When Microsoft released its gang of patches last Thursday, one patch was remarkably absent: We didn’t get a preview of next month’s Windows 7 Monthly Rollup. Windows 8.1, Server 2012 and Server 2012R2 all got previews, but not Win7 (or Server 2008R2).
I hypothesized at the time that Microsoft didn’t release a new Win7 April Monthly Rollup preview because they were still trying to fix the bugs they introduced in this month’s Monthly Rollup for Windows 7 and Server 2008 R2, KB 4088875, and the download-and-manually-install Security-only patch for March, KB 4088878.
Microsoft now acknowledges all of these bugs in March’s Win7 Patch Tuesday release:
- After you install this update, SMB servers may leak memory.
- A Stop error occurs if this update is applied to a 32-Bit (x86) machine with the Physical Address Extension (PAE) mode disabled.
- A Stop error occurs on computers that don't support Streaming Single Instructions Multiple Data (SIMD) Extensions 2 (SSE2).
- A new Ethernet virtual Network Interface Card (vNIC) that has default settings may replace the previously existing vNIC, causing network issues after you apply this update. Any custom settings on the previous vNIC persist in the registry but are unused.
- IP address settings are lost after you apply this update.
All of those bugs were new in the March Monthly Rollup, except the memory leak, which first appeared in January. We’re getting nowhere fast.
As usual, the Preview Monthly Rollup contains only non-security patches that are expected to be re-released in next month’s Monthly Rollup. (Of course, I never recommend that you install Previews.)
With the new, delayed preview of April’s Win7 Monthly Rollup, you might expect that at least some of those bugs would be fixed. Not so. They’re all still around, per the official write-up.
Microsoft is working on a resolution and will provide an update in an upcoming release.
Sooner or later.
A patch for IE bug
In addition to the Friday night Monthly Rollup preview that doesn’t fix the major bugs, Microsoft rolled out a patch for a bug introduced in IE by its Patch Tuesday patch. Another patch of a botched patch. The article for the original Patch Tuesday patch, KB 4089187, has been modified to state:
After you install this update, security settings in some organizations that are running Windows 7 SP1 or Windows Server 2008 R2 may prevent Internet Explorer 11 from starting because of an invalid SHA1 certificate.
To resolve this issue, use one of the following methods:
Whitelist the SHA1 certificate to allow Internet Explorer 11 to start.
Install Cumulative update for Internet Explorer: March 23, 2018.
If you’re a bit rusty on manually whitelisting an SHA1 certificate, you can run the patch released on Friday night, KB 4089187. Note that this is only for IE 11 running on Windows 7 (and Server 2008R2).
I think of it as Mother Microsoft’s way of telling you that you really shouldn’t be using IE. Excuse my snark.
Poster Cavalary on AskWoody notes:
[It] seems like there are no new fixes in 4096040 (the Friday night patch), and I’d say that if you can start IE with 4089187 (the Patch Tuesday patch) or don’t use it and don’t care whether you can start it, you’re fine without installing 4096040.
Günter Born on Born’s Tech and Windows World says:
The following CVEs have undergone a major revision increment (with KB 4096040):
* CVE-2018-0889 * CVE-2018-0932
* CVE-2018-0891 * CVE-2018-0935
* CVE-2018-0927 * CVE-2018-0942
* CVE-2018-0929
Of course, you’ve been following along here and know that we’re still at MS-DEFCON 2, which means you didn’t install the original buggy patches, anyway. Right?
By the by — for those of you who are manually installing the cumulative updates for Windows 10 1709, 1703, or 1607, there’s now an explicit warning in the associated KB articles:
Important When installing both the SSU (KB4088825) and the LCU updates from the Microsoft Update Catalog, install the SSU before installing the LCU.
Which is an obtuse way of saying that if you’re going to install the Cumulative Update manually, you better get the Servicing Stack Update installed first.
MrBrian speculates that the root problem addressed in the Servicing Stack Update is the race condition on installation that Susan Bradley talked about last week.
The Servicing Stack updates for 1703 and 1607 were part of last Thursday’s blast. The Servicing Stack update for 1709, KB 4090914, was released on March 5, and the KB article was updated on March 23 — but I don’t see any record of the patch itself being re-issued.
It seems that your Patch scorecard now needs its own scorecard.
Thx, @MrBrian, @Cavalary
Join us for patch noodling — Tuesday, Thursday, Friday or otherwise — on the AskWoody Lounge.