Microsoft fixes Windows 7 'Group B' security-only patching method

Great news: TechNet blog eschews fixing Win7/8.1 security-only bugs with monthly rollup patches


In what may be the most important news for ongoing Windows 7 customers since the patchocalypse, Microsoft field engineer Scott Breen has both analyzed the key problem with "Group B" security-only patching in Windows 7, and has promised a solution.

Don't be put off by the title -- "Update to Supersedence Behaviour for Security Only and Security Monthly Quality Rollup Updates." The underlying message is crucial for Win7 and 8.1 users who aren't connected to a corporate update manager.

The crux of the matter lies in the way Win7 (and 8.1) users update their machines, starting last October. I divide the patching universe into two hemispheres:

  • Group A is willing to take all of Microsoft's new telemetry systems, along with potentially useful nonsecurity updates. It installs the Monthly rollup (in Microsoft parlance the "Security Monthly Quality Rollup" patch).
  • Group B doesn't want any more snooping than absolutely necessary and doesn't care about improvements like daylight saving time zone changes. But it does want to keep applying security patches. It installs Security-only patches (Microsoft-speak "Security Only Quality Update").

The key problem arises when Microsoft introduces a bug in a Security-only patch and then fixes that bug in a Monthly Rollup patch. By forcing Security-only updaters to install a non-security rollup, Microsoft effectively bars customers from only installing security patches.

[Image: supersedence]

Breen illustrates the problem with this graphic. A bug in an October Security-only patch was fixed in a November monthly rollup. (I believe he's referring to the MS16-087 print spooler bug.)

Says Breen:

This resulted in customers using WSUS or Configuration Manager 2007 being unable to deploy security only updates using the built in software update mechanisms without additional workarounds.

It also threw the Win7 (and 8.1, Server 2008 R2, Server 2012, and Server 2012 R2) patching community into a black hole. Although few people realized it, the integrity of the security-only patching method was at stake. Many knowledgeable Win7 patchers simply threw in the towel: If Microsoft was going to force them to install the non-security (read: telemetry) patches, they didn't want any of it. They didn't sign up for Windows 7 snooping, so they stopped patching entirely.

[Image: supersedence december]

I'm very happy to report that Microsoft has acknowledged the error of its ways. Starting this month, Breen says, bugs in Monthly Rollup patches will be fixed in Monthly Rollup patches, and bugs in Security-only patches will be fixed by changing the metadata in those patches.

Those of you who deal with WSUS or SCCM can read his article and see how that key change will ripple into the WSUS listing. For those of you who just worry about patching Windows 7 (or 8.1, Server, etc.), you can stick to your guns. If there's a bug in a Security-only patch, it'll get fixed in a Security-only patch -- possibly the same Security-only patch will be re-issued, perhaps a subsequent patch will just roll over the bad one.
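To make the supersedence problem concrete, here is an added toy model (not code from the article or from Microsoft) of how a WSUS-style deployment filter resolves a catalog. Update ids, issue names and the two catalogs are constructed placeholders, not real KB numbers; the "December" catalog is an assumption built from the article's description that a later Security-only patch rolls over the buggy one and that the rollup no longer supersedes it. The rule that a superseded update is dropped catalog-wide, regardless of which kind the admin approves, is the simplification that reproduces the "Group B" black hole.

```python
"""Toy model of catalog supersedence for Security-only (Group B) vs Monthly
Rollup (Group A) deployment. All ids and issues are constructed placeholders."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Update:
    uid: str
    kind: str                               # "security-only" or "rollup"
    fixes: frozenset = frozenset()          # issues this update's payload resolves
    supersedes: frozenset = frozenset()     # uids this update replaces in the catalog


GROUP_A = frozenset({"rollup"})            # takes the Security Monthly Quality Rollup
GROUP_B = frozenset({"security-only"})     # takes Security Only Quality Updates only

# November catalog, old behaviour: the rollup carries the fix for the regression
# REG_OCT introduced by SO_OCT, and its metadata supersedes SO_OCT.
OLD_CATALOG = {
    "SO_OCT": Update("SO_OCT", "security-only", frozenset({"SEC_OCT"})),
    "SO_NOV": Update("SO_NOV", "security-only", frozenset({"SEC_NOV"})),
    "R_NOV": Update("R_NOV", "rollup",
                    frozenset({"SEC_OCT", "SEC_NOV", "REG_OCT"}),
                    frozenset({"SO_OCT"})),
}

# December catalog, assumed new behaviour: the rollup no longer supersedes the
# Security-only update, and a later Security-only update (SO_DEC) rolls over
# the buggy SO_OCT and carries the regression fix.
NEW_CATALOG = {
    "SO_OCT": Update("SO_OCT", "security-only", frozenset({"SEC_OCT"})),
    "SO_NOV": Update("SO_NOV", "security-only", frozenset({"SEC_NOV"})),
    "R_NOV": Update("R_NOV", "rollup",
                    frozenset({"SEC_OCT", "SEC_NOV", "REG_OCT"})),
    "SO_DEC": Update("SO_DEC", "security-only",
                     frozenset({"SEC_DEC", "REG_OCT"}), frozenset({"SO_OCT"})),
    "R_DEC": Update("R_DEC", "rollup",
                    frozenset({"SEC_OCT", "SEC_NOV", "SEC_DEC", "REG_OCT"}),
                    frozenset({"R_NOV"})),
}


def superseded_ids(catalog):
    """Every uid that some entry in the catalog declares superseded."""
    return frozenset(uid for u in catalog.values() for uid in u.supersedes)


def payload(catalog, uid, _seen=None):
    """Issues resolved by an update, including everything it transitively supersedes."""
    seen = set() if _seen is None else _seen
    if uid in seen:
        return frozenset()
    seen.add(uid)
    u = catalog[uid]
    fixed = set(u.fixes)
    for s in u.supersedes:
        fixed |= payload(catalog, s, seen)
    return frozenset(fixed)


def deployable(catalog, allowed_kinds):
    """Updates a deployment filter offers: allowed kind AND not superseded by any
    catalog entry. Supersedence is marked catalog-wide, so a rollup superseding a
    Security-only update hides it even from admins who only approve Security-only."""
    gone = superseded_ids(catalog)
    return sorted(uid for uid, u in catalog.items()
                  if u.kind in allowed_kinds and uid not in gone)


def resolved_issues(catalog, allowed_kinds):
    fixed = set()
    for uid in deployable(catalog, allowed_kinds):
        fixed |= payload(catalog, uid)
    return frozenset(fixed)


def exposed(catalog, allowed_kinds):
    """Issues known to the catalog that this group cannot get fixed through the filter."""
    known = frozenset(i for u in catalog.values() for i in u.fixes)
    return known - resolved_issues(catalog, allowed_kinds)


if __name__ == "__main__":
    for name, catalog in (("November (old)", OLD_CATALOG), ("December (new)", NEW_CATALOG)):
        for group, kinds in (("Group A", GROUP_A), ("Group B", GROUP_B)):
            print(f"{name:15} {group}: offered={deployable(catalog, kinds)} "
                  f"exposed={sorted(exposed(catalog, kinds))}")
```

Run as a script, the old catalog leaves Group B with only SO_NOV offered and both SEC_OCT and REG_OCT unresolved, which is the "stop patching entirely" hole the article describes; in the assumed December catalog both groups end with nothing exposed. A real WSUS/SCCM check is the same idea applied to the console's "Superseded" column: if an approved Security-only update shows as superseded only by a rollup, Group B clients have no supported path to its fix.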

It's a great day for Windows 7 and 8.1 customers.

Copyright © 2016 IDG Communications, Inc.
