Patch Tuesday fallout: Bad docs, but so far no major problems

In spite of an enormous number of erroneous “known issues” warnings, this month’s crop of Windows and Office patches seems to fix most of the bugs in last month’s patches. It’s still too early to tell for sure, but we may be looking at a decent round of patches.

Patch Tuesday, Windows patches, Office patches, Windows security
Thinkstock/Microsoft

Microsoft may have fixed July’s horrible, no good, very bad patches. Although the initial documentation for this month’s patches included warnings about many of the bugs that persisted from July, it ends up that the docs were wrong, and most of the known problems seem to be fixed.

As of early Reboot Wednesday morning, the patches seem to be behaving themselves. Of course, it frequently takes days or even weeks for bugs to appear, so you’d be well advised to avoid jumping into the unpaid battle zone for now.

The patches by the numbers

On August 2018 Patch Tuesday, the 14th, Microsoft released 60 security patches, 19 of which are categorized as “Critical” and 39 “Important.” Thirteen of the “Critical” exploits are with Internet Explorer and/or Edge (6 “Critical” for IE, 10 for Edge).

SANS Internet Storm Center says two of the holes have active exploits. One of the zero-days is “Important” (which means it isn’t). The other, CVE-2018-8373, affects only Internet Explorer. Says Dr Johannes Ulrich at SANS:

This is yet another scripting engine memory corruption issue. There have been plenty like it, so exploit writers likely have already a game plan how to write yet another exploit for this problem.

Moral of the story: Don’t use Internet Explorer.

Every version of Windows got patched. Every version of .NET. Every version of IE. Every version of Office. You get the picture.

There were three new Security Advisories, including ADV180018, which covers the L1TF “Foreshadow” vulnerability in Intel processors. Foreshadow, as you likely know, follows in the footsteps of Meltdown and Spectre as yet another well-publicized data-leaking insecurity, complete with its own website and downloadable logo. Like Meltdown and Spectre before it, Foreshadow hasn’t been exploited in any meaningful sense of the term.

Bad patch documentation

When Microsoft first released the August Patch Tuesday patches, the Windows and .NET patches, in particular, had warnings about bugs that were introduced in July. The Knowledge Base articles for Win10 1703, 1709, and 1803 all warned about the “COM component fails to load” bug. We discovered that the warning was erroneous, and the KB articles have been changed to remove the warnings.

Similarly, there was a great deal of confusion about the Security Updates Portal continuing to list those bugs. It, too, was changed on Tuesday night to reflect the new reality. The changes were made without notification.

As of this moment, we have four acknowledged bugs in the current patches that fall into two categories:

  • Installing Exchange patches requires admin rights
  • The Win7 patch may trigger an oem<number>.inf report clobbering the network interface controller.

As Susan Bradley explains about the latter, it’s pretty obscure:

In ALL of my Windows 7 testing I have had zero issues and my understanding this network interface problem is limited to VMware (virtual machine) installs.  Thus I don’t anticipate that we will see this on normal machines.

There’s also an open question as to whether the SQL Server vulnerability CVE-2018-8273 applies to SQL Server 2014. Microsoft Security Response has yet to, uh, respond.

Color me cautiously optimistic — a hue I haven’t worn in many a moon. As long as you don’t use IE or Edge, avoid Flash, and keep your brain connected to your clicking finger, you should be OK while we wait to see if there are any nasty surprises.

Join RMS Titanic’s orchestra in the AskWoody Lounge. I'll be playing the bass clarinet.

Related:
How AI will change enterprise mobility
  
Shop Tech Products at Amazon