Patching meltdown: Windows fixes, sloppy .NET, warnings about Word and Outlook

If you thought this month’s Windows/Office/.NET patching debacle couldn’t get any worse, hold my beer.

Patch meltdown: Windows fixes, sloppy .NET, Word and Outlook warnings
Thinkstock

On the heels of the Jan. 17 release of 14 Windows and .NET patches, we now have a huge crop of new patches, revised older patches, warnings about bugs, and a bewildered ecosystem of Microsoft customers who can’t figure out what in the blue blazes is going on.

Let’s step through the, uh, offerings on Jan. 18.

Windows 10 patches

Win10 Fall Creators Update version 1709 — Cumulative update KB 4073291 brings the Meltdown/Spectre patches to 32-bit machines. What, you thought 32-bit machines already had Meltdown/Spectre patches? Silly mortal. Microsoft’s Security Advisory ADV180002 has the dirty details in the fine print, point 7:

Q: I have an x86 architecture and the PowerShell Verification output indicates that I am not fully protected from these speculative execution side-channel vulnerabilities. Will Microsoft provide complete protections in the future?

A: Addressing a hardware vulnerability with a software update presents significant challenges and mitigations for older operating systems that require extensive architectural changes. The existing 32 bit update packages listed in this advisory fully address CVE-2017-5753 and CVE-2017-5715, but do not provide protections for CVE-2017-5754 at this time. Microsoft is continuing to work with affected chip manufacturers and investigate the best way to provide mitigations for x86 customers, which may be provided in a future update.

It appears as if this is the first 32-bit version of Windows that has a patch for the Meltdown vulnerability. Surprise.

Like most of the patches I talked about yesterday, this one is available only through the Update Catalog — it won’t be pushed onto your machine.

Win10 Fall (“November”) Update version 1511 (Enterprise/Education only) — The cumulative update KB 4075200 continues in the illustrious tradition of the 1703 and 1607 updates I discussed yesterday. It’s the second cumulative update for 1511 so far this month. This patch “addresses [an] issue where some customers with AMD devices get into an unbootable state.” Like all of the Meltdown/Spectre patches, you need to use antivirus software that sets the correct registry key before KB 4075200 will install. KB 4075200 isn’t being pushed out Windows Update; it’s available only by manually downloading it from the Update Catalog.

Win10 RTM (“Initial version”) version 1507 (Enterprise LTSC) — Cumulative update KB 4075199. Same story as 1511 above.

Win8.1 — Microsoft officially acknowledged what we’ve suspected — that it released two versions of its Win8.1 Security-only update, KB 4056898: one on Jan. 3 and the other on Jan. 5. Except the warning's buried in Security Advisory ADV180002:

On January 5, 2018, Microsoft re-released KB4056898 (Security Only) for Windows 8.1 and Windows Server 2012 R2 to address a known issue. Customers who have installed the original package on 1/3/2018 should reinstall the update.

I warned you about the switcheroo back on Jan. 10. Now we have official acknowledgment, but still no description of the “known issue.” The KB article still doesn’t acknowledge, or describe, the swicheroo.

Some Windows Meltdown/Spectre patches on AMD resume

According to Catalin Cimpanu at Bleepingcomputer, Microsoft has started pushing five of the patches that it pulled because they bricked AMD machines. Details are sketchy at this point, but Cimpanu says Microsoft has started pushing all of these patches onto AMD machines:

But, per Cimpanu, these patches are still being withheld from AMD machines:

As best I can tell, there have been no changes made to any of the five patches that are now going out to AMD machines. It’s not at all clear — and Microsoft certainly hasn’t said anything — why these patches are going out now, and how they fixed the manifest problems with the earlier version.

Of course, we haven’t received any answer to last week’s question: Microsoft reinstates Meltdown/Spectre patches for some AMD processors — but which ones?

Trust us. We’re from Microsoft, and we’re here to help.

Semantec Endpoint Protection conflict

I found out more about the "Unbootable state for AMD devices" patches that I discussed yesterday. We still don’t have any official answers to the chicken-and-egg nature of a patch specifically issued for machines that have already been bricked by an earlier patch. It still isn’t clear if, after unbricking your machine and installing the new patch, you need to re-install the old patch.

But one bit of enlightenment appeared yesterday on, not any Microsoft site, but on the Symantec Endpoint Protection site. Of course. It seems Symantec Endpoint Protection has been suffering from a tray icon bug brought on by Microsoft’s Jan. 3 patches. Symantec issued a hotfix to clear the problem, but that’s been pulled… because Microsoft fixed the bug.

According to Symantec, the tray icon bug — introduced by Microsoft on Jan. 3 — has been fixed in:

  • Win10 1709 — KB 4073290 — the “Unbootable state for AMD devices” patch
  • Win10 1703 — KB4057144 — the second Cumulative Update this month
  • Win10 1607/Server 2016 — KB4057142 — the second Cumulative Update this month
  • Win8.1/Server 2012 R2 – KB4057401 — the preview for next month’s Monthly Rollup
  • Server 2012 — KB 4057402 — the preview for next month’s Monthly Rollup

More .NET funnies

But the barely documented fun 'n games don’t end there.

Yesterday, Microsoft changed its documentation for these .NET patches:

The files ndp47-kb4074880-x64[…].exe and ndp47-kb4074880-x86[…].exe currently in the catalog for KB4055532 (January 2018 .NET Framework monthly rollup for Windows 7) have a digital signature of January 11, 2018, which is newer than the original release date. Also, despite the fact that I installed the January 2018 .NET Framework monthly rollup for Windows 7 on Monday (I have .NET Framework 4.7), it is being offered again in Windows Update (it’s ticked).

  • Win7 .NET 4.6, 4.6.1, 4.6.2, 4.7 and 4.7.1 — KB 4074880 now says it replaces KB 4055002 to take care of the font problems in the earlier rollup. But note that if you install KB 4074880 to fix 4.7.1, you still need to install the earlier update, KB 4054856.
  • Server 2008 SP2 .NET 4.6 — KB 4055002 now says it applies only to Server 2008 SP2.

Deep in the Revisions list of CVE-2018-0764, there’s an explanation:

To address a regression issue after installing security update 4055002, Microsoft has released security update 4074880 for Microsoft .NET 4.6/4.6.1/4.6.2/4.7/4.7.1 installed on supported editions of Windows 7 and Windows Server 2008 R2. Customers who have already installed KB4055002 should install KB4074880 to be protected from this vulnerability.

If you’re keeping a January patch scorecard, it’s official. Your collection of scorecards now need an index.

The steaming pile deepens

This month’s patches aren’t all about Meltdown and Spectre. Even our good old friend Word has joined the now well-worn “oops we did it again” chorus line. Remember earlier this month when Microsoft fixed the Office Online Server security hole CVE-2018-0792? Yeah, me neither, but on Jan. 9, Microsoft rolled out patch KB 4011021.

Except, well, it didn’t install on some machines. No explanation why. Instead, we get this posted nine days later:

To address a known issue with installing security update 4011021, Microsoft is announcing the availability of security update 4011022 as a replacement. Customers who experienced problems installing 4011021 should install 4011022.

And just to put icing on your buggy patching cake, there’s a reported bug in the KB 4011626 update for Outlook 2016. Microsoft has acknowledged at least part of the problem:

After you install this security update, attachments are removed when you forward plain text emails. To work around this issue, save the attachments locally, reattach, and then send the email.  

But of course there’s no fix. I see continuing discussions on the Microsoft TechNet forum and on Reddit.

Advice

With (hundreds of?) thousands of PCs bricked by bad patches this month and (hundreds of?) millions of Windows customers bewildered by the avalanche of patches — we’ve seen bucketloads of patches on Jan. 3, 4, 8, 9, 11, 12, 17 and now Jan. 18 — you have to wonder when it will all straighten out. Best I can tell you is to turn off Automatic Update, and wait for some semblance of sanity to return.

Thanks to GW, @MrBrian, @abbodi86, @PKCano and many others.

Join us on the AskWoody Lounge.

Download the 2018 Best Places to Work in IT special report
  
Shop Tech Products at Amazon