Friday night patch dump: KB 4088881, a flawed Win7 Monthly Rollup preview and KB 4089187, an IE fix

UPDATE: See Computerworld Woody on Windows.

Microsoft continues its any-day-of-the-month patching policy with a highly anticipated preview of the April Win7 Monthly Rollup and a rushed patch for IE on Win7 that resolves a bug introduced two weeks ago

When Microsoft released its gang of patches last Thursday, one patch was remarkably absent: We didn’t get a preview of next month’s Win7 Monthly Rollup. Win8.1, Server 2012 and Server 2012R2 all got previews, but not Win7 (or Server 2008R2).

I hypothesized at the time that Microsoft didn’t release a new Win7 April Monthly Rollup preview because they were still trying to fix the bugs they introduced in this month’s Monthly Rollup for Windows 7 and Server 2008 R2, KB 4088875, and  the download-and-manually-install Security-only patch for March, KB 4088878.

Microsoft now acknowledges all of these bugs in March’s Win7 Patch Tuesday release:

• After you install this update, SMB servers may leak memory.
• A Stop error occurs if this update is applied to a 32-Bit (x86) machine with the Physical Address Extension (PAE) mode disabled.
• A Stop error occurs on computers that don’t support Streaming Single Instructions Multiple Data (SIMD) Extensions 2 (SSE2).
• A new Ethernet virtual Network Interface Card (vNIC) that has default settings may replace the previously existing vNIC, causing network issues after you apply this update. Any custom settings on the previous vNIC persist in the registry but are unused.
• IP address settings are lost after you apply this update.

All of those bugs are new in March, except the memory leak, which first appeared in January.

With the new, delayed preview of April’s Win7 Monthly Rollup, you might expect that at least some of those bugs would be fixed. Not so. They’re all still around, per the official write-up.

Microsoft is working on a resolution and will provide an update in an upcoming release.

Sooner or later.

In addition to the Friday night Monthly Rollup preview that doesn’t fix the major bugs, Microsoft rolled out a patch for a bug introduced in IE by its Patch Tuesday patch. Another patch of a patch. The article for the original Patch Tuesday patch, KB 4089187, has been modified to state:

After you install this update, security settings in some organizations that are running Windows 7 SP1 or Windows Server 2008 R2 may prevent Internet Explorer 11 from starting because of an invalid SHA1 certificate.

To resolve this issue, use one of the following methods:

•    Whitelist the SHA1 certificate to allow Internet Explorer 11 to start.
•    Install Cumulative update for Internet Explorer: March 23, 2018.

If you’re a bit rusty on manually whitelisting an SHA1 certificate, you can run the patch released on Friday night, KB 4089187. Note that this is only for IE 11 running on Windows 7 (and Server 2008R2).

I think of it as Mother Microsoft’s way of telling you that you really shouldn’t be using IE. Excuse my snark.

Of course, you’ve been following along here and know that we’re still at MS-DEFCON 2, which means you didn’t install the original buggy patches, anyway. Right?

By the by… for those of you who are manually installing the cumulative updates for Win10 1703 or 1607, there’s now an explicit warning in the associated KB article:

Important When installing both the SSU (KB4088825) and the LCU updates from the Microsoft Update Catalog, install the SSU before installing the LCU.

Which is an obtuse way of saying that, if you’re going to install the Cumulative Update manually, you better get the Servicing Stack Update installed first.

MrBrian speculates that the root problem is the race condition on installation that Susan Bradley talked about last week.

The Servicing Stack updates for 1703 and 1607 were part of the Thursday blast.

Thx, @MrBrian, @gborn