Microsoft Patch Alert: Windows 7 takes the brunt of March patching problems

Credit to Author: Woody Leonhard | Date: Wed, 28 Mar 2018 10:30:00 -0700

An enormous number of patches spewed out of Microsoft this month, with two ponderous cumulative updates for each version of Windows 10, a third “bonus” bug fix for Win10 Fall Creators Update (version 1709), and a just-described bug in Windows 7 that’ll leave you begging for a Win7 patch that works.

There’s also a bit of comic relief with a patch for Win10 1709, KB 4094276, that “makes improvements to ease the upgrade experience to Windows 10 Version 1709.” That’s a wonderful example of a self-referential fix.

If you’re running Win10, you saw multiple big patches in March:

March also presented us with the third, uh, opportunity to get forcibly pushed from Win10 1703 to 1709 – even on systems specifically set to block the upgrade.

At various points in March, users also saw updates to the Servicing Stacks for all three Win10 versions. Apparently, they resolved the race condition-related bugs that left USB drivers, in particular, dead in the water. If you’re installing the Win10 cumulative updates manually, make sure you install the respective Servicing Stack Update before you install the cumulative update.

Microsoft released a buggy Office 2016 security patch, KB 4011730, which left Word 2016 in such a bad state that it couldn’t save – or sometimes even open – files. We discovered later that if you installed the March non-security patch for Office 2016, KB 4018295, Word 2016 suddenly got its mojo back.

Microsoft is researching this problem and will post more information in this article when the information becomes available.

Of course.

All of which serves as prelude to the massive cluster-cluck that engulfed Windows 7 in March.

Win7 and Server 2008 R2 received a relatively modest Monthly Rollup, KB 4088875, and the obligatory Security-only, manually installed patch, KB 4088878, on Patch Tuesday, March 13. Almost immediately, we started seeing reports of networking problems with the patches, and some bluescreens. Shortly afterward, two specific problems with broken manual IP addresses and disabled Network Interface Cards (vNICs) bubbled up.

At first, Microsoft didn’t acknowledge the bugs; instead it stopped the Monthly Rollup from installing automatically (for those of you naïve enough to have Automatic Update enabled). As days passed, Microsoft finally published a detailed list of “known issues in this update.”

At this point, some users report that KB 4088875 appears in Windows Update as an “important” update that isn’t checked, and which doesn’t install by default. But there’s more. Others say it’s off the Windows Update list, but apparently it’s still being pushed out via WSUS servers.

Microsoft released, then re-released, an ad-hoc VBScript program that was supposed to fix the problem. But the script has raised all sorts of questions. Poster MrBrian reports that the script was changed on March 27, with no notification. Poster abbodi86 has an improved version posted on Pastebin.

But there’s more to the story.

Yesterday, security researcher UlfFrisk posted a report about a new big security hole in Windows 7. Bucking the recent trend, UlfFrisk avoided a massive publicity campaign, replete with pre-defined exploit names and cute logos, but his “Total Meltdown” exploit almost defies imagination. As Günter Born says:

Microsoft’s Meltdown updates shipped in January 2018 and February for Windows 7 (and Server 2008 R2) intended to mitigate the Meltdown vulnerability rip open a huge security hole. This allows any process under Windows 7 to read and write to any memory area without exploits…

Unfortunately, an accident happened in the January 2018 [Win7] patch (and also in February 2018 patch) when… if a (user) process has read/write access to the page tables, it is [trivial] to access the entire physical memory.

This isn’t “Sky is Falling” time. But it means that if you’re running Win7 64-bit or 2008R2 64-bit on an Intel machine, and you installed either the January or February Win7 Monthly Rollups or Security-only patches, Microsoft flipped the wrong bit, and you now have a big hole in your machine that will let any running program look at and change everything in memory. Note that you have to be running a destructive program in the first place – Total Meltdown doesn’t make it easier to run bad programs – but the security hole appears to be massive, by any estimation.

The problem is solved by the March Win7 patches, but…, well, you can see what a mess those have become.

Thx to @PKCano, @sb, @MrBrian, @abbodi86.

Having problems with this month’s patches? Join us on the AskWoody Lounge.
