Microsoft releases KB 3213643, 2956078, 4011078, 4011052 to fix June Outlook security bugs

Topic

New Reply

Post coming in Computerworld.
[See the full post at: Microsoft releases KB 3213643, 2956078, 4011078, 4011052 to fix June Outlook security bugs]

4 users thanked author for this post.

SueW, MrBrian, EstherD, ch100

Reply | Quote

Replies

Yup. KB2956078 wasn’t there yesterday when I updated one of my two Win7 laptops. But it was there early this afternoon when I went to do the other one.

When I checked initially, the documentation page for KB2956078 was 404. But an hour or so later, it appeared as if by magic. You’d think MS could get its act together and release the docs simultaneously with the release of the patch files in WU. Nah.

Decided to install both KB3203467 and KB2956078 on both machines. So far, no problems. But then we don’t use Outlook, so I would expect (hope?) not to see any issues elsewhere in the system.

So why install any Outlook patches? Because the miscreants and ne’er-do-wells are much more clever than the MS engineers, and I don’t want to risk them finding a way to leverage Outlook bugs in ways that MS engineers failed to anticipate. Hence, I patch. Religiously. Ditto for Internet Explorer, which we also do not use.

Patching Group A*. Because I reserve the right not to install things I do not want, no matter how MS rates them, and I also install things that others in Group A might not install at all, or not as early as I do, e.g. the Outlook security patches.

Reply | Quote

KB2956078 states that it replaces KB3203467.

However, looking at WSUS/SCCM, KB3203467 has not been superseded. Do others see this behaviour? Or is it just me.

Thanks, DM.

Reply | Quote

Can’t speak to WSUS, but it sure didn’t look that way in WU earlier this afternoon, despite what it says on the KB2956078 documentation page.

Both patches were listed in the WU “Important section”, with KB3203467 unchecked and KB2956078 checked. And both patches were apparently installed when I asked WU to install the two of them together in a single batch. (Which is to say that WU did not give me the “1 patches installed; 1 patches unneeded” message that typically appears if one patch really is superseded by another one in the same install batch.)

However, now that I check more carefully, I find a VERY curious anomaly.

Both KB3203467 and KB2956078 are listed as successfully installed on the WU “Review your update history” page, with KB3203467 listed first and KB2956078 listed second.

BUT on the “Programs and Features” -> “View installed updates” page, KB2956078 appears TWICE, while KB3203467 does not appear at all!

So let me be the first (but probably not the last) to say: This does NOT give me great confidence in the current MS patch control process!

1 user thanked author for this post.

HiFlyer

Reply | Quote

I installed the Outlook patch KB2956078, for Outlook 2010 (32bit) and KB3203467, the old bad patch for Outlook 2010 (32bit) using Windows Update. Both were shown as Important, but only the KB2956078 was pre-checked. Both downloaded, but KB2956078 started initializing and installing first. What was interesting was the original patch KB3203467 never initialized or installed. The green Successful screen appeared. I checked the View Update history and it showed todays patch as successful, but did not show the earlier patch. Using Control Panel, installed updates also did not show the original patch as installed, but today’s was there. A reboot and new run of WU did not show either patch, and the History and Control panel applet was the same.

A check with Belarc Advisor shows 2 missing updates. KB3203467 is one.

The other is KB 3212642. What is interesting is back in January 2017 when the Security Only Patch KB3212642 for Win7-64, a very small patch of 6.3MB was released I installed it at Defcon 3. It appears in both the history and in the Control panel applet, and it was not labeled as missing in Belarc. As we remember, there were no patches for February due to the Shadowbroker dump. However after the install of the March 2017 Security Only Patch KB4012212 Belarc began showing KB3212642 as missing. It still appears in the WU history and Control panel as installed.

I suspect todays patch does supercede the bad patch, as some others say, and it seems to support what abbodi86 said in Post #125979 back on July 21 about the Outlook 2016 patches.

Call it wishful thinking, but Outlook 2010 seems snappier.

1 user thanked author for this post.

SueW

Reply | Quote

One thing I just remembered when I looked back at my patching log notebook.

When I originally saw that Belarc was saying that the January 2017 Security Only patch KB3212642 was missing after the March install, I tried to install it again.

As the Group B patches are NOT supposed to be cumulative it should have been able to be installed. However, it said it was “not applicable.” This may be due to the urgency of the March patches possibly repatched the vulnerabilities addressed by the January patch.

I do not know and this is only conjecture on my non-expert part.

I suspect ch100 is on the right track with his post #126857 below.

Reply | Quote

Interesting… I also use Belarc, but it gives me a clean bill of health… ALL security patches installed (based on defs version 2017.7.19.2)… despite the anomaly I described earlier.

Curiouser and curiouser. And less and less confidence that MS knows what it’s doing with patch control these days. Which is really BAD, because I have NO good way to test for most of these security flaws. So TRUST is the only thing I have to go on. And that’s evaporating faster than a puddle on a hot July day.

1 user thanked author for this post.

HiFlyer

Reply | Quote

Am I missing something here? Is it necessary to install the known “bad patch” (which is still NOT checked) along with the “fix-all” patch (which IS checked)?

We’ve been relentlessly advised to NEVER install Important updates that are not already checked but from what I’m seeing in these previous posts it appears many are manually checking the unchecked “bad patch” for installation.

I do realize it’s still a bit early to know exactly what’s going on here so I’m holding off on the latest miracle patch for a while. I’m confident somebody here will share the PROPER technique for getting this long overdue Outlook patch screw-up straightened out.

1 user thanked author for this post.

SueW

Reply | Quote

An unchecked patch in the “important updates” list usually means MS may deem it “recommended” but not “important” or “critical.” It usually implies that it not be installed.

If you have to have the fix now because it is causing problems, I would leave the old patch unchecked and install the checked one. The old patch may disappear (become unnecessary) after the fix is installed. If the fix says “not applicable” than you may have to install the other first.

At any rate, if you can live without the fix, it may be worthwhile to hold off for a couple of days to see if it creates any problems of its own .

1 user thanked author for this post.

SueW

Reply | Quote

This is more subtle than it appears to be at first sight.
I have seen patches which are unchecked when scanning from the Never check for updates setting and unchecked when scanning from Download but do not install while the log says that they are throttled due to regulation (which does not mean that they should not be installed, but that the servers are overloaded for the moment).
In a different context or order of installation, the same patches would be checked under Download but do not install or install Auto and unchecked under Never check.
A typical one is KB3021917 for Windows 7.
What is the conclusion after all those facts? My conclusion is that KB3021917 is provided for install but not in all contexts. A bug in the Microsoft WU?

Reply | Quote

i’m running office 2010 on both windows 7 and 8.1 machines. i assume, it’s too early to install any of these new patches?

Reply | Quote

If you are having severe problems because of the previous bugs, it might be a good idea to go ahead and install the patches – you can always uninstall them.
But if the bugs are not “bugging” you, it might be a good idea to wait a few days and see if there are others problems caused by the new patches..

Reply | Quote

Does anyone understand why new versions of Office 2016 Click-To-Run are never announced?

Isn’t that the version most would be using? It’s been that way for more than a year.

Reply | Quote

Before I do anything on a large scale I decided to test this on a Win7 box with Office 2010 SP2. I verified that it has KB3203467 installed, but when I check for windows updates it’s not offering me KB2956078.  Am I missing something obvious?

Reply | Quote

I am unclear as to whether the buggy June 13 security patch for Outlook needs to be installed before the current fix patches are supposed to appear in WU? I never installed the June patch because of the issues and MS has not made it clear as to what they are doing in this instance.

Reply | Quote

In Windows Update – install what is CHECKED, ignore what is unchecked.

Reply | Quote

Can anyone confirm what happens when installing KB2956078 on a pc that had until then showed KB3203467 as unchecked? Will the non-installed KB3203467 disappear?

Reply | Quote

Had a Windows 7, Office 2016 without the buggy KB3191932. Installed the new KB4011052.

and now we have the same bug on this system, outlook crashes while opening an email with attachements.

Reply | Quote

Just checked WU (Group B) out of curiosity, and Security Update for MS Office Outlook 2007 KB3213643 came up. Leaving it as it is for now.

LMDE is my daily driver now. Old friend Win10 keeps spinning in the background

Reply | Quote

I have Outlook 2010, and in the June  list of patches KB3203467 appeared as an “Important” Security update but the box wasn’t checked.   In early July,  when Woody gave the go-ahead to install the June patches,  I sent a message to PKCano (AskWoody MVP)  and I asked whether I should check the box for KB3203467.   He replied by telling me to leave it unchecked.   So that’s what I did.  He also said Microsoft will probably roll out the fixes later in July. Then on July 27,  Woody’s article in PC World came out stating that Microsoft released four patches to fix the June Outlook Security bugs.  However for some reason, KB3203467 wasn’t discussed in his article.  On July 31,  when I checked for available updates,  KB3203467 was still listed as an Important Security update,  and the box was still unchecked.   But it also listed  KB2956078 as an Important Security Update for Outlook 2010.  and for this one, the box was checked.  So I went ahead and installed KB2956078,  but I continued to leave the box for KB3203467 unchecked.    Then after that,  I did another check for updates,  and now KB3203467 no longer appears as an available update. The KB3203467 eventually disappeared from the list but I had to wait until KB2956078 to be installed for that to happen.  So it looks like PKCano’s advice to me from early July  is correct (and likewise also his advice in the July 29 posting shown above).     Thanks to PKCano for the advice.

Reply | Quote

W7 32bit home. Both KB2956078 (checked) and KB3203467 (unchecked)!were offered as important. installed 2956078. After reboot 3203467 was no longer offered. So 2956078 must be superseding.

Annemarie

Reply | Quote

I’ve been holding off installing any of the June MS Office updates (running Outlook 2010).

In the past I have been offered the unchecked Outlook KB3203467, then recently the checked KB2956078.

Today I checked and without having done anything the KB3203467 was gone.

I installed all offered and checked MS Office updates (8 total).

Hope all will be well.

Reply | Quote

KB3203467 disappeared because it was replaced by the newer patch. The older patch was unchecked because MS intended that you not install it. The newer patch was checked because it was to be installed instead.
You did the right thing.

Reply | Quote

Windows Up install KB3213643 earlier this week on Windows 10 and caused problems with the IMAP interface on Outlook 2007. I experienced similar problem with June updates.

Uninstall the update and things returned to normal. Contact Microsoft  and they were unaware of any problems!

Reply | Quote

Looks like MS has updated the WSUS catalogue and fixed the supersedence information with these updates.

KB2956078 now supersedes KB3203467 in WSUS/SCCM.

1 user thanked author for this post.

MrBrian

Reply | Quote