More Windows patches, primarily previews, point to escalating problems this month

Credit to Author: Woody Leonhard | Date: Thu, 18 Jan 2018 06:39:00 -0800

Never give a sucker an even break. Yesterday, on a very out-of-band Wednesday, Microsoft released preview patches for Windows 8.1 (but not 7!), Server 2012, and Windows 10 1709 (for bricked AMD machines only), with preview cumulative updates for Win10 1703 and 1607. There are also nine different .NET preview patches.

What should you do? Nothing. More accurately, make sure you DON’T install any of them. Fortunately, all of these patches require that you download and install them — and you’d have to be crazy (or an admin trying to shore up some critical servers) to dive into the cesspool.

It’s the same advice I’ve been giving all month. There’s nothing here that you need right now — there are no known exploits for Meltdown or Spectre in the wild, in particular — and machines are dropping like flies.

Unbootable state for AMD devices in Windows 10 Version 1709 — KB 4073290. This is another one of those weird “install this patch on AMD machines that got bricked” patches where you only know for sure that you need the patch if you already got clobbered by the original 1709 Cumulative Update — and managed to get your machine back and running.

I talked about analogous patches for Win7 and 8.1 machines earlier this week. I’ve seen exactly zero advice from Microsoft about these patches — how to tell if your machine needs KB 4073290 (without bricking your machine) and whether you need to install the cumulative update after you install KB 4073290, just for starters. There’s no indication whether KB 4073290 is a cumulative update or not.

Jan. 17, 2018—KB4057144 (OS Build 15063.877) — Win10 Version 1703 cumulative update. This is the second CU for 1703 so far this month. This patch “addresses [an] issue where some customers with AMD devices get into an unbootable state.” There are a dozen or so additional fixes. Like all of the Meltdown/Spectre patches, you need to use antivirus software that sets the correct registry key before KB 4057144 will install. KB 4057144 isn’t being pushed out via Windows Update; it’s only available by manually downloading it from the Update Catalog.

Jan. 17, 2018—KB4057142 (OS Build 14393.2034) — Win10 Version 1607 cumulative update. This is the second one this month. Like the Win10 1703 patch, this one “addresses [an] issue where some customers with AMD devices get into an unbootable state,” but it also includes dozens of additional fixes. Apparently this patch is incompatible with Microsoft’s Windows Defender Credential Guard — the KB article states:

After installing this update, servers where Credential Guard is enabled may experience an unexpected restart with the error, “The system process lsass.exe terminated unexpectedly with status code -1073740791. The system will now shut down and restart.”

This isn’t the only patch that’s throwing the Credential Guard error. Microsoft has gone back into the KB articles for the past four Win10 1607/Server 2016 cumulative updates and added that same admonition, going back to Nov. 27.
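A pre-install check for the two gating conditions described above, written here as an added PowerShell example rather than anything from the article or from Microsoft: it reports whether the antivirus compatibility flag is set, whether Credential Guard is running (the condition under which KB4057142 is documented to crash lsass.exe), whether the CPU is AMD, and which of the KBs named above are already installed. The registry key and value name are taken from Microsoft’s January 2018 antivirus-compatibility guidance, not from this page, so verify them against the current KB before relying on the script; the KB numbers come from the article.

```powershell
# Added example, not from the article. Run elevated on the machine to be patched.
# Assumption: the QualityCompat key/value below is the one named in Microsoft's
# January 2018 antivirus-compatibility guidance (it is not quoted on this page).

$JanuaryKbs = 'KB4057142', 'KB4057144', 'KB4073290'   # KB numbers from the article

function Test-AvCompatFlag {
    # Antivirus vendors set this REG_DWORD to 0 once their product is compatible;
    # the article notes the January CUs will not install until that key is present.
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $name = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$name -eq 0)
}

function Test-CredentialGuardRunning {
    # Win32_DeviceGuard lists running VBS services; value 1 means Credential Guard.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    return ($null -ne $dg -and $dg.SecurityServicesRunning -contains 1)
}

function Test-AmdProcessor {
    # The bricking issue discussed above affected AMD systems only.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    return ($cpu.Manufacturer -eq 'AuthenticAMD')
}

function Get-InstalledJanuaryKbs {
    Get-HotFix | Where-Object { $JanuaryKbs -contains $_.HotFixID } |
        Select-Object HotFixID, InstalledOn
}

$av  = Test-AvCompatFlag
$cg  = Test-CredentialGuardRunning
$amd = Test-AmdProcessor

"Antivirus compatibility flag set : $av"
"Credential Guard running         : $cg"
"AMD processor                    : $amd"

if (-not $av) { Write-Warning 'Compatibility flag absent: the January CUs will not install.' }
if ($cg)      { Write-Warning 'Credential Guard is running: KB4057142 is documented to crash lsass.exe here. Hold it.' }
if ($amd)     { Write-Warning 'AMD system: confirm the AMD-boot fix is included before applying this month''s CU.' }

'Already installed from this batch:'
Get-InstalledJanuaryKbs | Format-Table -AutoSize
```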

Jan. 17, 2018—KB4057402 (Preview of Monthly Rollup) — a Monthly Rollup Preview for Server 2012. Oddly, the KB article doesn’t say anything about fixing the problem that bricks AMD processors.

Jan. 17, 2018—KB4057401 (Preview of Monthly Rollup) — ditto for Win8.1/ Server 2012 R2.

That’s it for Windows. I have no idea why the two Monthly Rollup Preview patches don’t specifically refer to the AMD bluescreens caused by this month’s earlier Monthly Rollups. And I have no idea why there’s no Win7 Monthly Rollup Preview.

The .NET patch previews read like a Most Wanted list:

No, Microsoft hasn’t bothered to standardize the naming of .NET patches just yet.

These .NET patches are particularly welcome because the .NET patches released so far this month have been riddled with bugs. On the MSDN blog, @abbodi86 notes:

The KB4055002 Security and Quality Rollup for .NET Framework 4.7.1 on Windows 7 messes up .NET 4.7.1 installation. It replaces some 4.7.1 files with older 4.7 files including GlobalUserInterface.CompositeFont.

That, in turn, has led to all sorts of problems with font selection in WPF applications.

The patch carnage this month has been horrendous. If my notes are accurate, so far this month Microsoft has had patches on:

And that doesn’t include the Surface firmware and driver patches.

Once again, the entire patching situation has turned into a steaming pile of cow dung. Your only safe option is to refrain from patching until Microsoft gets its act together. Take solace in the likelihood that the first widespread Meltdown/Spectre malware is likely to get attached to a web browser — and the browser manufacturers are circling the wagons quickly.

Poster @Sessh on AskWoody has a very sobering observation:

Microsoft issues a Windows 10 update that renders people’s computers useless forcing the casual computer user (read: most PC owners) to have to pay money out of pocket to fix a problem directly caused by Microsoft’s incompetence and was not in any way their fault? How does that even make sense? It’s amazing the hoops users are expected to jump through just to make their W10 PCs work at all which now includes doing BIOS updates to prevent said updates from ruining your computer? Seriously? There are people that are actually cool with this level of incompetence? It’s unbelievable what some people are willing to put up with these days.

Special thanks to @MrBrian, @abbodi86 and @PKCano

Join us for group therapy on the AskWoody Lounge.
