{"id":12778,"date":"2018-07-12T06:31:04","date_gmt":"2018-07-12T14:31:04","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/07\/12\/news-6546\/"},"modified":"2018-07-12T06:31:04","modified_gmt":"2018-07-12T14:31:04","slug":"news-6546","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/07\/12\/news-6546\/","title":{"rendered":"Patch Tuesday problems abound, Server 2016 crashes, and a .Net patch goes down in flames"},"content":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Thu, 12 Jul 2018 06:18:00 -0700<\/strong><\/p>\n

You know it\u2019s going to be an Alice in Wonderland month when some sites report that Microsoft plugged 54 vulnerabilities on Patch Tuesday, while others report 53. Fact is, patching has become so brutal \u2014 and so banal \u2014 that there\u2019s no consensus on counting, much less on what\u2019s good and bad.<\/span><\/p>\n

Suffice to say that, once again this month, there was a huge number of security patches (129 individual patches, according to the <\/span>Microsoft Update Catalog<\/span><\/a>), with no pressing security fixes unless you\u2019re using the Edge browser or Internet Explorer. Microsoft changed Win10 version 1803 to \u201cSemi-Annual Channel,\u201d but the term now means less than it ever has before. If that\u2019s possible.<\/span><\/p>\n

Moral of the story: Don\u2019t use IE or Edge, and wait a few weeks to see if any of the other patches blow up \u2014 which is pretty close to the same Patch Tuesday advice I\u2019ve doled out monthly for the past year.<\/span><\/p>\n

For a comprehensive listing of all the patches, see <\/span>Martin Brinkmann\u2019s list on Ghacks<\/span><\/a>. For the best in-depth analysis, see Dustin Childs\u2019s review on the <\/span>Zero Day Initiative blog<\/span><\/a>.<\/span><\/p>\n

The SANS<\/span> Internet Storm Center<\/span><\/a> says there are no known exploits for any of the patches, although three of the exploits have been disclosed to the patching community. None of the three is particularly interesting, unless you use Edge.<\/span><\/p>\n

There are \u201ccritical\u201d fixes for Edge (12 critical) and Internet Explorer (four critical), but no \u201ccritical\u201d fixes for any Windows version. It still amazes me how many major security problems crop up, month after month, for Edge.<\/span><\/p>\n

Our evergreen snooping patches, KB 2952664 for Win7 and KB 2976978 for Win8.1 make a reappearance, this time marked \u201cImportant,\u201d checked and ready to load. Similarly, <\/span>KB 4023057<\/span><\/a>\u00a0\u2014 an <\/span>\u201cupdate reliability\u201d patch<\/span><\/a> for older Win10 versions \u2014 has appeared again. Unless you want Microsoft to push you to a new version of Windows, you don\u2019t need or want them \u2014 they only <\/span>shuffle more telemetry data<\/span><\/a> off to Microsoft.<\/span><\/p>\n

The craziest Patch Tuesday blip wasn\u2019t a patch at all. Win10 April 2018 update \u2014 good ol\u2019 version 1803 \u2014 now appears in the <\/span>Windows 10 release information<\/span><\/a> list as \u201cSemi-Annual Channel.\u201d What\u2019s more the <\/span>bizarre blurb that appeared<\/span><\/a> as a footnote in that post on Tuesday morning is now gone:<\/span><\/p>\n

(1) Windows 10, version 1803 designation has been updated to reflect the servicing option available in the operating system and to reflect existing deferral policies. We recommend organizations broadly deploy the latest version of Windows 10 when they are ready, and not wait until the \u201cTargeted\u201d designation has been removed.<\/span><\/p>\n

\u2026 surely one of the worst cases of Microsoft bafflegab ever.<\/span><\/p>\n

On June 14, <\/span>Microsoft declared<\/span><\/a>:<\/span><\/p>\n

Based on the update quality and reliability we are seeing through our AI approach, we are now expanding the release broadly to make the April 2018 Update (version 1803) fully available for all compatible devices running Windows 10 worldwide. Full availability is the final phase of our rollout process.<\/span><\/p>\n

Now, it seems, version 1803 has been kicked up from \u201c(Targeted)\u201d to, uh, “Not (Targeted)” \u2014 without fanfare, and with no explanation. How “Not (Targeted)” differs from \u201cfully available\u201d remains a mystery.<\/span><\/p>\n

Here\u2019s the best way I found to parse the current announcement:<\/span><\/p>\n

At least, I think that\u2019s what it means. Neither the \u201creflect existing deferral policies\u201d footnote in the old KB article nor the June 14 declaration of \u201cfully available for all compatible devices\u201d mean much of anything, as best I can tell. Marketing pabulum.<\/span><\/p>\n

If you want to keep 1803 off your machine, make sure the <\/span>feature deferral setting is large<\/span><\/a>. And pray that Microsoft doesn\u2019t go rogue on forced updates again.<\/span><\/p>\n

We\u2019re slowly unraveling this knot on the <\/span>AskWoody Lounge<\/span><\/a>.<\/span><\/p>\n

Yet another patch that never should\u2019ve made it through quality control: The <\/span>KB 4338814 article<\/span><\/a> says:<\/span><\/p>\n

After installing this update on a DHCP Failover Server, Enterprise clients may receive an invalid configuration when requesting a new IP address. This may result in loss of connectivity as systems fail to renew their leases. <\/span><\/p>\n

Currently, there is no workaround for this issue. Microsoft is working on a resolution and estimates a solution will be available mid-July.<\/span><\/p>\n

The patch was reissued on July 11, but it looks like there was only a change in detection logic (\u201cmetadata\u201d). An <\/span>anonymous poster on AskWoody<\/span><\/a> says it was yanked from WSUS. There\u2019s an \u2026 entertaining \u2026 <\/span>thread on Reddit<\/span><\/a> that blasts Microsoft for releasing a patch that, knowingly, blows away fundamental Server functions. What on earth is Microsoft thinking?<\/span><\/p>\n

Permit me to rephrase that. <\/span>Is<\/i><\/strong> Microsoft thinking?<\/span><\/p>\n

If you tried to install KB 4340558, the \u201cSecurity and Quality Rollup updates for .Net Framework 3.5 SP1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, and 4.7.1 for Windows 8.1, RT 8.1, and Server 2012 R2\u201d and had it crash with an error <\/span>0x80092004, you aren\u2019t alone. AskWoody poster <\/span>macauln82 says<\/span><\/a> he\u2019s seen it happen on all of his Server 2012 R2 machines. G\u00fcnter Born has a <\/span>detailed explanation<\/span><\/a>. <\/span><\/p>\n

@abbodi86 offers <\/span>this explanation and fix<\/span><\/a>:<\/span><\/p>\n

It\u2019s caused by the .NET 4.x rollup component <\/span>KB 4338419<\/span><\/a>, which somehow conflicts with the last two rollups <\/span>KB 4229727 <\/span><\/a>(the Preview from June) and <\/span>KB 4096417<\/span><\/a> (the May rollup). <\/span><\/p>\n

The solution: Uninstall KB 4229727 & KB 4096417, then clean up the leftovers by running<\/span><\/p>\n

Dism \/Online \/NoRestart \/Cleanup-Image \/StartComponentCleanup<\/span><\/p>\n

(you may also run Disk Cleanup > Windows Update Cleanup)<\/span><\/p>\n

Reboot and KB 4338419 will install successfully.<\/span><\/p>\n

According to an <\/span>anonymous poster <\/span><\/a>on AskWoody:<\/span><\/p>\n

If you\u2019re on Windows 10 1803, Windows Update takes care of the botched up .NET 4.7.2 release shipped with that Windows version. If .NET 4.7.2 was installed before today on a previous Windows version, make sure to check out the <\/span>offline installer <\/span><\/a>and reinstall again from the updated installer! Re-running the updated .NET 4.7.2 should not cause any issues. In order to re-install .NET 4.7.2 without reboot, make sure to shut down all .NET apps (including Web apps running in IIS) before running the installer.<\/span><\/p>\n

If the .NET 4.7.2 SDK was installed before today as well, make sure to <\/span>download it<\/span><\/a> and reinstall again.<\/span><\/p>\n

This .Net patch is also failing, with the same error code, in Windows 8.1. That\u2019s a remarkable achievement because Win8.1 continues to be the most stable version of Windows available.<\/span><\/p>\n

The old Win7 NIC problem \u2014 introduced by a <\/span>security patch in March<\/span><\/a>\u00a0\u2014 still hasn\u2019t been fixed. The KB article says:<\/span><\/p>\n

Symptom: There is an issue with Windows and a third-party software that is related to a missing file (<\/span>oem<number>.inf<\/span><\/i>). Because of this issue, after you apply this update, the network interface controller will stop working.<\/span><\/p>\n

Workaround:<\/span><\/p>\n

a. Alternatively, install the drivers for the network device by right-clicking the device and choosing <\/span>Update<\/strong>. Then choose <\/span>Search automatically for updated driver software<\/strong> or <\/span>Browse my computer for driver software<\/strong>.<\/span><\/p>\n

If you can figure out that logic, yer a better hack than me, Gunga Din.<\/span><\/p>\n

I\u2019m beginning to think that Microsoft <\/span>won\u2019t ever fix<\/span><\/a> this NIC problem. If it decides to pass on a solution, I hope Microsoft just comes out and says it, instead of burying the decision and <\/span>doctoring old documentation<\/span><\/a> to cover it up. It’d be nice if Microsoft would identify the offending NICs as well. Let’s hear it for transparency.<\/span><\/p>\n

This month marked a re-re-re\u2026-appearance of the <\/span>snooping patches KB 2952664 for Win7 and KB 2976978 for Win8.1<\/span><\/a>. You remember the Microsoft Party Line:<\/span><\/p>\n

This update performs diagnostics on the Windows systems that participate in the Windows Customer Experience Improvement Program. The diagnostics evaluate the compatibility status of the Windows ecosystem, and help Microsoft to ensure application and device compatibility for all updates to Windows. There is no GWX or upgrade functionality contained in this update. <\/span><\/p>\n

Poster Bill C has a <\/span>good take <\/span><\/a>on the claim:<\/span><\/p>\n

They say they will not do GWX again, OK, but the real question is what WILL they do?<\/span><\/p>\n

We\u2019ve seen, over and over again, that the Customer Experience Improvement Program settings have no bearing on these patches\u2019 increased telemetry. If you\u2019re even remotely tempted to install either of these \u201cimportant,\u201d checked patches, see @PKCano\u2019s AskWoody KB article on the subject, <\/span>AKB 2952664<\/span><\/a>.<\/span><\/p>\n

ProTip: Microsoft has no incentive to improve Win7. None. Unless you\u2019re offered a clearly identified security patch, you don\u2019t want it, checked or not.<\/span><\/p>\n

Remember the Win10 \u201cdelta\u201d updates? The ones that <\/span>bricked many machines<\/span><\/a> last October? \u00a0Now comes word that the experiment didn\u2019t work. Or, at least, there\u2019s a better alternative. Mike Benson, on the official <\/span>Windows IT Pro blog<\/span><\/a>, says:<\/span><\/p>\n

We plan to stop shipping delta updates. Beginning February 12, 2019 Microsoft will end its practice of creating delta updates for all versions of Windows 10. Express updates are much smaller in size, and simplifying the cumulative options available will reduce complexity for IT administrators.<\/span><\/p>\n

@PKCano reports:<\/span><\/p>\n

Updating my 1703 VM today (CU KB4338826, IE11 Flash, MSRT and C++) when I \u00a0got a popup saying \u201cYour Windows Update is not working properly. You need the Update Facilitation Service. Click OK below.\u201d <\/span><\/p>\n

Oh, no you don\u2019t<\/strong>! I clicked on the \u201cX\u201d and closed the box \u2013 it was not then listed in the downloaded updates.<\/span><\/p>\n

There are several Servicing Stack Updates this month. If you are going to install the Win10 updates manually, make sure you <\/span>install the Servicing Stack Update <\/span><\/a>first:<\/span><\/p>\n

There\u2019s no new SSU for Win10 version 1703. At least, not yet.<\/span><\/p>\n

Obviously, it\u2019s much too early to install the July patches \u2014 unless you want to join the ranks of the unpaid beta testers.<\/span><\/p>\n

Thx to @PKCano, @BillC, @abbodi86, @NibbledToDeathByDucks and many more<\/span><\/p>\n

Abandon hope all ye who enter the <\/span><\/i>AskWoody Lounge<\/span><\/i><\/a>.<\/span><\/i><\/p>\n

http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Thu, 12 Jul 2018 06:18:00 -0700<\/strong><\/p>\n

\n
\n

You know it\u2019s going to be an Alice in Wonderland month when some sites report that Microsoft plugged 54 vulnerabilities on Patch Tuesday, while others report 53. Fact is, patching has become so brutal \u2014 and so banal \u2014 that there\u2019s no consensus on counting, much less on what\u2019s good and bad.<\/span><\/p>\n

Suffice to say that, once again this month, there was a huge number of security patches (129 individual patches, according to the <\/span>Microsoft Update Catalog<\/span><\/a>), with no pressing security fixes unless you\u2019re using the Edge browser or Internet Explorer. Microsoft changed Win10 version 1803 to \u201cSemi-Annual Channel,\u201d but the term now means less than it ever has before. If that\u2019s possible.<\/span><\/p>\n

To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[714,10525],"class_list":["post-12778","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-security","tag-windows"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12778","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=12778"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12778\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=12778"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=12778"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=12778"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}