On Patchday, July 11, 2023, Microsoft released a bunch of security updates for Windows, Office and other products. In addition, a vulnerability in the HTML component of IE became known, which could allow an RCE attack on Office and Windows with system takeover. There is no patch for this, only countermeasures for protection. Some readers also complain about issues after the update, among other things because Kerberos hardening measures have been in effect since July 2023 and can no longer be disabled. Here is part 1 of a follow-up on these issues.
Unpatched HTML RCE Vulnerability CVE-2023-36884
As of July 11, 2023 (patchday), a 0-day vulnerability (CVE-2023-36884) has become public, allowing remote code execution in Microsoft Windows and Office. The vulnerability has already been exploited by hackers from the Storm-0978 group for attacks on various targets (e.g. NATO summit in July 2023). Currently, however, there is no patch; Microsoft has only published mitigation instructions. I have compiled everything you should know in the blog post HTML RCE Vulnerability CVE-2023-36884 Allows Office and Windows System Takeover.
Vulnerabilities to patch
The July 11, 2023 security updates address 130 vulnerabilities in Microsoft products, five of which are 0-days. The articles at the end of the post list the updates for Windows and Office, where these are distributed via Windows Update. A list of the vulnerabilities that should be closed can be found in the blog post Microsoft Security Update Summary (July 11, 2023).
Network issues
With the security updates for Windows, the first stage of the enforcement mode will be activated for the Netlogon and Kerberos protocols from July 11, 2023 (see Updates for Windows (Nov. 2022): Changes in Netlogon and Kerberos protocol – causing issues). So if there are problems with communication with the DC, the adjustment to Netlogon and Kerberos cannot be turned off while the update is installed. This is possibly the cause of the warnings in the comments I received in my German blog that there are problems with the network.
Connect problem with OpenLDAP server as DC
In this German comment, a user points out that there are problems after installing KB5028166 on Windows 10 22H2. Domain users can no longer log on to the client directly and via RDP (error 0xC000018D): "The trust relationship between this workstation and the primary domain could not be established".
Removing the client from the domain and adding it again works, but then the error reappears. The only current solution is to uninstall KB5028166. The problem is probably LDAP signing, but in the current case this is due to the OpenLDAP server.
Problems with SAMBA servers
If a SAMBA server is used as domain controller, Windows clients will probably not be able to connect after the update installation. The German comment thread here addresses the issue:
Since the update, my Windows 2022 servers have lost their domain trust (Netlogon Event ID 3210).
A "Test-ComputerSecureChannel -Repair" does not help either. Possibly worth mentioning: our AD DC is a Samba 4.15.13
There are further confirmations that there are connection problems with SAMBA. In the meantime, the SAMBA project has this bug report about this problem.
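A triage check for the trust failures reported above, as an added example that is not from the original post or its commenters: it reports which of the July 2023 updates named on this page are installed, whether the secure channel to the domain controller is intact, and whether Netlogon event 3210 was logged after the install. The function name and the 14-day lookback are assumptions; run it in an elevated Windows PowerShell 5.1 session on the affected domain member.

```powershell
# Added example. KB numbers, event ID 3210 and Test-ComputerSecureChannel come
# from the reports on this page; everything else is illustrative.
$JulyKbs = 'KB5028166', 'KB5028171', 'KB5028185'   # Win10 22H2, Server 2022, Win11 22H2

function Get-JulyPatchTrustStatus {                # hypothetical helper name
    param([int]$LookbackDays = 14)                 # assumption: window covering patchday

    # Which of the July 2023 cumulative updates are installed on this machine?
    $installed = @(Get-HotFix -Id $JulyKbs -ErrorAction SilentlyContinue)

    # Test-ComputerSecureChannel only makes sense on a domain member.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $channelOk = $null
    if ($cs.PartOfDomain) {
        try   { $channelOk = [bool](Test-ComputerSecureChannel -ErrorAction Stop) }
        catch { $channelOk = $false }              # cmdlet threw: treat as broken
    }

    # Netlogon event 3210: the machine failed to authenticate with a DC.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 3210
        StartTime    = (Get-Date).AddDays(-$LookbackDays)
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    # InstalledOn can be empty on some systems; only compare when it is present.
    $firstInstall = $installed | Where-Object InstalledOn |
        Sort-Object InstalledOn | Select-Object -First 1 -ExpandProperty InstalledOn
    $afterPatch = if ($firstInstall) {
        @($events | Where-Object { $_.TimeCreated -ge $firstInstall })
    } else { @() }

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        Domain              = if ($cs.PartOfDomain) { $cs.Domain } else { $null }
        InstalledJulyKbs    = $installed.HotFixID -join ', '
        SecureChannelOk     = $channelOk
        Event3210InWindow   = $events.Count
        Event3210AfterPatch = $afterPatch.Count
        LastEvent3210       = ($events | Select-Object -First 1).TimeCreated
    }
}

Get-JulyPatchTrustStatus | Format-List
```

A machine that shows one of the July updates installed, `SecureChannelOk` false and a non-zero `Event3210AfterPatch` matches the pattern the commenters describe.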
Windows 10 Embedded loses network configuration
In this German comment Michael reports that several Windows 10 Embedded machines have been found to lose network configuration due to the update. Existing network interfaces seem to be recognized as a new device, so possibly static IP, DNS, etc. are lost in the update.
IGEL OS fails with RDP access
In this German comment Hartmut reports that Windows 10 Pro clients with version 22H2 are having problems with RDP after installing KB5028166. With the update installed, "IGELs can no longer access it via RDP," it says. My guess is that it's IGEL OS, a platform-independent, Linux-based endpoint operating system designed for easy, intelligent and secure access to virtual applications, desktops and cloud workspaces. The user also posted the problem at administrator.de, where it is blamed on IGEL-OS V 11.
WLAN adapter problems
There are only two vague reports about problems with WLAN adapters in connection with the July 2023 updates. Holger reports a rejected TP-Link Archer T1U WLAN adapter here because the driver is quoted as "not safe". Could be related to the topic from the blog post Windows: Malware still loadable in kernel drivers (RedDriver attack). A similar issue is feared here (German) by tecci for AVM WLAN sticks.
Installation errors during updates
So far, the reports about installation errors are still limited. From tecci there is this German comment that 5 machines had problems with the update KB5028166 (Windows 10) during reboot at the latest. In a German follow-up comment, tecci adds that the installation fails very reliably due to outdated Intel drivers. His advice: Get everything up to date via INTEL Driver & Support Wizard, then it will run. Otherwise the installation stops at 74% and stalls on shutdown during reboot. However, ESET NOD32 AntiVirus later turned out to be the troublemaker.
MWC, however, reports serious problems with Windows Server 2016 / 2019 here: the installation of updates is rolled back after the reboot with error 0x800f0922. No more updates can be installed.
Update KB5028185: Error message 0x800f081f on Surface
German blog reader Reinhard H. emailed me about another problem. On his brand-new Microsoft Surface Go 3, he is having installation problems with cumulative update KB5028185 (the update is described in the blog post Patchday: Windows 11/Server 2022-Updates (July 11, 2023)). The reader told me the following about the Windows 22H2 update (translated):
KB5028185, error message 0x800f081f
Hello Günter,
just a brief bit of info, I think you collect such things.
Just now in July patchday here (brand new Microsoft Surface GO3, Win11 Home with Defender) had these problems.
Troubleshooting, sfc, dism, manual install and delete of software distribution didn't help.
Actually, Microsoft should be particularly careful with its own computers…..
The Windows 11 Update Manager error message indicates that important system files are missing or have incorrect references there – the error code has been running through Windows 10/11 for years. Since the above methods with a debug using sfc and dism didn't help, I'm assuming it's either the update package or there is already corruption to the system files on the new device.
His post on German site deskmodder.de gave the advice on an "inplace upgrade" by installing Windows 11 from the running Windows. But even after this step, there were problems with the update installation. Since the user writes that "Windows 11 is recovering" and slowly installing updates, I assume that Microsoft noticed the bug and fixed the update package.
In the meantime there are other places on the Internet (e.g. Windows Central, or here, as well as in the Microsoft Techcommunity) where this installation error 0x800f081f is described for Windows 11 22H2 for the update KB5028185.
Application issues after update installation
There are some reports of isolated problems with software that stops working after installing Windows updates. Here are the reader notes in question – but they are related to EDR/virus protection solutions from PaloAlto Cortex.
Chromium browsers won't launch in VDIs
German reader Christoph reported in this German comment that after installing the update KB5028171 on Windows Server 2022, no Chromium-based browsers (Chrome, Edge) can be opened in VDIs (virtual desktop environments based on Windows Server 2022 21H2). Only a white window appears briefly and closes again shortly afterwards.
The root cause is the GPU support of the Chromium based browsers. Disabling the GPU support via registry or startup parameters does not change anything. The current solution is to uninstall the update. The bug has been confirmed by other readers, where the hint came that the Cortex XDR virus guard is the cause. Disabling it fixes the problem of the browser not starting anymore (not the first time there is this effect).
Query WMI in PRTG returns error
After installing July updates KB5028171 and KB5028943, Windows Server 2022 installations can no longer be queried via WMI according to this comment from Bjoern. PRTG reports e.g. error 8080005: Server execution failed. However, it is an isolated issue for environments where Palo Alto Cortex EDR is running. Disabling/uninstalling Cortex or uninstalling update KB5028171 fixes the problem.
Mouse stuttering in Windows 11 fixed
If I interpret the article from neowin.net correctly, a problem has been fixed in Windows 11 that caused a stuttering reaction to mouse movements.
Outlook Exchange starts in ECM
In June 2023 I had published the German blog post Outlook-Exchange-Probleme: Startet nur noch im Exchange Cache Modus (ECM), which discusses the effect that Outlook clients can only be operated in cache mode (ECM). German blog reader Dennis contacted me in a private Facebook message on July 12, 2023 and wrote that a customer of his with three terminal servers had "recently" encountered the above error again.
Similar articles:
Microsoft Security Update Summary (July 11, 2023)
Patchday: Windows 10-Updates (July 11, 2023)
Patchday: Windows 11/Server 2022-Updates (July 11, 2023)
Windows 7/Server 2008 R2; Server 2012 R2: Updates (July 11, 2023)
Microsoft Office Updates (July 11, 2023)
HTML RCE Vulnerability CVE-2023-36884 Allows Office and Windows System Takeover
Windows: Malware still loadable in kernel drivers (RedDriver attack)
China hacker (Storm-0558) accessed Outlook accounts in Microsoft's cloud
Microsoft July 2023 Patchday issues (Windows, Office, Apps) – Part I
Microsoft July 2023 Patchday issues: Windows 10 22H2 Update KB5028166 – Part II