This is the second follow-up to the original January 2018 Update release discussed in this Zendesk article (click link). Of note in this update were the first patches for the Spectre and Meltdown viruses. The second update covering all Microsoft Security Patches between January 17 and August 20, 2018 was released in this Zendesk article (clink link). Of note in the second update was protection for Spectre Variant 2.
This third Windows update covers all Microsoft Security Patches between August 21, 2018 and May 31, 2019, of particular note is the patch for the Intel ZombieLoad vulnerability. This is an incremental update, which means the earlier update MUST be applied before applying this update. These patches include the following:
- kb4483187 - Cumulative security update for Internet Explorer 11. A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer.
- kb4019990 - Installs necessary DLLs to allow for .net framework 4.7 installation.
- kb4474419 - Allows SHA-2 code signing support
- kb4483458 - Removes Remote code execution vulnerabilities for .net Framework
- kb4493472 - Cumulative update that fixes Spectre Variant 2 for VIA based systems, windows kernel errors, netdom.exe errors and various dll fixes.
- kb4490628 (x64 only) - Quality improvements for Windows Updates
- kb4483451 (x64 only) - Removes Remote code execution vulnerabilies and a vulnerability with how .net framework parses urls
- kb4486546 (x64 only) - Addresses an issue in System.Threading.Timer where a single global queue that was protected by a single process-wide lock causing a issues with scalability where Timers are used frequently on multi-CPU machine. Addresses an issue that caused compatibility breaks seen in some System.Data.SqlClient usage scenarios. Improved the memory allocation and cleanup scheduling behavior of the weak-event pattern.
- kb4499164 - Provides protections against a new subclass of speculative execution side-channel vulnerabilities, known as Microarchitectural Data Sampling
- kb4495606 - Denial of service vulnerabilities exist when .NET Framework improperly handles objects in heap memory, or when .NET Framework and .NET Core improperly process RegEx strings.
- kb4505050 - Addresses an issue that may prevent access to some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) when using Internet Explorer 11 or Microsoft Edge.
- kb4495588 - Denial of service vulnerabilities exist when .NET Framework improperly handles objects in heap memory, or when .NET Framework and .NET Core improperly process RegEx strings.
In case one is unsure whether earlier updates have been applied yet or not and to verify that this update is fully applied, AtlasIED has written a small Updater Searcher utility, which may be downloaded here (click link).
It has also been learned that in certain instances, the Internet Explorer update to version 11 that is part of Update 1 does not get properly installed. So, the Update Searcher specifically checks for IE 11 to be present on the system. If not, present, one should run the IE 11 standalone installer included in a separate folder in the Windows Update 2 package.
The current Windows Update 3 package may be downloaded here (click link). (Note, this is a 1.7 GB file, so may take some time to download.) One should unZIP a package to local folders and go into the x86 (32-bit Windows) or x64 (64-bit Windows) folder for the proper updates. There is a !ReadMe.txt file in each folder with instructions.
Insuring Sufficient Hard Drive Space for Updates
If the installation process makes an error right at the beginning (e.g., 0x80070070), then most likely the updater does not have sufficient free space to unpack and apply the Windows updates. One should insure there is at least 4 GB of free space on the C: drive (after update files are copied to the system). Older systems with both C: and D: partitions, and systems that have had several GLOBALCOM/GCK software updates applied, could find this to not be the case. Steps one can take to alleviate this problem are:
- Do not copy the update files to the C: drive (or desktop). Copy it to the D: drive (if present) or leave on a USB drive with sufficient free space. It may unpack a little slower from the USB drive, but at least it will not take up precious space.
- Delete old copies of GLOBALCOM/GCK files. The procedure is in the attached document, GC Disk Clean-up.pdf.
- Run the Windows Disk Cleanup app and free up any temporary files still on the C: drive