Microsoft Patch Alert: Mainstream August patches look remarkably good, but watch out for the bad boys

Credit to Author: Woody Leonhard | Date: Thu, 23 Aug 2018 14:01:00 -0700

So far this month we’ve only seen one cumulative update for each version of Windows 10, and one set of updates (Security only, Monthly Rollup) for Win7 and 8.1. With a few notable exceptions, those patches are going in rather nicely. What a difference a month makes.

We’ve also seen a massive influx of microcode updates for the latest versions of Windows 10, running on Intel processors. Those patches, released on Aug. 20 and 21, have tied many admins up in knots, with conflicting descriptions and iffy rollout sequences.

At this point, I’m seeing complaints about a handful of patches:

The rest of the slate looks remarkably clean. Haven’t seen that in a long while.

If August follows the precedent set this year, we’ll probably see another set of Win10 cumulative updates next Tuesday, “dee” Tuesday, Aug. 28. At the same time we’ll likely see sets of Monthly Rollup Previews for Win7 and 8.1. Of course, you should ignore them.

In the past couple of months, Microsoft has released massive firmware/driver updates for almost all of the latest Surface devices.

At this point, I’m still seeing problems with the July 26 set of fixes for the Surface Pro 4, which have been blamed for touchscreens that don’t touch, pens that don’t pen, batteries that go out to lunch, and all sorts of boorish behavior.

Of course, there have been no solutions.

Microsoft released oodles and gobs (that’s a technical term) of microcode fixes for Win10 1803 and 1709, passing along Intel’s fixes for the Meltdown and Spectre V1, 2, 3, and 4 security holes. People have been pulling their hair out by the roots. Helen Bradley has a great birds-eye view:

Unless you are a nation state, have a key asset in a cloud server, or are running for a government office, I think we are spending way, way more time worrying about this than we should. I still think that attackers will nail me with malware, attack me with phishing, ransomware, etc., etc., way more than someone will use these side channel attacks to gain information from me. Remember that the attacker has to get on your system first and I still think they will use the umpteen other ways to attack me easier than this attack. Also keep in mind that we won’t really have a full fix for this issue for several years. Intel and AMD will need to redesign the chips to ultimately get fixed.

If you’re concerned about such things, do yourself a favor and go to Intel (probably via your PC’s manufacturer) and install the specific patches that you need. And remember that they won’t completely solve the problem.

If you insist on using the Microsoft approach to microcode, abandon all hope, and follow Bradley’s advice here. No matter which approach you take, make sure that you don’t publish any before-and-after performance data, which Intel has unilaterally declared verboten. See Bruce Perens’s article “Intel Publishes Microcode Security Patches, No Benchmarking Or Comparison Allowed!”

After all the problems last month, it’s a relief to have only a handful of glaring problems this month. I suggest you wait another day or two before installing the August patches.

The only significant breach of a recently patched security hole that I’ve found involves North Korea, Internet Explorer 11, VBScript, and China. That’s probably not a combination that’ll keep you up at night — and there’s little reason to rush into installing the August patches unless you’re in a Chinese organization that’s run afoul of the North Korean government.

I continue to recommend that you keep 1803 off your Win10 machines. No reason to go there until you’re forced. Susan Bradley’s Master PatchList has details for individual patches.

Thx to @sb, @abbodi86 and @PKCano

Patching problems? Join us on the AskWoody Lounge.
