Sorting through the Patch Thursday and Friday offerings

My head is still spinning. Over the past two days (in addition to learning that Windows honcho Terry Myerson is leaving, and the Windows team is being scattered to the winds) we’ve had an enormous number of poorly documented, overlapping, and completely inscrutable patches.

Let me see if I can bring some sanity to the mess.

A destructive fix for Total Meltdown

KB 4100480 kicked off the two days from patching purgatory with a Windows 7/Server 2008R2 kernel update for CVE-2018-1038, the “Total Meltdown” bug Microsoft introduced in Win7 back in January and kept re-installing ever since, most recently with the March Patch Tuesday Monthly Rollup KB 4088875 and Security-only patch KB 4088878. Susan Bradley immediately jumped into the fray with an initial warning Thursday afternoon. Microsoft’s documentation was so bad we had no idea what was being fixed, which bugs were being passed along — and whether this fix introduced even more bugs in the original Meltdown/Spectre January patch.

Just a reminder that there are NO known exploits of Meltdown or Spectre in the wild.

Ulf Frisk, the guy who discovered this gaping security hole (where a program can read or write data essentially everywhere on Intel PCs running 64-bit Win7/Server 2008R2), said on Wednesday that this month’s Monthly Rollup fixes the hole. The next day he said that, oops, this month’s Monthly Rollup doesn’t fix the hole and Microsoft revealed that, uh, this month’s Monthly Rollup actually introduces the hole.

How bad is the hole? Kevin Beaumont (@GossiTheDog) says:

https://twitter.com/GossiTheDog/status/979488659689889797

An anonymous poster says:

Ah, yeah… we’ve produced at least 11 botched up hotfixes in a row which made a gaping security hole out of a theoretical exploit, the most recent of them not even one week old yet, but 12th time’s the charm… absolutely trust us.

Many folks were wondering how this patch stacks up with all of the (many!) other problems we’ve seen with this month’s Win7 Monthly Rollup and Security-only patches. The Folks Who Know Such Things now say that this patch does, indeed, introduce all of those problems — the SMB server memory leak that brings down servers, random re-assignment of static IP addresses, and three separately triggered bluescreens.

A fix for patches that don’t have problems

Also on Thursday afternoon, Microsoft dropped a handful of patches that fix other bad bugs in previous patches. Susan Bradley has a short list that includes KB 4096309 for Win10 1607/Server 2016 that “Addresses an issue that can cause operational degradation or a loss of environment because of connectivity issues in certain environment configurations after installing KB4088889 (released March 22, 2018) orKB4088787 (released March 13, 2018).” As Susan notes, both of the referenced fixes are still listed in the KB articles as “Microsoft is not currently aware of any issues with this update.”

Bluescreen stoppers

Then there are the patches that fix bluescreens generated by earlier botched patches:

• KB 4099467 – Stop error 0xAB when you log off a Windows 7 SP1 or Windows Server 2008 R2 SP1 session. That’s a bug introduced in this month’s Win7/Server2008R2 patches.
• KB 4099468 – Stop error 0xAB when you log off a Windows Server 2012 session. That bug was introduced in this month’s Server 2012 patches
• KB 4096310 -Stop error 0xAB when you log off a Windows Server 2008 session. Ditto ditto ditto.

Save your IP if you’re prescient

And then there’s KB 4099950, Network Interface Card settings can be replaced, or static IP address settings can be lost, released Friday, chronicled by MrBrian. Ends up this is just a package for the (modified) VBScript that, when run prior to installing this month’s patches for Win7, avoids the static IP busting nature of the patch. I talk about the VBScript program in my Computerworld Patch Alert article.

Abbodi86 describes it:

So it’s the easy automated version of the VBscript. It checks if KB2550978 hotfix is installed (or any superseder). [Note: KB 2550978 is a many-year-old hotfix, last updated more than a year ago.] The hotfix actually describe the mess with NIC and March updates in very informative way

I wonder why Microsoft didn’t roll out that important fix years ago through Windows Update

The important note is that you have to run KB 4099950 before you install this month’s Win7/Server 2008R2 patches.

MrBrian goes on to note that the KB article for 4099950 contains this gem:

Important:  This update must be installed prior to installing KB408875 or KB408878

Which is hogwash, of course. Microsoft’s missing an “8” or two.

What else?

So what did I miss?