Microsoft Patch Alert: Despite weird timing, September’s Windows and Office patches look good

If you look beyond the inexplicable ‘Patch Monday’ dump and some forgettable vorpal blades aimed at the Meltdown/Spectre Jabberwocky, this month’s Windows and Office patches are the best-behaved in months.

This month's Windows and Office security patches: Bugs and solutions
Thinkstock/Microsoft

As we near the end of patching’s “C Week” (which is to say, the week that contains the third Tuesday of the month), there are no show-stopping bugs in the Windows and Office patches and just a few gotchas. As long as you avoid Microsoft’s patches for Intel’s Meltdown/Spectre bugs, you should be in good shape.

Why a Patch Monday?

On Sept. 17, Microsoft released two very-out-of-band cumulative updates for Windows 10:

  • KB 4464218 brings Win10 1803 up to build 17134.286
  • KB 4464217 brings Win10 1709 up to build 16299.666

Both of the cumulative updates fix a bug that was introduced in the July 24 cumulative updates. The bug causes Microsoft’s Intune to stutter because it looks in the wrong place for user profiles. The second cumulative update also fixes an obscure VPN bug.

I have no idea why Microsoft released those patches on a Monday. They certainly could’ve waited until Tuesday – the “C Week” Tuesday traditionally being used to fix bugs introduced on Patch Tuesday. Somebody clearly jumped the gun, and folks who patch for a living aren’t really happy about having their chains jerked.

We never did get a cumulative update for Win10 1703. Maybe it wasn’t affected by the July 24 bug. Maybe it’s just too long in the tooth, with support for 1703 due to expire next month.

We also got a way-out-of-band cumulative update for Windows 7 Internet Explorer, KB 4463376, on a “B Week” Friday afternoon.

Second Win10 cumulative updates

If September follows the precedent set this year, we’ll probably see another set of Win10 cumulative updates during “D Week” – next Tuesday, Sept. 25. At the same time, we’ll likely see sets of Monthly Rollup Previews for Win7 and 8.1. Of course, you should ignore them.

More firmware updates

We’re getting more and more firmware updates for Microsoft Surface devices. In the past month, there’ve been firmware/driver patches for the Surface Pro 3, Surface Pro 4, Surface Pro 2017, Surface Book, and even the Surface Studio. It’s an across-the-board makeover (or massive fix) that hasn’t been extended to the Surface Laptop, Book 2, or Go. Yet.

Meanwhile, I’m still hearing complaints about the Surface Pro 4 update.

More Intel microcode fixes

While there has yet to be any credible Meltdown or Spectre threat (Spectre v 1, 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8, 2, 3, 3a, 4 or 5), Microsoft continues to release microcode updates for Intel processors on machines running Win10 version 1709 and 1803. Sometimes the installers try to install the Intel updates on AMD processors, but what the hay.

I go back to Helen Bradley’s statement last month:

Unless you are a nation state, have a key asset in a cloud server, or are running for a government office, I think we are spending way, way more time worrying about this than we should.  I still think that attackers will nail me with malware, attack me with phishing, ransomware, etc., etc. way more than someone will use these side channel attacks to gain information from me.  Remember that the attacker has to get on your system first and I still think they will use the umpteen other ways to attack me easier than this attack.  Also keep in mind that we won’t really have a full fix for this issue for several years.  Intel and AMD will need to redesign the chips to ultimately get fixed.

If you’re concerned about such things, do yourself a favor and go to Intel (probably via your PC’s manufacturer) and install the specific patches that you need. And remember that they won’t completely solve the problem.

If you insist on using the Microsoft approach to microcode, abandon all hope, and follow Bradley’s advice here.

The bottom line

July patching was an unmitigated disaster. August fared substantially better. Now, although the month isn’t yet over, September seems to be doing well – if you ignore the Patch Monday gaffe and throw up your hands over Meltdown and Spectre.

In spite of several Chicken Little warnings this month, there haven’t been any widespread attacks that warrant rushing out and installing any of the September patches just yet.

Susan Bradley’s Master PatchList looks relatively serene.

There’s something to look forward to. In October we get an “E Week” – there are five Tuesdays in October. It’ll be the first “E Week” since Microsoft adopted the “A Week” “B Week” bafflegab. What wonders await?

Thx to @sb and @PKCano

Patching problems? Join us on the AskWoody Lounge.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 Page 1
Page 1 of 14
IT buyer's guide to business projectors
  
Shop Tech Products at Amazon