Windows and Office patching have had a horrible three months.
In February, we saw no patches except a decidedly late-to-the-party IE Flash fix, released a week after Adobe spilled the beans. March brought a metric mess of patches, to compensate for February’s shortcomings.
April, though, is proving to be the cruellest month, with botched version detection for blocked updates, MSRT bugs, a problem with the Microsoft Baseline Security Analyzer, sync failures for Update Servers, more problems with a faltering Win10 1607 cumulative update, odd multiple reboots, and confusion over the .Net patches.
That’s just what we’ve seen in the first 48 hours. Heaven only knows what other evil lurks.
One overarching problem — the disappearance of old-fashioned Security Bulletins, replaced by endless lists in the Security Update Guide database — has made a tangled mess of everything. Gregg Keizer at Computerworld posted an insightful analysis yesterday in which he quotes one experienced admin as saying that coping with the change “was like trying to relearn how to walk, run, and ride a bike, all at the same time.”
The SANS Internet Storm Center, my go-to source for patch insight, has thrown up its hands, listing all 210 “critical” updates in one massive blob. In addition to the 210 “critical” there’s another 434 that aren’t so critical, coming to a grand total of 644 patches this month.
One more patch, the manual-download-only Word 2016 hotfix KB 3085439 with various formatting fixes, arrived on Wednesday, a day late and a dollar short. Microsoft doesn’t specifically say so, but it looks like this patch fixes the errors introduced by last month’s MS17-014 Word 2016 security update. That makes 645 patches, but the day is yet young.
Tracking all these patches
The most digestible list of April patches that I’ve seen comes from Martin Brinkmann at ghacks.net, whose list pulls from the inscrutable database. Brinkmann also provides a free downloadable Excel file that lists all of the patches in a form you may find more usable. Symantec has a list that’s been aggregated by CVE number, claiming that MS has released fixes for 44 vulnerabilities, 13 of which are critical. Others disagree on the count.
Here’s the tip of the buggy iceberg: The four Win7 and 8.1 patches all “accidentally” identify certain AMD Carrizo-based computers as being 7th generation, and thus subject to Microsoft’s summary blocking of Windows Update. The bad patches are KB 4015549 (Win7 Monthly Rollup), KB 4015546 (Win7 Security-Only patch), KB 4015550 (Win8.1 Monthly Rollup), and KB 4015547 (Win8.1 Security-Only patch).
Microsoft hasn’t provided us with a list of processors that are subject to the summary Windows Update lockout, nor has it provided a tool to see if a specific machine will get locked out after installing one of those updates. As such, it’s hard to recommend that people install any of those updates on machines made in the past two years.
We do have bit of good news, though. AskWoody Lounger MrBrian has been poking around the lockout and made several significant discoveries. To recap:
- When the April 2017 Monthly Rollup or Security-only update was installed, you can’t install Windows updates either through Windows Update or .msu files.
- After the April 2017 Monthly Rollup or Security-only update was uninstalled, Windows updates can be installed through either Windows Update or .msu files.
- To manually install updates on Windows Update-blocked computers, uninstall all the blocking updates, then install the updates you need (such as Office or .Net updates), then cap it off with the latest Monthly Rollup.
There’s a step-by-step workaround attributed to Lounger radosuaf that appears to unlock blocked computers. If you’ve been hit by the Unsupported hardware notice below, try radosuaf’s approach first.
MBSA (Microsoft Baseline Security Advisor) uses the Windows Update engine, so if your machine was knocked out because it’s too new, MBSA will fail as well, per MVP abbodi86. I have an additional report from Lounger pmacS33 that KB 4015546 (the Win7 Security-only patch) may break MSBA.
The latest MSRT (Malicious Software Removal Tool) is having a bad month, too. Günter Born, posting on his Born’s Tech and Windows World blog, lists several problems with this month’s MSRT, including access violations during install error 0xc0000005, blocking other updates, and collisions with other AV software.
Admins are upset because the Windows Update Servers fail to synchronize with Microsoft’s servers. There’s a fix, but it has deleterious side effects. With many admins now seeing Windows 7 machines reboot multiple times after the current crop of fixes, it may be time to take off early for the weekend.
There’s a report that both the March and April Monthly Rollups appear at the same time on at least one machine — a logical paradox in the making. There’s also a great deal of confusion over the latest .Net updates, with Security-only and Monthly Rollups (confusingly called a “Security and Quality Rollup”) both distributed through Windows Update and both available through the Microsoft Update Catalog.
There are certainly other problems that haven’t yet floated to the top. They will.
Those of you running Vista can breathe a sigh of relief. This is the last time you’ll have to slog through a Patch Tuesday mess. Vista’s no longer getting any security patches as of this month’s bunch — although presumably patches of the patches may be pushed.
At this point I’m recommending that people avoid installing any of this month’s patches until the situation clears up a bit.
There’s one exception, though. The Word zero-day vulnerability that I talked about over the weekend is being actively used to infect machines. Lots and lots of machines, according to Dan Goodin at Ars Technica. If you’re concerned about that zero-day — and you should be, if you open documents attached to email messages — you should apply one or all of these patches, depending on which version of Office you use:
There’s a more detailed explanation of the vulnerability CVE-2017-0199 here, involving patches for both Windows and Office. Thanks to MrBrian.
Even if you do install those patches, be aware that there are two additional acknowledged zero-days currently exploited in the wild. As Goodin says in his article Critical Word 0-day is only 1 of 3 Microsoft bugs under attack, we aren’t out of the zero-day woods just yet.
Bitten yet? Join the discussion on the AskWoody Lounge.