Microsoft Security Updates August 2017 release

Microsoft released security updates for all supported versions of Microsoft Windows and other company products on August 8, 2017.

This guide provides you with detailed information on these updates. It lists the products that are affected by vulnerabilities, and starts with an Executive Summary that highlights the most important bits of information.

The operating system and other Microsoft product distribution listing follows which highlights how Windows Client and Server products and other company products are affected this month,

The next part of the guide lists new security advisories, and non-security updates that Microsoft released this month.

You find direct links to cumulative security and monthly rollup updates for Windows 10, Windows 8.1 and Windows 7 (and server variants), and download instructions afterwards.

You can check out the July 2017 Patch day overview for information in case you missed it.

Microsoft Security Updates August 2017

You can download the following Excel spreadsheet which lists all security updates that Microsoft released since the last Patch Tuesday in July.

Just click on the following link to download the spreadsheet to your system:  microsoft-security-updates-august-2917-1.zip

Executive Summary

• Microsoft released security patches for all versions of Microsoft Windows.
• Other Microsoft products with patched vulnerabilities are Microsoft Edge, Internet Explorer, Microsoft SharePoint and Microsoft SQL Server

Operating System Distribution

• Windows 7:  9 vulnerabilities of which 2 are rated critical, 7 important
• Windows 8.1: 11 vulnerabilities of which 4 are rated critical, 7 important
• Windows 10 version 1703: 14 vulnerabilities of which 5 are rated critical, 9 important

Windows Server products:

• Windows Server 2008 R2: 10 vulnerabilities, of which 3 are rated critical, 7 important
• Windows Server 2012 and 2012 R2: 11 vulnerabilities, of which 4 are rated critical 7 important
• Windows Server 2016: 12 vulnerabilities of which 4 are rated critical, 8 important

Other Microsoft Products

• Internet Explorer 11: 8  vulnerabilities, 7 critical, 1 important
• Microsoft Edge: 28 vulnerabilities, 21 critical,  7 important, 1 moderate

Security Updates

KB4034674 -- August 8, 2017 Cumulative update for Windows 10 Version 1703

• Addressed issue where the policies provisioned using Mobile Device Management (MDM) should take precedence over policies set by provisioning packages.
• Addressed issue where the Site to Zone Assignment List group policy (GPO) was not set on machines when it was enabled.
• Addressed issue where the AppLocker rules wizard crashes when selecting accounts.
• Addressed issue where the primary computer relationship is not determined when you have a disjoint NetBIOS domain name for your DNS Name. This prevents folder redirection and roaming profiles from successfully blocking your profile or redirects folders to a non-primary computer.
• Addressed issue where an access violation in the Mobile Device Manager Enterprise feature causes stop errors.
• Security updates to Microsoft Edge, Microsoft Windows Search Component, Microsoft Scripting Engine, Microsoft Windows PDF Library, Windows Hyper-V, Windows Server, Windows kernel-mode drivers, Windows Subsystem for Linux, Windows shell, Common Log File System Driver, Internet Explorer, and the Microsoft JET Database Engine.

KB4034679 -- August 8, 2017 Security only update for Windows 7 SP1 and Windows Server 2008 R2 SP1

• Security updates to Windows Server, Microsoft JET Database Engine, Windows kernel-mode drivers, Common Log File System Driver, Microsoft Windows Search Component, and Volume Manager Driver.

KB4034664 -- August 8, 2017 Monthly Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1

Same as KB4034679

KB4034672 -- August 8, 2017 Security only update for Windows 8.1 and Windows Server 2012 R2

• Addressed issue where a LUN connection that was received after the buffer allocation during iSCSI statistic collection overflowed the buffer and caused error 0x19. A UI issue that hides the iSCSI targets will be addressed in an upcoming release.
• Security updates to Windows Server, Microsoft Windows Search Component, Volume Manager Driver, Common Log File System Driver, Microsoft Windows PDF Library, Microsoft JET Database Engine, Windows kernel-mode drivers, and Windows Hyper-V.

KB4034681 -- August 8, 2017 Monthly Rollup for Windows 8.1 and Windows Server 2012 R2

same as KB4034672, plus

• Addressed issue with a port and thread leak that can cause a broad array of symptoms including unresponsive systems and iSCSI target connection failures. This occurs after installing monthly updates released between April 11, 2017 (KB4015550) through July 11, 2017 (KB4025336). This issue was called out as known issue in the corresponding release notes for these releases.
• Addressed issue where LSASS.EXE encounters a deadlock and the server must be rebooted.
• Addressed issue where the Remote Desktop idle timeout warning did not appear after setting the idle time.
• Addressed issue with MSiSCSI where the system process has a very high number of threads or the server runs out of ephemeral ports. This causes the system to stop responding or throw an error.
• Addressed issue where when a failover cluster fails over from one server to another, a clustered IP address resource does not come online and causes the failover to stop functioning.
• Addressed issue where a DNS server may crash after the import of the DSSet file when configuring secure, delegated child zones.
• Addressed issue where a LUN connection that was received after the buffer allocation during iSCSI statistic collection overflowed the buffer and caused error 0x19. A UI issue that hides the iSCSI targets will be addressed in an upcoming release..
• Addressed issue where if there was an error on a storage controller, some paths could not fail over to other paths. Instead, access to the disk was completely lost.
• Addressed issue to prevent user logon delays when processes that have registered top-level windows fail to respond to BroadcastSystemMessages sent by the Group Policy Preference client-side extensions.
• Addressed issue where Windows Server 2012R2 throws error “STOP 0XCA (Duplicate PDO)” when redirecting certain USB devices using RemoteFX. To fix this, do the following:Go to the registry location SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations.
  Create a new DWORD value “fUniqueInstanceID ”.
  Set the value to “1”.
  Reboot after setting this registry.
• Addressed issue where enabling the policy “Display information about previous logons during user logon” prevents Remote Desktop Protocol providers from allowing logins with no user interaction.
• Addressed issue where the TsPubRPC service running in Svchost.exe experiences a memory leak when RemoteApp applications are configured with file type associations.
• Addressed issue where files and folders accumulate in the UvhdCleanupBin folder in Remote Desktop session hosts. These files are not deleted when a user logs off if the path limit is exceeded. In extreme cases, this issue can cause logon failures.
• Addressed issue where a Microsoft Enterprise CA cannot request that a Microsoft subordinate CA template be used for key encipherment. A single certificate can provide multiple usages like key encipherment and CRL signing.
• Addressed issue to allow NPS servers to accept certificates with multiple usages.
• Addressed issue where both transient and listener process TCP ports for the loopback sockets leak because of a leaked reference count. Such ports do not appear in NETSTAT.
• Addressed issue to enable logging to detect weak cryptography.
• Addressed issue with wireless network clients that disconnect from wireless access points after the EAPOL key retransmission timeout (5 minutes). This occurs because the M2 bit is incorrectly set during the four-way handshake.
• Addressed issue where a request to a website results in a 503 response when IIS runs in "Dynamic Site Activation (DSA) Mode". This occurs when the default app pool identity is a specific user/password and a specific app pool’s identity is configured to use "ApplicationPoolIdentity".
• Addressed issue where NetInfo_list may not contain all the network interfaces information. Additionally, the DNS client cannot use all the connected network interfaces while sending the query. This occurs when the host is running in low memory when the NetInfo_Build gets started.
• Addressed issue where if an interface is unavailable during the NetInfo_Build, the DNS client will not use that interface to send queries for the next 15 mins even if the interface comes back before 15 minutes.
• Addressed issue to implement a callback function to receive a notification when an interface comes back after an unavailable state. This callback prevents a host from going into the sleep state.

Known Issues

None

Security advisories and updates

Microsoft Security Advisory 4038556 --  Guidance for securing applications that host the WebBrowser Control

Non-security related updates

KB4034335 -- Update for Windows 10 Version 1703 -- Some system applications don't work as expected after you upgrade to Windows 10 Version 1703

KB4035508 -- Update for .NET Framework 4.6, 4.6.1, 4.6.2, 4.7 on Windows Embedded 8 Standard and Windows Server 2012

KB4035509 -- Update for .NET Framework 4.6, 4.6.1, 4.6.2, 4.7 on Windows 8.1 and Windows Server 2012 R2

KB4035510 -- Update for .NET Framework 4.6, 4.6.1, 4.6.2, 4.7 on Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2

KB4019276 -- Update for Windows Server 2008 -- Update to add support for TLS 1.1 and TLS 1.2 in Windows Server 2008 SP2

KB4032113 -- July, 2017 Preview of Quality Rollup for .NET Framework 3.5.1 on Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2

KB4032114 -- July, 2017 Preview of Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.7 on Windows Embedded 8 Standard and Windows Server 2012

KB4032115 -- July, 2017 Preview of Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7 on Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2

KB4032116 -- July, 2017 Preview of Quality Rollup for .NET Framework 2.0 on Windows Server 2008

KB4033428 -- Update for Windows Server 2012 R2 -- Windows Server 2012 R2 processor generation detection reliability update: July 18, 2017

KB4032188 -- Windows 10 Build 15063.502 update July 31, 2017

• Addressed issue that causes a Microsoft Installer (MSI) application to fail for standard (non-admin) users when installed on a per user basis.
• Addressed issue to enable support in the DevDetail Configuration Service Provider (CSP) to return the UBR number in the D part of the SwV node.
• Addressed issue where NTFS sparse files were unexpectedly truncated (NTFS sparse files are used by Data Deduplication—deduplicated files may be unexpectedly corrupted as a result). Also updated chkdsk to detect which files are corrupted.
• Addressed issue where the IME pad was not launching correctly in the Microsoft Edge browser for certain markets.
• Addressed issue to allow Win32 applications to work with various Bluetooth LE devices including head tracking devices.
• Addressed issue in the Mobile Device Manager Enterprise feature to allow headsets to work correctly.
• Addressed issue where device drivers are not loading.
• Addressed a reliability issue when playing specific types of spatial sound content.
• Addressed issue with a dropped key on Microsoft Surface Keyboard and Microsoft Surface Ergo Keyboard, and addressed Wacom active pen connection failures.
• Addressed issue to improve stability for USB type C during device arrival and removal during system power changes.
• Addressed USB host controller issue where the host controller no longer responds to the attached peripherals.
• Addressed MP4 compatibility issue while playing content from a social media site in Microsoft Edge.
• Addressed issue with audio headsets connected to a PC through Xbox 360 controllers.
• Addressed a reliability issue with launching a Settings app while another application is using the camera device concurrently.
• Addressed issue with notifications (SMS, Calendar) for an activity tracker.
• Addressed issue with video playback artifacts during transitions from portrait to landscape on mobile devices.
• Addressed issue with Skype calls becoming unresponsive after about 20 minutes when using Bluetooth headsets with Hands-Free Profile (HFP) connections with negotiated mSBC codec (Wideband Speech).
• Addressed issue where a service using a Managed Service Account (MSA) fails to connect to the domain after an automatic password update.
• Addressed issue where, in some cases, a drive that utilizes on-drive hardware encryption would not automatically unlock at system startup.
• Addressed issue where “cipher.exe /u” fails on client machines that are deployed with InTune, Windows Information Protection (WIP), and an updated Data Recovery Agent (DRA) certificate. Cipher.exe will fail with one of the following errors: “The request is not supported" or "The system cannot find the file specified”.
• Addressed issue where a memory leak occurs in a nonpaged pool with the “NDnd” memory tag when you have a network bridge set up.
• Addressed issue where you cannot add Work and School accounts in Windows Store, and you may get an error that reads, “We encountered an error; please try signing in again later.”
• Addressed issue issue where if a Surface Hub enters Sleep mode and then resumes, it may require the user to sign in to Skype again.
• Addressed issue where some Windows Forms (WinForms) applications that use DataGridView, Menu controls, or call a constructor for a Screen object experienced performance regressions in .NET 4.7. This was caused by additional Garbage Collections. In some cases, there was an empty UI because of a lack of GDI+ handles.
• Addressed issue where Magnifier Lens users cannot click on buttons or select web content in Microsoft Edge or Cortana results.
• Addressed issue introduced in the June updates where some applications may not launch when a device resumes from Connected Standby mode.

How to download and install the August 2017 security updates

PCs that run Windows are configured by default to search for, download, and install security updates automatically.

The check does not happen in real-time though, and you may run a manual check to have the updates for devices picked up as quickly as possible.

Note: it is suggested that you create a backup of your system before you install any update on it.

To run a manual check for updates, do the following:

1. Tap on the Windows-key, type Windows Update, and hit the Enter-key.
2. Depending on how Windows Update is configured, you either need to click on the "check for updates" button, or that happens automatically.
3. Again, depending on the configuration, Windows may download and install these updates automatically when found, or on user request.

Direct update downloads

Windows 7 SP1 and Windows Server 2008 R2 SP

• KB4034664 -- August 8, 2017 Monthly Rollup
• KB4034679 --  August 8, 2017 Security-only update

Windows 8.1 and Windows Server 2012 R2

• KB4034681 -- August 8, 2017 Monthly Rollup

• KB4034672 -- August 8, 2017 Security-only update

Windows 10 and Windows Server 2016 (version 1703)

• KB4034674 -- Cumulative Update for Windows 10 Version 1703

Additional resources

• August 2017 Security Updates release notes
• List of software updates for Microsoft products
• List of security advisories
• Security Updates Guide
• Microsoft Update Catalog site
• Our in-depth Windows update guide
• Windows 10 Update History
• Windows 8.1 Update History
• Windows 7 Update History

Advertisement