update KB4493472, the monthly rollup updates no longer contain the program PciClearStaleCache.exe. This installation utility fixes inconsistencies in the internal PCI cache. This may cause the symptoms listed below when installing monthly updates that do NOT contain PciClearStaleCache:
- Existing NIC definitions in control panel networks may be replaced with a new Ethernet Network Interface Card (NIC) but with default settings. Any custom settings on the previously NIC persist in the registry but were unused.
- Static IP address settings were lost on network interfaces.
- Wi-Fi profile settings were not displayed in the network flyout.
- WIFI network adapters were disabled
These symptoms are particularly common in guest virtual machines and machines that have not been updated since March 2018. Administrators should therefore ensure that one or more of the monthly rollups released between April 10, 2018 (KB 4093118) and March 12, 2019 (KB 4489878) have been installed before installing the April 2019 and later updates. Each of these rollup updates contains the PciClearStaleCache.exe.
KB4499175 (Security Only) for Windows 7/Windows Server 2008 R2
Update KB4499175 (Security-only update) is available for Windows 7 SP1 and Windows Server 2008 R2 SP1. The update addresses the following issues.
- Provides protections against a new subclass of speculative execution side-channel vulnerabilities, known as Microarchitectural Data Sampling, for 64-Bit (x64) versions of Windows (CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130). Use the registry settings as described in the Windows Client and Windows Server articles. (These registry settings are enabled by default for Windows Client OS editions, but disabled by default for Windows Server OS editions).
- Addresses an issue that may prevent applications that rely on unconstrained delegation from authenticating after the Kerberos ticket-granting ticket (TGT) expires (the default is 10 hours).
- Security updates to Windows App Platform and Frameworks, Microsoft Graphics Component, Windows Storage and Filesystems, Windows Cryptography, Windows Wireless Networking, Windows Kernel, Windows Server, and the Microsoft JET Database.
The update is available via WSUS or in the Microsoft Update Catalog. If you install the update, you must first install the latest Servicing Stack Update (SSU). If you install the Security Only Update, you must also install KB4498206 for IE. Microsoft is not aware of any problems with this update.
Updates for Windows 8.1/Windows Server 2012 R2
For Windows 8.1 and Windows Server 2012 R2 a rollup and a security-only update have been released. The update history for Windows 8.1 can be found on this Microsoft page.
KB4499151 (Monthly Rollup) for Windows 8.1/Server 2012 R2
Update KB4499151 (Monthly Rollup for Windows 8.1 and Windows Server 2012 R2) contains improvements and fixes that were included in the previous month's rollup. It also addresses the following issues.
- Provides protections against a new subclass of speculative execution side-channel vulnerabilities, known as Microarchitectural Data Sampling, for 64-Bit (x64) versions of Windows (CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130). Use the registry settings as described in the Windows Client and Windows Server articles. (These registry settings are enabled by default for Windows Client OS editions, but disabled by default for Windows Server OS editions).
- Addresses an issue that may cause "Error 1309" while installing or uninstalling certain types of .msi and .msp files on a virtual drive.
- Addresses an issue that prevents the Microsoft Visual Studio Simulator from starting.
- Adds "uk.gov" into the HTTP Strict Transport Security Top Level Domains (HSTS TLD) for Internet Explorer and Microsoft Edge.
- Addresses an issue that may cause the text, layout, or cell size to become narrower or wider than expected in Microsoft Excel when using the MS UI Gothic or MS PGothic fonts.
- Security updates to Windows App Platform and Frameworks, Microsoft Graphics Component, Windows Storage and Filesystems, Windows Cryptography, Windows Datacenter Networking, Windows Wireless Networking, Windows Kernel, and the Microsoft JET Database Engine.
This update is automatically downloaded and installed by Windows Update, but is also available from the Microsoft Update Catalog.
Known Issues
The update has several known issues, some of which occurred as early as April 2019:
After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.
Within the KB article Microsoft specifies several methods to fix these boot issues.
Another bug: Certain operations, such as renaming files or folders located on a cluster shared volume (CSV), may fail with the error "STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)". This occurs when you perform the action on a CSV owner node from a process that does not have administrator privileges. Do one of the following:
- Run the operation from a process that has administrative privileges.
- Perform the operation from a node that does not have CSV ownership.
Microsoft is working on a solution and will release an update in an upcoming release. Also in this update, Microsoft explicitly mentions issues related to McAfee antivirus software. There is the problem that was discovered in April 2019 on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8. The antivirus solution may cause the system to boot slowly after this update is installed, or may cause the system to stop responding when it reboots. Mc Afee offers a workaround in the following articles.
- McAfee Security (ENS) Threat Prevention 10.x
- McAfee Host Intrusion Prevention (Host IPS) 8.0
- McAfee VirusScan Enterprise (VSE) 8.8
Avira has informed me yesterday, that Microsoft Microsoft will release the April 2018 updates for systems with installed Avira antivirus products.
KB4499165 (Security-only update) for Windows 8.1/Server 2012 R2
Update KB4499165 (Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2) addresses the following items.
- Provides protections against a new subclass of speculative execution side-channel vulnerabilities, known as Microarchitectural Data Sampling, for 64-Bit (x64) versions of Windows (CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130). Use the registry settings as described in the Windows Client and Windows Server articles. (These registry settings are enabled by default for Windows Client OS editions, but disabled by default for Windows Server OS editions).
- Security updates to Windows App Platform and Frameworks, Microsoft Graphics Component, Windows Storage and Filesystems, Windows Cryptography, Windows Datacenter Networking, Windows Wireless Networking, Windows Kernel, and the Microsoft JET Database Engine.
The update is available via WSUS or in the Microsoft Update Catalog. If the Security Only Update is installed, KB4498206 must also be installed for IE. The update has the same known problems in the Preboot Execution Environment (PXE) as update KB4493446.
In addition, certain actions, such as renaming files or folders located on a cluster shared volume (CSV) may fail with the error "STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)". This is already described in the upper section of KB4499151.
Similar articles:
Windows 10 V1809 Update KB4495667 (May 3, 2019)
Adobe Updates for Flash, Reader, Encoder (May 2019)
Microsoft Office Updates (Patchday May 7, 2019)
Critical update for Windows XP up to Windows 7 (May 2019)
Microsoft Security Update Summary (May 14, 2019)
Patchday: Updates for Windows 7/8.1/Server (May 14, 2019)
Patchday Windows 10 Updates (May 14, 2019)
Patchday Microsoft Office Updates (May 14, 2019)
