Issue with March 2018 Microsoft Patches

Hi All,

I was just informed of an issue with the KB4088875 and KB4088878 patches causing issues with vms configured with static ips.

Here is one link:
https://social.technet.microsoft.com/Forums/en-US/ae0d91d5-6c82-4cc5-b60a-8bdfa0bddbad/march-2018-windows-update-removes-virtual-network-adapter-creates-new-default-one?forum=winserversecurity

Thanks for the heads-up! But wait, thereā€™s more!

There are some reports about problems introduced in the March 2018 patch rollups from Microsoft. Iā€™m still gathering info but this is what Iā€™ve seen so far:

  1. Windows 7 and Windows 2008 R2 Virtual Machines, using the vmxnet3 virtual network card, may have their interfaces reset / lose IP addresses / need to be reconfigured. Likely caused by kb4088878.
  2. May also be occurring on older physical workstations (see Reddit thread ā€“ HP 8100, 8200, 8300; Dell Optiplex 9020, nothing we use that I found).
  3. SMB servers may leak memory
  4. STOP error may occur on 32-bit Win7/Win2008 with Physical Address Extension (PAE) mode disabled
  5. Word may crash, have slow performance, or be unable to open a document by double-clicking the file.
  6. To enable mitigations for CredSSP fixes, additional steps are required. See https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018 for information on Group Policy settings.

Microsoft has downgraded the Windows 7 rollup to ā€œImportantā€, so itā€™s not being delivered automatically through Windows Update but is still available via the Update Catalog. Thatā€™s usually an indication that theyā€™re preparing to withdraw the update.

https://support.microsoft.com/en-us/help/4088878/windows-7-update-kb4088878

https://social.technet.microsoft.com/Forums/en-US/ae0d91d5-6c82-4cc5-b60a-8bdfa0bddbad/march-2018-windows-update-removes-virtual-network-adapter-creates-new-default-one?forum=winserversecurity

https://support.microsoft.com/en-us/help/3125574/convenience-rollup-update-for-windows-7-sp1-and-windows-server-2008-r2

https://social.technet.microsoft.com/Forums/office/en-US/ac34c866-ee49-439e-b650-33c8231ae1ca/kb4011730-breaks-word-2016?forum=Office2016ITPro

Yeah, we ran into this issue patching last night. Lost static IP settings on about 20 virtual machines. Anyone know if IBM will be pulling the fixlet? I see itā€™s still in the Patches for Windows site. Iā€™m going to pull it from our baseline for now, but was hoping to see some sort of update by now.

I encountered the Word issue after KB4011730 this morning (Win10 1709 x64, Office 2016 Professional x32).
Installing KB4011732 did not fix it, Iā€™m trying KB4018295 now.

There are not currently Fixlets available for KB4011732 or KB4018295, Iā€™ll post again if KB4018295 fixes it.

Installing KB4018295 corrected the problem for me.
On another system encountering the same problem, removing KB4011730 also fixes it.

Can anyone from BigFix comment on whether youā€™re looking at adding content for KB4018295? It doesnā€™t seem to be listed as a Security issue so Iā€™m not certain whether itā€™s in your plansā€¦

Pinging @Jason_L and @jgstew for availability of fixlet for Word update KB4018295ā€¦ ?

1 Like

I found reference to a VBS Script that resolves the issue with KB4088875 can be added to a copy of the IBM provided Fixlet ID#408887503.

My original attempt was to create task to run the Script as part of a Baseline, but that didnā€™t resolve the issue.

Modifying a copy of the Fixlet by adding the script directly to it, DOES seem to have worked on at least one Win2008R2 VM so far. The initial IF/ENDIF clause is so we only run the script on Virtual servers. I got lazy and pulled the relevance from a property, it really should be limited to just systems running under VMware. Iā€™m also going to be adding some additional code to exclude any of our Citrix servers, but this is the code I added between the Patch installation waithidden command and the action requires restart command.

if {(if ((version of client < "8.0") or (if (windows of operating system) then (platform id of operating system = 3) else false) or (if (version of client >= "8.2.1078.0") then in proxy agent context else false) or (if ((windows of it OR name of it starts with "Linux") of operating system) then false else true)) then "N/A" else (if exists true whose (if true then( (((item 0 of it contains "VMware") or ((item 0 of it contains "Microsoft") and not (item 1 of it as lowercase contains "surface")) or (item 0 of it contains "Xen")) of ((value "manufacturer" of it as string, value "product_name" of it as string) of structure "system_information" of smbios))) else false) then "Virtual" else "Physical")) as string as lowercase = "virtual"}
	delete _createfile
	delete C:\Windows\Temp\RecoverNic.vbs

createfile until ##END##
Option Explicit
Const HKEY_LOCAL_MACHINE = &H80000002
Dim oReg : Set oReg = GetObject("winmgmts:{{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
Dim oShell : Set oShell = CreateObject("WScript.Shell")
Dim sPath, aSub, sKey, aSubToo, sKeyToo, dwValue, Result, SaveResult
Dim NotDeleted
 
NotDeleted = 0
 
' Get all keys within sPath
sPath = "SYSTEM\CurrentControlSet\Enum\PCI"
oReg.EnumKey HKEY_LOCAL_MACHINE, sPath, aSub
 
' Loop through each key
For Each sKey In aSub
    ' Get all subkeys within the key 'sKey'
    oReg.EnumKey HKEY_LOCAL_MACHINE, sPath & "\" & sKey, aSubToo
    For Each sKeyToo In aSubToo
      Result = oReg.DeleteKey(HKEY_LOCAL_MACHINE, sPath & "\" & sKey & "\" & sKeyToo & "\" & "\Device Parameters" & "\SlotPersistentInfo")
      ' Allow failure only if key never existed
      If (Result = 1) Or (Result > 2) Then
        NotDeleted = 1
        SaveResult = Result
      End If
    Next
Next
 
If (NotDeleted > 0) Then 
  Wscript.Echo "One or more SlotPersistentInfo keys still exist under HKLM\System\CurrentControlSet\Enum\PCI\<deviceid>\<subdeviceid>\Device Parameters.  Please delete manually. Result = " & Result
End If 
##END##
move __createfile "C:\Windows\Temp\RecoverNic.vbs"

wait "{pathname of system folder}\cscript.exe" "C:\Windows\Temp\RecoverNic.vbs" >> "C:\Windows\Temp\RecoverNic.log"
endif

So far, Iā€™ve only tested it on one server. Iā€™ll have it tested on more in a little bit. We were fortunate enough to find this yesterday, before we tried to patch several thousand virtualized servers.

3 Likes

Donā€™t understand why IBM BigFix releases those affected patches released by Microsoft.

Do we have any alternate solutions rather than not applying these patches.

Please suggest.

Of course BigFix is going to release the fixlets, if Microsoft releases the patches!

It is up to us as systems administrators to evaluate them. Every action is a balance of risk - the risk of the patch breaking a functionality, vs the risk of an unpatched system getting compromised.

Iā€™ll tell you, even knowing the flaws in this month patch rollups, I am moving ahead with the patches. (So far.) Iā€™ve evaluated my systems, and Iā€™m not using the vmxnet3 adapter and I have a workaround for the Word issues. My risk/impact of compromise is still higher than the risk of the patch breaking my systems.

I will go slow & careful, deploying to my development and test systems first. But I do that every month. I know there are some known problems with this momthā€™s patch rollups. But they have those every month too. Go read last monthā€™s rollup bulletins, check the ā€˜known issuesā€™ section. Or the month before that.

I noticed that was missing from BigFix too, is this something that will become available? what is IBMā€™s stance on implementing content for fixes like this one? just curious if I can expect it to be generated or if I should expect to generate it myself etc.

Jason, when you tested your rollback process, did you just use the built-in rollback wizard or did you take another approach? I tried to use the wizard and it generated a fixlet that was not relevant, and Iā€™m not entirely sure the scripting it generated is correct. just curious if thereā€™s a built in tool you use, or if you generate your own using wusa /uninstall /kb:####### etcā€¦

1 Like

I manually rolled back one client to see whether that fixed the problem (it does).

Instead, Iā€™m moving forward with both the rollup and a custom fixlet for KB4018295

Yeah weā€™re still having a big issue with this. No patch despite it being available for nearly 2 weeks? Not a good look.

And I as well, am having an issue with creating a rollback task for this. No matter what we try, we can not get any computers to show up. We know they have 4011730 installed, we made sure the KB was right in name, made sure the OS was right. Nada. Iā€™m sure for this part weā€™re just missing something very simple, but weā€™re frustrated. We canā€™t roll back, and thereā€™s no patch to push outā€¦ so were looking at another way to push the patch.

Hey Entaille, had a similar problem you had. Created the rollback process based on relevancy, and it would not catch a single computer even though we knew it had dozens of machines with 4011730. Instead, I targeted a specific computer in the wizard and it says it worked, however the patch above was not removed. Support claims that the RollBack tool is only for OS updates and not application updates.

BigFix does plan on releasing content for KB4011732 & KB4018295.
Work looks to be in progress but I donā€™t want to provide a hard eta on these.
I will follow up on this and report back.

1 Like

Thanks much for the update!

BigFix content for KB4011732 & KB4018295 has been released in version 2950 of the Patches for Windows.

2 Likes

Much appreciated, thanks for this!

This is much easier than the VBscript Microsoft is pushing on people. Plus if you run this before the reboot then you shouldnā€™t have a NIC issue when it comes back up.

get-childitem -path HKLM:\SYSTEM\CurrentControlSet\Enum\PCI -Recurse -force -erroraction silentlycontinue | where-object Name -like ā€œ*SlotPersistentInfoā€ | Remove-Item

Thatā€™s only the PowerShell command to change the registry key. Are you meaning to reference this .vbs script:

Dim strPciFileVersion
Dim WindirFilePath
set WshShell = WScript.CreateObject("WScript.Shell")
WindirFilePath = WshShell.ExpandEnvironmentStrings("%WinDir%")
   
Dim fs
Set fs = CreateObject("Scripting.FileSystemObject")
   
strPciFileVersion = fs.getfileversion(WindirFilePath & "\\system32\\drivers\\pci.sys")
Dim strAryFileVersion1
strAryFileVersion1 = Split(strPciFileVersion, ".")
If (strAryFileVersion1(0) = 6 And strAryFileVersion1(1) = 1 And strAryFileVersion1(2) = 7601) Then
                If (strAryFileVersion1(3) < 17630 Or (strAryFileVersion1(3) > 20000 And strAryFileVersion1(3) < 21744)) Then
                               
                                Const HKEY_LOCAL_MACHINE = &H80000002
                                Dim oReg : Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
                                Dim oShell : Set oShell = CreateObject("WScript.Shell")
                                Dim sPath, aSub, sKey, aSubToo, sKeyToo, dwValue, Result, SaveResult
                                Dim NotDeleted
                               
                                NotDeleted = 0
                               
                                ' Get all keys within sPath
                                sPath = "SYSTEM\CurrentControlSet\Enum\PCI"
                                oReg.EnumKey HKEY_LOCAL_MACHINE, sPath, aSub
                               
                                ' Loop through each key
                                For Each sKey In aSub
                                                ' Get all subkeys within the key 'sKey'
                                                oReg.EnumKey HKEY_LOCAL_MACHINE, sPath & "\" & sKey, aSubToo
                                                For Each sKeyToo In aSubToo
                                                  Result = oReg.DeleteKey(HKEY_LOCAL_MACHINE, sPath & "\" & sKey & "\" & sKeyToo & "\" & "\Device Parameters" & "\SlotPersistentInfo")
                                                  ' Allow failure only if key never existed
                                                  If (Result = 1) Or (Result > 2) Then
                                                                NotDeleted = 1
                                                                SaveResult = Result
                                                  End If
                                                Next
                                Next
                               
                                If (NotDeleted > 0) Then
                                  Wscript.Echo "SlotPersistentInfo keys still exist under HKLM\System\CurrentControlSet\Enum\PCI\<deviceid>\<subdeviceid>\Device Parameters.  Please delete all manually and then install the updates. Result = " & Result
                                End If
                Else
                                WScript.Echo "Your system is ready to install the updates"
                End If     
Else
                                WScript.Echo "Your system is ready to install the updates"
End If

I found the above on Microsoftā€™s Technet article for KB4088878 https://support.microsoft.com/en-us/help/4088878/windows-7-update-kb4088878

New article found related to win 7 patches

1 Like