Microsoft released security updates for the company's Windows operating system and other company products on the October 2017 Patch Tuesday.
Our monthly series provides you with information on Microsoft's Patch Day. It features an overview of all security and non-security updates that Microsoft released since the last Patch Day in September 2017.
The monthly guide lists how different versions of Windows -- client and server -- and Microsoft's browsers Edge and Internet Explorer are affected. It features links to resources, direct download links for cumulative Windows updates, new and updated security advisories, and information on how to download the updates to Windows machines.
You can download the following Excel spreadsheet if you want a list of all security updates for all Microsoft products that the company released since the September 2017 Patch Tuesday.
Click on the following link to download the basic Excel spreadsheet to your device: Security-Updates-Microsoft-Windows-October-2017.zip
Click on this link to download the full (with all details) Excel spreadsheet instead: october-2017-full-updates-security-windows.zip
Executive Summary
Operating System Distribution
Windows Server products:
Other Microsoft Products
KB4041676 -- Windows 10 Version 1703
KB4041691 -- Windows 10 Version 1607 and Windows Server 2016
KB4041689 -- Windows 10 Version 1511 -- End of Support after this update.
KB4042895 -- Windows 10 RTM
KB4041693 -- Windows 8.1 and Windows Server 2012 Monthly Rollup (see also security-only update KB4041687)
KB4041681 -- Windows 7 and Windows Server 2008 R2 Monthly Rollup (see also security-only update KB4041678)
KB4040685 -- Cumulative Security Update for Internet Explorer -- The fixes are included in the Security Monthly Quality Rollup.
KB4041671 -- Security Update for Windows Server 2008 -- Patches information disclosure vulnerability that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass.
KB4041679 -- 2017-10 Security Only Quality Update for Windows Embedded 8 Standard and Windows Server 2012.
KB4041681 -- 2017-10 Security Monthly Quality Rollup for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2
KB4041683 -- 2017-10 Security Update for Adobe Flash Player for Windows 10 Version 1607, Windows 10, Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows Embedded 8 Standard, and Windows Server 2012
KB4041690 -- 2017-10 Security Monthly Quality Rollup for Windows Embedded 8 Standard and Windows Server 2012
KB4041944 -- Security Update for Windows Server 2008
KB4041995 -- Security Update for Windows Server 2008 and Windows XP Embedded
KB4042007 -- Security Update for Windows Server 2008 and Windows XP Embedded
KB4042050 -- Security Update for Windows Server 2008
KB4042067 -- Security Update for Windows Server 2008 and Windows XP Embedded
KB4042120 -- Security Update for Windows Server 2008 and Windows XP Embedded
KB4042121 -- Security Update for Windows Server 2008 and Windows XP Embedded
KB4042122 -- Security Update for Windows Server 2008 and Windows XP Embedded
KB4042123 -- Security Update for Windows Server 2008
KB4042723 -- Security Update for Windows Server 2008 and Windows XP Embedded
ADV170012 | Vulnerability in TPM could allow Security Feature Bypass - A security vulnerability exists in certain Trusted Platform Module (TPM) chipsets. The vulnerability weakens key strength. It is important to note that this is a firmware vulnerability, and not a vulnerability in the operating system or a specific application. After you have installed software and/or firmware updates, you will need to re-enroll in any security services you are running to remediate those services.
ADV170013 | September 2017 Flash Security Update
ADV170014 | Optional Windows NTLM SSO authentication changes -- Microsoft is releasing an optional security enhancement to NT LAN Manager (NTLM), limiting which network resources various clients in the Windows 10 or the Windows Server 2016 operating systems can use NTLM Single Sign On (SSO) as an authentication method. When you deploy the new security enhancement with a Network Isolation Policy defining your organization's resources, attackers can no longer redirect a user to a malicious resource outside your organization to obtain the NTLM authentication messages.
ADV170015 | Microsoft Office Defense in Depth Update
ADV170016 -- Windows Server 2008 Defense in Depth
ADV170017 | Office Defense in Depth Update
KB4043766 -- 2017-10 Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7 on Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2
KB4043767 -- 2017-10 Quality Rollup for .NET Framework 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7 on Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2
KB4043768 -- 2017-10 Quality Rollup for .NET Framework 2.0 on Windows Server 2008
KB4043769 -- 2017-10 Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7 on Windows Embedded 8 Standard and Windows Server 2012
KB890830 -- Windows Malicious Software Removal Tool - October 201
KB4038801 -- Update for Windows 10 Version 1607 and Windows Server 2016
KB4040724 -- Update for Windows 10 Version 1703
KB4036479 -- Update for Windows 8.1 and Windows Server 2012 R2 -- Eliminate restarts in virtual machine initial configuration in Windows Server 2012 R2
Microsoft Office 2016
Microsoft Office 2013
Office 2010
Office 2007
SharePoint Server 2016
SharePoint Server 2013, Project Server 2013, and SharePoint Foundation 2013
SharePoint Server 2010
The October 2017 security updates are made available via Windows Update. All client versions of Windows are configured to check for and download important updates automatically.
This is not a real-time check though, and you may run a manual check for updates to get the updates earlier.
As always, create a backup before you update so that you can restore the system to a pre-update state if things go wrong.
You may download the cumulative updates for Windows 10, Windows 8.1 and Windows 7 from Microsoft's Update Catalog website as well. Direct download links are listed below.
Windows 7 SP1 and Windows Server 2008 R2 SP
Windows 8.1 and Windows Server 2012 R2
Windows 10 and Windows Server 2016 (version 1607)
Windows 10 and Windows Server 2016 (version 1703)
Mine is still downloading…
I am sure it will be full of bugs… but hey, them bugs got some good protein too! :D
KB 4041676 causes ODBC connections to MS Access with linked Excel tables to fail with error:
Microsoft OLE DB Provider for ODBC Drivers error ‘80004005’
[Microsoft][ODBC Microsoft Access Driver] Unexpected error from external database driver (1)
This is beyond annoying – can’t continue development of an important project!
See also:
https://www.computerworld.com/article/3233260/microsoft-windows/excel-access-external-db-driver-errors-linked-to-this-month-s-patches.html
Hopefully this fixed the problem that is preventing sign in on a clean/restore of 8.1
Here are the updates for IE 11 http://www.catalog.update.microsoft.com/Search.aspx?q=kb4040685
I’m glad you posted that because the link on the summary update site at https://support.microsoft.com/en-hk/help/4040685/cumulative-security-update-for-internet-explorer opens the catalog updates for September, not October. Trust Microsoft to screw up again!
Well, it doesn’t say anything about fixes in regards to W8.1 signing into your MSN account from a local account or otherwise.
MS should change the update policy for Edge; it gets very few updates in the current cycle. If they want to attract users towards Edge, they need to release updates at a faster rate.
Am I wrong, or are Windows updates getting more and more complicated? A few years ago, updating Windows took just a few minutes more time than checking the weather. Today, the process is definitely not user friendly.
In France since by all means they started the economic war.. all US companies are now considered “not user friendly” anyway.
I blame MacDonald, Coca-Cola, Sprite, 7up, Philips Morris, Donald Trump and myself.
The latest scandal, for a majority of people, General Electric against Alstom sabotaging our energy independence with the help of the NSA was felt as a declaration of war. Not only the fault of The Clown.
@ Anonymous:
You’d probably be interested in the Cash Investigation segment on Microsoft’s contract with the French Ministry of Defense (YouTube, Cash Investigation, “Marchés publics, le grand dérapage”, starting at about 41m32s).
@A different Martin, better this one:
http://www.lcp.fr/emissions/droit-de-suite/285363-alstom-une-affaire-detat
@ Anonymous:
I’m already familiar with the very broad strokes of the Alstom turbine sale — who opposed it, who pushed it through, and how seriously General Electric took its commitments to France afterwards — but I wouldn’t mind seeing this program. The problem is, I can’t see that LCP offers on-demand podcasts of its shows. Is it just real-time streaming, on a schedule? I’m on the US Pacific Coast.
I only offered my link because it pertained to Microsoft in France (more relevant to the blog, the article, and the comments than Alstom), not because the story is more important and definitely not because the “gotcha” journalism of Cash Investigation is a paragon of documentary excellence. Still, I have to wonder what kind of open-source expertise, customizations, and code contributions the French Ministry of Defense could have developed in-house for €120 million.
@A different Martin, Microsoft is like other major US companies, like GE in my example, on the one hand they use the NSA to spy and threaten foreign competitors etc, an army of lawyers and “lobbyists” to circumvent the laws of states, to steal the tax departments, on the other side they corrupt deputies and senators to steal public markets, to invade public school, to spy on our army etc etc, destroying our country etc. To download streams on LCP just use the addon “Video DownloadHelper”.
@ Anonymous:
You’re preaching to the converted. I have a pretty good idea of what my country actually is, how its corporations behave, whom our government actually works for, and what our government and corporations do here and abroad on behalf of their true principals. As for Microsoft, I’ve been following its business practices since before the US v. Microsoft case, the outcome of which marked the death of public antitrust enforcement in the US. If it’s any consolation, I expect that when the US can no longer use its military to force other countries to sell their oil for dollars and the petrodollar sputters out, the US will sink to the ranks of former world hegemons like Spain and Britain. The downside is that I don’t expect whatever country replaces it — probably China — will behave any less rapaciously than Spain, Britain, and the US did in their day.
As for the video, while I’ve been reasonably successful at downloading streaming videos using NetVideoHunter and DownThemAll, I went ahead and installed Video DownloadHelper in Firefox, Firefox ESR, and Chrome. (It’s not compatible with Pale Moon, so I installed the recommended alternative, Complete YouTube Saver, instead.) The problem with the LCP video is that I can’t start or even detect a stream, even though the page is okayed in uBlock Origin and all domains are allowed in NoScript. (I don’t have a script-blocker installed in Chrome, since it’s my fallback for pages that are just too much hassle to get working in my “Firefox-family” browsers.) Maybe LCP doesn’t like Malwarebytes Anti-Exploit Beta or the fact that I’m streaming to a non-French IP address. I suppose I could try using a French proxy, but it’s starting to seem like an awful lot of effort at this point. ;-)
@A different Martin
It seems you have to change your IP effectively
https://frenchtogether.com/watch-french-tv/
Or try to download the tv programs with this software: https://captvty.fr/
VDH 6.31 is compatible with Pale Moon, just install it with the add-on “Moon Tester Tool” made by Justoff: https://addons.palemoon.org/addon/moon-tester-tool/
That’s “by design.”
@A different Martin; about LCP particularly I read “You can watch it online from anywhere in the world”. So maybe you have an issue with your browser or something? First you should try with a fresh profile…
@A different Martin
AllFrTV (To register programs in real time):
http://forum-racacax.ga/viewtopic.php?f=69&t=1057
Zip files: http://racacaxtv.ga/setupl.php?type=zip
Back from a busy weekend, with a fairly busy week ahead of me. Thanks for all the tips!
Given all the caveats in Moon Tester Tool’s description, I’m a little wary of using it to install Video DownloadHelper in Pale Moon — at least until I have used it successfully in Firefox and seen that it offers markedly better functionality than NetVideoHunter. I don’t keep unlimited versioned backups of my profiles, and if a latent problem were to crop up far down the line, it might take me more work to recover from than I’d like.
Yes, I could try using a fresh profile in Firefox and/or Pale Moon. I’m not enthusiastic about it, because I love my profiles, but it would be a good troubleshooting tool. My Google Chrome isn’t too far from plain-vanilla, and I couldn’t get the LCP video to work in that. I didn’t think to try Internet Explorer, and my IE is very close to plain-vanilla (only Flash and Java have been added — it’s now my secondary fallback browser, after Chrome). I think I’ll give IE a shot before messing with profiles in my Firefox-family browsers.
It’s going to take me a little while to check out your links and suggestions and implement them, but I’ll get back to you when I have.
Again, many thanks for the tips!
@A different Martin, ok I’ll wait here to see your progress…
Downloading from LCP using captvty: https://s1.postimg.org/115h6s9len/LCP.gif
Hopefully this fixes the issue with Outlook2010 and having to create a new profile every other day.
I’ll wait for Simplix Pack to be updated so I’ll update my Win7 PC ^^ WU is completely disabled here.
I’m not familiar with Simplix Pack. Any advantages over WSUS Offline Update?
Same here, I’ve integrated the updates with the Simplix script and Windows 7 is running smooth. WU is a real, unneeded pain.
Martin, FYI:
https://about.flipboard.com/inside-flipboard/flipboards-self-service-platform-opens-for-publishers-around-the-world/
Thanks a lot !
Thanks for the information, always appreciated.
Things always go much smoother for me when I simply download the cumulative update and install it manually.
Also wondering, do we need to install the Delta Update for Windows 10 Version 1703 for x64-based Systems (KB4041676)?
Thanks again, Martin, for this month’s October 2017 list of updates, which I use to check for myself whether everything my main system should install from the updates is correctly and also completely installed.
Very useful is also the 2017-10-10 – Ms. Security updates links – 2017-10 – (October 2017) spreadsheet (.xlsx) you have given the link to. (Wow, 187 updates to choose from; this list is becoming more and more a forest in which you can’t see the trees anymore (what you really need).)
And maybe I am imagining things, but are the updates taking longer than they used to a few months ago, even with a faster internet connection?
For the spreadsheet’s “forest and trees” problem, use filtering.
To avoid all this nonsense, just disable automatic updates and run WSUS and get the security updates without the rollup telemetry.
http://download.wsusoffline.net/
Careful. A friend and I use WSUS Offline Update with the Security Updates Only option selected on our Windows 7 systems, and a couple of Patch Tuesdays ago we both noticed that a bunch of telemetry and diagnostics features had been re-enabled after the “security-only” updates had been applied. It didn’t happen the following month, but still, it doesn’t inspire confidence in Microsoft’s definition of “security only.” Now we have added an additional step to our updating routine, namely, to run WPD (a privacy utility) after each month’s “security-only” patches have been applied.
Addendum: It didn’t happen this month, either, but I’m still going to run WPD after every Windows “security-only” update.
So M$ is lying about what their updates are. Color me surprised.
I still think using WSUS is the best option.
And running WPD (https://getwpd.com/) afterwards takes care of this for you?
What settings do you use?
@www.com:
In WPD I just disable all the telemetry and diagnostics that WPD targets, and I apply the Firewall block list. I don’t think I’ve run into any problems with the block list so far. (I run Windows 7, and I seem to recall that WPD is the only privacy tool Martin mentioned that supports 7 rather than just 10, or 8/8.1/10.)
Yeah, when my “security only” patches from a few Patch Tuesdays ago — applied via WSUS Offline Update, but still from Microsoft — re-enabled a bunch of telemetry and diagnostics, I may have been only half surprised but I was fully pissed off. You see, it turns out that a couple/few months before Windows 10 was released, a rogue Microsoft “Windows 10 readiness” diagnostics update started running every night on my laptop, starting in the wee hours of the morning. When I investigated, I figured out that it had been pegging out one core of the CPU at 100% and running the fan at full speed for hours at a time. Unfortunately, by the time I realized what was going on, it had already completely melted the thermal compound between the CPU and the heatsink and burned out the ventilation fan, requiring hours of painstaking surgery to repair, not to mention the cost and shipping delay of parts and supplies. It was actually my friend (who also sticks to “security-only” updates) who tipped me off to the more recent diagnostics re-enabling. He noticed that the fan on the computer closest to his bedroom was going into high gear for no apparent reason in the wee hours of the morning. I instantly suspected that the (then) most recent round of “security-only” updates had re-enabled telemetry and diagnostics, and sure enough, that was the case. And that’s why I’m going to continue double-checking telemetry and diagnostics after every Microsoft update — “security only” or not.
You correctly mention KB4041676 for Windows 10 x64 CU, but there is no mention of KB890830 re the Malicious Software Removal Tool, nor the two update levels of KB2267602 for Defender also installed on my PC today in the Patch Tuesday Update. If this omission is intentional, why so?
2017-10 Cumulative Update for Windows 10 Version 1703 for x64-based Systems (KB4041676) won’t install and then uninstalls itself and screws up my computer. Any ideas how to fix this?
October 2016 – October 2017 Windows 7 Windows Updates : none processed, and I’ll keep it that way as long as I remain using Windows 7, avoiding the mess.
Martin, you didn’t mention the updates for .NET Framework: https://support.microsoft.com/en-us/help/4043767/october-2017-security-and-quality-rollup-for-net-framework-3-5-4-5-2-4
Thanks. Microsoft is often a tad slow when it comes to publishing all update information. I edit the guide.
Thanks for the spreadsheet. Is this something you created or got from somewhere else? It’s very handy. Hope you keep doing it!
Microsoft has contacted some of their larger EA customers and told them to not install the October 2017 Windows 10 updates as they may cause the system to no longer boot.
Yep, I confirm! Some of our computers can’t boot after the update!
Example: https://www.reddit.com/r/sysadmin/comments/75o0oq/windows_security_updates_broke_30_of_our_machines/
It is interesting to me that on Windows 10 x64 Home latest CU update, M$ chose to not add a new Flash feature to Edge and IE11 – per
http://get.adobe.com/flashplayer/about/ they remain at version 27.0.0.130.
The latest Opera and Chrome x64 beta run Flash at 27.0.0.159 .
Now the latest Flash update for Chrome 64 beta and latest Opera stable is Flash 27.0.0.170 . Windows 10 x64 CU Flash re EDGE and IE11 remain back level at 27.0.0.130 . Perhaps Microsoft will update them in the FCU?
At 13:05 EDT Windows Update made available the Flash version 27.0.0.170 for Edge and IE11 with KB4049179. This is prior to any offer to install the FCU.
Martin – can you tell me if this was included in the update? Thanks!
ISSUE
After installing the August 8, 2017, update for Word 2016 (KB3213656) or the September 5, 2017, update for Word 2016 (KB4011039), you may encounter the following issues:
If you merge vertical cells in a table, the cell content disappears, and you can’t select the merged cell.
If you open an existing document that has a table with merged cells, the cells will appear to be blank.
This issue occurs only for those who receive Office 2016 updates using Windows Installer technology (MSI). If you have a Click-to-Run edition of Office, such as Office 365 Personal, you won’t encounter this issue.
WORKAROUND
As a workaround, you can uninstall both KBs and your tables will return to normal. We anticipate releasing the fix for this issue in the next monthly update, tentatively scheduled for October 3, 2017.
It was fixed on October 3, 2017.
https://support.microsoft.com/en-us/help/4011039/september-5-2017-update-for-word-2016-kb4011039
KB4011140 replaced that broken update.
https://support.microsoft.com/en-us/help/4011140/october-3-2017-update-for-word-2016-kb4011140
Get KB4041681 on Windows7 but not the Update for .NET Framework
KB4043766 — 2017-10 Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7 on Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2
https://support.microsoft.com/kb/4043766
What’s the reason for this?
Maybe a missing component?
> Important: All updates for .NET Framework 4.6, 4.6.1, 4.6.2, and 4.7 require the D3 Compiler to be installed. We recommend that you install the included D3 Compiler before applying this update. For more information about the D3 Compiler, see KB 4019990.
MS Jet driver updates in this version cause the Excel driver to no longer select any data and return empty values…
I also ran into issues with the Excel OLEDB driver on many machines after this update.
Yup. Luckily we have a couple of C# programs using Jet and XLS files that are only run on a couple of PCs. The update, Jet and XLSX files work fine. For the time being the rollup KB has been removed from a couple of PCs.
Interestingly, if you open up an XLS file in Excel, keep it open and run a .NET (C#) program that opens the same XLS, the program runs fine.
I had (very small) hopes that if you opened up an XLS in Excel over a network and started up one of the programs on another PC grabbing the same XLS, that it would work. Unfortunately it did not work, but I never really expected it to.
https://www.ghacks.net/2017/10/10/microsoft-security-updates-october-2017-release/#comment-4250010
I have had the same problem, and KB4019990 was installed. I don’t know, maybe there is a special Microsoft-like procedure, but here is a shortcut Microsoft obviously wants:
Install .NET Framework 4.7, automatically uninstall .NET Framework 4.5.2.
Afterwards,
KB4043766 — 2017-10 Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7 on Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2
is up.