{"id":12921,"date":"2018-07-26T14:30:02","date_gmt":"2018-07-26T22:30:02","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2018\/07\/26\/news-6688\/"},"modified":"2018-07-26T14:30:02","modified_gmt":"2018-07-26T22:30:02","slug":"news-6688","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/07\/26\/news-6688\/","title":{"rendered":"Microsoft Patch Alert: Still reeling from one of the worst patching months ever"},"content":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Thu, 26 Jul 2018 14:31:00 -0700<\/strong><\/p>\n

If you ever wondered why people \u2014 and organizations \u2014 are taking longer and longer to willfully install patches, take a look at what happened this month. After a disastrous start, Windows 10 patches seem to be OK, but .NET and Server patches still stink.<\/p>\n

For most of the year, we\u2019ve seen two big cumulative updates every month for each of the supported Win10 versions. This month, so far, we\u2019ve had three. Microsoft\u2019s claim that it will install the Win7 and Win8.1 Monthly Rollups defies logic. The .NET patches are in such bad shape that the .NET devs have thrown in the towel. And here we sit not knowing exactly which way is up.<\/p>\n

On Patch Tuesday, July 10, as usual, Microsoft rolled out cumulative updates for all of the supported versions of Windows 10. Almost immediately we heard screams of pain<\/a> as four big bugs, later officially acknowledged, hit the fan. Six days later, Microsoft released a second set of cumulative updates<\/a>, again for all versions of Win10. Those updates were specifically designed to fix the bugs introduced by the original updates. The build numbers in the Knowledge Base articles didn\u2019t match the build numbers that people actually installed but, well, that\u2019s Microsoft.<\/p>\n

A week after that, on July 24, Microsoft released a third set of cumulative updates<\/a>, again for all versions of Win10. At least, I think they were released on July 24. The dates in the Update Catalog and on the files themselves don\u2019t line up. But we definitely have three cumulative updates for every version, so far this month. Beefy bug fixes.<\/p>\n

It\u2019s still too early to tell whether the third round of patches is viable. We\u2019ve only had them for two days.<\/p>\n

As usual, Win7\/Server 2008 R2 and Win8.1\/Server 2012 R2 both received a single Monthly Rollup (along with a Security-only patch) on July 10. Both contained three of the four bugs introduced in the Win10 Patch Tuesday security patches, including the Stop 0xD1 bug. Microsoft released manual download-only<\/a> fixes for the bugs for Win7 and 8.1 on July 16.<\/p>\n

Then, on July 18, Microsoft released Monthly Rollup Previews for both Win7\/Server 2008 R2 and Win8.1\/Server 2012 R2, which apparently contain the manual download-only fixes. Like all good Monthly Rollup Previews, they\u2019re released as Optional patches, so you have to specifically check them in order to get them \u2014 a procedure I never recommend.<\/p>\n

Except, golly gee, on July 24, Microsoft announced<\/a>:<\/p>\n

The Windows Update classification for the following update packages has been changed from Optional to Recommended: KB 4338821 (Preview Monthly Rollup for Win7\/Server 2008 R2), KB 4338816 (Preview Monthly Rollup for Server 2012), KB 4338831 (Preview Monthly Rollup for Win 8.1\/Server 2012 R2). These packages will be installed automatically if the operating system is configured to receive automatic updates.<\/p>\n

It\u2019s a setting that, as best I know, is completely unprecedented in the history of Monthly Rollup Previews. Hard to imagine a Preview \u2014 by definition, a fix that isn\u2019t ready for prime time \u2014 that\u2019s pushed onto all machines. As of today, I haven\u2019t seen those Previews pushed onto Win7 or 8.1 machines with automatic update enabled. It appears as if the announcement only applies to Servers \u2014 but that\u2019s just conjecture at this point.<\/p>\n

A poster named Francis says<\/a>:<\/p>\n

Since only the server preview rollups are updated in the catalog, I think Microsoft is not telling us the whole truth. Probably only the server preview rollups will be installed automatically if the operating system is configured to receive automatic updates AND the option to receive recommended updates is set in the Windows Update client settings<\/p>\n

That corresponds to what I\u2019ve seen. (If you aren\u2019t confused, you haven\u2019t been following along.)<\/p>\n

The .NET patches released on Patch Tuesday were bad. They were so bad that Microsoft itself has disavowed any knowledge of their actions. On July 20 \u2014 10 days late and $10 short \u2014 \u2018Softie Rich Lander posted on the official .NET blog<\/a>:<\/p>\n

The July 2018 Security and Quality Rollup updates for .NET Framework was released earlier this month. We have received multiple customer reports of applications that fail to start or don\u2019t run correctly after installing the July 2018 update\u2026 We have stopped distributing the .NET Framework July 2018 updates on Windows Update and are actively working on fixing and re-shipping this month\u2019s updates. If you installed the July 2018 update and have not yet seen any negative behavior, we recommend that you leave your systems as-is but closely monitor them and ensure that you apply upcoming .NET Framework updates.<\/p>\n

Since that time, we\u2019ve seen some fancy footwork to stop the disease from spreading. It now appears as if the patches are either not available or, if available through Windows Update, aren\u2019t checked for automatic installation. The official apology hasn\u2019t been updated with any word of a fix.<\/p>\n

Microsoft pulled the bad Office 2016 non-security patch KB 4018385 on July 12, nine days after its release on the first Tuesday of the month. As I explained at the time<\/a>:<\/p>\n

What we\u2019re seeing is a non-security patch for a bug in three-month-old security patch that crashed Office \u2026 and the new non-security patch also crashes Office. That’s progress.<\/p>\n

No word on a fix.<\/p>\n

If you have a Surface Pro 4 or a Surface Laptop, Microsoft has released dozens of firmware\/driver fixes<\/a> for your machine. Some of the \u201cnew\u201d drivers are a year or more old. I hold out some hope that the fixes will cure some of the outstanding problems we\u2019ve seen with the Surface Pro 4, especially with flakey keyboards and super slow write speeds<\/a>.<\/p>\n

On July 24, we saw another bunch of Intel microcode fixes, specifically targeting the Spectre v2 vulnerability. There are separate patches for Win10 version 1803<\/a> and 1709<\/a>\u2014 and no new updates, so far at least, for earlier versions. Microsoft\u2019s summary post for the microcode KBs<\/a> contains links.<\/p>\n

Just about every aspect of patching this month revealed significant screw-ups. If your machine is set to automatically install new updates as soon as they\u2019re released, you were likely stung at least once. Add to that the stunning lack of transparency and obvious documentation inconsistencies, and you have one of the worst patching months in recent memory. Let\u2019s hope it doesn\u2019t get worse.<\/p>\n

I continue to recommend that you keep 1803 off your Win10 machines. The volume (and quality!) of patches doesn\u2019t bode well. Of course, the other Win10 versions weren\u2019t much better this month. Susan Bradley\u2019s Master PatchList<\/a> has details for individual patches.<\/p>\n

Thx to @sb, @abbodi86 and @PKCano<\/em><\/p>\n

Problems with patches? Yeah, join the club. Visit us on the\u00a0AskWoody Lounge<\/a>.<\/em><\/p>\n

http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Thu, 26 Jul 2018 14:31:00 -0700<\/strong><\/p>\n

\n
\n

If you ever wondered why people \u2014 and organizations \u2014 are taking longer and longer to willfully install patches, take a look at what happened this month. After a disastrous start, Windows 10 patches seem to be OK, but .NET and Server patches still stink.<\/p>\n

For most of the year, we\u2019ve seen two big cumulative updates every month for each of the supported Win10 versions. This month, so far, we\u2019ve had three. Microsoft\u2019s claim that it will install the Win7 and Win8.1 Monthly Rollups defies logic. The .NET patches are in such bad shape that the .NET devs have thrown in the towel. And here we sit not knowing exactly which way is up.<\/p>\n

Three Win10 cumulative updates for each version in July<\/strong><\/h2>\n

On Patch Tuesday, July 10, as usual, Microsoft rolled out cumulative updates for all of the supported versions of Windows 10. Almost immediately we heard screams of pain<\/a> as four big bugs, later officially acknowledged, hit the fan. Six days later, Microsoft released a second set of cumulative updates<\/a>, again for all versions of Win10. Those updates were specifically designed to fix the bugs introduced by the original updates. The build numbers in the Knowledge Base articles didn\u2019t match the build numbers that people actually installed but, well, that\u2019s Microsoft.<\/p>\n

To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[10516,10909,13764,714,10525],"class_list":["post-12921","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-microsoft","tag-microsoft-office","tag-pcs","tag-security","tag-windows"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12921","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=12921"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12921\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=12921"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=12921"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=12921"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}