{"id":15683,"date":"2019-07-01T04:30:04","date_gmt":"2019-07-01T12:30:04","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/07\/01\/news-9431\/"},"modified":"2019-07-01T04:30:04","modified_gmt":"2019-07-01T12:30:04","slug":"news-9431","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/07\/01\/news-9431\/","title":{"rendered":"Microsoft Patch Alert: The Windows patching heavens buzz with silver bullets"},"content":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Mon, 01 Jul 2019 04:36:00 -0700<\/strong><\/p>\n

How many bugs could a WinPatcher patch, if a WinPatcher could patch bugs?<\/p>\n

Ends up that June\u2019s one of the buggiest patching months in recent memory \u2013 lots of pesky little critters, and the ones acknowledged by Microsoft led to even more patches later in the month.<\/p>\n

In June, we saw eight single-purpose Windows patches whose sole mission is to fix bugs introduced in earlier Windows patches. I call them silver bullets \u2013 all they do is fix earlier screw-ups. If you install security patches only, these eight have to be installed manually to fix the bugs introduced earlier. It\u2019s a congenital defect in the patching regimen \u2013 bugs introduced by security patches get fixed by non-security \u201coptional\u201d patches, while waiting for the next month\u2019s cumulative updates to roll around.<\/p>\n

Every modern version of Win10 except 1903 \u2013 which is to say, versions 1607, 1703, 1709, 1803, 1809, Server 2016 and Server 2019 \u2013 all got three cumulative updates this month. The third cumulative update for June resolves this one issue:<\/p>\n

Devices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4497934. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of \u201cTarget failed to respond in time for a login request.\u201d<\/p>\n

In other words, it\u2019s a silver bullet \u2013 an optional patch that fixes a bug introduced in an earlier patch that you\u2019ll only get if you download and install it manually, or if you click on \u201cCheck for updates.\u201d<\/p>\n

What\u2019s strange about this bevvy of patches is the timing. Apparently, the bug arrived with the third May cumulative updates on May 21. I first saw mention of it on a Dell support forum, on June 11 and posted about it<\/a> on June 19. Microsoft hadn\u2019t acknowledged the bug at the time. (The first official \u00a0announcement I saw was on June 26, the date all four silver bullets appeared.)<\/p>\n

That\u2019s more than a little disconcerting because Microsoft should be warning us about these problems quickly on the Release Information Status page<\/a>.<\/p>\n

On June 20, Microsoft released silver bullet patches for Win7, 8.1, Server 2008 R2 SP1, 2012, 2012 R2, and Internet Explorer 11 to fix bugs introduced in the June 11 Monthly Rollups and Security-only patches.<\/p>\n

The update for 7 SP1 and Server 2008 R2 SP1 KB 4508772<\/a>, for Windows 8.1 and Server 2012 R2 KB 4508773<\/a> and for Server 2012:<\/p>\n

\u201cAddresses an issue that may display the error, \u2018MMC has detected an error in a snap-in and will unload it.\u2019 when you try to expand, view, or create Custom Views in Event Viewer. Additionally, the application may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs.\u201d<\/p>\n

Cumulative Update for Internet Explorer 11 KB 4508646<\/a><\/p>\n

\u201cAddresses an issue that causes Internet Explorer 11 to stop working when it opens or interacts with Scalable Vector Graphics (SVG) markers, including Power BI line charts with markers.\u201d<\/p>\n

The bug fixes are not included in the June Monthly Rollups or Security-only patches (June 11, 2019), but are included in the Preview Monthly Rollups released on June 20.<\/p>\n

Once again, bugs introduced by security patches are getting the latest fixes in non-security patches.<\/p>\n

The second monthly cumulative update for Win10 1903 appeared late, as usual, on June 27. KB 4501375<\/a> includes fixes for several acknowledged bugs, including the MMC error with Custom Views described in the preceding section.<\/p>\n

Many people are complaining that this particular patch was downloaded without their consent<\/a> \u2013 which is to say, without clicking \u201cCheck for updates.\u201d @abbodi86 looked into it and discovered<\/a>:<\/p>\n

Based on my tests\u2026 KB4501375 (18362.207<\/a>) behaves exactly the same way that Feature Updates behave on 1809 and 1803 \u2013 the \u201cdownload and install now\u201d behavior. In other words, KC 4501375 will be bundled and offered as [a] secondary update with any available update even if you don\u2019t \u201cCheck for updates.\u201d It\u2019s possible that the latest .NET cumulative update will trigger this behavior.<\/p>\n

That said, deferring Feature Updates (version updates) for just 1 day makes KB4501375 go away.<\/p>\n

We\u2019re still in a quandary about the behavior of Win10 1903\u2019s update deferrals.<\/p>\n

In Win10 1903 Pro, if you go into Windows Update, advanced options, you get a pane that looks like this.<\/p>\n

Windows 10\u00a01903 Pro update advanced settings.<\/p>\n

Several of you have noted that if you specify deferral options as I have here (non-zero numbers in either of the two bottom boxes), the entire \u201cChoose when updates are installed\u201d part of the advanced options dialog disappears.<\/p>\n

@abbodi86 has undertaken some experiments with the settings. Here\u2019s what he has concluded:<\/a><\/p>\n

Yep, the Feature Update deferral box disappears once i change the entries to non-zero. Maybe it\u2019s an intentional move so the user cannot change the period frequently? \ud83d\ude42<\/p>\n

Anyway, the Feature Update deferral period can be still controlled with registry setting<\/p>\n

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsUpdateUXSettings] \u201cDeferFeatureUpdatesPeriodInDays\u201d=dword:0000016d<\/p>\n

Group policy can be used<\/a> to show you the feature update deferral period. The box will show up greyed, but at least you can know the period<\/p>\n

@abbodi goes on to say that he tested changing the Quality Update deferral period the same way, with the same result \u2014 if you set it to anything other than zero, the whole section disappears. It may be related to an internal conflict<\/a> with the way Semi-Annual Channel (Targeted) was removed.<\/p>\n

Maybe, just maybe, this is the way it\u2019s supposed to work. If so, I\u2019d like to nominate this particular behavior for the \u201cHarebrained Design\u201d hall of fame. Giving a user an option, any option, then forcing them to dig into Group Policy to modify it, stinks.<\/p>\n

If you\u2019ve been struggling with the \u201cIntel\u201d microcode updates for Meltdown\/Spectre and other \u201cSide Channel vulnerabilities,\u201d you aren\u2019t alone. The latest twist appears with Karl-WE\u2019s enormous leg work, posted on GitHub<\/a>, that brings some sense to the ongoing litany of patches.<\/p>\n

In particular, Karl notes \u2013 and MS Security Response Center guru Jorge Lopez confirms \u2013 that the phrase in KB 4346085<\/a> that says:<\/p>\n

Important Install this update for the listed processors only.<\/p>\n

is, quite simply, wrong. Some of the updates apply to processors that are not listed. You\u2019re better off trusting Windows Update to pick the ones that are right for your machine. Says Lopez:<\/p>\n

\u201cThe team didn’t want to mislead anyone reading this KB in isolation to think that installing this KB\/deploying across a fleet would mean they have met the requirement for microcode for these side-channel issues – that is only true for the processors listed on the KB. We will update the line, that’s not the right way to provide that warning. So yes, you don\u2019t have to go through some complicated deployment matrix on this KB, but you still have to do so to determine what is protected or not (vuln scanning tools should help).\u00a0 The logic to apply or not a microcode update is part of the boot sequence in the OS – if the processor has a microcode revision that is older than what the OS has, the OS will update the CPU microcode as part of the boot sequence.<\/p>\n

Expect to see a correction to the KB article shortly.<\/p>\n

To end on a positive note\u2026 remember the BlueKeep vulnerability? The one that had me crying that the sky is falling<\/a> and you needed to install the May patches, like, right away? Kevin Beaumont (Twitter\u2019s @GossiTheDog) has good news<\/a>:<\/p>\n

If anybody is pondering why there\u2019s no public BlueKeep Remote Code Execution exploit, it\u2019s a mix of difficulty [There\u2019s a high bar for exploitation – in theory it is \u2018just\u2019 a use after free bug, but to be able to kernel spray you have to reverse engineer the RDP driver. There\u2019s no documentation on how to do it for this.] and a handful of people in the InfoSec world being very responsible.<\/p>\n

Yes, you still need to make sure you have the fix installed<\/a>. You should\u2019ve done it in May. When the exploit hits it\u2019ll be painful. But at least we\u2019ve been spared a bloodbath of unprecedented proportions.<\/p>\n

Join us for more thrilling Tales from the Crypt on the AskWoody Lounge<\/a>.<\/p>\n

http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Mon, 01 Jul 2019 04:36:00 -0700<\/strong><\/p>\n

\n
\n

How many bugs could a WinPatcher patch, if a WinPatcher could patch bugs?<\/p>\n

Ends up that June\u2019s one of the buggiest patching months in recent memory \u2013 lots of pesky little critters, and the ones acknowledged by Microsoft led to even more patches later in the month.<\/p>\n

In June, we saw eight single-purpose Windows patches whose sole mission is to fix bugs introduced in earlier Windows patches. I call them silver bullets \u2013 all they do is fix earlier screw-ups. If you install security patches only, these eight have to be installed manually to fix the bugs introduced earlier. It\u2019s a congenital defect in the patching regimen \u2013 bugs introduced by security patches get fixed by non-security \u201coptional\u201d patches, while waiting for the next month\u2019s cumulative updates to roll around.<\/p>\n

To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[10516,10909,13764,714,10525],"class_list":["post-15683","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-microsoft","tag-microsoft-office","tag-pcs","tag-security","tag-windows"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15683","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=15683"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15683\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=15683"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=15683"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=15683"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}