Over the weekend Microsoft unleashed a flurry of Windows updates to fix the 'gov.uk' bug

This month’s Patch Tuesday brought howls of pain to many Internet Explorer and Edge users who tried to get to certain websites that end with gov.uk. On Saturday and Sunday, Microsoft released new patches for all versions of Windows, seemingly fixing the problem. Who tests this stuff (™)?

patch on top of Windows logo

Last Tuesday Microsoft released patches — Monthly Rollups, Security-only, or Cumulative Updates — for every version of Windows. Every single one of those patches included a bug that changed the way Internet Explorer and Edge handle secure connections for the top-level domain gov.uk.

Here’s how Microsoft describes it:

After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

In practice, many gov.uk sites continued to work — they’re the ones that have HTTPS set up properly. Many smaller U.K. government organizations had a baling-wire-and-chewing-gum approach to site security that had always worked before, but suddenly turned belly up.  As @magic puts it on AskWoody:

“gov.uk” is the main site for the UK government. It’s used for online applications for car tax, passports, driving licenses. That sort of very important stuff which requires a secure connection, and has been HTTPS for years.

Then you get a level down to local government, where there’s 400+ local councils. They have placename.gov.uk domains, which this just broke as we got no warning that HSTS was being enforced. I’m an infrastructure tech for for a local council with 250,000 residents. A bunch of internal systems (that don’t require HTTPS) stopped working after I got the patches to test on Wednesday morning.

For us it prevents access to the publicly accessible democracy data and the planning system among others. Both of these are maintained by external systems providers so it’s not a five minute job to add a certificate. The main website is fine for us, other councils don’t even have HTTPS enabled on those. I got a tweet before from someone advising that reading.gov.uk and doncaster.gov.uk are inaccessible.

Here’s how bad it was: If you patched Win10 1903 (which isn’t out yet), 1809, 1803, 1709, 1703, 1607, 1507, Win 8.1, Win 7, Server 1809, Server 2019, Server 1803, Server 1709, Server 2016, Server 2012 R2, Server 2012, or Server 2008 R2 on Tuesday and you used IE or Edge to access, say, the doncaster.gov.uk site, you hit a browser security error.

Who is testing this stuff? And why didn't it take more than five days to fix?

The Microsoft True Believers singing the praises of Edge-over-Chrome hit a sour note. Their shiny new browser hiccuped. Again. Not because Edge is necessarily bad, but because Microsoft can’t seem to get its patching act together. Again.

Meanwhile, those running Firefox, Chrome or any of a dozen other browsers had no problems at all.

On Saturday, Microsoft released KB 4505050, a “Cumulative update for Internet Explorer: May 18, 2019” that applies to

Internet Explorer 11 on Windows Server 2012 R2; Internet Explorer 11 on Windows Server 2012; Internet Explorer 11 on Windows Server 2008 R2 SP1; Internet Explorer 11 on Windows 8.1 Update; Internet Explorer 11 on Windows 7 SP1; Internet Explorer 11 on Windows Embedded 8 Standard

Its sole purpose is given as

Addresses an issue that may prevent access to some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) when using Internet Explorer 11 or Microsoft Edge.

Imagine how much fun we'll have if Microsoft releases Edge on Windows 7 and people actually use it.

On Sunday afternoon there was a rousing chorus of Win10 Cumulative Updates. Specifically:

  • KB 4505057 for Win10 1903 (which is still in beta testing)
  • KB 4505056 for Win10 1809
  • KB 4505064 for Win10 1803
  • KB 4505062 for Win10 1709
  • KB 4505055 for Win10 1703
  • KB 4505052 for Win10 1607
  • KB 4505051 for Win10 1507

And now, nearly six days later, all of the gov.uk sites appear to be working correctly.

Until next Patch Tuesday, anyway.

Join us for remonstrations on the AskWoody Lounge.

Copyright © 2019 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon