Microsoft Windows Security Updates July 2018 release overview

Jul 10, 2018

Updated • Jul 13, 2018

It is July 10, 2018 today and that means it is time for our monthly Microsoft Patch Day overview. Microsoft releases security updates for company products on the second Tuesday of each month.

Our coverage includes all important information about today's releases. It begins with an executive summary that lists the most important information right away. We look at the operating system distribution of patches for all supported client and server versions of Windows, and list all released updates afterward.

Links are provided to Microsoft Support pages to look up additional information and to download the updates.

Our overview includes security advisories and known issues, direct downloads of security patches, and links to resources.

Check out last month's overview here.

Microsoft Windows Security Updates July 2018

The following Excel spreadsheet contains all security updates that Microsoft released today for all of its products. Click on the following link to download it:Â Â July 2018 Windows Security Updates

Executive Summary

Microsoft released security updates for all client and server versions of Windows.
No critical vulnerabilities for all client and server versions of Windows.
Critical vulnerabilities in Edge and Internet Explorer.
Other Microsoft products with security updates are: Microsoft Office, .NET Framework, ASP.NET, Visual Studio, Skype for Business and Microsoft Lync, and Internet Explorer / Microsoft Edge

Operating System Distribution

Windows 7: 7 vulnerabilities of which 7 are important.
Windows 8.1: 9 vulnerabilities of which 9 are important.
Windows 10 version 1607: 8 vulnerabilities of which 8 are important.
Windows 10 version 1703: 8 vulnerabilities of which 8 are important.
Windows 10 version 1709: 8 vulnerabilities of which 8 are important.
Windows 10 version 1803: 7 vulnerabilities of which 7 are important.

Windows Server products

Windows Server 2008 R2: 8 vulnerabilities of which 8 are important.
Windows Server 2012 and 2012 R2: 9 vulnerabilities of which 9 are important.
Windows Server 2016: 8 vulnerabilities of which 8 are important.

Other Microsoft Products

Internet Explorer 11: 6 vulnerabilities, 4 critical, 2 important
Microsoft Edge: 19 vulnerabilities, 12 critical, 7 important

Windows Security Updates

KB4338823 -- Windows 7 SP1 Security-only update

Protection againstÂ Lazy Floating Point (FP) State Restore (CVE-2018-3665) for 64-Bit (x64) versions of Windows.
Security updates to Internet Explorer, Windows apps, Windows graphics, Windows Shell, Windows datacenter networking, Windows wireless networking, and Windows virtualization.

KB4338818 --Â Windows 7 SP1 Monthly rollup

Same asÂ KB4338823.
Internet Explorer update to conform to the policy that disabled the launch of Developer Tools.
Fixed DNS requests disregarding proxy configurations in IE and Edge (copy and paste gone wrong, Edge not available for Windows 7).

KB4338824 -- Windows 8.1 Security-only update

Protection againstÂ Lazy Floating Point (FP) State Restore (CVE-2018-3665) for 64-Bit (x64) versions of Windows.
Provides protections from an additional subclass of speculative execution side-channel vulnerability known as Speculative Store Bypass (CVE-2018-3639). (see here (client) and here (server)
Provides support to control usage of Indirect Branch Prediction Barrier (IBPB) on some AMD processors (CPUs) for mitigating CVE-2017-5715 (see here and here)
Security updates to Internet Explorer, Windows apps, Windows graphics, Windows Shell, Windows datacenter networking, Windows virtualization, and Windows kernel.

KB4338815 -- Windows 8.1 Monthly Rollup

Same asÂ KB4338824
Internet Explorer update to conform to the policy that disabled the launch of Developer Tools.
Fixed DNS requests disregarding proxy configurations in IE and Edge (copy and paste gone wrong, Edge not available for Windows 8.1).
Fixed mouse stopped working after switching between local and remote sessions.

KB4338814 -- Windows 10 version 1607

Updates support for the draft version of the Token Binding protocol v0.16.
Fixed form submission issue in IE.
Updates Internet Explorer's Inspect Element feature to conform to the policy that disables the launch of Developer Tools.
Fixed wrong IME mode chosen on an IME-active element.
Fixed DNS requests issue where requests disregarded proxy configurations in IE and Edge.
Evaluates the Windows ecosystem to help ensure application and device compatibility for all updates to Windows (what does that mean?)
Security updates to Internet Explorer, Microsoft Edge, Windows apps, Windows graphics, Windows datacenter networking, Windows virtualization, Windows kernel, and Windows Server.

KB4338826 -- Windows 10 version 1703

Fixed form submission issue in IE.
Updates Internet Explorer's Inspect Element feature to conform to the policy that disables the launch of Developer Tools.
Fixed wrong IME mode chosen on an IME-active element.
Fixed DNS requests issue where requests disregarded proxy configurations in IE and Edge.
Fixed issues with updated time zone information.
Evaluates the Windows ecosystem to help ensure application and device compatibility for all updates to Windows (what does that mean?)
Security updates to Internet Explorer, Microsoft Edge, Windows apps, Windows graphics, Windows virtualization, Windows kernel, and Windows Server.

KB4338825 -- Windows 10 version 1709

Fixed wrong IME mode chosen.
Fixed form submission issue in Internet Explorer.
Fixed DNS requests disregarding proxy configurations in IE and Edge.
Addressed updated time zone information issues.
Fixed a Google Chrome not working issue on Cobalt devices.
Evaluates the Windows ecosystem to help ensure application and device compatibility for all updates to Windows (what does that mean?)
Security updates to Internet Explorer, Microsoft Edge, Microsoft scripting engine, Windows apps, Windows graphics, Windows datacenter networking, Windows virtualization, Windows kernel, and Windows Server.

KB4338819 - Windows 10 version 1803

Microsoft Edge DevTools Preview app allows debugging of WebView content in UWP apps.
Improved Universal CRT Ctype family of functions by correctly handling EOF as valid input.
Addresses an issue that may cause the Mitigation Options Group Policy client-side extension to fail during GPO processing. Error message is "Windows failed to apply the MitigationOptions settings. MitigationOptions settings might have its own log file" or "ProcessGPOList: Extension MitigationOptions returned 0xea".
Evaluates the Windows ecosystem to help ensure application and device compatibility for all updates to Windows (what does that mean?)
Security updates to Internet Explorer, Windows apps, Windows graphics, Windows datacenter networking, Windows wireless networking, Windows virtualization, Windows kernel, and Windows Server.

KB4134651 --Â Security Update for WES09 and POSReady 2009 for x86-based Systems

An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory.
A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory.

KB4291391 --Â Security Update for Windows Server 2008 and Windows XP Embedded

A denial of service vulnerability exists in the Windows Domain Name System (DNS) DNSAPI.dll when it fails to properly handle DNS responses.

KB4293756 --Â Security Update for Windows Server 2008

A denial of service vulnerability exists when Windows improperly handles File Transfer Protocol (FTP) connections.

KB4295656 --Â Security Update for Windows Server 2008

An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory.

KB4338597 --Â Security Only Update for .NET Framework 3.0 on WES09 and POSReady 2009

KB4338598 --Â Security Only Update for .NET Framework 4 for WES09 and POSReady 2009

KB4338615 --Â Security Only Update for .NET Framework 2.0 on WES09 and POSReady 2009

KB4338820 --Â Security Only Quality Update for Windows Embedded 8 Standard and Windows Server 2012

KB4338830 --Â Security Monthly Quality Rollup for Windows Embedded 8 Standard and Windows Server 2012

KB4338832 -- Adobe Flash Player update

KB4339093 --Â Cumulative Security Update for Internet Explorer

KB4339291 --Â Security Update for WES09 and POSReady 2009

A security feature bypass vulnerability exists when Microsoft WordPad improperly handles embedded OLE objects.

KB4339503 --Â Security Update for Windows Server 2008

An elevation of privilege vulnerability exists when Windows fails a check, allowing a sandbox escape.

KB4339854 --Â Security Update for WES09 and POSReady 2009

An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory.

KB4340004 --Â Security Only Update for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2

KB4340005 --Â Security Only Update for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows Embedded 8 Standard and Windows Server 2012

KB4340006 --Â Security Only Update for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows 8.1 and Windows Server 2012 R2

KB4340007 --Â Security Only Update for .NET Framework 2.0, 3.0, 4.5.2, 4.6 for Windows Server 2008

KB4340556 --Â Security and Quality Rollup for .NET Framework 3.5.1 on Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2

KB4340557 --Â Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows Embedded 8 Standard and Windows Server 2012

KB4340558 --Â Security and Quality Rollup for .NET Framework 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2

KB4340559 --Â Security and Quality Rollup for .NET Framework 2.0, 3.0, 4.5.2, 4.6 on Windows Server 2008

KB4340583 --Â Security Update for Windows Server 2008

A denial of service vulnerability exists when Windows improperly handles objects in memory.

Notes

The release notes list CVEs with FAQs that offer additional information:

Known Issues

Windows 7 SP1

There is an issue with Windows and third-party software related to a missing file (oem<number>.inf). Because of this issue, after you apply this update, the network interface controller will stop working.

Workaround:

LaunchÂ devmgmt.msc, device may appear under Other Devices.
Select Scan for hardware changes from the Action menu.
Alternatively: Right-click on the device and select update. Activate search automatically for updated driver software, or browse my computer for driver software.

Windows 10 version 1709

Localization issues for select strings. The strings may be displayed in English instead of then localized language.

Update: new issue affectsÂ also Windows 10 version 1607

After installing this update on a DHCP Failover Server, Enterprise clients may receive an invalid configuration when requesting a new IP address. This may result in loss of connectivity as systems fail to renew their leases.

Microsoft expects to have a working solution available mid-July.

KB4340558

Users receive a "0x80092004" error when they try to install the July 2018 Security and Quality Rollup update KB4340557 or KB4340558 on Windows 8.1, Windows Server 2012 R2, or Windows Server 2012 after they install the June 2018 .NET Framework Preview of Quality Rollup updates KB4291497 or KB4291495 on systems that are running on .NET Framework 4.7.2, 4.7.1, 4.7, 4.62, 4.6.1, or 4.6.

Security advisories and updates

ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities (update)

ADV180012 | Microsoft Guidance for Speculative Store Bypass (update)

ADV180015 | Microsoft Office Defense in Depth Update

ADV180016 | Microsoft Guidance for Lazy FP State Restore

ADV170017 | Microsoft Office Defense in Depth Update (updated)

Non-security related updates

KB2952664 --Â Update for Windows 7

Compatibility update for keeping Windows up-to-date in Windows 7

KB2976978 --Â Update for Windows 8.1

Compatibility update for keeping Windows up-to-date in Windows 8.1 and Windows 8

KB4054529 --Â Microsoft .NET Framework 4.7.2 Language Packs for Windows 7 and Windows Server 2008 R2

KB4054530 --Â Microsoft .NET Framework 4.7.2 for Windows 7 and Windows Server 2008 R2

KB4054533 --Â Microsoft .NET Framework 4.7.2 Language Packs for Windows Embedded 8 Standard and Windows Server 2012

KB4054534 --Â Microsoft .NET Framework 4.7.2 Language Packs for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2

KB4054535 --Â Microsoft .NET Framework 4.7.2 Language Packs for Windows Server 2016, Windows 10 Version 1709, Windows 10 Version 1703, Windows 10 Version 1607, Windows 10 Version 1511, Windows 10 Version 1507, and Windows 10

KB4054542 --Â Microsoft .NET Framework 4.7.2 for Windows Embedded 8 Standard and Windows Server 2012

KB4054566 --Â Microsoft .NET Framework 4.7.2 for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2

KB4054590 --Â Microsoft .NET Framework 4.7.2 for Windows Server 2016, Windows 10 Version 1709, Windows 10 Version 1703, Windows 10 Version 1607, Windows 10 Version 1511, Windows 10 Version 1507, and Windows 10

KB4073120 --Â Microsoft .NET Framework 4.7.2 for Windows Server 2016, Windows 10 Version 1709, Windows 10 Version 1703, Windows 10 Version 1607, Windows 10 Version 1511, Windows 10 Version 1507, and Windows 10

KB4073705 --Â Microsoft .NET Framework 4.7.2 Language Packs for Windows Server 2016, Windows 10 Version 1709, Windows 10 Version 1703, Windows 10 Version 1607, Windows 10 Version 1511, Windows 10 Version 1507, and Windows 10

KB4338852 --Â Dynamic Update for Windows 10 Version 1709

This update makes improvements to ease the upgrade experience to Windows 10, Version 1709.

KB4339277 --Â Dynamic Update for Windows 10 Version 1803

This update makes improvements to ease the upgrade experience to Windows 10, version 1803.

KB4339420 --Â Update for Windows 10 Version 1709

Servicing stack update for Windows 10, version 1709: July 10, 2018

KB890830 --Â Windows Malicious Software Removal Tool - July 2018

Microsoft Office Updates

Microsoft released non-security updates for Office last week. Check out the article in case you missed it.Â You find security releases that Microsoft published today below:

Office 2016

KB4022172 -- Patches a remote code execution vulnerability in Microsoft Office.

KB4022176 -- Same asÂ KB4022172.

KB4018338 -- Security update for Access that resolves vulnerabilities that could allow remote code execution attacks.

KB4022221 -- Skype for Business 2016 update. Fixes remote code execution vulnerabilities.

KB4022218 -- Word 2016 update that patches remote code execution vulnerabilities.

Office 2013

KB4022188 -- Same asÂ KB4022172.

KB4022189 --Â Same asÂ KB4022172.

KB4018351 -- Same asÂ KB4018338

KB4022225 -- Skype for Business 2015 update that fixes remote code execution vulnerabilities.

KB4022224 -- Same asÂ KB4022218 (but for Word 2013)

Office 2010

KB4022200 -- Fixes issues that could lead to remote code execution.

KB4022208 --Â Same asÂ KB4022172.

KB4022206 --Â Same asÂ KB4022172.

KB4022202 --Â Same asÂ KB4022218Â (but for Word 2010)

Other Office products

How to download and install the July 2018 security updates

Security updates for client versions of Windows are provided via the built-in updating system Windows Update. Organizations can make use of Enterprise-specific update tools to download and deploy updates.

Updates are also provided as direct downloads on Microsoft's Update Catalog website.

Windows Update, if enabled, checks for new updates regularly but not in real-time. If you want to download and install the new batch of updates directly, do the following to run a manual check for updates (which should pick up the updates).

Note: It is highly recommended that you create a backup before you install new updates so that you may restore the system if things go wrong.

Do the following to run a manual update check:

Tap on the Windows-key to open the Start Menu.
Type Windows Updates and select the result.
Click on the "check for updates" button if the update check is not run automatically.

Direct update downloads

Microsoft publishes downloads of all updates that it releases on the company's Microsoft Download Center website.

Just click on the direct links below to do so.

Windows 7 SP1 and Windows Server 2008 R2 SP

KB4338818 -- 2018-07 Security Monthly Quality Rollup for Windows 7
KB4338823 â€” 2018-07 Security Only Quality Update for Windows 7

Windows 8.1 and Windows Server 2012 R2

KB4338815 â€” 2018-07 Security Monthly Quality Rollup for Windows 8.1
KB4338824 â€” 2018-07 Security Only Quality Update for Windows 8.1

Windows 10 and Windows Server 2016 (version 1607)

KB4338814 â€” 2018-07 Cumulative Update for Windows 10 Version 1607

Windows 10 (version 1703)

Â KB4338826 â€” 2018-07 Cumulative Update for Windows 10 Version 1703

Windows 10 (version 1709)

KB4338825 â€” 2018-07 Cumulative Update for Windows 10 Version 1709

Windows 10 (version 1803)

KB4338819 â€” 2018-07 Cumulative Update for Windows 10 Version 1709

Additional resources

Summary

Article Name

Microsoft Windows Security Updates July 2018 release overview

Description

Microsoft released security and non-security updates for client and server versions of Windows and other products on the July 2018 Patch Day.

Author

Martin Brinkmann

Publisher

Ghacks Technology News

Logo

Comments

Sylvio Haas said on July 10, 2018 at 9:06 pm


Hello – To donate a fix amount every month what is the correct procedure – do I have to become a patron or is there also a monthly donation option? Thank you.
1. Martin Brinkmann said on July 11, 2018 at 6:23 am
  
  
  Hi Sylvio, Patreon is the only option right now for monthly support donations. I’m still looking at alternatives, have added cryptocurrencies to the support page yesterday.
  
  Still working on getting a bank account set up for Ghacks so that direct bank transfers become an option as well (it should be free within the Euro-zone then).
Paul(us) said on July 10, 2018 at 10:12 pm


Thanks, Martin, For this ferry helpfull monthly post.

Did you or anyone else have the same problem with upgrading your Windows 10 professional version 1803 build 17112.137, to version 1803 build 17112.165?

Main one system rejected the updated twice before sticking finally!
Has that maybe something to do that I earlier today already installed the Adobe Flash Player 30.0.0.134 64-bit, Firefox update?
Franck said on July 10, 2018 at 10:28 pm


Awesome sum-up, thanks a lot !!!
GoneToPlaid said on July 10, 2018 at 10:42 pm


KB2952664 and KB2976978 have nothing to do with keeping Windows up-to-date, and neither of these KBs are for compatibility. You should call both KBs for what they are — updates which install deep telemetry into Windows 7 and Windows 8x computers.
1. jan said on July 12, 2018 at 4:11 pm
  
  
  You are right.
  
  KB2952664 — Update for Windows 7. Compatibility update for keeping Windows up-to-date in Windows 7 is just a load of BS.
  
  This KB is “offered” a few times per year in case you did not install it, in the hope that you install it by accident.
  NEVER INSTALL IT!!
  1. AJ North said on July 12, 2018 at 6:03 pm
    
    
    From Woody Leonhard in Computerworld (2018.07.12):
    
    Old snoops will out
    
    This month marked a re-re-reâ€¦-appearance of the snooping patches KB 2952664 for Win7 and KB 2976978 for Win8.1. You remember the Microsoft Party Line:
    
    This update performs diagnostics on the Windows systems that participate in the Windows Customer Experience Improvement Program. The diagnostics evaluate the compatibility status of the Windows ecosystem, and help Microsoft to ensure application and device compatibility for all updates to Windows. There is no GWX or upgrade functionality contained in this update.
    
    Poster Bill C has a good take on the claim:
    
    They say they will not do GWX again, OK, but the real question is what WILL they do?
    
    Weâ€™ve seen, over and over again, that the Customer Experience Improvement Program settings have no bearing on these patchesâ€™ increased telemetry. If youâ€™re even remotely tempted to install either of these â€œimportant,â€ checked patches, see @PKCanoâ€™s AskWoody KB article on the subject, AKB 2952664.
    
    ProTip: Microsoft has no incentive to improve Win7. None. Unless youâ€™re offered a clearly identified security patch, you donâ€™t want it, checked or not.
    
    https://www.computerworld.com/article/3289506/microsoft-windows/patch-tuesday-problems-abound-server-2016-crashes-and-a-net-patch-goes-down-in-flames.html
AJ North said on July 11, 2018 at 12:11 am


Thank you as always, Martin!
gef50 said on July 11, 2018 at 2:15 am


Hi Martin,

Windows update shows both cumulative update for win 1709 build 16299.547 (KB4338825) and feature update windows ver 1803.

Is it okay to install these two in a single session? Or should I defer feature update for a day or two, after I install KB4338825?

Thanks in advance
1. Martin Brinkmann said on July 11, 2018 at 6:25 am
  
  
  You don’t really need KB4338825 if you plan to upgrade to Win 10 1803. You could install the new version of Windows 10 and see how it goes. Make sure you create a system backup before you do though.
pHROZEN gHOST said on July 11, 2018 at 3:13 am


As always, this is a great summary.

This updte brought about the v1803 update to my PC. When the smoke cleared, there were 3 WAN Mimport devices with an error. Aparently this is a common issue. Lots o people are mentioning it. But nobody has a real solution. MS claims it’s becaus of 3rd party VPN software installed on the PC. But, I don’t have this. So, I merely disabled all of the WAN Miniport devices because for now I don’t use VPN.
Anonymous said on July 11, 2018 at 5:54 am


We have an issue on Windows 8.1, error:Code 80092004 “Windows Update ran into a problem” while trying to install the update KB4340558 (51.1MB). Anyone encountered this too?
1. Martin Brinkmann said on July 11, 2018 at 6:50 am
  
  
  That’s an error that was thrown last month already. I read about an unofficial workaround. You need to disable Internet Explorer 11 under Features in the Control Panel, restart, and then search for updates. It should work now if that is the same issue.
  1. macauln said on July 11, 2018 at 12:06 pm
    
    
    the disabling IE doesn’t work, well not on server 2012 r2 where this update has failed on all our test server group hosts.
2. Anonymous said on July 11, 2018 at 8:31 am
  
  
  @anonymous : yes, same error here. Code 80092004 when trying to install KB4340558 on Windows Server 2012 R2
  No idea how to fix this…
  1. Luka said on July 11, 2018 at 9:53 am
    
    
    Same error for my server…
3. Martin Brinkmann said on July 11, 2018 at 2:31 pm
  
  
  Just read over on GÃ¼nter Born’s website that it seems likely that the update is broken. See https://www.borncity.com/blog/2018/07/11/net-framework-update-kb4340558-fehlerhaft-error-0x80092004/
Microfix said on July 11, 2018 at 8:23 am


Many thanks Martin for your astute summary.
Thesegotoeleven said on July 11, 2018 at 11:04 am


So after the cumulative update for win 1803 AGAIN failed to install on my 3 computers, I have now spent the morning installing the much better cumulative update KDE Neon on 2 of them. The installs were very fast and the laptops have never ever been faster, around 300MB RAM on idle compared to 1,5GB with Windows 10. The fans are quiet now too, with Windows 10 I could use them to heat my room. Thank you Microsoft for showing me the way. Laptop number 3 will join the other two this afternoon.
chesscanoe said on July 11, 2018 at 1:08 pm


Fantastic monthly summary. Small point – you say
“Do the following to run a manual update check:

Tap on the Windows-key to open the Start Menu.
****Type Windows Updates and select the result.”
______________________________________________

****Type UPD or Windows Update and select the result is faster.
Ruan said on July 11, 2018 at 4:06 pm


Hi Martin,

“KB4339291 — Security Update for WES09 and POSReady 2009”

“KB4339854 — Security Update for WES09 and POSReady 2009”

Both updates are also listed for Windows Server 2008.
Dave said on July 11, 2018 at 5:07 pm


Today I got this,

https://support.microsoft.com/en-us/help/4023057/update-to-windows-10-versions-1507-1511-1607-and-1703-for-update-relia

It installs a program in c:\program files\rempl and runs it. This program then attempts to connect to the internet.

It says…

“This update includes files and resources that address issues that affect the update processes in Windows 10. These improvements ensure that quality updates are installed seamlessly on your device and help to improve the reliability and security of devices running Windows 10.”

I’m wondering if the translation to human is “We’re trying another tactic to force 1803 on to your PC even though you don’t want it”?
1. gef950 said on July 12, 2018 at 3:26 am
  
  
  Probably, because 1803 is now on semi annual channel too.
  
  https://www.microsoft.com/en-us/itpro/windows-10/release-information
Anonymous said on July 11, 2018 at 5:41 pm


Thanks for the download links.

https://support.microsoft.com/en-gb/help/4054530/microsoft-net-framework-4-7-2-offline-installer-for-windows

“Note The package installer (NDP472-KB4054530-x86-x64-AllOS-ENU.exe) was updated on July 10, 2018. If you downloaded the installer before July 10, 2018, we recommend that you download the latest version (4.7.3081.0) of the installer to get the additional fixes included in the update.”

Then you click on the download link and you get NDP472-KB4054530-x86-x64-AllOS-ENU.exe. No link for the update 4.7.3081.0.

I hate Microsoft.
1. Martin P. said on July 12, 2018 at 12:01 am
  
  
  Here’s the link for the updated (en-us version) .NET 4.7.2 offline installer:
  
  https://go.microsoft.com/fwlink/?LinkID=863265
  
  resolves to:
  
  https://download.microsoft.com/download/6/E/4/6E48E8AB-DC00-419E-9704-06DD46E5F81D/NDP472-KB4054530-x86-x64-AllOS-ENU.exe
  1. Anonymous said on July 12, 2018 at 8:30 am
    
    
    Thank you. Until next time :)
  2. Luka said on July 12, 2018 at 8:58 am
    
    
    Martin, this is still not OK for my Win 2012 R2 server, even with offline instalation I can’t install Fremework ver 4.7.2.
    and same is for KB4340558, I have tried on few different servers and on all I have same error: Code 80092004 â€œWindows Update ran into a problemâ€
    
    Any other idea how to solve this?
  3. Martin P. said on July 13, 2018 at 5:56 am
    
    
    Mmmm you got me there. I got the download link for .NET Framework 4.7.2 from this URL:
    
    https://www.microsoft.com/net/download/windows
    
    1) Selected the download for “.NET Framework 4.7.2 offline installer” (further down on page)
    2) Step 1 got me to “https://www.microsoft.com/net/download/thank-you/net472-offline” which auto-started the download of the offline .NET Framework 4.7.2 installer.
    3) On the same page, the “Problem downloading? Try again.” link is “https://go.microsoft.com/fwlink/?LinkID=863265” which resolves to “https://download.microsoft.com/download/6/E/4/6E48E8AB-DC00-419E-9704-06DD46E5F81D/NDP472-KB4054530-x86-x64-AllOS-ENU.exe”
    
    I’ve downloaded the installer again from the above URLs and it produces the same hashes as the original file I used to install .NET Framework 4.7.2 on my Win 7 Pro x64 box.
    
    Wish I could be more help. Sorry.
soda_popinsky said on July 11, 2018 at 6:24 pm


New update on KB4338825 page, there’s a new issue:

“After installing this update on a DHCP Failover Server, Enterprise clients may receive an invalid configuration when requesting a new IP address. This may result in loss of connectivity as systems fail to renew their leases.”

https://support.microsoft.com/en-in/help/4338825/windows-10-update-kb4338825
1. gef950 said on July 12, 2018 at 2:13 am
  
  
  “…Enterprise clients may receive an invalid configuration when requesting a new IP address…”
  
  Windows home & pro aren’t affected, right?
Coriy said on July 11, 2018 at 8:36 pm


The only problem I’ve had is with KB4338818 (for Win7x64), all of the other updates for Windows 7 installed. I did the works though, resetting Windows Update, SFC, and even installing the offline version. None of that works. So I’m betting that there’s something wrong with KB4338818 itself.
So I’ve hidden it, so I don’t get pestered again.
1. AJ North said on July 12, 2018 at 5:31 am
  
  
  Hello Coriy,
  
  Have you tried installing the two stand-alone security-only updates for Win7, the Security Only Quality Rollup (KB4338823), followed by the Cumulative Security Update for Internet Explorer (KB4339093)? (I ran into a similar problem with two Win7 x64 rigs a few months ago; fortunately for both, these security-only monthly updates have solved that problem.) Good luck.
  
  AJN
2. Anonymous said on July 12, 2018 at 5:48 pm
  
  
  Same problem with installing the 8.1 equivalent KB4338815 too, keeps failing. Even offline install doesn’t work. What to do?
  1. AJ North said on July 12, 2018 at 7:02 pm
    
    
    Similarly to Win7, try installing the July Windows 8.1 Security Only Quality Rollup (KB4338824), followed by the Cumulative Security Update for Internet Explorer (KB4339093).
  2. Anonymous said on July 14, 2018 at 10:52 am
    
    
    Thanks, your suggestion worked, those updates did install. But I am still getting notification to install KB4338815 and when I try to install it still fails. What could be the problem?
  3. AJ North said on July 14, 2018 at 1:03 pm
    
    
    Glad to hear that you were successful.
    
    KB4338824 & KB339093 together supersede (replace) KB4338815, which is therefore no longer required. (That is why I suggested trying to install them in lieu of the single Monthly Quality and Security Rollup, which wasn’t installing.) You can now simply right-click on KB4228815, then left-click on Hide Update. (The same applies to the respective patches for Win 7.)
    
    (Remember, KB4338823 and KB4228824 are the Win 7 & 8.1 security patches, respectively; they not cumulative roll-ups. A quick web search will provide full details.)
    
    For a comprehensive free check to make sure that all security patches are present & properly installed, I recommend the free Belarc Advisor; see: https://www.lifewire.com/belarc-advisor-review-2625784 .
    
    Regards,
    
    AJN
  4. Anonymous said on July 14, 2018 at 6:07 pm
    
    
    Thank you. This was the first month where the quality and security rollup patch fails to install. Previous rollup installations were all flawless. Will see what happens next month.
  5. Anonymous said on July 19, 2018 at 4:19 pm
    
    
    Any update on this issue?
John S said on July 12, 2018 at 1:04 pm


Thanks for the update summary, fingers crossed it doesn’t muck up anything.
Cigologic said on July 13, 2018 at 12:21 am


@ Martin — Your summaries for the respective Win 7 & Win 8.1 “Security-Only update” indicate “Security updates to Internet Explorer, Windows apps, […]”.

I understand that all along, Win 7/8.1’s Monthly Security-Only updates do NOT include any IE updates. It is only Win 7/8.1’s “Security Monthly Quality” Rollups that include IE updates — both security & quality (ie. non-security).

As such, users of Win 7/8.1’s Monthly Security-Only updates also need to install the monthly-offered IE Cumulative Security-Only update, if they wish to keep IE (& Win OS components closely-integrated with IE) protected.

It might be good to explicitly include the link to IE’s monthly Cumulative Security Update in your Windows Updates summaries, since the majority of Win OS users worldwide are still on Win 7, with a small minority on Win 8.x.

Cumulative Security Update for Internet Explorer (10 July 2018):
https://support.microsoft.com/en-us/help/4339093/cumulative-security-update-for-internet-explorer
Ayahuasca Sage said on July 13, 2018 at 3:46 am


I am using XP on a VM hosted in a FOSS OS. I am OK.
soda_popinski said on July 13, 2018 at 9:10 am


New update, another issue on 1709

“After installing this update, some devices running network monitoring workloads may receive the 0xD1 Stop error because of a race condition.”

https://support.microsoft.com/en-in/help/4338825/windows-10-update-kb4338825
Paul H said on July 13, 2018 at 12:51 pm


Hi All,

Just wondering if anyone has this problem. Event ID 4227 – TCP/IP failed to establish an outgoing connection because the selected local endpoint was recently used to connect to the same remote endpoint.

This is on 2012R2 VCenter server and it has started dropping heartbeats to the remote hosts which in turn is causing disconnects.

I came accross this thread whilst doing some research and cant help but this MS have done it again:

https://www.reddit.com/r/windowsserver2012/comments/68vgss/april_2017_windows_patches_on_windows_server_2012/

Yes I am using iSCSI.
1. Paul H said on July 13, 2018 at 5:21 pm
  
  
  Just as a FYI, I un-installed the patches and the symptoms went away. I have just logged a ticket with MS.
2. a P said on July 14, 2018 at 5:04 pm
  
  
  These entries also started to show up on two of our servers (2k16 and 2k8 R2) without iSCSI.
  
  We have a “lot” of outgoing connections mostly towards localhost. Increasing the limits (maxuserport / maxfreetcbs) to around 20k didn’t help either. On the 2k8 R2 server certain tcp using processes cannot exit / be killed.
  1. BT said on July 16, 2018 at 8:20 pm
    
    
    Same observation here on Windows 2008R2 servers. TCP/IP system warning 4227 started to show up after installing updates, and went away after uninstalling them. I’d be interested in what Microsoft would reply to Paul H’s ticket.
  2. BT said on July 16, 2018 at 11:50 pm
    
    
    UPDATE – The TCP dynamic port range had been shrunk significantly. Prior to the WU installation, the TCP dynamic port range had a start port of 1025 and a number of 64506. After the WU installation, this had been changed to 49152 and 16384. Uninstalling the WU restores the initial values, but they can also be changed manually. Please refer to this Microsoft document: https://docs.microsoft.com/en-us/biztalk/technical-guides/settings-that-can-be-modified-to-improve-network-performance for commands to check/change.
3. Tim F said on July 17, 2018 at 5:43 am
  
  
  This TCP port issue seems to be noted here under known issues now:
  https://support.microsoft.com/en-gb/help/4338820/windows-server-2012-kb4338820
  
  With a workaround for Server 2012:
  https://support.microsoft.com/en-gb/help/4345425/improvements-and-fixes-windows-server-2012
  
  I’m going to try it to see if it fixes our vCenter and Veeam backup issues.
  1. Paul H said on July 17, 2018 at 10:00 am
    
    
    Thanks both BT & Tim F. Glad that a fix is already available and I will also apply this update.
    
    The official reply from MS break fix (2 days ago) was to un-install the updates and they said they would report the issues upstream to the products team. I will follow up with them again today, but looks like enough people are having problems now that they have acknowledged there are multiple issues from these updates.
  2. Paul H said on July 17, 2018 at 10:29 am
    
    
    None of the fixes listed in KB4345425 apply to 2008R2, 2012R2 or 2016! Well done. How many companies are still using those OS’s!
  3. Tim F said on July 19, 2018 at 8:57 am
    
    
    Hi Paul,
    
    It looks like 2008R2 and 2012R2 each have their own KB update to fix this. They are listed in the known issues for each update:
    2008R2:
    https://support.microsoft.com/en-gb/help/4338823/windows-7-update-kb4338823
    https://support.microsoft.com/en-gb/help/4345459
    
    2012R2:
    https://support.microsoft.com/en-gb/help/4338824/windows-81-update-kb4338824
    https://support.microsoft.com/en-gb/help/4345424
  4. Paul H said on July 19, 2018 at 10:25 am
    
    
    Thanks Tim! You would have thought the MS break fix team would know about these! I will install these over the next few days/w-end and report back.
  5. Tim F said on July 17, 2018 at 2:11 pm
    
    
    I applied the KB4345425 update to our 2012 server. It did not adjust the dynamic port range. After the update it was still:
    Start Port : 49152
    Number of Ports : 16384
    
    One of our unpatched 2012 servers (July 10 update not installed) uses this port range:
    Start Port : 6005
    Number of Ports : 58321
    
    So I used BT’s guide to increase the port range to the above. Will see how it goes overnight.
  6. Paul H said on July 17, 2018 at 7:18 pm
    
    
    Un-patched 2008R2:
    
    Start Port : 6005
    Number of Ports : 59530
    
    Patched 2008R2:
    
    Start Port : 49152
    Number of Ports : 16384
    
    Patched or Un-patched 2012R2:
    
    Start Port : 49152
    Number of Ports : 16384
    
    Conclusion: I don’t think the number of ports available has anything to do with the problems. 16 thousand is plenty of free ports. Looks like its been that way in 2012 R2 for a while.
  7. Tim F said on July 19, 2018 at 8:50 am
    
    
    Paul, I think you are right, I don’t think it’s the dynamic port range size but perhaps how the system handles opening/closing of used ports.
    
    I installed the KB4345425 update (https://support.microsoft.com/en-gb/help/4345425) on the two 2012 servers that were having problems and set the dynamic port range back to default (Start: 49152, size: 16384) and it has resolved the problems. The number of ports did not need to be increased.
Maxim said on July 16, 2018 at 9:49 am


These M$ updates have messed up my entire infrastructure again! G-r-r-r–rrrrr! Using win 2k8 server as vCenter server and ESXi host randomly disappears and connect again in a few minutes. I got about 500 e-mails in this weekend!
PamKoryn said on July 16, 2018 at 12:07 pm


I’ve got Windows 7 and noticed that somewhere around July 12th – 2 of the updates that had been showing had disappeared. Now missing are the monthly rollup (KB4338818) and the .NET Framework (KB4340556). One day they were there – the next gone. I hadn’t installed any updates yet – waiting to see how everything shakes out but I’m wondering if this has happened to anyone else? Another odd thing under the Optional Updates it’s showing what appears to be updates from last month – they’re both listed at 2018-06 KB4284842 (monthly rollup) and KB4291493 (.Net Framework). I never install optional updates – but these showed up when the above mentioned updates went missing. Any ideas?
Anonymous said on July 16, 2018 at 12:08 pm


We’ve seen the issue with vCenter alerting that hosts have disconnected when in reality they are fine.
We’ve also seen issues with NPS and our switches failing to authenticate using 802.1x – the RADIUS requests time out.

vCenter settled down following removal of kb4338815
Removing kb4338815 does not yet appear to have fixed NPS though :(
Guilherme Rudnitzki said on July 16, 2018 at 7:27 pm


We are experiencing the following problems after installing the July’18 updates in our servers running Windows 2012 and Windows 2016:

1) We can no longer restart the www service. The service locks in “stopping” forever and we have to restart the server.

2) We can no longer instantiate .NET .DLLs (interop) in classic ASP using server.createobject. We receive the error 0x800A01AD “ActiveX component can’t create object”.

We could only fix both problems after uninstalling ALL the July KB’s: KB4284815, KB4338815, KB4338424, KB4338419, KB4054566
1. Jack Schlott said on July 17, 2018 at 10:34 pm
  
  
  We are having the same problem as your number 2
  
  2) We can no longer instantiate .NET .DLLs (interop) in classic ASP using server.createobject. We receive the error 0x800A01AD â€œActiveX component canâ€™t create objectâ€.
  
  Any view of a correction ? We will be uninstalling the KB 4340006. But would like a better solution if possible.
BT said on July 16, 2018 at 8:23 pm


Other than the TCP/IP error 4227 mentioned earlier in these comments, we’re also experiencing problems with IIS restarts. The WWW Publishing services will lock up in a “stopping” state and IIS cannot be started again. A server reboot is required. Observed on 2008R2. Uninstalling update KB338420 (which came as part of KB4340556) resolves this problem. Official MS thread regarding this issue can be found here: https://forums.iis.net/t/1239061.aspx?IISRESET+results+in+W3SVC+stuck+in+stopping+status+after+July+2018+patches.
chesscanoe said on July 17, 2018 at 1:13 am


I manually checked Windows Update and it found new 1803 Cumulative Update KB4345421 for my Windows 10 x64 Home laptop. FYI.
1. chesscanoe said on July 17, 2018 at 3:34 am
  
  
  KB 4345421 brought my Windows 10 1803 to Build 17134.167 per winver command.
A different Martin said on July 18, 2018 at 8:06 pm


I no longer trust Microsoft’s own Windows Update feature to keep my Windows 7 x64 system up to date without borking it or sneaking in unwanted diagnostics and telemetry. However, I’m not a professional sysadmin and I don’t like spending a huge amount of time each month researching and manually installing missing updates, so this has been my updating procedure for the past year and a half or so:

* Wait for a few days after Patch Tuesday. [This gives Microsoft time to pull grossly buggy patches, Belarc developers time to update their security-patch database, and WSUS Offline Update developers time to update *their* various databases, including their blacklists.]

* Run Belarc Advisor and see how many (and which) security updates it flags as missing.

* Run WPD (Windows Privacy Dashboard); make sure that all of the “Base privacy settings” are still set to disabled; and update the “Spy” Firewall rules.

* Theoretically, run a full anti-malware scan. (I don’t do this unless I have grounds for suspicion. I practice safe computing, I use decent browser protections, I have a good real-time antivirus, I run a scheduled weekly scan in background, and I haven’t detected even a *trivial* malware threat in … ten years?)

* Run a basic disk check and repair on the system drive. [Requires a reboot.]

* Update apps with the help of SUMo.

* Manually double-check to see whether a newer version of WSUS Offline Update is available. [SUMo doesn’t always timely flag available updates for WSUS Offline Update, I’m guessing because most people who use both programs forget to add WSUS’s “install” folder — it’s a portable app — as an “additional folder” that SUMo should scan. WSUS Offline Update will notify you itself if a newer version is available, but only at the *end* of a first-stage run. Why waste the time?]

* Reboot again to make sure there aren’t any pending boot-time operations waiting to be executed.

* Optionally (I guess), clean out “junk” files and obsolete or incorrect registry entries using CCleaner. [Some people get hysterical about the dangers and uselessness of registry cleaning, but CCleaner has *never* screwed me, in *years* of use. Besides, I maintain backups of all but the top two categories of registry entries. Additionally, I’m moderately conservative in the categories of “junk”/temporary files I select for permanent deletion. I regularly get rid of junk; it clears up large amounts of drive space on my computer; and it’s never affected my system’s integrity or usability.]

* Use Macrium Reflect to clone the system drive (provided the system has been running well — if not, stick with the previous clone). [As my primary line of defense against catastrophic system drive borkage/corruption/failure, I rely on having a fairly up-to-date clone that I can physically swap in. If you have a system drive that can’t be replaced without major surgery, I suppose a recent drive image would do the trick.]

* Theoretically, run Lenovo System Update, to check for BIOS, driver, and OEM utility updates. [My laptop is eight years old and System Update hasn’t offered me anything new in quite a while.]

* Run the first stage of WSUS Offline Update (the update “generator”/downloader) with the “SECURITY ONLY UPDATES” option ENABLED. [Sometimes the download run aborts due to an error. So far, I have been able to find solutions to these occasional aborts by searching the Web. On a couple of occasions, I have had to disable the “C++ and .NET” option to get the download stage to run to completion. On one occasion I had to delete the contents of WSUS’s client\md folder, which I believe just contains hash files for integrity checking.]

*Search the download stage log from the bottom up for instances of “error” and “warning” in the current download session. Don’t worry about missing update warnings. If the missing updates are important to security, they will show up in the next Belarc Advisor scan and you can investigate them then.

* Run the second stage of WSUS Offline Update (the update installer) with all desired, non-grayed-out options in the Installation section enabled, and with the “Verify,” “Automatic reboot and recall,” and “Show log” options in the Control section enabled.

* At the end of the run, search the log file from the bottom up for instances of “error” and “warning” in the most recent run. [I don’t recall having ever found any.]

* After personal Desktop settings finish loading — they are temporarily disabled by the “Automatic reboot and recall” option and aren’t re-enabled until the automatically displayed log file is closed — run Belarc Advisor again and investigate any security updates still flagged as missing. [These are usually false positives or updates that WSUS Offline Update’s developers have blacklisted as buggy or otherwise problematic. However, I did once run into a true positive that I had to download and install separately, manually. One missing update in a year and a half of relying on WSUS Offline Update isn’t a bad track record, especially compared to the parade of horribles we’ve seen from Windows Update since roughly spring of 2015.]

* Run WPD again, to make sure that none of Microsoft’s “security-only” updates didn’t reactivate unwanted telemetry or diagnostics. [This happened to me once, back in August or September 2017, I think.]

So far, so good. No borkage, no unwanted telemetry or diagnostics, and a clean bill of health from Belarc. (And this is true for five other computers I look after, in addition to my own.) It looks like a lot of work, and I suppose it is, but I would follow the same procedure if I used Windows Update. The only thing I do differently is that I’ve substituted WSUS Offline Update for Windows Update because I trust it more not to screw me or my computer.
Anonymous said on July 19, 2018 at 6:18 pm


Good news: Microsoft is aware of the .NET DLL access denied errors and is already working on a solution:Â https://support.microsoft.com/am-et/help/4345913/access-denied-errors-after-installing-july-2018-security-rollup-update

Bad news: we tried all the workarounds they suggest in the above article with no success.
Paul H said on July 20, 2018 at 5:36 pm


Has anyone been brave enough to update exchange yet?

https://blogs.technet.microsoft.com/exchange/2018/07/16/issue-with-july-updates-for-windows-on-an-exchange-server/
Anonymous said on July 31, 2018 at 11:02 pm


Yesterday Microsoft finally published a resolution for the “ActiveX component can’t create object” error: https://support.microsoft.com/en-us/help/4345913/access-denied-errors-after-installing-july-2018-security-rollup-update. I tested it in Windows Server 2012 R2 and Windows 2016 and it worked OK.

Microsoft Windows Security Updates July 2018 release overview