Stung by a festering pile of bugs on Patch Tuesday, MS releases 27 more patches

Credit to Author: Woody Leonhard | Date: Tue, 17 Jul 2018 09:21:00 -0700

In what is becoming a common occurrence, Microsoft’s Patch Tuesday brought along so many bugs that they necessitated a remediation round. This month, unusually, it took only six days to get the exterminators out.

Since these fixes are aimed at four specific bugs introduced on Patch Tuesday, they don’t include the massive patches normally appearing on the second Patch Whateverday of the month. My guess is we’ll see at least one more big set of Windows patches before the month is out. Oh, boy.

Yesterday, Monday, July 16, Microsoft released 27 new security patches for Windows, bringing the total number of patches so far this month up to 156. The new patches fall into six separate groups:

All six of the groups say they fix the same basic bugs. Er, issues. All of the acknowledged issues look like this:

Win10 1703, Win8.1 and Win7 don’t list the DHCP Failover bug.

Yes, you read that correctly. If you installed any of the Patch Tuesday patches for Windows, you got hit with at least three of those bugs. They won’t affect most of you. But for folks relying on those specific features, the bugs are deadly.

How bad was it? On Sunday — five days after the buggy Patch Tuesday swarm came out of the underground — the Microsoft Exchange Team blog posted a candid evaluation:

The Exchange team is aware of issues with the Windows Operating System updates published July 10th, 2018, causing Exchange to not function correctly. The Windows servicing team has advised us that they will be releasing updates to the affected packages. We encourage Exchange customers to delay applying the July 10th updates, including the security updates released on the same date, on to an Exchange server until the updated packages are available.

That’s a good warning, but if you weren’t perusing the Exchange Team blog on a Sunday afternoon, you may have missed it. Gawrsh.

If you head over to Windows Update right now (ProTip: DON’T), you may or may not find the July updates waiting. There’s at least one report that you have to install last month’s Preview before you can see the Patch Tuesday Win7 Monthly Rollup.

Yet another reason to hold off on installing this month’s Win7 patch. As if you needed another one. Günter Born reports on his blog about a reader who says:

After those recent updates, web servers are also not functioning well. When restarting a server under IIS, the server refuses to start again unless you do a reboot. Also all our custom services listening to a socket refuse to restart.

Is anyone also having these issues? For a quick troubleshooting, I uninstalled KB4338818 and issue went away.

Life as a server administrator dealing with broken updates s*cks!

Born also reports that some Apache servers get stomped, too. It isn’t clear to me if yesterday’s Win7 patch, KB 4345459, fixes the problem — but if it does, the KB article doesn’t bother to mention the fix.

That’s not all. There are five new .NET patches, falling into these groups:

According to the KB articles, both of these patches continue to exhibit this “known issue”:

Users receive a “0x80092004” error when they try to install the July 2018 Security and Quality Rollup update KB4340557 or KB4340558 on Windows 8.1, Windows Server 2012 R2, or Windows Server 2012 after they install the June 2018 .NET Framework Preview of Quality Rollup updates KB4291497 or KB4291495 on systems that are running on .NET Framework 4.7.2, 4.7.1, 4.7, 4.62, 4.6.1, or 4.6.

As Martin Brinkmann explains on his Ghacks site:

It is possible that Microsoft did not update the description yet and that the issue is resolved.

To answer the most obvious question, no, it doesn’t appear as if anyone tests these things before they’re shoved out the Windows Update chute.

Thx to @abbodi86, @PKCano, @gborn, @ghacks and the legions of AskWoody sleuths.

You can comment on this article on the AskWoody Lounge, but be forewarned: I goofed and let the SSL certificate expire Saturday night. You’ll have to poke through your browser’s defenses to get into the site. Hope to have it working again later today.
