Not directly. The Windows Updates, however, can impact OPC DA, OPC AE, and OPC HDA communications with KEPServerEX.
Background
A discovered vulnerability in processor chips can allow malicious programs running with few permissions to access information those programs do not own and should not access. Local access is required to perform this exploit. Microsoft has released updates to the operating systems of affected devices to tighten security and reduce risk. These updates can affect communications and client access.
Since the original publication of this article, Microsoft has released new patches without these problems. Below is a summary of initial patches and updated patches that do not suffer the communications problems. The below solution is only necessary if the recommended patches are not installed.
Windows 10 version 1507 Enterprise
Introduced in: KB4056893
Fixed in: KB4075199
Windows 10 version 1511
Introduced in: KB4056888
Fixed in: KB4075200
Windows 10 version 1607, Windows Server 2016
Introduced in: KB4056890
Fixed in: KB4057142
Windows 10 version 1703
Introduced in: KB4056891
Fixed in: KB4057144
Windows 10 version 1709
Introduced in: KB4056892
Fixed in: KB4073291 (x86), KB4058258
Windows Server 2012 Standard
Introduced in: KB4056896, KB4056899
Fixed in: KB4057402
Windows Server 2012 R2 Standard
Introduced in: KB4056898
Fixed in: KB4057402
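One way to check a host against the list above, as an added example that is not Kepware or Microsoft code: the PowerShell below reads installed updates with Get-HotFix and flags any "Introduced in" KB that is present without its "Fixed in" counterpart. The function name Test-OpcPatchState is hypothetical, and the script assumes only the KBs listed above carry the fix; a later cumulative update may also include it, so treat a flag as a prompt to verify.

```powershell
# Added example. KB pairs are copied from the list above; nothing else is assumed known.
$PatchTable = @(
    [pscustomobject]@{ OS = 'Windows 10 version 1507 Enterprise'
                       Introduced = @('KB4056893'); Fixed = @('KB4075199') }
    [pscustomobject]@{ OS = 'Windows 10 version 1511'
                       Introduced = @('KB4056888'); Fixed = @('KB4075200') }
    [pscustomobject]@{ OS = 'Windows 10 version 1607, Windows Server 2016'
                       Introduced = @('KB4056890'); Fixed = @('KB4057142') }
    [pscustomobject]@{ OS = 'Windows 10 version 1703'
                       Introduced = @('KB4056891'); Fixed = @('KB4057144') }
    [pscustomobject]@{ OS = 'Windows 10 version 1709'
                       Introduced = @('KB4056892'); Fixed = @('KB4073291', 'KB4058258') }
    [pscustomobject]@{ OS = 'Windows Server 2012 Standard'
                       Introduced = @('KB4056896', 'KB4056899'); Fixed = @('KB4057402') }
    [pscustomobject]@{ OS = 'Windows Server 2012 R2 Standard'
                       Introduced = @('KB4056898'); Fixed = @('KB4057402') }
)

# Hypothetical helper: returns one row per OS entry whose "Introduced in" KB is installed.
function Test-OpcPatchState {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $InstalledKb
    )
    foreach ($row in $PatchTable) {
        $bad = @($row.Introduced | Where-Object { $InstalledKb -contains $_ })
        if ($bad.Count -eq 0) { continue }   # problem update not present for this OS
        $good = @($row.Fixed | Where-Object { $InstalledKb -contains $_ })
        [pscustomobject]@{
            OS              = $row.OS
            IntroducedFound = $bad -join ', '
            FixedFound      = $good -join ', '
            # True when no listed fix is installed alongside the problem update
            NeedsReview     = ($good.Count -eq 0)
        }
    }
}

# Query the local machine and report.
$installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
$result = @(Test-OpcPatchState -InstalledKb $installed)
if ($result.Count -eq 0) {
    'None of the listed "Introduced in" updates are installed.'
} else {
    $result | Format-Table -AutoSize
}
```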
Performance
There were some initial reports of some applications having degraded performance following the installation of the patches. Although not exhaustive, Kepware's testing showed no noticeable difference in driver performance after installing the Microsoft patches.
Different hardware platforms can be impacted differently, but Kepware's limited testing revealed no noticeable performance degradation. The performance testing was performed on Windows 7 Pro using the Haswell processor architecture.
Details
Microsoft updates (specific numbers below) contain a known issue that causes a programmatic call of CoInitializeSecurity to fail if attempting to set the Default Authentication Level to RPC_C_AUTHN_LEVEL_NONE or the Default Impersonation Level to RPC_C_IMP_LEVEL_NONE.
CoInitializeSecurity is a COM function that is optionally used to register and set security values for a process. If a process does not call this function, security is set according to the values saved in the registry and adjusted using Component Services. Fortunately, Kepware products default to using the registry for setting up DCOM and are not susceptible to the known issue in the update. However, they do have an option to disable DCOM and switch to a pre-configured CoInitializeSecurity call.
CAUTION: It is important to independently test and validate all Microsoft patches in the actual environment to ensure proper functioning. Microsoft has noted performance implications after applying these patches, so testing specific applications and interfaces is highly recommended.
Problems after Windows Update:
- Client applications can no longer connect to KEPServerEX.
- OPC DA Client driver can no longer connect to other OPC DA servers.
- OPC Quick Client cannot browse to a local instance of KEPServerEX.
Solutions:
Prevent KEPServerEX from calling CoInitializeSecurity by enabling the use of DCOM settings.
- Right-click on the KEPServerEX Administration icon in the System Tray and select Settings.
- Click to view the Runtime Options tab.
- Under the OPC Connection Security group, verify the Use DCOM configuration settings option is enabled (default).
- Configure DCOM according to the Remote OPC DA Quick Start guide.
Prevent OPC Quick Client from calling CoInitializeSecurity by enabling the use of DCOM settings.
- Launch OPC Quick Client.
- Select Tools | Options.
- Ensure Use DCOM for remote security is checked.
- Close and re-launch OPC Quick Client.
Ensure that client server applications interacting with KEPServerEX do not programmatically call CoInitializeSecurity using RPC_C_IMP_LEVEL_NONE and RPC_C_AUTHN_LEVEL_NONE.
Microsoft Update KBs that have this known issue:
https://support.microsoft.com/en-us/help/4056890/windows-10-update-kb4056890
https://support.microsoft.com/en-us/help/4056890/windows-10-update-kb4056891
https://support.microsoft.com/en-us/help/4056890/windows-10-update-kb4056892
https://support.microsoft.com/en-us/help/4056890/windows-10-update-kb4056893
https://support.microsoft.com/en-us/help/4056890/windows-10-update-kb4056895
https://support.microsoft.com/en-us/help/4056890/windows-10-update-kb4056898
Kepware and PTC are currently evaluating and validating initial test findings and guidance from Microsoft. This article will be updated if there are any additional recommendations.