Microsoft Patch Alert: Still reeling from one of the worst patching months ever

Credit to Author: Woody Leonhard | Date: Thu, 26 Jul 2018 14:31:00 -0700

If you ever wondered why people — and organizations — are taking longer and longer to willingly install patches, take a look at what happened this month. After a disastrous start, Windows 10 patches seem to be OK, but .NET and Server patches still stink.

For most of the year, we’ve seen two big cumulative updates every month for each of the supported Win10 versions. This month, so far, we’ve had three. Microsoft’s claim that it will install the Win7 and Win8.1 Monthly Rollups defies logic. The .NET patches are in such bad shape that the .NET devs have thrown in the towel. And here we sit not knowing exactly which way is up.

On Patch Tuesday, July 10, as usual, Microsoft rolled out cumulative updates for all of the supported versions of Windows 10. Almost immediately we heard screams of pain as four big bugs, later officially acknowledged, hit the fan. Six days later, Microsoft released a second set of cumulative updates, again for all versions of Win10. Those updates were specifically designed to fix the bugs introduced by the original updates. The build numbers in the Knowledge Base articles didn’t match the build numbers that people actually installed but, well, that’s Microsoft.

A week after that, on July 24, Microsoft released a third set of cumulative updates, again for all versions of Win10. At least, I think they were released on July 24. The dates in the Update Catalog and on the files themselves don’t line up. But we definitely have three cumulative updates for every version, so far this month. Beefy bug fixes.

It’s still too early to tell whether the third round of patches is viable. We’ve only had them for two days.

As usual, Win7/Server 2008 R2 and Win8.1/Server 2012 R2 both received a single Monthly Rollup (along with a Security-only patch) on July 10. Both contained three of the four bugs introduced in the Win10 Patch Tuesday security patches, including the Stop 0xD1 bug. Microsoft released manual download-only fixes for the bugs for Win7 and 8.1 on July 16.

Then, on July 18, Microsoft released Monthly Rollup Previews for both Win7/Server 2008 R2 and Win8.1/Server 2012 R2, which apparently contain the manual download-only fixes. Like all good Monthly Rollup Previews, they’re released as Optional patches, so you have to specifically check them in order to get them — a procedure I never recommend.

Except, golly gee, on July 24, Microsoft announced:

The Windows Update classification for the following update packages has been changed from Optional to Recommended: KB 4338821 (Preview Monthly Rollup for Win7/Server 2008 R2), KB 4338816 (Preview Monthly Rollup for Server 2012), KB 4338831 (Preview Monthly Rollup for Win 8.1/Server 2012 R2). These packages will be installed automatically if the operating system is configured to receive automatic updates.

It’s a setting that, as far as I know, is completely unprecedented in the history of Monthly Rollup Previews. Hard to imagine a Preview — by definition, a fix that isn’t ready for prime time — being pushed onto all machines. As of today, I haven’t seen those Previews pushed onto Win7 or 8.1 machines with automatic update enabled. It appears as if the announcement only applies to Servers — but that’s just conjecture at this point.

A poster named Francis says:

Since only the server preview rollups are updated in the catalog, I think Microsoft is not telling us the whole truth. Probably only the server preview rollups will be installed automatically if the operating system is configured to receive automatic updates AND the option to receive recommended updates is set in the Windows Update client settings.

That corresponds to what I’ve seen. (If you aren’t confused, you haven’t been following along.)
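For admins who want to check rather than guess, here is an added audit script (mine, not from the article, Microsoft or the AskWoody posters) that tests the two conditions the announcement and Francis name, automatic updates enabled and "recommended updates" included, and reports whether the three re-classified Preview Rollups are already installed or currently being offered. It uses the Windows Update Agent COM API (Microsoft.Update.AutoUpdate and Microsoft.Update.Session) and Get-HotFix; the function names are my own.

```powershell
# Added example, not from the article or from Microsoft: audits a Win7/8.1/
# Server 2012 box for the two conditions the announcement names (automatic
# updates on AND "recommended updates" included) and for the three re-classified
# Preview Rollups, using the Windows Update Agent COM API. Run elevated;
# written for PowerShell 2.0 (the Win7 default), so no -in operator.
$PreviewKBs = @('4338821', '4338816', '4338831')   # KB numbers quoted above

function Get-AutoUpdatePosture {
    # IAutomaticUpdatesSettings: NotificationLevel 4 = "install updates automatically"
    $s = (New-Object -ComObject 'Microsoft.Update.AutoUpdate').Settings
    New-Object PSObject -Property @{
        NotificationLevel         = $s.NotificationLevel
        IncludeRecommendedUpdates = [bool]$s.IncludeRecommendedUpdates
        # A Recommended-class package installs unattended only when both hold
        PreviewWouldAutoInstall   = ($s.NotificationLevel -eq 4) -and [bool]$s.IncludeRecommendedUpdates
    }
}

function Get-PreviewRollupStatus {
    param([string[]]$KBs = $PreviewKBs)
    $ids = $KBs | ForEach-Object { "KB$_" }
    $installed = Get-HotFix | Where-Object { $ids -contains $_.HotFixID } |
        Select-Object HotFixID, InstalledOn
    # Ask the agent what it currently offers (not installed, not hidden)
    $searcher = (New-Object -ComObject 'Microsoft.Update.Session').CreateUpdateSearcher()
    $offered = @()
    foreach ($u in $searcher.Search('IsInstalled=0 and IsHidden=0').Updates) {
        foreach ($kb in $u.KBArticleIDs) {
            if ($KBs -contains $kb) {
                $offered += New-Object PSObject -Property @{
                    KB     = "KB$kb"
                    Title  = $u.Title
                    # True = pre-ticked in Windows Update, so it rides along with the next automatic run
                    Ticked = [bool]$u.AutoSelectOnWebSites
                    Update = $u
                }
            }
        }
    }
    New-Object PSObject -Property @{ Installed = $installed; Offered = $offered }
}

function Hide-PreviewRollups {
    # Defensive control for machines that must not take a Preview: a hidden
    # update is skipped by automatic installs until someone unhides it.
    foreach ($o in (Get-PreviewRollupStatus).Offered) {
        $o.Update.IsHidden = $true
        "Hidden: $($o.KB) $($o.Title)"
    }
}
```

Run Get-AutoUpdatePosture and Get-PreviewRollupStatus first; Hide-PreviewRollups changes the machine's state, so use it only after reviewing the Offered list.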

The .NET patches released on Patch Tuesday were bad. They were so bad that Microsoft itself has disavowed any knowledge of their actions. On July 20 — 10 days late and $10 short — ‘Softie Rich Lander posted on the official .NET blog:

The July 2018 Security and Quality Rollup updates for .NET Framework were released earlier this month. We have received multiple customer reports of applications that fail to start or don’t run correctly after installing the July 2018 update… We have stopped distributing the .NET Framework July 2018 updates on Windows Update and are actively working on fixing and re-shipping this month’s updates. If you installed the July 2018 update and have not yet seen any negative behavior, we recommend that you leave your systems as-is but closely monitor them and ensure that you apply upcoming .NET Framework updates.

Since that time, we’ve seen some fancy footwork to stop the disease from spreading. It now appears as if the patches are either not available or, if available through Windows Update, aren’t checked for automatic installation. The official apology hasn’t been updated with any word of a fix.

Microsoft pulled the bad Office 2016 non-security patch KB 4018385 on July 12, nine days after its release on the first Tuesday of the month. As I explained at the time:

What we’re seeing is a non-security patch for a bug in a three-month-old security patch that crashed Office … and the new non-security patch also crashes Office. That’s progress.

No word on a fix.

If you have a Surface Pro 4 or a Surface Laptop, Microsoft has released dozens of firmware/driver fixes for your machine. Some of the “new” drivers are a year or more old. I hold out some hope that the fixes will cure some of the outstanding problems we’ve seen with the Surface Pro 4, especially the flaky keyboards and super slow write speeds.

On July 24, we saw another bunch of Intel microcode fixes, specifically targeting the Spectre v2 vulnerability. There are separate patches for Win10 versions 1803 and 1709 — and no new updates, so far at least, for earlier versions. Microsoft’s summary post for the microcode KBs contains links.

Just about every aspect of patching this month revealed significant screw-ups. If your machine is set to automatically install new updates as soon as they’re released, you were likely stung at least once. Add to that the stunning lack of transparency and obvious documentation inconsistencies, and you have one of the worst patching months in recent memory. Let’s hope it doesn’t get worse.

I continue to recommend that you keep 1803 off your Win10 machines. The volume (and quality!) of patches doesn’t bode well. Of course, the other Win10 versions weren’t much better this month. Susan Bradley’s Master PatchList has details for individual patches.

Thx to @sb, @abbodi86 and @PKCano

Problems with patches? Yeah, join the club. Visit us on the AskWoody Lounge.
