Microsoft Patch Alert: April patches infested with bugs, but most are finally contained

Credit to Author: Woody Leonhard | Date: Wed, 25 Apr 2018 12:06:00 -0700

People think I’m joking when I refer to bug fixing as Microsoft’s next billion-dollar business. I’m not. This month woefully demonstrated why patching Windows has become much bigger – and more critical – than developing new versions. Microsoft’s hell-bent move to bring out new versions of Windows twice a year “as a service” makes things worse, but quality control problems dog patches to every version of Windows. Except, arguably, Windows 8.1.

In April, we’ve seen a return to two massive cumulative updates per month for all supported versions of Windows 10. The second cumulative update, with luck, fixes the bugs in the first cumulative update. Windows 7 turned into a fiery pit when it was discovered in late March that every patch to 64-bit Win7 (and Server 2008 R2) pushed out this year opens the Total Meltdown security hole. Fortunately, by April 23, we finally saw some stability return to the process.

If you’re using Windows 10, you saw multiple big patches in April:

There was yet another update for Win10 1709, 1703 and 1607 released on April 24. KB 4078407 is supposed to be the software side of the fix for Spectre variant 2. It has to be combined with microcode updates to work and it’s only available by download from the Microsoft Update Catalog. We’re following its progress closely on AskWoody.

Of course we’re all waiting for Win10 version 1803 to appear. There’s still no word on when that might happen, or what it’ll be called. (Inveterate leaker Faikee points to a Chinese-language letter to dealers saying it’ll be released May 9.)

Two words: Total Meltdown. We now know that every 64-bit Windows 7 and Server 2008 R2 patch released this year, up to March 29, contained a bug that opens a security hole dubbed Total Meltdown. Microsoft spent most of April in Keystone Kops patching mode, where one patch after another introduced more and different bugs, and new patches replaced older patches at a truly mind-boggling rate.

As the month’s now winding down, there’s a bit of good news. As of Monday night, it appears as if the (re-re-re-released) April Monthly Rollup, KB 4093118, has lost its boorish tendency to re-re-re-install itself. That means, to a first approximation, Win7 and Server 2008 R2 users can install one patch and wipe out the Total Meltdown threat.

All of this is unfolding as a real, live working Total Meltdown exploit is in the works. Of course, Meltdown (as opposed to Total Meltdown) and Spectre have no known in-the-wild exploits; published proof-of-concept code exists, but no attack using it has been seen. None.

Those who insist on installing Security-only patches, eschewing the Monthly Rollups, face an unanswered question: If you’ve installed the earlier, buggy version of KB 4099950, the patch that fixes the lost-NIC and lost-static-IP problem, do you need to uninstall it before proceeding? The official documents are mum. We’re also following that question on AskWoody.
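Two questions run through the Win10 Spectre note above and the Win7 Security-only question: is the patch actually on the box, and is the mitigation actually switched on? The script below is an added example written for this page, not code from the column or from Microsoft. It checks for the KBs the column names (KB 4093118, KB 4099950, KB 4078407) with Get-HotFix, reads the registry override values Microsoft documents for the Spectre/Meltdown kernel mitigations, and, if Microsoft's SpeculationControl module from the PowerShell Gallery is available (assumed; installing it needs PowerShellGet and Internet access), reports whether the Spectre variant 2 mitigation is active. The "active" test shows the point in the column: the OS support, the enabling switch and the microcode all have to be present.

```powershell
# Added example, not part of the Computerworld column. Run from an elevated
# PowerShell prompt (5.1 or later assumed). Nothing here changes the system;
# it only reports.

# KBs named in the column. KB4093118 = April Monthly Rollup for Win7/2008 R2
# (the Total Meltdown fix); KB4099950 = the NIC/static-IP fix;
# KB4078407 = the Win10 1607/1703/1709 Spectre variant 2 enabling update.
$KbsOfInterest = 'KB4093118', 'KB4099950', 'KB4078407'

function Get-PatchState {
    param([string[]]$KbIds = $KbsOfInterest)
    # Get-HotFix lists installed updates; comparing by HotFixID avoids the
    # error Get-HotFix -Id raises when a KB is absent.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) {
        [pscustomobject]@{
            KB        = $kb
            Installed = ($installed -contains $kb)
        }
    }
}

function Get-MitigationOverride {
    # Registry switches Microsoft documents for turning the Spectre variant 2
    # (CVE-2017-5715) and Meltdown (CVE-2017-5754) kernel mitigations on/off.
    # $null means the value is absent and the OS default applies.
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FeatureSettingsOverride     = $props.FeatureSettingsOverride
        FeatureSettingsOverrideMask = $props.FeatureSettingsOverrideMask
    }
}

function Get-SpectreMeltdownStatus {
    # Microsoft's SpeculationControl module (PowerShell Gallery). Assumed
    # installable here; on Win7 it needs WMF 5.1 for Install-Module.
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module SpeculationControl
    $s = Get-SpeculationControlSettings

    [pscustomobject]@{
        # Microcode (hardware) support for branch target injection mitigation
        Spectre2Microcode   = $s.BTIHardwarePresent
        # OS-side support (the "software side" the column refers to)
        Spectre2OsSupport   = $s.BTIWindowsSupportPresent
        # Switch actually on (what KB4078407 is meant to flip on Win10)
        Spectre2Enabled     = $s.BTIWindowsSupportEnabled
        # All three must hold for the mitigation to do anything
        Spectre2Mitigated   = ($s.BTIHardwarePresent -and
                               $s.BTIWindowsSupportPresent -and
                               $s.BTIWindowsSupportEnabled)
        MeltdownRequired    = $s.KVAShadowRequired
        MeltdownOsSupport   = $s.KVAShadowWindowsSupportPresent
        MeltdownEnabled     = $s.KVAShadowWindowsSupportEnabled
    }
}

Get-PatchState | Format-Table -AutoSize
Get-MitigationOverride | Format-List
Get-SpectreMeltdownStatus | Format-List
```

Note that the SpeculationControl module reports on Meltdown (KVA shadowing) and Spectre; it does not detect the Total Meltdown hole, which is a separate bug in the Win7/2008 R2 patches themselves. For that, the only check available from the column is whether the current KB 4093118 rollup (or the matching Security-only patch) is installed, which is what Get-PatchState shows.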

There continue to be reports from people who installed this month’s updates and had to struggle with recovering their user profile. Microsoft acknowledged the problem, off and on, and even posted a Knowledge Base article with workaround steps.

There don’t appear to be any pressing problems with this month’s Office patches. Susan Bradley’s Master Patchwatch List gives them a clean bill of health, although there are a number of acknowledged problems listed on the official Fixes pages.

In short, it looks like Microsoft has fixed the problems that it introduced earlier in the month. The fixes for the security holes Microsoft introduced with this year’s Win7 and Server 2008 R2 patches are almost ready. We just have a couple of niggling problems to clear up before it’s time to get the March patches installed.

Stay tuned.

Join us for the latest on the AskWoody Lounge.
