Microsoft Patch Alert: Patching whack-a-mole continues

Credit to Author: Woody Leonhard| Date: Thu, 30 May 2019 04:16:00 -0700

In a normal month, you need a scorecard to keep track of Windows patches. Now, your scorecards need a scorecard. One ray of hope: It looks like some Windows 10 cumulative updates will include the new “Download and install now” feature.

The May 2019 Windows updates have taken so many twists and turns it’s hard to pin things down, but as of Thursday morning, here’s what we’ve seen.

As of now, all of the recent versions of Win10 (1607/Server 2016, 1703, 1709, 1803, 1809/Server 2019) have had three cumulative updates in May. Depending on where you live (or, more correctly, which locality you’ve chosen for your machine), you’ve been pushed one or two of them. If you’re a “seeker” (and clicked “Check for updates” or downloaded and installed the patches), you’ve had at least two, and maybe three. Got that?

The reason for all the hilarity: The original Win10 cumulative updates broke access to certain sites that end with “gov.uk” for Internet Explorer and Edge users. All 10 of you.

The latest “optional” (meaning for “seekers” only) non-security patches include the usual laundry list of fixes for an unconscionable number of bugs. Win10 1809, which has had an inordinate amount of work lavished on its bug fixes over the past eight months, still has several acknowledged flaws including this one:

When attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications, you may receive the error, “Your printer has experienced an unexpected configuration problem. 0x80070007e.”

Microsoft officially started pushing Win10 version 1903 on May 21 (see Gregg Keizer’s birth announcement), although I haven’t heard from anyone yet who’s had 1903 pushed onto their systems. Lots of people upgraded to 1903 by clicking on “Check for updates,” and many were already on 1903 when it went legit, by virtue of being in the Windows Insider Release Preview or Slow rings.

For good measure, Microsoft put its first “real” Win10 1903 cumulative update, KB 4497935, through the Release Preview wringer – a practice formerly reserved for Win10 1809 patches, which were notoriously late and arguably better vetted. All sorts of confusion resulted when KB 4497935, the May 29 cumulative update for 1903, was released to the teeming masses. (I heard lots of complaints about update deferral settings not being honored.)

As it happens, the settings for those still in the Insider program are different from the settings for those who received their copies of 1903 without being beta testers. Günter Born has a detailed explanation of what he’s seen in various permutations and combinations.

The single most important fix to Win10 this month arrived on Wednesday with the Win10 1903 KB 4497935 update:

Addresses an issue that may cause an external USB device or SD memory card to be reassigned to an incorrect drive during installation.

Win10 1903, as shipped, had a bug in it that swapped drive letters willy-nilly on external USB drives, SD memory cards, and even some internal drives. Susan Bradley put it this way:

My Lenovo laptop is “throttled” because I have an external usb drive that I am using to upgrade this device. This doesn’t bode well for my Acer that only has 32 gigs that I HAVE to attach an external hard drive in order to upgrade it.

So it now appears as if this cumulative update will fix Win10 1903. But in classic Catch-22 fashion, you can’t install the cumulative update on a machine that needs a USB drive in order to install the update.

In more Win10 1903 news, Trend Micro now says it won’t have a fix for Win10 1903 compatibility problems with its Apex One/OfficeScan XG SP1 products until early June. Microsoft’s release information page doesn’t mention the gaffe, although it does acknowledge the bug that makes Windows Sandbox fail to start with error code “0x80070002,” Dolby Atmos bugs, AMD RAID driver incompatibilities, display brightness issues, and a dozen additional bugs that should keep you from installing 1903 until Microsoft gets its act together.

See what I mean about scorecards?

Microsoft has been talking about – and showing off – a new feature called “Download and install now” that will give everyone some control over when Win10 updates get installed. It’s a tremendous new feature – arguably the most important new feature in Windows 10 since the very first version shipped almost four years ago.

The official explanation of the feature states without reservation that the “Download and install now” option will be available for version changes: Before your machine is upgraded to a new version of Win10, you have to explicitly ask for it. Great. The explanation doesn’t specifically say that the same “Download and install now” option will be available for cumulative updates.

Earlier this month, I wrote about the implications: “Download and install now” for version changes is tremendous. “Download and install now” for cumulative updates would be a game-changer, at least for those of us concerned about bad patches.

Now comes word from Leopeva64 – who’s been right about several Windows Update revelations – that Microsoft may implement “Download and install now” for (many? most? all?) of the monthly second (or third or fourth) “optional non-security” patches.

Time will tell, but we may be witnessing a real breakthrough.

Earlier this month we had quite a shock when Microsoft announced, with appropriate fanfare, that every Windows XP, Win7, Server 2003, 2008 and 2008 R2 machine needed an inoculation to protect against a very mean “wormable” hole in Windows Remote Desktop Services. The hole was billed as the son of WannaCry, and Microsoft had everyone – including me – sounding the alarm to get the crazy thing patched.

Now, two weeks later, BlueKeep (as Kevin Beaumont has named the hole) is still a threat, but no worm has appeared. Turns out that building a real, working, destructive worm out of the security hole is a highly non-trivial task.

I’ve asked every expert I can find about an obvious solution — isn’t it sufficient to simply turn off Remote Desktop in the user interface? (In Win7: Start > Control Panel > System and Security > System > Remote Settings; in the System Properties dialog box, click “Don’t allow connections to this computer.”) That, and/or blocking port 3389 (the port RDP uses by default) at the firewall, should be enough to keep any RDP-related malware at bay. At least, it appears that way to me.

But I haven’t received a positive response from any of those experts. The ones who know ain’t sayin’. And the ones who probably do know aren’t willing to stick their necks out. It’s hard to fault them: Microsoft hasn’t provided any guidance on the matter, one way or another, so if blocking RDP ends up being insufficient — no matter how logical — there’s a lot of exposure to the person making the recommendation.
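As an added example (my own code, not part of Woody’s column or anything Microsoft has published), here is PowerShell that audits and applies the two workarounds discussed above, turning off Remote Desktop and blocking TCP 3389, on a Windows 7 / Server 2008 R2 host, with the check a practitioner would want before trusting either one. BlueKeep is tracked as CVE-2019-0708. The registry value fDenyTSConnections under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server is the setting behind the “Don’t allow connections to this computer” radio button, and PortNumber under WinStations\RDP-Tcp is where an administrator who moved RDP off 3389 would have put the new port; the function names (Get-RdpExposure, Disable-RdpExposure) and the firewall rule name are my own. It deliberately uses netsh rather than New-NetFirewallRule, which does not exist on Win7.

```powershell
# Added example (not from the article): audit and apply the BlueKeep (CVE-2019-0708)
# workarounds the column describes -- disable inbound Remote Desktop and block the
# RDP port -- on Windows 7 / Server 2008 R2. Run from an elevated PowerShell prompt,
# and not over an RDP session, because Disable-RdpExposure will cut that session off.
# Only registry paths and netsh commands that exist on those OS versions are used.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    # fDenyTSConnections = 1 is what the "Don't allow connections to this computer"
    # radio button sets; 0 means Remote Desktop accepts connections.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections

    # RDP can be moved off 3389 via PortNumber; blocking the default port alone would
    # then block nothing, so read the real port instead of assuming it.
    $port = (Get-ItemProperty -Path $rdpKey -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }

    # Remote Desktop Services runs as the TermService service.
    $svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
    $status = 'NotInstalled'
    if ($svc) { $status = [string]$svc.Status }

    # The check that matters: is anything still LISTENING on the RDP port right now?
    # netstat lines look like "  TCP    0.0.0.0:3389    0.0.0.0:0    LISTENING    1234".
    $listening = @(netstat -ano -p TCP | Select-String "^\s*TCP\s+\S+:$port\s+\S+\s+LISTENING").Count -gt 0

    New-Object PSObject -Property @{
        ConnectionsDenied = ($deny -eq 1)
        RdpPort           = $port
        ServiceStatus     = $status
        Listening         = $listening
    }
}

function Disable-RdpExposure {
    # 1. Flip the same switch as the System Properties dialog.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord

    # 2. Block the RDP port inbound at the host firewall, whichever port it is on.
    #    netsh advfirewall exists on Vista/2008 and later; the rule name is mine.
    $port = (Get-RdpExposure).RdpPort
    netsh advfirewall firewall add rule name="Block RDP inbound (BlueKeep workaround)" `
        dir=in action=block protocol=TCP localport=$port | Out-Null

    # 3. Belt and braces: stop and disable the service so there is no listener at all.
    Stop-Service -Name TermService -Force -ErrorAction SilentlyContinue
    Set-Service -Name TermService -StartupType Disabled
}

# Usage: audit, apply, audit again, and only believe the second audit.
Get-RdpExposure
Disable-RdpExposure
Get-RdpExposure
```

Run Get-RdpExposure before and after: the point of the Listening field is to verify that the port actually went quiet rather than to assume that the radio button alone did it. Two caveats: the netsh rule is a host-firewall rule, so it does nothing for a machine whose Windows Firewall service is off (block at the network edge as well), and none of this is a substitute for installing the patch, which is the only fix for the flaw itself.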

Oh. For the dozens of you who still use Vista, Microsoft initially forgot to mention that the Server 2008 SP2 version of the patch also works with Windows Vista.

Peruse the Patching Pilgrim’s Progress on the AskWoody Lounge
