More June security patch bugs: You can patch an IE flaw, CVE-2017-8529, or print inside iFrames—but not both

Credit to Author: Woody Leonhard| Date: Wed, 19 Jul 2017 12:00:00 -0700

Strap on your hip waders. This particular “scare” article should have you thinking yet again about the advisability of installing Windows updates as soon as they’re available. As you’ll see, Microsoft itself has flip-flopped on the resolution and those who subscribe to Windows Update have been taken along for the ride.

Buggy June patches to Windows, Internet Explorer and Edge left customers in the horns of a dilemma:

Microsoft’s up against a hard bug that makes this an either-or proposition: Until Microsoft figures out how to fix both problems at the same time, either you patch the security hole, or you can print inside iFrames with IE, but not both.

For most people, this isn’t a big deal—just plug the security hole and use something other than IE to print web pages. But in many corporate environments, custom IE-based programs make that approach a non-starter—and companies that have custom IE programs that rely on printing inside iFrames are really feeling the pinch. It’s interesting to see how Microsoft has dealt with the problem, and cut the cards several times in the process.

And… surprise… if you have Automatic Update turned on, you can now print from iFrames in IE, but the security hole hasn’t been plugged. Microsoft seems to prefer leaving IE intact, and let the security hole take the back seat.

There are a lot of patches involved. To see the train wreck in slow mo, look at the events chronologically:

June 13: Microsoft releases a slew of bad patches for IE—June Internet Explorer Cumulative Update 4021558, Monthly Rollups 4022719, 4022724, 4022726 (all fed through Automatic Update), and manually installed Security Updates 4022727, 4022714, 4022715, and 4022725.

June 21: Microsoft acknowledges the “can’t print from iFrame” bug in all of those patches.

June 22: Microsoft releases a second patch, KB 4032782, which fixes the “can’t print from iFrame bug” by disabling the part of the original patches that deal with CVE-2017-8529. It’s an optional update, so IE users can choose to either (1) fix the CVE-2017-8529 security hole, or (2) enable printing from iFrames. Those using Automatic Update who don’t touch anything will still have problems with printing from iFrames.

June 27: Microsoft releases another big bunch of IE-related patches. Again, the choices are (1) fix the security hole or (2) enable printing from iFrames. In this case, those using Automatic Update who don’t install the Preview Rollup patches (which are not checked by default), will still have problems with printing from iFrames — EXCEPT for folks running Win10 Creators Update, 1703. The people running Creators Update are automatically updated with KB 4022716, which enables printing from iFrames, but disables the fix for the security hole.

As of June 27, if you were installing these patches as they came out the chute, your Win10 1703 machines can print in iFrames but don’t have the security hole plugged. On the other hand, your Win10 1607 and 1511 machines have it the other way around—IE can’t print inside iFrames, but the security hole is plugged.

Complicated enough for you? Wait. It gets better.

Unfortunately, the automatically installed June 27 cumulative update for Win10 1703, KB 4022716, proved to be a disaster, with reported problems in IE, Chrome and Firefox, black screens, and a conflict with Comodo firewall. If you let Windows 10 install this cumulative update, IE and Edge would suddenly close when you visit particularly complex—but perfectly valid—websites. The same IE crash is documented for:

Here’s the warning:

After you install this update, Internet Explorer 11 may close unexpectedly when you visit some websites. When the problem occurs, you may receive an error message that resembles the following:

We were unable to return you to [previous URL] Internet Explorer has stopped trying to restore this website. It appears the website continues to have a problem.

The problem may occur if the website is complex and uses certain web API’s.

That’s how things stood until Patch Tuesday, July 11: Another bunch of patches came out the Auto Update chute that day, but this time the role seems to be reversed. You can sift through the details of the 35 patches that include IE and Edge updates — KB 4022724, 4021558, 4022715, 4022727, 4022714, 4022726, 4022725, 4022719, if I didn’t miss any—but the meat of the changes appears in this Security TechCenter post:

Please note that the protection for CVE-2017-8529 is not yet available with the release of the July security updates, as we continue to work on a solution for the known issue customers may experience when printing from Internet Explorer or Microsoft Edge after installing Internet Explorer Cumulative update 4021558. Customers who receive automatic updates will not be protected from this CVE.

If I read that correctly, Microsoft sent out a “silver bullet” in this month’s Patch Tuesday patches, which turns off the part of the bad June patches that plugs the CVE-2017-8529 security hole. That is, everybody who has Automatic Update turned on should now be able to print inside iFrames with IE, but will be exposed to the security hole.

I doubt that most customers, given the choice, would trade IE iFrame printing for  security.

It’s not at all clear why Microsoft changed horses in the middle of the botched-patch-updating stream, but it now appears as if we’re back to the pre-June update settings for the security hole and the iFrame printing issue.

Can you make heads from tails out of this? Hit me on the AskWoody Lounge.

Thanks to abbodi86, ch100, and MrBrian

http://www.computerworld.com/category/security/index.rss