By far the most important reason for this month\u2019s relative patching calm: Microsoft decided to wait and get the Windows 10 (version 1809) patch right instead of throwing offal against a wall and seeing what sticks.<\/p>\n
![](\"https:\/\/images.idgesg.net\/images\/article\/2017\/09\/windows_patch_security3-100734732-large.3x2.jpg\"\/)
<\/p>\n<\/p>\n
Credit to Author: Woody Leonhard| Date: Thu, 29 Nov 2018 08:30:00 -0800<\/strong><\/p>\n By far the most important reason for this month\u2019s relative patching calm: Microsoft decided to wait and get the Windows 10 (version 1809) patch right instead of throwing offal against a wall and seeing what sticks.<\/p>\n What remains is a hodge-podge of Windows patches, some mis-identified .NET patches, a new Servicing Stack Update slowly taking form, a bunch of Office fixes \u2013 including two buggy patches<\/a> that have been pulled and one that\u2019s been fixed \u2013 the usual array of Flash excuses and Preview patches.<\/p>\n In a day that will live in patching infamy, Microsoft released Windows 10 version 1809 on Oct. 2, then pulled it on Oct. 5, responding to cries of anguish and deleted data. Win10 1809 was officially re-released on Nov. 13<\/a>, but very few people took the bait, and it appears as if Microsoft isn\u2019t pushing 1809 onto any machines. Although I remain skeptical of their sampling method, AdDuplex reports<\/a> that version 1809 now runs on 2.8% of all Win10 machines.<\/p>\n The most important patching news this month \u2013 indeed, I would argue, the most important patching news this year \u2013 is that Microsoft has finally (re-) discovered the Windows Insider Release Preview Ring. Some folks would have you believe that the Insider Release Preview Ring was designed for testing new versions of Windows. But that isn\u2019t the way it was designed<\/a>.<\/p>\n Here\u2019s what Microsoft\u2019s official Insider Program overview documentation<\/a> says:<\/p>\n Release Preview Ring<\/p>\n If you want to be on the current public release of Windows 10 but still get early access to updates, applications, and drivers without taking the risk of moving to the Development Branch, the Release Preview Ring is your best option. The Release Preview Ring is only visible when your Windows build version is the same as the current Production Branch. The easiest way to go between the Development Branch to the current Production Branch is to reinstall Windows using the Media Creation Tool, see instructions at Download Windows 10<\/a>.<\/p>\n Now we\u2019re seeing builds of the Windows 10 September-October-November-soon-to-be-December 2018 Update going through a proper test cycle<\/a>. Not surprisingly, Microsoft has uncovered (and apparently fixed) tons of bugs in 1809, including the notorious filename<\/a> extension<\/a> bug<\/a>\u00a0and mapped drive bug<\/a>. While Microsoft once said that its fixes would arrive in late November, the official status page<\/a> now says they\u2019ll arrive in early December.<\/p>\n At the same time, other companies have had time to get their products ready for 1809. Apple has a new version of iCloud<\/a> that works with 1809. Trend Micro says it has new versions of its products<\/a> either in place, or coming soon, to fix its incompatibilities. That said, upgrade blocks are still in place for AMD Radeon HD2000 and HD4000 graphics cards, with no resolution yet identified; for F5 VPN clients<\/a>; and for certain new Intel display drivers<\/a>.<\/p>\n Short version: It would be, ahem, quite foolish to install 1809 until Microsoft has figured out and released its latest cumulative update. Yes, that means the Win10 September 2018 Update won\u2019t arrive in moderately usable form until December. So be it.<\/p>\n Win10 1809 is being patched in a reasonable, steady way \u2013 with beta test versions of the cumulative updates appearing in the Insider Release Preview Ring, where they can be pounded appropriately.<\/p>\n Alas, we aren\u2019t so lucky with the other versions of Win10, where untested non-security bug fixes continue to appear as monthly second-round cumulative updates. We had a bunch of those this month:<\/p>\n Yes, that means Microsoft is currently supporting seven different versions of Windows \u2013 Windows 7, 8.1, Win10 1607, 1703, 1709, 1803, 1809 \u2013 plus Server versions, Xbox, Mobile (sorta), Embedded, IoT, Holographic, and heaven knows what all.<\/p>\n It now appears as if Microsoft is installing the second monthly Cumulative Updates for seekers<\/a> \u2013 those who click Check for Updates. Ouch. I thought Microsoft had backed off that particular form of insanity.<\/p>\n There are also new Intel microcode updates, explained in KB 4465065<\/a> (thx @ep, @ch100), as well as a new beta test version of the Win10 1809 Servicing Stack Update, which will likely appear at the same time as the Win10 September-October-November-December 2018 Update.<\/p>\n As things stand now, I haven\u2019t heard any loud screams of pain stemming from the Win10 Cumulative Updates, second monthly Cumulative Updates, or the Win7 or 8.1 Monthly Rollups.<\/p>\n The .NET patches this month have provided an ongoing source of amusement. First, we were treated to an apparent typo in the description of the Win7 Monthly Rollup for .NET 3.5.1\u2026 4.7.2 (see this thread<\/a> by FanJ in the Wilders Security Forums \u2013 thx @cesmart4125). Now we have three .NET patches for Win7\/8.1 in Windows Update (thx @abbodi86<\/a>):<\/p>\n I\u2019m not showing any significant problems with any of those \u2013 and no indication what\u2019s been changed (if anything) with the 2018-09 patches.<\/p>\n As I explained on Nov. 19<\/a>, this month\u2019s big bunch of Office patches included two non-security patches, KB 4461522<\/a> and KB 2863821<\/a>, that trigger Entry Point errors in various Office 2010 products. Microsoft\u2019s current advice is to uninstall the patches. They aren\u2019t being distributed and haven\u2019t been fixed.<\/p>\n A Patch Tuesday security update marvel, KB 4461529<\/a>, crashes 64-bit Outlook 2010 on startup. Not many people use the 64-bit version of Office 2010 because it\u2019s so buggy. Think of this as exhibit 314159. Microsoft \u201cfixed\u201d the bug a couple of days ago by releasing a second patch, KB 4461585<\/a>, whose sole purpose appears to be fixing the crashes caused by the original.<\/p>\n The bottom line<\/strong><\/p>\n The past five months have shown, repeatedly, that you\u2019d have to be crazy \u2013 or ignorant of the past\u2013 to continue applying Windows patches as soon as they\u2019re released. July patching was an unmitigated disaster<\/a>. After some initial mis-steps, August fared substantially better<\/a>. September saw a bunch of \u201cv2\u201d patches that got yanked suddenly, but it all worked out in the end<\/a>. If you waited long enough. October fell all over itself<\/a> delivering bad news. November\u2019s better, primarily because Microsoft put the brakes on Win10 1809 and decided to actually test things before releasing them. Novel concept, that.<\/p>\n If you\u2019re in charge of protecting state secrets, the pressure\u2019s on to get the patches installed come hell or high water. Susan Bradley\u2019s Master PatchList<\/a> remains relatively calm, if you take into consideration the problems explored in this article.<\/p>\n As best I can tell, the biggest threat still lies in a resurgence in Equation Editor exploits<\/a>.\u00a0That particular Office bug was fixed (and re-fixed) almost a year ago<\/a>. \u00a0<\/p>\n November\u2019s almost over and, with the return of sanity in Win10 1809 patching, it may just be a turning point. Things really couldn\u2019t get much worse.<\/p>\n Patching pains? Join us on the AskWoody Lounge<\/a>.<\/em><\/p>\n