This month's Patch Tuesday patches mostly fall into the milquetoast vein: Of 16 security bulletins, only five are marked "critical" and only one has a known exploit. Windows 10 cumulative update 13, KB 3163018, brings the latest release version 1511 up to build 10586.240. This is mostly ho-hum stuff. But there are a couple of disconcerting surprises.
Microsoft slipped another handful of nonsecurity fixes into its security patch. This makes the third month in a row that the IE11 security patch got a bundled set of nonsecurity changes. When this happened in March, Microsoft was sneaking a Get Windows 10 ad generator into IE -- the generator was never turned on, as best I can tell.
This month's MS16-063/KB 3160005 "Security update for Internet Explorer: June 14, 2016," contains five fixes that may or may not be installed on your system. From the KB article:
Individual updates may not be installed, depending on your version of Windows and the version of the affected application. See the individual articles to determine your update status.
3140847 Update to improve Enterprise Mode in Internet Explorer 11
3163201 ContentEditable div loses <br> tag when you type after selected line of text in Internet Explorer 11
3168659 File downloading intermittently deletes cache file before it copies to temp file in Internet Explorer 11
3168662 Missing empty line when you paste rich text from WordPad into a contentEditable div in Internet Explorer 11
3168674 Storage event isn't triggered for localStorage updates in an iFrame in Internet Explorer 11
I find it troubling that, once again, we're seeing security holes in IE appearing in Edge. In the past, some folks dismissed that kind of overlap by saying there were vulnerabilities in the support routines that Edge and IE have in common. I can accept that -- but if Edge is going to be squeaky clean, the support routines need to get hosed down, too. The sins of the father should not be visited upon the child.
Leafing through the SANS Internet Storm Center post about this month's vulnerabilities, the IE11 cumulative update MS16-063/KB 3163649 and the Edge cumulative update MS16-068/KB 3163656 share the security hole identified as CVE 2016-3202 on the Common Vulnerability and Exposures list.
Notably, the Edge security bulletin is the only one listed by SANS as having a known exploit.
The security companies with monthly advisories (there must be a dozen of them now) all focus on MS16-071/KB 3164065, the Windows DNS Server fix. It's yet another use-after-free security hole that certainly deserves attention for those running DNS Server, although it hasn't yet been exploited.
As has become the custom, this latest round of security patches triggered a new Windows 10 cumulative update, which bundles together all of the security patches and a dozen nonsecurity patches. Fortunately, the cumulative update is well documented again this month. Windows 10 version 1511 OS Build 10586.420 (I call it Win10.1.13) includes reliability improvements for Cortana, audio in Groove Music, Maps, Miracast, and presumably File Explorer (although Microsoft's docs call it Windows Explorer).
There's already an Answers Forum discussion going for people who can't get the cumulative update, KB 3140768, to install -- it seems that the installer throws an error 0x80070020. That's turned into a regular monthly occurrence as well.
For those of you struggling with the superslow Windows 7 (and Vista) Windows Update scans, there's a new way to speed up the scans. EP, posting on AskWoody.com, says:
The Windows Update search/scan "forever" problem has once again resurfaced for Win7 SP1 as of June 14 (June Patch Tuesday). The KB3153199 Win7 updates are no longer doing the job. And once again a new win32k.sys security update (KB3161664) has been released (MS16-073), which supersedes/replaces KB3153199. Win7 SP1 users should now install KB 3161664 manually, to speed up Windows Update scans.
Microsoft still doesn't care if it takes you two or three hours to check for Windows 7 updates. I guess the company is too busy to help half of its installed user base.
As usual, it's much too early to tell if there are problems with any of the patches. As usual, I recommend that normal users not install them -- and avoid using Internet Explorer or (now) Edge.
If you spot something amiss, please post a comment here or over on AskWoody.com.