Microsoft Patch Alert: Despite weird timing, September’s Windows and Office patches look good

Credit to Author: Woody Leonhard | Date: Thu, 20 Sep 2018 08:40:00 -0700

As we near the end of patching’s “C Week” (which is to say, the week that contains the third Tuesday of the month), there are no show-stopping bugs in the Windows and Office patches and just a few gotchas. As long as you avoid Microsoft’s patches for Intel’s Meltdown/Spectre bugs, you should be in good shape.

On Sept. 17, Microsoft released two very-out-of-band cumulative updates for Windows 10:

Both of the cumulative updates fix a bug that was introduced in the July 24 cumulative updates. The bug causes Microsoft’s Intune to stutter because it looks in the wrong place for user profiles. The second cumulative update also fixes an obscure VPN bug.

I have no idea why Microsoft released those patches on a Monday. They certainly could’ve waited until Tuesday – the “C Week” Tuesday traditionally being used to fix bugs introduced on Patch Tuesday. Somebody clearly jumped the gun, and folks who patch for a living aren’t really happy about having their chains jerked.

We never did get a cumulative update for Win10 1703. Maybe it wasn’t affected by the July 24 bug. Maybe it’s just too long in the tooth, with support for 1703 due to expire next month.

We also got a way-out-of-band cumulative update for Windows 7 Internet Explorer, KB 4463376, on a “B Week” Friday afternoon.

If September follows the precedent set this year, we’ll probably see another set of Win10 cumulative updates during “D Week” – next Tuesday, Sept. 25. At the same time, we’ll likely see sets of Monthly Rollup Previews for Win7 and 8.1. Of course, you should ignore them.

We’re getting more and more firmware updates for Microsoft Surface devices. In the past month, there’ve been firmware/driver patches for the Surface Pro 3, Surface Pro 4, Surface Pro 2017, Surface Book, and even the Surface Studio. It’s an across-the-board makeover (or massive fix) that hasn’t been extended to the Surface Laptop, Book 2, or Go. Yet.

Meanwhile, I’m still hearing complaints about the Surface Pro 4 update.

While there has yet to be any credible Meltdown or Spectre threat (Spectre v 1, 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8, 2, 3, 3a, 4 or 5), Microsoft continues to release microcode updates for Intel processors on machines running Win10 versions 1709 and 1803. Sometimes the installers try to install the Intel updates on AMD processors, but what the hay.

I go back to Helen Bradley’s statement last month:

“Unless you are a nation state, have a key asset in a cloud server, or are running for a government office, I think we are spending way, way more time worrying about this than we should. I still think that attackers will nail me with malware, attack me with phishing, ransomware, etc., etc. way more than someone will use these side channel attacks to gain information from me. Remember that the attacker has to get on your system first and I still think they will use the umpteen other ways to attack me easier than this attack. Also keep in mind that we won’t really have a full fix for this issue for several years. Intel and AMD will need to redesign the chips to ultimately get fixed.”

If you’re concerned about such things, do yourself a favor and go to Intel (probably via your PC’s manufacturer) and install the specific patches that you need. And remember that they won’t completely solve the problem.

If you insist on using the Microsoft approach to microcode, abandon all hope, and follow Bradley’s advice here.

July patching was an unmitigated disaster. August fared substantially better. Now, although the month isn’t yet over, September seems to be doing well – if you ignore the Patch Monday gaffe and throw up your hands over Meltdown and Spectre.

In spite of several Chicken Little warnings this month, there haven’t been any widespread attacks that warrant rushing out and installing any of the September patches just yet.

Susan Bradley’s Master PatchList looks relatively serene.

There’s something to look forward to. In October we get an “E Week” – there are five Tuesdays in October. It’ll be the first “E Week” since Microsoft adopted the “A Week” “B Week” bafflegab. What wonders await?

Thx to @sb and @PKCano

Patching problems? Join us on the AskWoody Lounge.
