Microsoft Security Updates May 2017 release

by Martin Brinkmann on May 09, 2017 in Companies, Microsoft - Last Update: May 22, 2018 - 22 comments

Microsoft released security updates, and non-security updates, for all supported versions of Microsoft Windows and other company products on the May 2017's Patch Day.

Windows Vista support ended last month, and this is the first month without Windows Vista updates. Coincidentally, May 9th, 2017 is also the day that support for the Windows 10 RTM version ends.

Microsoft switched to a new system in regards to information about product updates. The company did away with security bulletins last month, and things have gotten more complicated in the process as information are not presented as nicely anymore and take longer to go through.

The guide begins with the executive summary, and lists all security, non-security, and security advisory patches and information afterwards. You also find information on how to download the updates, including direct downloads for cumulative updates for Windows 7, Windows 8.1 and Windows 10.

Note: Some users report that they see the Internet Explorer patch KB3008923 again. This patch should not be installed. More info on this at Infoworld.

Microsoft Security Updates May 2017

You can download the following Excel spreadsheet for a list of all security updates that Microsoft released on this May 2017 Patch day: microsoft-windows-may-2017-all-security-updates.zip

Executive Summary

No more Windows Vista patches.
This is the last patch day for the Windows 10 RTM release. It won't be supported anymore after today.
Updates were released for all supported client and server versions of Windows.
Other Microsoft products with patches are: Internet Explorer, Microsoft Edge, Microsoft Office, the Microsoft .NET Framework, and Adobe Flash Player

Operating System Distribution

Windows 7: 26 vulnerabilities of which 4 are rated critical, and 22 important
Windows 8.1: 22 vulnerabilities of which 4 are rated critical, and the remaining 18 important
Windows RT 8.1: 20 vulnerabilities of which 4 are rated critical, and 16 important
Windows 10 version 1703: 22 vulnerabilities of which four are rated critical, and 16 important.

Windows Server products:

Windows Server 2008: 27 vulnerabilities, of which 4 are rated critical, and 23 important
Windows Server 2008 R2: 27 vulnerabilities, of which 4 are rated critical, and 23 important
Windows Server 2012 and 2012 R2: 24 vulnerabilities, of which 4 are rated critical and 20 important
Windows Server 2016: 23 vulnerabilities of which 4 are rated critical, and 19 important

Other Microsoft Products

Internet Explorer 11: 10 vulnerabilities, 2 critical, 6 important, 2 moderate
Microsoft Edge: 28 vulnerabilities, 16 critical, the rest important
Microsoft Office: varies depending on version. See KB4020152 for information.

Security Updates

KB4019263 -- Security-only update for Windows 7 and Windows Server 2008 R2

Updated Windows Cryptography API to deprecate SHA-1 for SSL/TLS Server Authentication, including in Microsoft Edge and Internet Explorer 11 . See Advisory 4010323 for more information.
Security updates to Microsoft Graphics Component, Windows COM, Microsoft ActiveX, Windows Server, Windows kernel, and Microsoft Windows DNS.

KB4019213 -- Security-only update for Windows 8.1 and Windows Server 2012 R2

Updated Windows Cryptography API to deprecate SHA-1 for SSL/TLS Server Authentication, including in Microsoft Edge and Internet Explorer 11. See Advisory 4010323 for more information.
Security updates to Microsoft Graphics Component, Microsoft Windows DNS, Windows COM, Windows Server and Windows kernel.

KB4018271 -- Cumulative security update for Internet Explorer: May 9, 2017

Addressed issue where, after installing security update KB4015551, applications that use msado15.dll stop working.
Addressed issue where, after installing KB3187754, clients can no longer access a file server when using SMB1 and NTLM authentication under certain conditions. No credential dialog appears, and the user receives the error, “A specified logon session does not exist. It may already have been terminated.”
Security updates to Microsoft Graphics Component, Windows COM, Windows Server, Windows Kernel, Internet Explorer, and Microsoft Windows DNS.

KB4019216 -- Windows Server 2012 monthly rollup.

KB4019108 -- Security Only update for the .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, and 4.6.2 updates for Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1: May 9, 2017

KB4019109 -- Security Only update for the .NET Framework 2.0 Service Pack 2, 4.5.2, and 4.6 updates for Windows Server 2008 Service Pack 2: May 9, 2017

KB4019110 -- Security Only update for the .NET Framework 3.5 Service Pack 1, 4.5.2, 4.6, 4.6.1, and 4.6.2 updates for Windows Server 2012: May 9, 2017

KB4019111 -- Security Only update for the .NET Framework 3.5 Service Pack 1, 4.5.2, 4.6, 4.6.1, and 4.6.2 updates for Windows 8.1 and Windows Server 2012 R2: May 9, 2017

Security advisories and updates

Microsoft Security Advisory 4010323 -- Deprecation of SHA-1 for SSL/TLS Certificates in Microsoft Edge and Internet Explorer 11

Microsoft Security Advisory 4021279 -- Vulnerabilities in .NET Core, ASP.NET Core Could Allow Elevation of Privilege

Microsoft Security Advisory 4022345 -- Identifying and correcting failure of Windows Update client to receive updates

Microsoft Security Advisory 4022344 -- Security Update for Microsoft Malware Protection Engine (check out our coverage here)

Non-security related updates

KB4019264 -- Monthly rollup for Windows 7 and Windows Server 2008 R2

Addressed issue where, after installing security update KB4015549, applications that use msado15.dll stop working.
Updated Internet Explorer 11’s New Tab Page with an integrated newsfeed.
Deprecated SHA-1 Microsoft Edge and Internet Explorer 11 for SSL/TLS Server Authentication. See Advisory 4010323 for more information.
Security updates to Internet Explorer, Microsoft Graphics Component, Windows COM, Microsoft ActiveX, Windows Server, Windows kernel, and Microsoft Windows DNS.

KB4019215 -- Monthly rollup for Windows 8.1 and Windows Server 2012 R2

same as KB4019264

KB4016871 -- Cumulative update for Windows 10 Version 1703 (OS Build 15063.296 and 15063.297)

Addressed issue with Surface Hub devices waking from sleep approximately every four minutes after the first two hours.
Addressed issue where autochk.exe can randomly skip drive checks and not fix corruptions, which may lead to data loss.
Addressed an issue where Microsoft Edge users in networking environments that do not fully support the TCP Fast Open standard may have problems connecting to some websites. Users can re-enable TCP Fast Open in about:flags.
Addressed issues with Arc Touch mouse Bluetooth connectivity.
Security updates to Microsoft Edge, Internet Explorer, Microsoft Graphics Component, Windows SMB Server, Windows COM, Microsoft Scripting Engine, Windows kernel, Windows Server, and the .NET Framework.

KB4020498 -- Update for .NET Framework 4.6.2 on Windows Server 2012 for x64

KB4020499 -- Update for .NET Framework 4.6.2 on Windows 8.1 and Windows Server 2012 R2

KB4020500 -- Update for .NET Framework 4.6, 4.6.1 on Windows Embedded 8 Standard and Windows Server 2012

KB4020502 -- Update for .NET Framework 4.6, 4.6.1 on Windows 8.1 and Windows Server 2012 R2

KB4020503 -- Update for .NET Framework 4.6 on Windows Embedded Standard 7, Windows 7, Windows Server 2008 R2, and Windows Server 2008

KB4020505 -- Update for .NET Framework 4.5.2 on Windows 8.1 and Windows Server 2012 R2

KB4020506 -- Update for .NET Framework 4.5.2 on Windows Embedded 8 Standard and Windows Server 2012

KB4020507 -- Update for .NET Framework 4.5.2 on Windows Embedded Standard 7, Windows 7, Windows Server 2008 R2, and Windows Server 2008

KB4020510 -- Update for .NET Framework 4 on WES09 and POSReady 2009

KB4020511 -- Update for .NET Framework 2.0 on Windows Server 2008

KB4020512 -- Update for .NET Framework 3.5 on Windows Embedded 8 Standard and Windows Server 2012

KB4020513 -- Update for .NET Framework 3.5.1 on Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2

KB4020514 -- Update for .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2

KB4020517 -- Update for .NET Framework 2.0 SP2 on WES09 and POSReady 2009

KB4015193 -- Update for Windows 8.1, Windows Server 2012 R2, Windows Embedded 8 Standard, Windows Server 2012, Windows Embedded Standard 7, Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows XP Embedded

KB4015552 -- April, 2017 Preview of Monthly Quality Rollup for Windows 7 and Windows Server 2008 R2

KB4015553 -- April, 2017 Preview of Monthly Quality Rollup for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2

KB4015554 -- April, 2017 Preview of Monthly Quality Rollup for Windows Embedded 8 Standard and Windows Server 2012

KB4016240 -- Windows 10 Version 1703 OS Build 15063.250 upgrade

Addressed issue where VMs might experience loss in network connectivity while provisioning IP addresses.
Addressed issue that does not initiate a remote ring on the device when RemoteRing Configuration Service Provider (CSP) is used.
Addressed issue where a memory leak occurs in Internet Explorer when hosting pages containing nested framesets that load cross-domain content.
Addressed issue where Internet Explorer 11 does not save JavaScript files when exporting to an MHT file.
Addressed issue that causes users to get logged out from Web applications intermittently.
Addressed issue with a very dim internal monitor that may occur when booting with the external monitor only and then switching to the built-in panel only.
Addressed issue where running Win32 Direct3D applications or games in full-screen exclusive mode causes the system to become unresponsive when resuming from Connected Standby.
Addressed issue where when upgrading to Windows 10, version 1703, with the system language set to Chinese, the progress page displays geometric shapes instead of the correct localized strings.
Addressed issue that prevents the lock screen from being disabled using Group Policy on Professional SKUs.
Addressed issue in Windows Forms configuration options, which causes antivirus applications to stop working at startup.
Addressed additional issues with compatibility, Internet Explorer, and Microsoft Edge.

How to download and install the May 2017 security updates

All security updates for Microsoft products are available through Windows Update, various business update services and systems, on the Microsoft Download Center website, and also direct downloads provided on the Microsoft Update Catalog website.

Most Windows systems have automatic updates enabled (as it is the default). This means that updates will be pushed to these systems automatically.

You can run manual checks for updates at any time:

Tap on the Windows-key on your computer keyboard, type Windows Update, and hit the Enter-key.
Depending on the configuration, Windows Update will run checks for updates automatically, or when you click on the "check for updates" button.
Updates are then offered for download, or downloaded automatically depending on system settings.

Direct update downloads

Windows 7 SP1 and Windows Server 2008 R2 SP1

KB4019264: May, 2017 Security Monthly Quality Rollup
KB4019263: May, 2017 Security Only Quality Update

Windows 8.1 and Windows Server 2012 R2

KB4019215: May, 2017 Security Monthly Quality Rollup
KB4019213: May, 2017 Security Only Quality Update

Windows 10 and Windows Server 2016 (version 1703)

KB4016871 -- Cumulative Update for Windows 10 Version 1703

Additional resources

Summary

Article Name

Microsoft Security Updates May 2017 release

Description

Microsoft released security updates, and non-security updates, for all supported versions of Microsoft Windows and other company products on the May 2017's Patch Day.

Author

Martin Brinkmann

Publisher

Ghacks Technology News

Logo

Comments

chesscanoe said on May 9, 2017 at 8:05 pm


After updating Windows 10 CU Home x64 today, IE11 just showed the left and top lines of the box that should show the current Flash release level, which was blank. This problem showed up by testing at
https://www.adobe.com/software/flash/about/
I resolved the problem in IE11 by going to IE11 Tools (top right gear) and enabling Flash.
chesscanoe said on May 9, 2017 at 8:17 pm


After updating to latest Windows 10 CU on my x64 Home laptop today, IE11 would not show the Flash current level when going to
https://www.adobe.com/software/flash/about/ . I resolved the problem in IE11 by going to IE11 Tools and enabling Flash.
chesscanoe said on May 9, 2017 at 9:12 pm


For what it’s worth, after updating Windows 10 CU on my Home x64 laptop today, KB 4020821 Flash, 4018483 Flash, and 890830 Software Removal Tool are not listed in this article, but do show in my Update History. I am not sure why this is so.
1. chesscanoe said on May 10, 2017 at 4:35 pm
  
  
  https://portal.msrc.microsoft.com/en-us/security-guidance/summary does list KB4020821,
Anton said on May 9, 2017 at 9:24 pm


I’m from Chicago. There is a new scam out there. Well maybe not a new one, but new to me. A 1-800-636-8193
call came to my home. It stated that this is an emergency call that my windows product key had expired and I was
to call a number to rectify this situation. I quickly hung up and did not write down the # to call.

I wonder if anyone on this site has received a similar scam alert in their city or town. I find it hard to believe that
microshaft would stoop so low as to attempt this scam. So Beware of these scammer jammers. Hang up immedi-
ately.
1. Yuliya said on May 9, 2017 at 9:39 pm
  
  
  It’s not Microsoft. As evil as Microsoft is nowadays (and it is very evil), they have nothing to do with those scammers.
  
  Check this youtube channel, it’s got a few scams recorded:
  [https://www.youtube.com/channel/UCQrAHGpBz3PqBV4-_9PdDcA/videos]
  
  There’s potential entertainment with these pathetic creatures if you know what you are doing. That being said, it seems they target only english-speaking countries. Unless they learn russian I will never get to have some fun with them :(
Coriy said on May 10, 2017 at 5:09 am


There seems to be something you left out. The updates to IE11 on Windows 7 (x64 at least) include a new tab page that is enabled by default. It does News Feeds and Top Sites instead of tracking which websites you use frequently. The control to switch between the two is in a logical, if not very obvious place. Internet Options -> General -> Tabs The Dropbox for When a New Tab is Opened, Open…

I tried it briefly, it connects to MSN and it jumps up resource use. It also asks you to log in to your Microsoft Account. I cannot help wonder if it doesn’t spy on other things.
1. TelV said on May 10, 2017 at 9:46 am
  
  
  One more good reason to ditch IE which I haven’t used for about 10 years now.
  1. chesscanoe said on May 10, 2017 at 12:31 pm
    
    
    On Windows 10 CU IE11 is essential to use along with Java if you want to successfully have fun playing with the Wordle site. To my knowledge no other current browser will work.
Corky said on May 10, 2017 at 8:11 am


No word on an update to fix their mistaken blocking of Carrizo CPUs or how their even going to update those clients now they’ve blocked them from downloading updates.
TelV said on May 10, 2017 at 9:43 am


Thanks once again for all the hard work Martin.
1. Henk van Setten said on May 10, 2017 at 1:18 pm
  
  
  +1!
  I really appreciate all the work going into these systematic monthly overviews, they make life so much easier for many of us.
TelV said on May 10, 2017 at 1:05 pm


@chesscanoe, there are alternative Word Cloud generators around which don’t require Java: http://www.wordclouds.com/

P.S. No “Reply” button visible underneath your post.
1. chesscanoe said on May 10, 2017 at 9:05 pm
  
  
  Thanks for the WordClouds tip. It works well in Chrome without Java, and can do some interesting things well. I’m still learning to use it effectively in conjunction with GIMP and IrfanView.
JAke said on May 11, 2017 at 7:19 pm


Is there any easy way to install only security updates for Windows 7 that hasn’t been updated in while without getting all “install W10/telemetry etc. crap”…..
1. Dingding said on May 12, 2017 at 8:06 am
  
  
  I was wondering about this too. I haven’t been downloading any of the updates when they started to suspiciously bundle them all in one pack, and now I’m a bit confused which package contains what.
2. A different Martin said on May 12, 2017 at 10:08 am
  
  
  WSUS Offline Update (a free third-party utility), with the “security updates only” option enabled. Martin did an article on it four months ago, here:
  
  WSUS Offline Update 10.9: download security updates only – gHacks Tech News
  https://staging-ghacksnet.kinsta.cloud/2017/01/11/wsus-offline-update-10-9-download-security-updates-only/
  
  It’s a portable program that doesn’t like long paths. I just put mine in the root of C:, thus: C:\WSUS.
  
  You run it using two separate executables, first a downloader, and then an installer. If I’m remembering correctly, the installer is nested inside a subfolder. (I made shortcuts to them.)
  
  I stopped using Windows Update when Microsoft switched to rollups and a few months later I started using WSUS Offline Update. It seems to have worked pretty well for me so far. I believe it maintains its own blacklist of buggy or questionable patches, which might be why Belarc Advisor still shows me as missing a couple. (You can definitely add your own blacklist.) Regardless, I trust it more than I trust Windows Update.
howard arnault-ham said on May 12, 2017 at 9:32 am


Ms 2012 R2 cluster serious performance issue after applying KB4019215 quality update, server takes ages to logon and file shares slowdown. this happens on two separate Dell R620 servers, nothing in logs
Ozzie said on May 15, 2017 at 6:44 am


Anyone else have issues with Resource Monitor opening since the last two patches?

I had not opened or used it since March so I had ran a few updates and this week and now I cannot get Resource Monitor to open (I am not getting a transparent box like others complained about in the past, it is just not opening at all). I tried to open in the Command line as well as from within the task manager. I click and it spins wheel of thinking for a second and then nothing happens.
TelV said on May 18, 2017 at 5:11 pm


I have these four updates showing as successfully installed in Windows 8.1 Reliability Monitor a couple of days ago:

Installation Successful: Windows successfully installed the following update: Microsoft.WinJS.1.0
Installation Successful: Windows successfully installed the following update: Microsoft.Media.PlayReadyClient
Installation Successful: Windows successfully installed the following update: Microsoft.VCLibs.120.00.Preview
Installation Successful: Windows successfully installed the following update: Microsoft.VCLibs.110.00

However, they don’t appear in in Windows Update which I have set to “Check for updates but let me choose whether to install them” and neither do they appear anywhere in Programs & Features.

I managed to track them down on a site which dates from 2013, but although it provides instructions for removing them (possibly), I can’t find any info anywhere on how to prevent them from reinstalling again. Here’s the relevant site: https://tweakhound.com/2013/11/04/uninstalling-metro-apps-advanced/

Does anyone know of a registry key to prevent that happening?

Needless to say, I don’t like the idea of Microsoft deciding unilaterally what gets downloaded to my system.
Rahamim said on May 22, 2017 at 8:39 am


Anyone knows about issues with bitlocker?
ever since kb4019472 I see people ask for recovery key for bitlocker
wee said on June 9, 2017 at 1:23 pm


yeah those updates for may messed up with the power plan and the speed step of my intel cpu on server 2012 r2. i want some power saving plan + ThrottleStop 8.48 and the cpu was to the max no matter what. I installed the preview for june and it came back.

Microsoft Security Updates May 2017 release