Microsoft Security Updates May 2017 release
Microsoft released security updates, and non-security updates, for all supported versions of Microsoft Windows and other company products on the May 2017's Patch Day.
Windows Vista support ended last month, and this is the first month without Windows Vista updates. Coincidentally, May 9th, 2017 is also the day that support for the Windows 10 RTM version ends.
Microsoft switched to a new system in regards to information about product updates. The company did away with security bulletins last month, and things have gotten more complicated in the process as information are not presented as nicely anymore and take longer to go through.
The guide begins with the executive summary, and lists all security, non-security, and security advisory patches and information afterwards. You also find information on how to download the updates, including direct downloads for cumulative updates for Windows 7, Windows 8.1 and Windows 10.
Note: Some users report that they see the Internet Explorer patch KB3008923 again. This patch should not be installed. More info on this at Infoworld.
Microsoft Security Updates May 2017
You can download the following Excel spreadsheet for a list of all security updates that Microsoft released on this May 2017 Patch day: microsoft-windows-may-2017-all-security-updates.zip
- No more Windows Vista patches.
- This is the last patch day for the Windows 10 RTM release. It won't be supported anymore after today.
- Updates were released for all supported client and server versions of Windows.
- Other Microsoft products with patches are: Internet Explorer, Microsoft Edge, Microsoft Office, the Microsoft .NET Framework, and Adobe Flash Player
Operating System Distribution
- Windows 7:Â 26 vulnerabilities of which 4 are rated critical, and 22 important
- Windows 8.1: 22 vulnerabilities of which 4 are rated critical, and the remaining 18 important
- Windows RT 8.1: 20 vulnerabilities of which 4 are rated critical, and 16 important
- Windows 10 version 1703: 22 vulnerabilities of which four are rated critical, and 16 important.
Windows Server products:
- Windows Server 2008:Â 27 vulnerabilities, of which 4 are rated critical, and 23 important
- Windows Server 2008 R2: 27 vulnerabilities, of which 4 are rated critical, and 23 important
- Windows Server 2012 and 2012 R2: 24 vulnerabilities, of which 4 are rated critical and 20 important
- Windows Server 2016: 23 vulnerabilities of which 4 are rated critical, and 19 important
Other Microsoft Products
- Internet Explorer 11: 10 vulnerabilities, 2 critical, 6 important, 2 moderate
- Microsoft Edge: 28 vulnerabilities, 16 critical, the rest important
- Microsoft Office: varies depending on version. See KB4020152 for information.
KB4019263 -- Security-only update for Windows 7 and Windows Server 2008 R2
- Updated Windows Cryptography API to deprecate SHA-1 for SSL/TLS Server Authentication, including in Microsoft Edge and Internet Explorer 11 . See Advisory 4010323 for more information.
- Security updates to Microsoft Graphics Component, Windows COM, Microsoft ActiveX, Windows Server, Windows kernel, and Microsoft Windows DNS.
KB4019213 -- Security-only update for Windows 8.1 and Windows Server 2012 R2
- Updated Windows Cryptography API to deprecate SHA-1 for SSL/TLS Server Authentication, including in Microsoft Edge and Internet Explorer 11. See Advisory 4010323 for more information.
- Security updates to Microsoft Graphics Component, Microsoft Windows DNS, Windows COM, Windows Server and Windows kernel.
KB4018271 -- Cumulative security update for Internet Explorer: May 9, 2017
- Addressed issue where, after installing security update KB4015551, applications that use msado15.dll stop working.
- Addressed issue where, after installing KB3187754, clients can no longer access a file server when using SMB1 and NTLM authentication under certain conditions. No credential dialog appears, and the user receives the error, â€œA specified logon session does not exist. It may already have been terminated.â€
- Security updates to Microsoft Graphics Component, Windows COM, Windows Server, Windows Kernel, Internet Explorer, and Microsoft Windows DNS.
KB4019216 -- Windows Server 2012 monthly rollup.
KB4019108 -- Security Only update for the .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, and 4.6.2 updates for Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1: May 9, 2017
KB4019109 -- Security Only update for the .NET Framework 2.0 Service Pack 2, 4.5.2, and 4.6 updates for Windows Server 2008 Service Pack 2: May 9, 2017
KB4019110 --Â Security Only update for the .NET Framework 3.5 Service Pack 1, 4.5.2, 4.6, 4.6.1, and 4.6.2 updates for Windows Server 2012: May 9, 2017
KB4019111 -- Security Only update for the .NET Framework 3.5 Service Pack 1, 4.5.2, 4.6, 4.6.1, and 4.6.2 updates for Windows 8.1 and Windows Server 2012 R2: May 9, 2017
Security advisories and updates
Microsoft Security Advisory 4010323 -- Deprecation of SHA-1 for SSL/TLS Certificates in Microsoft Edge and Internet Explorer 11
Microsoft Security Advisory 4021279 -- Vulnerabilities in .NET Core, ASP.NET Core Could Allow Elevation of Privilege
Microsoft Security Advisory 4022345 -- Identifying and correcting failure of Windows Update client to receive updates
Microsoft Security Advisory 4022344 -- Security Update for Microsoft Malware Protection Engine (check out our coverage here)
Non-security related updates
KB4019264 -- Monthly rollup for Windows 7 and Windows Server 2008 R2
- Addressed issue where, after installing security update KB4015549, applications that use msado15.dll stop working.
- Updated Internet Explorer 11â€™s New Tab Page with an integrated newsfeed.
- Deprecated SHA-1 Microsoft Edge and Internet Explorer 11 for SSL/TLS Server Authentication. See Advisory 4010323 for more information.
- Security updates to Internet Explorer, Microsoft Graphics Component, Windows COM, Microsoft ActiveX, Windows Server, Windows kernel, and Microsoft Windows DNS.
KB4019215 -- Monthly rollup for Windows 8.1 and Windows Server 2012 R2
- same as KB4019264
KB4016871 -- Cumulative update for Windows 10 Version 1703 (OS Build 15063.296 and 15063.297)
- Addressed issue with Surface Hub devices waking from sleep approximately every four minutes after the first two hours.
- Addressed issue where autochk.exe can randomly skip drive checks and not fix corruptions, which may lead to data loss.
- Addressed an issue where Microsoft Edge users in networking environments that do not fully support the TCP Fast Open standard may have problems connecting to some websites. Users can re-enable TCP Fast Open in about:flags.
- Addressed issues with Arc Touch mouse Bluetooth connectivity.
- Security updates to Microsoft Edge, Internet Explorer, Microsoft Graphics Component, Windows SMB Server, Windows COM, Microsoft Scripting Engine, Windows kernel, Windows Server, and the .NET Framework.
KB4020498 -- Update for .NET Framework 4.6.2 on Windows Server 2012 for x64
KB4020499 -- Update for .NET Framework 4.6.2 on Windows 8.1 and Windows Server 2012 R2
KB4020500 -- Update for .NET Framework 4.6, 4.6.1 on Windows Embedded 8 Standard and Windows Server 2012
KB4020502 -- Update for .NET Framework 4.6, 4.6.1 on Windows 8.1 and Windows Server 2012 R2
KB4020503 -- Update for .NET Framework 4.6 on Windows Embedded Standard 7, Windows 7, Windows Server 2008 R2, and Windows Server 2008
KB4020505 -- Update for .NET Framework 4.5.2 on Windows 8.1 and Windows Server 2012 R2
KB4020506 -- Update for .NET Framework 4.5.2 on Windows Embedded 8 Standard and Windows Server 2012
KB4020507 -- Update for .NET Framework 4.5.2 on Windows Embedded Standard 7, Windows 7, Windows Server 2008 R2, and Windows Server 2008
KB4020510 -- Update for .NET Framework 4 on WES09 and POSReady 2009
KB4020511 -- Update for .NET Framework 2.0 on Windows Server 2008
KB4020512 -- Update for .NET Framework 3.5 on Windows Embedded 8 Standard and Windows Server 2012
KB4020513 -- Update for .NET Framework 3.5.1 on Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2
KB4020514 -- Update for .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2
KB4020517 -- Update for .NET Framework 2.0 SP2 on WES09 and POSReady 2009
KB4015193 -- Update for Windows 8.1, Windows Server 2012 R2, Windows Embedded 8 Standard, Windows Server 2012, Windows Embedded Standard 7, Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows XP Embedded
KB4015552 -- April, 2017 Preview of Monthly Quality Rollup for Windows 7 and Windows Server 2008 R2
KB4015553 -- April, 2017 Preview of Monthly Quality Rollup for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2
KB4015554 -- April, 2017 Preview of Monthly Quality Rollup for Windows Embedded 8 Standard and Windows Server 2012
KB4016240 -- Windows 10 Version 1703 OS Build 15063.250 upgrade
- Addressed issue where VMs might experience loss in network connectivity while provisioning IP addresses.
- Addressed issue that does not initiate a remote ring on the device when RemoteRing Configuration Service Provider (CSP) is used.
- Addressed issue where a memory leak occurs in Internet Explorer when hosting pages containing nested framesets that load cross-domain content.
- Addressed issue that causes users to get logged out from Web applications intermittently.
- Addressed issue with a very dim internal monitor that may occur when booting with the external monitor only and then switching to the built-in panel only.
- Addressed issue where running Win32 Direct3D applications or games in full-screen exclusive mode causes the system to become unresponsive when resuming from Connected Standby.
- Addressed issue where when upgrading to Windows 10, version 1703, with the system language set to Chinese, the progress page displays geometric shapes instead of the correct localized strings.
- Addressed issue that prevents the lock screen from being disabled using Group Policy on Professional SKUs.
- Addressed issue in Windows Forms configuration options, which causes antivirus applications to stop working at startup.
- Addressed additional issues with compatibility, Internet Explorer, and Microsoft Edge.
How to download and install the May 2017 security updates
All security updates for Microsoft products are available through Windows Update, various business update services and systems, on the Microsoft Download Center website, and also direct downloads provided on the Microsoft Update Catalog website.
Most Windows systems have automatic updates enabled (as it is the default). This means that updates will be pushed to these systems automatically.
You can run manual checks for updates at any time:
- Tap on the Windows-key on your computer keyboard, type Windows Update, and hit the Enter-key.
- Depending on the configuration, Windows Update will run checks for updates automatically, or when you click on the "check for updates" button.
- Updates are then offered for download, or downloaded automatically depending on system settings.
Direct update downloads
Windows 7 SP1 and Windows Server 2008 R2 SP1
KB4019264: May, 2017 Security Monthly Quality Rollup
- KB4019263: May, 2017 Security Only Quality Update
Windows 8.1 and Windows Server 2012 R2
- KB4019215: May, 2017 Security Monthly Quality Rollup
- KB4019213: May, 2017 Security Only Quality Update
Windows 10 and Windows Server 2016 (version 1703)
- KB4016871 --Â Cumulative Update for Windows 10 Version 1703
After updating Windows 10 CU Home x64 today, IE11 just showed the left and top lines of the box that should show the current Flash release level, which was blank. This problem showed up by testing at
I resolved the problem in IE11 by going to IE11 Tools (top right gear) and enabling Flash.
After updating to latest Windows 10 CU on my x64 Home laptop today, IE11 would not show the Flash current level when going to
https://www.adobe.com/software/flash/about/ . I resolved the problem in IE11 by going to IE11 Tools and enabling Flash.
For what it’s worth, after updating Windows 10 CU on my Home x64 laptop today, KB 4020821 Flash, 4018483 Flash, and 890830 Software Removal Tool are not listed in this article, but do show in my Update History. I am not sure why this is so.
https://portal.msrc.microsoft.com/en-us/security-guidance/summary does list KB4020821,
I’m from Chicago. There is a new scam out there. Well maybe not a new one, but new to me. A 1-800-636-8193
call came to my home. It stated that this is an emergency call that my windows product key had expired and I was
to call a number to rectify this situation. I quickly hung up and did not write down the # to call.
I wonder if anyone on this site has received a similar scam alert in their city or town. I find it hard to believe that
microshaft would stoop so low as to attempt this scam. So Beware of these scammer jammers. Hang up immedi-
It’s not Microsoft. As evil as Microsoft is nowadays (and it is very evil), they have nothing to do with those scammers.
Check this youtube channel, it’s got a few scams recorded:
There’s potential entertainment with these pathetic creatures if you know what you are doing. That being said, it seems they target only english-speaking countries. Unless they learn russian I will never get to have some fun with them :(
There seems to be something you left out. The updates to IE11 on Windows 7 (x64 at least) include a new tab page that is enabled by default. It does News Feeds and Top Sites instead of tracking which websites you use frequently. The control to switch between the two is in a logical, if not very obvious place. Internet Options -> General -> Tabs The Dropbox for When a New Tab is Opened, Open…
I tried it briefly, it connects to MSN and it jumps up resource use. It also asks you to log in to your Microsoft Account. I cannot help wonder if it doesn’t spy on other things.
One more good reason to ditch IE which I haven’t used for about 10 years now.
On Windows 10 CU IE11 is essential to use along with Java if you want to successfully have fun playing with the Wordle site. To my knowledge no other current browser will work.
No word on an update to fix their mistaken blocking of Carrizo CPUs or how their even going to update those clients now they’ve blocked them from downloading updates.
Thanks once again for all the hard work Martin.
I really appreciate all the work going into these systematic monthly overviews, they make life so much easier for many of us.
@chesscanoe, there are alternative Word Cloud generators around which don’t require Java: http://www.wordclouds.com/
P.S. No “Reply” button visible underneath your post.
Thanks for the WordClouds tip. It works well in Chrome without Java, and can do some interesting things well. I’m still learning to use it effectively in conjunction with GIMP and IrfanView.
Is there any easy way to install only security updates for Windows 7 that hasn’t been updated in while without getting all “install W10/telemetry etc. crap”…..
I was wondering about this too. I haven’t been downloading any of the updates when they started to suspiciously bundle them all in one pack, and now I’m a bit confused which package contains what.
WSUS Offline Update (a free third-party utility), with the “security updates only” option enabled. Martin did an article on it four months ago, here:
WSUS Offline Update 10.9: download security updates only – gHacks Tech News
It’s a portable program that doesn’t like long paths. I just put mine in the root of C:, thus: C:\WSUS.
You run it using two separate executables, first a downloader, and then an installer. If I’m remembering correctly, the installer is nested inside a subfolder. (I made shortcuts to them.)
I stopped using Windows Update when Microsoft switched to rollups and a few months later I started using WSUS Offline Update. It seems to have worked pretty well for me so far. I believe it maintains its own blacklist of buggy or questionable patches, which might be why Belarc Advisor still shows me as missing a couple. (You can definitely add your own blacklist.) Regardless, I trust it more than I trust Windows Update.
Ms 2012 R2 cluster serious performance issue after applying KB4019215 quality update, server takes ages to logon and file shares slowdown. this happens on two separate Dell R620 servers, nothing in logs
Anyone else have issues with Resource Monitor opening since the last two patches?
I had not opened or used it since March so I had ran a few updates and this week and now I cannot get Resource Monitor to open (I am not getting a transparent box like others complained about in the past, it is just not opening at all). I tried to open in the Command line as well as from within the task manager. I click and it spins wheel of thinking for a second and then nothing happens.
I have these four updates showing as successfully installed in Windows 8.1 Reliability Monitor a couple of days ago:
Installation Successful: Windows successfully installed the following update: Microsoft.WinJS.1.0
Installation Successful: Windows successfully installed the following update: Microsoft.Media.PlayReadyClient
Installation Successful: Windows successfully installed the following update: Microsoft.VCLibs.120.00.Preview
Installation Successful: Windows successfully installed the following update: Microsoft.VCLibs.110.00
However, they don’t appear in in Windows Update which I have set to “Check for updates but let me choose whether to install them” and neither do they appear anywhere in Programs & Features.
I managed to track them down on a site which dates from 2013, but although it provides instructions for removing them (possibly), I can’t find any info anywhere on how to prevent them from reinstalling again. Here’s the relevant site: https://tweakhound.com/2013/11/04/uninstalling-metro-apps-advanced/
Does anyone know of a registry key to prevent that happening?
Needless to say, I don’t like the idea of Microsoft deciding unilaterally what gets downloaded to my system.
Anyone knows about issues with bitlocker?
ever since kb4019472 I see people ask for recovery key for bitlocker
yeah those updates for may messed up with the power plan and the speed step of my intel cpu on server 2012 r2. i want some power saving plan + ThrottleStop 8.48 and the cpu was to the max no matter what. I installed the preview for june and it came back.