Massive March Patch Tuesday relaxes antivirus restrictions, but there are problems

With 74 separately identified plugged holes, every version of Windows and Office gets goosed. No known exploits for any “Critical” vulnerabilities, but there’s a report of more forced upgrades.


On a scale from 1 to 10, Microsoft in March has ratcheted the patching pace up to 11. The good news is that there are no known exploits for any of the “Critical” rated security holes. (Worth repeating: There are still no known exploits for Meltdown or Spectre.) The bad news? Reports of another forced upgrade to Win10 Fall Creators Update. Still waiting for confirmation on that one.

By the numbers

As usual, Martin Brinkmann on ghacks.net has the best summary:

  • Windows 7: 21 vulnerabilities, of which 21 are rated important
  • Windows 8.1: 20 vulnerabilities, of which 20 are rated important
  • Windows 10 version 1607: 29 vulnerabilities, of which 29 are rated important
  • Windows 10 version 1703: 28 vulnerabilities, of which 28 are rated important
  • Windows 10 version 1709: 24 vulnerabilities, of which 24 are rated important
  • Windows Server 2008: 21 vulnerabilities, of which 21 are rated important
  • Windows Server 2008 R2: 22 vulnerabilities, of which 22 are rated important
  • Windows Server 2012 and 2012 R2: 21 vulnerabilities, of which 21 are rated important
  • Windows Server 2016: 29 vulnerabilities, of which 29 are rated important
  • Internet Explorer 11: 7 vulnerabilities, 2 critical, 5 important
  • Microsoft Edge: 16 vulnerabilities, 12 critical, 4 important

Microsoft lists 157 updates. If you break those down into individual patches for specific platforms, the total damage comes to 1,352 rubber-meets-the-road patches. Looks like patching is set to become Microsoft’s next billion-dollar business.

Johannes Ullrich at the SANS Internet Storm Center lists the specific fixed security holes by CVE number, confirming that two of the CVEs have been disclosed to the world, but none of them have been exploited — and the two disclosed CVEs are listed as “Severity: Important” which means that they really aren’t all that important.

Office had 23 security patches and 26 non-security patches this month. None of them appear to be pressing — although the Equation Editor security hole I warned you about in January is under active attack. Curiously, Office 2007 is still getting patched, even though it hit the end of extended support almost a year ago.

Meltdown and Spectre updates

Microsoft reissued its Security Advisory ADV180002, “Guidance to mitigate speculative execution side-channel vulnerabilities,” to announce that it’s distributing Meltdown patches for 32-bit versions of Win7 and 8.1, which have been conspicuously absent. There’s a list of Server 2008 and Server 2012 patches that cover Meltdown. There’s also a long list of new microcode patches for Intel processors — but none of the announced KB articles (e.g., KB 4091663 for 1703, KB 4091664 for 1607) are available, as of early Wednesday morning.

Again, for emphasis, there are no known Meltdown or Spectre exploits in the wild.

Win10 patches no longer require antivirus stamps

This month’s Win10 patches no longer look for the QualityCompat registry key. As Gregg Keizer explained in January, the Meltdown and Spectre patches caused mayhem with some antivirus products. The solution was to require antivirus packages to set a specific registry key declaring that they were compatible with the January patches. That requirement extended to February, but this month it’s been dropped for Windows 10 machines.

Says ‘Softie John Cable:

Based on our analysis of available data, we are now lifting the AV compatibility check for the March Windows security updates for supported Windows 10 devices via Windows Update ... in cases where there are known issues of AV driver compatibility, we will block those devices from receiving Windows updates to avoid any issues.

So instead of requiring a registry flag, the Win10 patch installers now look for incompatible antivirus software and refuse to install if a bad antivirus is detected.

There’s no change for Win7 or 8.1 machines. If you want this month’s Security-Only or Monthly Rollup, you (or your antivirus software) have to set the QualityCompat registry key.
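A quick way to see where a machine stands on the QualityCompat requirement described above, as an added example that is not from the article or from Microsoft. The full key path and the REG_DWORD value name below are assumed from Microsoft’s January guidance; the page itself names only the QualityCompat key.

```powershell
# Added example (not from the article): reports whether the QualityCompat flag that
# this month's Win7/8.1 Security-Only and Monthly Rollup patches still require is set.
# Assumed (from Microsoft's January guidance, not from this page): the key path and the
# REG_DWORD value name below, which antivirus vendors were told to create with data 0.
$QualityCompatKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$QualityCompatValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Get-QualityCompatState {
    $os    = Get-WmiObject -Class Win32_OperatingSystem
    $major = [int]($os.Version.Split('.')[0])
    # Windows 10 reports version 10.x; the March Win10 installers no longer look for the
    # flag and instead refuse to run when a known-incompatible antivirus is present.
    if ($major -ge 10) {
        return 'Not required (Windows 10: the installer checks AV compatibility itself)'
    }
    $item = Get-ItemProperty -Path $QualityCompatKey -Name $QualityCompatValue `
                             -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return 'Missing: this month''s Security-Only/Monthly Rollup will not be offered'
    }
    if ([int]$item.$QualityCompatValue -eq 0) {
        return 'Present (data 0): Security-Only/Monthly Rollup will be offered'
    }
    return "Present but with unexpected data $($item.$QualityCompatValue)"
}

"QualityCompat flag: $(Get-QualityCompatState)"
```

Run it in an elevated PowerShell session on each Win7/8.1 box that is unexpectedly not being offered the March patches; a Missing result usually means the antivirus vendor has not yet declared compatibility.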

Remote Desktop Protocol and CredSSP

If you or your organization uses Remote Desktop Protocol to connect machines, you need to pay particular attention to the warning in the CVE-2018-0886 support page, KB 4093492:

The initial March 13, 2018, release updates the CredSSP authentication protocol and the Remote Desktop clients for all affected platforms. Mitigation consists of installing the update on all eligible client and server operating systems and then using included Group Policy settings or registry-based equivalents to manage the setting options on the client and server computers. We recommend that administrators apply the policy and set it to “Force updated clients” or “Mitigated” on client and server computers as soon as possible. These changes will require a reboot of the affected systems. Pay close attention to Group Policy or registry settings pairs that result in “Blocked” interactions between clients and servers in the compatibility table later in this article.

Protection from the CredSSP exploit will roll out in three consecutive monthly Patch Tuesday patches, each increasingly restrictive. Susan Bradley has full details on AskWoody.
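To audit the CredSSP setting and work out which client/server pairs end up “Blocked,” here is an added example (not from the article, the KB, or AskWoody). It assumes, from Microsoft’s CVE-2018-0886 guidance rather than this page, that the policy is backed by the AllowEncryptionOracle registry value at the path below (0 = Force updated clients, 1 = Mitigated, 2 = Vulnerable), that an absent value on the March update behaves as Vulnerable, and that the Blocked pairs follow from the three setting definitions as encoded in Test-CredSspPair.

```powershell
# Added example (not from the article or from Microsoft): audits the local CredSSP
# "Encryption Oracle Remediation" setting and lists client/server pairs that are Blocked.
# Assumed from Microsoft's CVE-2018-0886 guidance, not from this page:
#   AllowEncryptionOracle REG_DWORD at the path below, 0/1/2 as mapped in $Names;
#   value absent on the March update behaves as Vulnerable (default changed later).
$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$Names = @{ 0 = 'Force updated clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-CredSspOracleSetting {
    $item = Get-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not configured (behaves as Vulnerable on the March update)' }
    $v = [int]$item.AllowEncryptionOracle
    if ($Names.ContainsKey($v)) { return $Names[$v] }
    return "Unknown value $v"
}

# Outcome of a CredSSP (e.g. RDP) connection for one client/server pair.
# 'Unpatched' means the March update is not installed on that side.
function Test-CredSspPair {
    param([string]$Client, [string]$Server)
    # A patched client set to Force updated clients or Mitigated will not fall back
    # to the insecure protocol, so an unpatched server is blocked.
    if ($Server -eq 'Unpatched' -and
        (@('Force updated clients', 'Mitigated') -contains $Client)) { return 'Blocked' }
    # A server set to Force updated clients rejects unpatched clients.
    if ($Server -eq 'Force updated clients' -and $Client -eq 'Unpatched') { return 'Blocked' }
    # Every other combination, including Vulnerable on either side, connects.
    return 'Allowed'
}

$states = @('Unpatched', 'Force updated clients', 'Mitigated', 'Vulnerable')
"Local CredSSP setting: $(Get-CredSspOracleSetting)"
"Client/server pairs that result in Blocked:"
foreach ($c in $states) {
    foreach ($s in $states) {
        if ((Test-CredSspPair -Client $c -Server $s) -eq 'Blocked') { "  client=$c  server=$s" }
    }
}
```

A local result of Vulnerable or Not configured is the finding to act on: it keeps connections working but leaves the CredSSP weakness open on that side.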

Other warnings

As befits a data dump of this magnitude, warnings — official and otherwise — abound.

Win7/Server 2008 R2: both the Security-Only and Monthly Rollup patches can cause blue screens. From the KB articles:

A Stop error occurs if this update is applied to a 32-Bit (x86) machine with the Physical Address Extension (PAE) mode disabled

A Stop error occurs on machines that don't support Streaming Single Instructions Multiple Data (SIMD) Extensions 2 (SSE2)

SMB servers may leak memory.

Return of the 1709 forced upgrade: Microsoft claims it has turned off the forced upgrades to Win10 Fall Creators Update, version 1709, so I find this most distressing. Poster @dononline on AskWoody reports:

So, I have all the known — at least to me — settings in place on all three of my WIN 10 1607 Pro computers to keep MS from force feeding any of them the WIN 10 1709 Upgrade. … After I had hidden all the monthly updates and had updated the Windows Defender virus definitions, before I could go back to Windows Update Blocker to turn Services back off, guess what popped up? Why, it was the good old Windows 10 Update Assistant and the upgrade to WIN 10 1709 was speeding right along!

Susan Bradley offers an explanation:

If you manually kick a check for updates, you trigger a potential check in to the Windows 10 feature update.

And MrBrian elaborates:

A problem with some Windows 10 update blocking methods is that when updates are turned on, automatic updates may start downloading and installing. Perhaps that’s what happened to you. In my opinion, what is needed is a method that stops automatic Windows 10 updates; I will be testing this method for hopefully doing so soon.

KB4023814 is an update that installs the Windows 10 Update Assistant. See this post for how to get rid of the Windows 10 Update Assistant.

In addition there’s the usual background radiation of people who can’t get the patches installed, for various reasons. In many cases, that’s a blessing — be careful what you wish for, eh? The standard Reddit troubleshooting advice applies:

If you've tried basic troubleshooting steps for the issue(s) you're encountering and these don’t help, please be kind to submit your issue to the Feedback Hub. This is the best approach to get your feedback properly channeled to the Engineering Team, and we can also gather additional details and information about your issue so that we can figure out what’s causing it and address it.  

What to do

Nothing. There are no pressing security problems, no widespread exploits pounding at your door. I continue to recommend that you avoid IE and Edge, and use Chrome, Firefox, or one of the many alternatives. If you have to use Flash, limit it to one browser (I use Chrome) and set Chrome so you have to manually approve Flash each time it runs, or to only run Flash on sites that you approve.

Personally, I’m waiting to see if the Win10 Fall Creators Update, version 1709, patch causes any more problems. If not, and 1709 is stable, I’ll be looking to move from 1703 to 1709 in a couple of weeks.

Join us for popcorn and plaints on the AskWoody Lounge.
