Microsoft Patch Alert: Mainstream August patches look remarkably good, but watch out for the bad boys
After a round of perilously poor patches in July, this month’s been relatively benign. If you’re worried about Meltdown and Spectre, the Microsoft way may be the worst option, as Intel warns you to keep quiet about performance hits.
So far this month we’ve only seen one cumulative update for each version of Windows 10, and one set of updates (Security only, Monthly Rollup) for Win7 and 8.1. With a few notable exceptions, those patches are going in rather nicely. What a difference a month makes.
We’ve also seen a massive influx of microcode updates for the latest versions of Windows 10, running on Intel processors. Those patches, released on Aug. 20 and 21, have tied many admins up in knots, with conflicting descriptions and iffy rollout sequences.
- almost a week. It’s since been replaced by KB 4458621, which appears to solve the problem.
- The Visual Studio 2015 Update 3 patch, KB 4456688, has gone through two versions — released Aug. 14, pulled, then re-released Aug. 18 — and the re-released version still has problems. There’s a hotfix available from the KB article, but you’d be well advised to avoid it.
- Outlook guru Diane Poremsky notes on Slipstick that the version of Outlook in the July Office 365 Click-to-Run won’t allow you to start Outlook if it’s already running. “Only one version of Outlook can run at a time” — even if the “other version” is, in fact, the same version.
- The bug in the Win10 1803 upgrade that resets TLS 1.2 settings persists, but there’s an out-of-the-blue patch KB 4458116 that fixes the problem for Intuit QuickBooks Desktop.
- The Win10 1803 cumulative update has an acknowledged bug in the way the Edge browser interacts with Application Guard. Since about two of you folks use that combination, I don’t consider it a big deal. The solution, should you encounter the bug, is to uninstall the August cumulative update, manually install the July cumulative update, and then re-install the August cumulative update — thus adding a new dimension to the term “cumulative.”
- The Win7 Monthly Rollup has an old acknowledged bug about “missing file (oem<number>.inf).” Although Microsoft hasn’t bothered to give us any details, it looks like that’s mostly a problem with VMware.
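An added example, not code from the column or from Microsoft, for the two items above that an admin can actually verify on a machine: whether the KBs the column names are installed, and whether the TLS 1.2 settings that the 1803 upgrade is reported to reset are still intact. It assumes Windows 10 and an elevated session; the KB list holds only the two numbers named above, and the registry locations are the standard SCHANNEL, WinINet and .NET Framework keys.

```powershell
# Added example (not from the column): check the KBs named above and the TLS 1.2 settings
# the 1803 upgrade is reported to reset.
# Assumptions: Windows 10, elevated session; KB numbers are the ones the column names.

$kbsToCheck = @('KB4458116', 'KB4458621')   # from the column; extend for your own estate

# 1. Installed hotfix check (Get-HotFix reads the same data Control Panel's update history shows)
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
foreach ($kb in $kbsToCheck) {
    $state = if ($installed -contains $kb) { 'installed' } else { 'MISSING' }
    '{0,-12} {1}' -f $kb, $state
}

# 2. SCHANNEL protocol keys. No key means the OS default (TLS 1.2 enabled on Win10);
#    an explicit Enabled=0 or DisabledByDefault=1 is what breaks TLS-1.2-only services.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
foreach ($side in 'Client', 'Server') {
    $path = Join-Path $schannel $side
    if (-not (Test-Path $path)) { "TLS 1.2 $side : no explicit key, OS default applies"; continue }
    $p = Get-ItemProperty -Path $path
    "TLS 1.2 $side : Enabled=$($p.Enabled) DisabledByDefault=$($p.DisabledByDefault)"
    if ($p.Enabled -eq 0 -or $p.DisabledByDefault -eq 1) {
        Write-Warning "TLS 1.2 $side is turned off in SCHANNEL"
    }
}

# 3. WinINet "Use TLS 1.2" checkbox (Internet Options > Advanced). SecureProtocols is a bitmask:
#    0x80 = TLS 1.0, 0x200 = TLS 1.1, 0x800 = TLS 1.2. HKCU is the user setting, HKLM the policy/default.
foreach ($hive in 'HKCU', 'HKLM') {
    $ieKey = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"
    $sp = (Get-ItemProperty -Path $ieKey -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
    if ($null -eq $sp) { "$hive WinINet SecureProtocols : not set"; continue }
    $tls12 = ($sp -band 0x800) -ne 0
    '{0} WinINet SecureProtocols=0x{1:X} TLS1.2={2}' -f $hive, $sp, $tls12
    if (-not $tls12) { Write-Warning "$hive : Internet Options has TLS 1.2 unchecked" }
}

# 4. .NET Framework flags that make older applications follow the OS protocol list
foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    $v = Get-ItemProperty -Path $net -ErrorAction SilentlyContinue
    '{0} SchUseStrongCrypto={1} SystemDefaultTlsVersions={2}' -f $net, $v.SchUseStrongCrypto, $v.SystemDefaultTlsVersions
}
```

Run it once before the feature upgrade and once after; a line that flips from "no explicit key" to "Enabled=0", or a WinINet mask that loses the 0x800 bit, is the symptom the QuickBooks fix addresses, and it is worth catching on any TLS-1.2-only line-of-business app, not just Intuit's.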
The rest of the slate looks remarkably clean. Haven’t seen that in a long while.
Second Win10 cumulative updates
If August follows the precedent set this year, we’ll probably see another set of Win10 cumulative updates next Tuesday, “dee” Tuesday, Aug. 28. At the same time we’ll likely see sets of Monthly Rollup Previews for Win7 and 8.1. Of course, you should ignore them.
More firmware updates
In the past couple of months, Microsoft has released massive firmware/driver updates for almost all of the latest Surface devices.
At this point, I’m still seeing problems with the July 26 set of fixes for the Surface Pro 4, which have been blamed for touchscreens that don’t touch, pens that don’t pen, batteries that go out to lunch, and all sorts of boorish behavior. Of course, there have been no solutions.
More Intel microcode fixes
Microsoft released oodles and gobs (that’s a technical term) of microcode fixes for Win10 1803 and 1709, passing along Intel’s fixes for the Meltdown and Spectre V1, 2, 3, and 4 security holes. People have been pulling their hair out by the roots. Susan Bradley has a great bird’s-eye view:
Unless you are a nation state, have a key asset in a cloud server, or are running for a government office, I think we are spending way way more time worrying about this than we should. I still think that attackers will nail me with malware, attack me with phishing, ransomware, etc., etc., way more than someone will use these side channel attacks to gain information from me. Remember that the attacker has to get on your system first and I still think they will use the umpteen other ways to attack me easier than this attack. Also keep in mind that we won’t really have a full fix for this issue for several years. Intel and AMD will need to redesign the chips to ultimately get fixed.
If you’re concerned about such things, do yourself a favor and go to Intel (probably via your PC’s manufacturer) and install the specific patches that you need. And remember that they won’t completely solve the problem.
If you insist on using the Microsoft approach to microcode, abandon all hope, and follow Bradley’s advice here. No matter which approach you take, make sure that you don’t publish any before-and-after performance data, which Intel has unilaterally declared verboten. See Bruce Perens’s article Intel Publishes Microcode Security Patches, No Benchmarking Or Comparison Allowed!
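Whichever route you take to the microcode, the thing worth recording is the mitigation posture, not the benchmark numbers. The script below is an added example (not from the column, Microsoft or Intel): it snapshots the Meltdown/Spectre mitigation state of a Windows 10 machine, including the loaded microcode revision and the cumulative-update level, and diffs it against the previous snapshot so you can see what an update actually changed. It assumes an elevated session and Microsoft’s SpeculationControl module from the PowerShell Gallery (Install-Module SpeculationControl); the snapshot folder and the -Quiet switch on Get-SpeculationControlSettings (present in current module versions) are assumptions.

```powershell
# Added example, not from the column or from Microsoft/Intel: record speculative-execution
# mitigation state and diff it against the last recording.
# Assumptions: elevated session; SpeculationControl module installed; snapshot folder below.
param([string]$SnapshotDir = "$env:ProgramData\PatchAudit")
New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null

function Get-MicrocodeInfo {
    # The registry mirrors the loaded microcode revision as raw bytes; keep them as hex
    # rather than guessing the layout.
    $cpu0 = Get-ItemProperty -Path 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'
    $hex = { param($b) if ($b) { ($b | ForEach-Object { $_.ToString('X2') }) -join '' } else { 'n/a' } }
    [ordered]@{
        Processor        = $cpu0.ProcessorNameString
        Identifier       = $cpu0.Identifier
        UpdateRevision   = & $hex $cpu0.'Update Revision'
        PreviousRevision = & $hex $cpu0.'Previous Update Revision'
    }
}

function Get-MitigationSnapshot {
    Import-Module SpeculationControl -ErrorAction Stop
    $sc = Get-SpeculationControlSettings -Quiet      # -Quiet assumed: suppresses the console report
    $nt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $mm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $snap = [ordered]@{
        Timestamp                   = (Get-Date).ToString('o')
        ReleaseId                   = $nt.ReleaseId                        # e.g. 1709 / 1803
        Build                       = "$($nt.CurrentBuild).$($nt.UBR)"     # UBR = cumulative update level
        FeatureSettingsOverride     = $mm.FeatureSettingsOverride          # admin overrides, if any
        FeatureSettingsOverrideMask = $mm.FeatureSettingsOverrideMask
    }
    foreach ($e in (Get-MicrocodeInfo).GetEnumerator()) { $snap[$e.Key] = $e.Value }
    foreach ($p in $sc.PSObject.Properties) { $snap[$p.Name] = $p.Value }   # BTI*, KVAShadow*, SSBD* flags
    return $snap
}

# Find the previous snapshot before writing the new one
$previous = Get-ChildItem -Path $SnapshotDir -Filter 'mitigations-*.json' |
            Sort-Object LastWriteTime | Select-Object -Last 1
$current  = Get-MitigationSnapshot
$file     = Join-Path $SnapshotDir ('mitigations-{0}.json' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
$current | ConvertTo-Json -Depth 3 | Set-Content -Path $file -Encoding UTF8

if (-not $previous) { "Baseline written to $file"; return }
$old = Get-Content -Path $previous.FullName -Raw | ConvertFrom-Json
"Changes since $($previous.Name):"
foreach ($key in $current.Keys) {
    if ($key -eq 'Timestamp') { continue }
    $before = $old.$key
    $after  = $current[$key]
    if ("$before" -ne "$after") { '{0,-34} {1} -> {2}' -f $key, $before, $after }
}
```

Run it before and after the microcode or cumulative update. A useful result shows UpdateRevision moving and the relevant hardware-support flag (for example the SSBD or BTI hardware-present value) going from False to True; an update that changes the build number but none of the mitigation flags is the "iffy rollout" case the column describes, and is worth checking against Intel’s own list for that CPU before assuming the box is covered.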
The bottom line
After all the problems last month, it’s a relief to have only a handful of glaring problems this month. I suggest you wait another day or two before installing the August patches.
The only significant breach of a recently patched security hole that I’ve found involves North Korea, Internet Explorer 11, VBScript, and China. That’s probably not a combination that’ll keep you up at night — and there’s little reason to rush into installing the August patches unless you’re in a Chinese organization that’s run afoul of the North Korean government.
I continue to recommend that you keep 1803 off your Win10 machines. No reason to go there until you’re forced. Susan Bradley’s Master PatchList has details for individual patches.