Microsoft Patch Alert: Full of sound and fury, signifying nothing

Credit to Author: Woody Leonhard | Date: Fri, 30 Aug 2019 10:27:00 -0700

What happens when Microsoft releases eight – count ‘em, eight – concurrent beta test versions of Win10 version 1909 without fixing bugs introduced into 1903 on Patch Tuesday?

Pan. De. Moaaan. Ium.

No doubt, you recall the first wave of pain inflicted by the August 2019 patching regimen. Microsoft somehow managed to mess up Visual Basic (an old custom programming language), Visual Basic for Applications (for Office macros) and VBScript (a largely forgotten language primarily used inside Internet Explorer). Folks running applications in any of those languages would, on occasion, receive “invalid procedure call error” messages when using apps that had been working for decades.

Some companies’ commercial applications stopped working intermittently. More importantly, many large corporations’ internal custom programs turned belly-up.

The bug affects every single version of Windows – all the way from Win7 to Win10 version 1903. I think of it as Patching as a Keystone Kops Service.

If you’ve been following the details, you know that on Aug. 16, three days after Patch Tuesday, Microsoft released fixes for the bug in:

Then on Saturday (!), Aug. 17, we got fixes for:

And on Monday, Aug. 19, Microsoft released a fix for:

As of today, Aug. 30, we still don’t have a fix for Win10 1903, the latest version of the last version of Windows. It’s not clear why, but I have a guess that Microsoft’s so wrapped up in beta testing Win10 1903 that it somehow fell through the cracks. We still don’t have the second August cumulative update for Win10 1903 – the one that’s commonly called “optional non-security,” with varying degrees of accuracy. And therein lies a tale.

Normally, beta testing doesn’t have much of an influence over month-to-month patching. But this month it looks like we had a significant divergence of direction.

For the past year, Microsoft has been testing its Win10 1903 patches thoroughly, using the Windows Insider Release Preview ring. That’s great – it’s what the Release Preview ring was made for.

During the month of August, though, the Microsoft beta people took over a corner of the Release Preview ring and pushed the beta version of 1909 onto (supposedly) 10% of the 1903 testers. The official announcement came on Aug. 26:

For a small subset of Insiders (around 10%) in the Release Preview ring, we have enabled the “seeker” experience for version 1909 [Editor’s note: MS calls it 19H2, just to confuse you]. For these Insiders, if they go to Settings > Update & Security > Windows Update, they will see that there is a Windows 10, version 1909 update available. They will be able to choose to download and install this update on their PC. After the update finishes, they will be on version 1909 [Editor’s note: I changed it again] Build 18363.327.

That seems complicated, but reasonable enough – until you realize that the Win10 1909 beta currently has eight different versions. Some of those versions are being distributed to people who are in the Release Preview ring. In particular, the 18362.327 preview of the Win10 1903 patch went out at the same time “the 10%” got a Win10 1909 patch called 18363.327 (see how 18362 changes to 18363?).

Apparently that build wasn’t good enough, so on Aug. 29 we got the latest bifurcated patch 18362.329 (for the 90%) and 18363.329 (for the 10%). It looks like we’re waiting until Microsoft gets the bifurcated patch to work on both Win10 version 1903 and on the beta of version 1909.

Regardless of the genesis, those of you waiting to get a fix for the VB/VBA/VBScript problem in Win10 version 1903 will have to wait a little longer.

All of this would be frustratingly academic, if it weren’t for the fact that DejaBlue – a new set of “wormable” security holes in Windows itself – made its debut this month. While I’ve read lots of Chicken Little reports that DejaBlue has been exploited, none of those warnings has come true. As of this moment, there are no publicly available DejaBlue exploits.

Of course, plenty of people are trying to build them.

Until Microsoft releases a fix for the VB/VBA/VBScript problem in Win10 1903, you have two choices: patch, which protects you from DejaBlue but breaks VB, or hold back on patching, which keeps VB working but leaves your system open to a DejaBlue infection.

Nice choice, eh?

We’ve had loads of additional fun ‘n games this month:

Have a patching problem? Don’t we all. Join us on AskWoody.com.
