A week ago, Microsoft released six patches that brought many machines to their knees. As I explained last Friday, when the dust cleared, it was apparent that all six of these April patches:
- Win7 and Server 2008 R2 Monthly Rollup (KB 4493472) and Security-only (KB 4493448) patches
- Win8.1 and Server 2012 R2 Monthly Rollup (KB 4493446) and Security-only (KB 4493467) patches
- Server 2012 Monthly Rollup (KB 4493451) and Security-only (KB 4493450) patches
would trigger blue screens on reboot on most systems running Sophos antivirus products, and many systems running AV products from Avast and Avira.
We now have updates from two of the three AV companies:
- Sophos has a lengthy explanation of how to recover from the crash. In addition, they’ve pushed an update that will “prevent the issue occurring on any computers where the Windows update is installed but the computer has not been rebooted. … Sophos will automatically remove the exclusions at a later date. This article will be updated to advise when this takes place.”
- Avast also talks about the problem and its solution. “Avast is currently releasing micro-updates to fix this issue via emergency updater” and, when the micro-update is installed, “Your machine should now operate normally.”
Microsoft says that it’s still blocking the six bad actors from installing on computers with Sophos Endpoint installed. There’s no similar advice for Avast.
Oddly, the advisory page for Avira now comes up with a “page not found.” Yet Microsoft continues to contend, “Microsoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing this update.”
You may recall that Avira, alone among the three, also claimed that installing this month’s first cumulative update for Win10 version 1809, KB 4493509, slowed machines down to the point they’re unusable. No official word on that claim at this point.
Speaking of slowdowns, a small Polish AV company called ArcaBit has seen the error of its ways. Microsoft has modified its KB articles for the Win7 and 8.1 Monthly Rollups, and for the Win10 1809 first April cumulative update to say:
“Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing this update. ArcaBit has released an update to address this issue.”
The linked ArcaBit article, however, has been pulled. Oddly (there’s that word again), there’s no analogous warning for the Win7 or 8.1 Security-only patches, or for the Server patches.
Where does that leave us, a week later?
- The AV manufacturers are swallowing the bullet on this one. Microsoft hasn’t changed its patches one iota.
- There’s no consensus on what’s causing the widely reported slowdowns observed on patched Win10 machines.
- Microsoft’s reputation for clobbering machines with bad patches — so bad it couldn’t possibly get any worse — just got worse.
I’m still astounded by the indifference. Any way you slice it, whoever made the decision to release this month’s six Win7, 8.1, and Server patches either:
- Didn’t know that they would clobber millions of machines, or
- Didn’t care
I have a hard time deciding which is worse.
I continue to recommend that you hold off on the April patches.
We’re following the situation intently on AskWoody.