{"id":12132,"date":"2018-04-25T12:30:05","date_gmt":"2018-04-25T20:30:05","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/04\/25\/news-5901\/"},"modified":"2018-04-25T12:30:05","modified_gmt":"2018-04-25T20:30:05","slug":"news-5901","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/04\/25\/news-5901\/","title":{"rendered":"Microsoft Patch Alert: April patches infested with bugs, but most are finally contained"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2017\/09\/windows_patch_security3-100734732-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Woody Leonhard| Date: Wed, 25 Apr 2018 12:06:00 -0700<\/strong><\/p>\n<p>People think I\u2019m joking when I refer to bug fixing as Microsoft\u2019s next billion-dollar business. I\u2019m not. This month woefully demonstrated why patching Windows has become much bigger \u2013 and more critical \u2013 than developing new versions. Microsoft\u2019s hell-bent move to bring out new versions of Windows twice a year \u201cas a service\u201d makes things worse, but quality control problems dog patches to every version of Windows. Except, arguably, Windows 8.1.<\/p>\n<p>In April, we\u2019ve seen a return to two massive cumulative updates per month for all supported versions of Windows 10. The second cumulative update, with luck, fixes the bugs in the first cumulative update. Windows 7 turned into a fiery pit when it was discovered in late March that <strong><em>every\u00a0<\/em><\/strong>patch to Win7 (and Server 2008R2) pushed out this year enables the Total Meltdown bug. Fortunately, by April 23, we finally saw some stability return to the process.<\/p>\n<p>If you\u2019re using Windows 10, you saw big multiple patches in April:<\/p>\n<p>There was yet another update for Win10 1709, 1703 and 1607 released on April 24. 
<a href=\"https:\/\/support.microsoft.com\/en-sg\/help\/4078407\/update-to-enable-mitigation-against-spectre-variant-2\" rel=\"noopener nofollow\" target=\"_blank\">KB 4078407<\/a> is supposed to be the software side of the fix for Spectre variant 2. It has to be combined with microcode updates to work and it\u2019s only available by download from the <a href=\"http:\/\/catalog.update.microsoft.com\/v7\/site\/Search.aspx?q=KB4078407\" rel=\"noopener nofollow\" target=\"_blank\">Microsoft Update Catalog<\/a>. We\u2019re following its progress closely <a href=\"https:\/\/www.askwoody.com\/2018\/so-tell-me-again-whats-happening-with-the-two-new-spectre-v2-patches-kb-4078407-and-kb-4091666\/\" rel=\"noopener nofollow\" target=\"_blank\">on AskWoody<\/a>.<\/p>\n<p>Of course we\u2019re all waiting for Win10 version 1803 to appear. There\u2019s still no word on when that might happen, or what it\u2019ll be called. (Inveterate leaker Faikee points to a <a href=\"https:\/\/twitter.com\/FaiKeeF\/status\/989094941824638976\" rel=\"noopener nofollow\" target=\"_blank\">Chinese-language letter to dealers<\/a> saying it\u2019ll be released May 9.)<\/p>\n<p>Two words: Total Meltdown. We now know that every 64-bit Windows 7 and Server 2008 R2 patch released this year, up to March 29, contained a bug that opens a <a href=\"https:\/\/www.computerworld.com\/article\/3269003\/microsoft-windows\/heads-up-total-meltdown-exploit-code-now-available-on-github.html\">security hole dubbed Total Meltdown<\/a>. Microsoft spent most of April in Keystone Kops patching mode, where one patch after another introduced more and different bugs, and new patches replaced older patches at a truly mind-boggling rate.<\/p>\n<p>As the month\u2019s now winding down, there\u2019s a bit of good news. 
As of Monday night, it appears as if the (re-re-re-released) April Monthly Rollup, KB 4093118, has <a href=\"https:\/\/www.askwoody.com\/2018\/patch-lady-mr-metadata-got-fixed\/\" rel=\"noopener nofollow\" target=\"_blank\">lost its boorish tendency to re-re-re-install itself<\/a>. That means, to a first approximation, Win7 and Server 2008 R2 users can install one patch and wipe out the Total Meltdown threat.<\/p>\n<p>All of this is unfolding as a real, live working <a href=\"https:\/\/www.computerworld.com\/article\/3269003\/microsoft-windows\/heads-up-total-meltdown-exploit-code-now-available-on-github.html\">Total Meltdown exploit<\/a> is in the works. Of course, Meltdown (as opposed to Total Meltdown) and Spectre have absolutely no known exploits. None.<\/p>\n<p>Those who insist on installing Security-only patches, eschewing the Monthly Rollups, face an unanswered question: If you\u2019ve installed the earlier, buggy version of the NIC and static-IP defending patch KB 4099950, do you need to uninstall it before proceeding? The official documents are mum. We\u2019re also following <a href=\"https:\/\/www.askwoody.com\/2018\/a-protocol-question-about-kb-4099950\/\" rel=\"noopener nofollow\" target=\"_blank\">that question on AskWoody<\/a>.<\/p>\n<p>There continue to be reports from people who installed this month\u2019s updates and had to struggle with recovering their user profile. Microsoft acknowledged the problem, off and on, and even posted a <a href=\"https:\/\/support.microsoft.com\/en-us\/help\/947215\/you-receive-a-the-user-profile-service-failed-the-logon-error-message\" rel=\"noopener nofollow\" target=\"_blank\">Knowledge Base article<\/a> with workaround steps.<\/p>\n<p>There don\u2019t appear to be any pressing problems with this month\u2019s Office patches. 
Susan Bradley\u2019s <a href=\"https:\/\/www.askwoody.com\/patch-list-master\/\" rel=\"noopener nofollow\" target=\"_blank\">Master Patchwatch List<\/a> gives them a clean bill of health, although there are a number of acknowledged problems listed on the <a href=\"https:\/\/support.office.com\/en-us\/article\/fixes-or-workarounds-for-recent-issues-in-outlook-for-windows-ecf61305-f84f-4e13-bb73-95a214ac1230?ui=en-US&amp;rs=en-US&amp;ad=US\" rel=\"noopener nofollow\" target=\"_blank\">official Fixes pages<\/a>.<\/p>\n<p>In short, it looks like Microsoft has fixed the problems that it introduced earlier in the month. The fixes to security holes Microsoft installed with this year\u2019s Win7 and Server 2008 R2 patches are almost ready. We just have a couple of niggling problems before it\u2019s time to get the March patches installed.<\/p>\n<p>Stay tuned.<\/p>\n<p><em>Join us for the latest on the <\/em><em><a href=\"https:\/\/www.askwoody.com\/2018\/patch-alert-april-patches-infested-with-a-slew-of-bugs-most-of-which-were-finally-contained\/\" rel=\"noopener nofollow\" target=\"_blank\">AskWoody Lounge<\/a>.<\/em><\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3216425\/microsoft-windows\/microsoft-patch-alert-april-patches-infested-with-bugs-but-most-are-finally-contained.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2017\/09\/windows_patch_security3-100734732-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Woody Leonhard| Date: Wed, 25 Apr 2018 12:06:00 -0700<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p>People think I\u2019m joking when I refer to bug fixing as Microsoft\u2019s next billion-dollar business. I\u2019m not. This month woefully demonstrated why patching Windows has become much bigger \u2013 and more critical \u2013 than developing new versions. 
Microsoft\u2019s hell-bent move to bring out new versions of Windows twice a year \u201cas a service\u201d makes things worse, but quality control problems dog patches to every version of Windows. Except, arguably, Windows 8.1.<\/p>\n<p>In April, we\u2019ve seen a return to two massive cumulative updates per month for all supported versions of Windows 10. The second cumulative update, with luck, fixes the bugs in the first cumulative update. Windows 7 turned into a fiery pit when it was discovered in late March that <strong><em>every\u00a0<\/em><\/strong>patch to Win7 (and Server 2008R2) pushed out this year enables the Total Meltdown bug. Fortunately, by April 23, we finally saw some stability return to the process.<\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3216425\/microsoft-windows\/microsoft-patch-alert-april-patches-infested-with-bugs-but-most-are-finally-contained.html#jump\">To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[714,10525],"class_list":["post-12132","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-security","tag-windows"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12132","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=12132"}],"version-history
":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12132\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=12132"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=12132"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=12132"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}