Microsoft Windows Security Updates April 2018 release overview

Welcome to our monthly overview of Microsoft's Windows security updates. We provide you with full details of all released security and non-security updates for Windows and other Microsoft products.

Check out the executive summary at the top if you are in a hurry, or go through the list of released updates and click on the links that point to Microsoft's Knowledgebase to look up additional information.

The overview includes the vulnerability distribution per client and server operating system, as well as for Edge and Internet Explorer, the list of patches, download information, and information about Microsoft Office and security advisories.

Microsoft planned to release the Windows 10 Spring Creators Update, version 1803 today, but it appears that the release has been delayed.

Microsoft Windows Security Updates April 2018

You may download the following Excel spreadsheet that lists all published security updates for all Microsoft products on the April 2018 Patch day: (Download Removed)

Executive Summary

• Microsoft released security updates for all supported client and server versions of the Windows operating system.
• All client and server versions of Windows are affected by critical vulnerabilities.
• Other Microsoft products with patches are: Internet Explorer, Microsoft Office, Microsoft Edge, Adobe Flash Player, Microsoft Visual Studio, Microsoft Azure IoT SDK, ChakraCore
• Microsoft lifted the update block restriction for Windows 7, Windows 8.1 and server variants on devices without HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat\cadca5fe-87d3-4b96-b7fb-a231484277cc Registry setting.

Operating System Distribution

• Windows 7: 21 vulnerabilities of which 6 are rated critical, 1 moderate and 14 important
• Windows 8.1: 23 vulnerabilities of which 6 are rated critical, 1 moderate and 16 important
• Windows 10 version 1607: 25 vulnerabilities of which 6 are rated critical and 19 important
• Windows 10 version 1703: 28 vulnerabilities of which 6 are rated critical and 22 important
• Windows 10 version 1709: 28 vulnerabilities of which 6 are rated critical and 22 important

Windows Server products

• Windows Server 2008 R2: 21 vulnerabilities of which 6 are rated critical, 1 moderate and 14 important
• Windows Server 2012 and 2012 R2: 23 vulnerabilities which 6 are rated critical, 1 moderate and 16 important
• Windows Server 2016: 27 vulnerabilities of which 6 are rated critical, 1 moderate and 20 important

Other Microsoft Products

• Internet Explorer 11: 13 vulnerabilities, 8 critical, 5 important
• Microsoft Edge: 10 vulnerabilities, 8 critical, 2 important

Windows Security Updates

Microsoft released an update for the Microsoft Malware Protection Engine on April 3, 2018.

KB4093112 -- Windows 10 version 1709

• Provides support to control usage of Indirect Branch Prediction Barrier (IBPB) within some AMD processors (CPUs).
• Access violation issue in Internet Explorer.
• Enterprise Mode redirect issue in IE and Edge.
• SVG access violation issue when under high load in Internet Explorer.
• Updated time zone information issues.
• App-V service may stop working on RDS servers that host many users.
• User accounts locking issue when moving apps to a shared platform using App-V.
• ActiveX content printing issue in Internet Explorer.
• Addresses an issue that causes document.execCommand("copy") to always return False in Internet Explorer.
• Internet Explorer did not identify custom controls correctly in some instances.
• Security updates to Internet Explorer, Microsoft Edge, Windows kpp platform and frameworks, Microsoft scripting engine, Windows graphics, Windows Server, Windows kernel, Windows datacenter networking, Windows wireless networking, Windows virtualization and Kernel, and Windows Hyper-V.

KB4093107 -- Windows 10 version 1703

• Same as KB4093112

KB4093119 -- Windows 10 version 1607

• Same as KB4093112

KB4093108 -- Windows 7 SP1 and Windows Server 2008 R2 SP1 -- Security Only

• Lifted blocking of updates via Windows Update and WSUS if "antivirus compatibility" Registry key was not set.
• Stop error when the update from previous month was applied on 32-bit systems with PAE mode disabled.
• Kernel reliability improvements.
• Security updates to Internet Explorer, Microsoft scripting engine, Microsoft graphics component, Windows Server, Windows datacenter networking, Windows virtualization and kernel, and Windows app platform and frameworks.

KB4093115 -- Windows 8.1 and Windows Server 2012 R2

• Lifted blocking of updates via Windows Update and WSUS if "antivirus compatibility" Registry key was not set.
• Security updates to Internet Explorer, Microsoft scripting engine, Microsoft graphics component, Windows Server, Windows kernel, Windows datacenter networking, Windows Hyper-V, Windows virtualization and kernel , and Windows app platform and frameworks.

KB4093114 -- Windows 8.1 and Windows Server 2012 R2

• ActiveX printing issue in IE.
• SVG rendering issue causing high load issue in IE.
• Custom controls identifying issue in IE.
• and all of KB4093115.

KB4093118 -- Windows 7 SP1 and Windows Server 2008 R2 SP1 -- Monthly Rollup

• ActiveX printing issue in Internet Explorer
• SVG high load rendering issue in Internet Explorer.
• Issue with identifying custom controls in IE.
• and all updates of KB4093108

KB4093110 -- Security update for Adobe Flash Player: April 10, 2018

KB4091756 -- Windows XP Embedded and Windows Server 2008 -- Denial of Server vulnerability

KB4092946 -- Cumulative Security Update for Internet Explorer

KB4093108 -- Security Only Quality Update for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2

KB4093118 -- Security Monthly Quality Rollup for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2

KB4093123 -- Security Monthly Quality Rollup for Windows Embedded 8 Standard and Windows Server 2012

KB4093122 -- Security Only Quality Update for Windows Embedded 8 Standard and Windows Server 2012

KB4093109 -- Cumulative Security Update for Windows 10 Version 1511

KB4093111 -- Cumulative Security Update for Windows 10

KB4093223 -- Security Update for Windows Server 2008 and Windows XP Embedded -- Patches Microsoft graphics remote code execution issue.

KB4093224 -- Security Update for Windows Server 2008 and Windows XP Embedded -- Fixes Microsoft graphics component denial of service vulnerability.

KB4093227 -- Security Update for Windows Server 2008 -- security update for the Windows Remote Desktop Protocol (RDP) denial of service vulnerability

KB4093257 -- Security Update Windows Server 2008 and Windows XP Embedded -- patches a buffer overflow vulnerability in the Microsoft JET Database engine and an elevation of privilege vulnerability in Windows Adobe Type Manager Font Driver.

KB4093478 -- Security Update for Windows Server 2008 -- patches information disclosure vulnerability.

KB4101864 -- Security Update for WES09 and POSReady 2009 for x86-based Systems

Known Issues

Windows 10 version 1709

Windows Update History reports that updates did not install because of 0x80070643 even though they did install.

Windows 7 and Windows Server 2008 R2

• SMB Servers may leak memory
• Stop error on PCs that don't support SIMD or SSE2

Security advisories and updates

ADV180007 -- April 2018 Adobe Flash Security Update

Non-security related updates

KB4089848 for Windows 10 version 1709 -- non security update that fixes lots of issues.

KB4093137 -- Update for Windows 10 Version 1607 -- Servicing stack update for Windows 10, version 1607

KB4093430 -- Update for Windows 10 Version 1507 --Servicing stack update for Windows 10, version 1507

KB4093432 -- Update for Windows 10 Version 1703 -- Servicing stack update for Windows 10, version 1703

KB4099989 -- Windows 10 Version 1709 -- Servicing stack update for Windows 10, version 1709

KB890830 -- Windows Malicious Software Removal Tool

Microsoft Office Updates

Office 2016

KB4018337 -- Excel 2016: security update that patches a remote code execution vulnerability and includes non-security improvements.

KB4011628 -- Office 2016: patches remote code execution vulnerability

KB4018319 -- Office 2016: patches remote code execution vulnerability and includes non-security improvements

KB4018328 -- Office 2016: patches remote code execution vulnerability and includes non-security improvements.

KB4018339 -- Word 2016: patches remote code execution vulnerability and includes non-security improvements.

KB4011667 -- Office 2016: fixes crash that occurs when adding an account that has already signed in.

KB4018322 -- Office 2016: blocks minors from running or obtaining add-ins without parental consent from the online store, and adds translation for the message why an Office add-on cannot be loaded.

KB4018329 -- Office 2016: update for Office 2016 Language Interface Pack.

KB4018326 -- Outlook 2016: adds support for Sync Slider, improves some translations, an issue with favorite folders disappearing under certain circumstances, and an issue where the recipients name may be removed from the recipient list if it matches the sender's display name.

KB4011726 -- PowerPoint 2016: adds help message for Microsoft Equation 3.0 and translation of the message that informs about the end of support for Microsoft Equation 3.0.

KB4018320 -- Project 2016:  fixes a Project opening issue that results in the error message "Sorry, we were unable to open your project. Please try again. If this happens again, contact your administrator.". Fixes a crash furthermore, an issue with Change Working Time dialog boxes, and introduces new information to projects saved in XML format.

Tip: you can restore simple saving by setting SimpleXmlexport to the value of 1 in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\MS Project\Options\Save\

KB4018323 -- Skype for Business 2016 update.

Office 2013

KB4018347 -- Word 2013: patches remote code execution and includes non-security improvements.

KB4018350 -- Excel 2013: patches remote code execution vulnerability and includes non-security improvements.

KB4018330 -- Office 2013: patches remote code execution vulnerability and includes non-security fixes.

KB4018288 -- Office 2013: Patches remote code execution vulnerability

KB3178636 -- Office 2013: fixes a crash in Outlook 2013 when opening messages that contain byte-order mark or zero-width non-breaking space characters in the body.

KB4018333 -- Office 2013: adds translations of messages that inform users why an Office add-in could not be loaded. Also, minors require parental consent to obtain or run add-ins from the online store.

KB4018303 -- Outlook 2013: fixes a crash in Outlook, custom forms with Visual Basic Script issue in shared calendars, sent emails appearing in the wrong Sent Items folder, and authentication prompt that were locked behind the main Outlook window.

KB4018289 -- Powerpoint 2013: same as KB4011726

KB4018335 -- Project 2013: same as KB4018320

KB4018334 -- Skype for Business 2015 update.

Office 2010

KB4018362 -- Excel 2010 security update

KB4018359 -- Word 2010 security update

KB4018357 -- Office 2013 security update

KB4018311 -- Office 2013 security update

KB2965234 -- PowerPoint 2010: Adds "appropriate help message" for Microsoft Equation 3.0.

KB4018312 -- same as KB2965234 but for PowerPoint Viewer.

KB3128038 -- Project 2010: adds new information to saved projects in XML format including name of views, tables, filters, groups, and more.

KB4018317 -- Outlook 2010: custom forms with Visual Basic Script doesn't run in shared calendars.

Update: Microsoft did release patches for Office 2007, SharePoint Server 2016, SharePoint Server 2013, Project Server 2013, and SharePoint Foundation 2013, and SharePoint Server 2013 as well.

How to download and install the April 2018 security updates

Microsoft distributes updates via Windows Update to consumer systems. All versions of Windows are configured to check for, download and install important updates when they are published.

You may run a manual check for updates to pick up the updates as early as possible as the update checking does not happen in realtime.

1. Tap on the Windows-key to open the Start Menu.
2. Type Windows Updates and select the result.
3. Click on the "check for updates" button if the update check is not run automatically.

Windows runs a check for updates and will download and install those it finds automatically.

Note: It is recommended that you create a backup of the system before you install updates as they may break things.

Direct update downloads

Updates for all supported versions of Windows may also be downloaded from the Microsoft Update Catalog website. Just click on the direct links below to do so.

Windows 7 SP1 and Windows Server 2008 R2 SP

•  KB4093118— 2018-04 Security Monthly Quality Rollup for Windows 7
•  KB4093108— 2018-04 Security Only Quality Update for Windows 7

Windows 8.1 and Windows Server 2012 R2

•  KB4093114— 2018-04 Security Monthly Quality Rollup for Windows 8.1
•   KB4093115— 2018-04 Security Only Quality Update for Windows 8.1

Windows 10 and Windows Server 2016 (version 1607)

•  KB4093119— 2018-04 Cumulative Update for Windows 10 Version 1607 and Windows Server 2016

Windows 10 (version 1703)

• KB4093107 — 2018-04 Cumulative Update for Windows 10 Version 1703

Windows 10 (version 1709)

• KB4093112 — 2018-04 Cumulative Update for Windows 10 Version 1709

Additional resources

• April 2018 Security Updates release notes
• List of software updates for Microsoft products
• List of security advisories
• Security Updates Guide
• Microsoft Update Catalog site
• Our in-depth Windows update guide
• Windows 10 Update History
• Windows 8.1 Update History
• Windows 7 Update History

 

Advertisement