Newsletter Archives

  • Where are the fixes to the botched June Office security patches?

    After a series of pushed-then-pulled buggy fixes to the admittedly buggy patches, we’re still waiting for updated versions.

    Computerworld Woody on Windows. (Link has been updated.)

  • MS-DEFCON 3: Get patched, but watch out for Outlook

    With the first non-security Office patches due out on Tuesday, July 4, we’re kinda backed up against a wall.

    The simple problem: Some of the patches dribbled out in June still don’t work right. For example, the June 27 patch for Outlook 2010, KB 3015545, was pulled a few days ago because it crashes 32-bit Outlook.

    The original download package for the 32-bit version was removed from the Download Center after a problem was discovered that could cause Outlook to crash when you preview messages that have attachments. If you already downloaded and installed the 32-bit update, we recommend that you remove it until a new version is available.

    A new update for 32-bit Outlook 2010 is under development and will be posted in this article when it becomes available.

    According to the official bug-tracking list at Outlook known issues in the June 2017 security updates, we also have these problems:

    There is no Outlook 2007 fix for Issue #1, the “program is not installed” and/or “unsafe attachments” error when opening an attachment. In addition, the 32-bit Outlook 2010 fix has been pulled because it, you know, crashes Outlook.

    There is no Outlook 2007 fix for Issue #2, the “untrustworthy source” bug. Same comment about 32-bit Outlook 2010.

    Issue #4 (VBScript doesn’t run on custom Outlook forms) has not been fixed for any version of Outlook.

    Issue #5 (iCloud doesn’t work with Outlook) hasn’t been fixed for Outlook 2007. For other versions of Outlook, you need to uninstall and reinstall iCloud.

    Issue #7 (iframe part of a web page doesn’t print) has been fixed by various Windows patches.

    That’s the kind of garbage we’re facing at the moment. As many of you know, I’ve never been a fan of Microsoft’s patching. This month marks (yet another) new low in patch quality. Believe me, that’s saying something.

    Over on the Win10 side of the patching puddle, in addition to the iSCSI problems I reported last week, we have a new, officially acknowledged, bug:

    After you install this update, Internet Explorer 11 may close unexpectedly when you visit some websites. When the problem occurs, you may receive an error message that resembles the following:

    We were unable to return you to [previous URL].
    Internet Explorer has stopped trying to restore this website. It appears the website continues to have a problem.
    The problem may occur if the website is complex and uses certain web API’s.

    Microsoft is researching this problem and will update this article when more information becomes available.

    The solution, of course, is to avoid Internet Explorer, but I’ve been saying that for more than a decade.

    If you’re having trouble printing iframes from inside web pages, using IE, I recommend the same solution – ditch IE. But if you insist on using IE, and want to be able to print inside iframes, you have to install one of the recent Windows patches.

    Anyway, it’s time to strap on your hip waders and get patched. Here are my latest recommendations. Remember you have three basic choices for Win7 and 8.1:

    • Group A – installation of Monthly Rollups via a manual run of Windows Update
    • Group B – manual installation of specific Security-Only patches
    • Group W – folks who sat on the bench and didn’t patch at all.

    In this post-Shadow-Brokers era, where Microsoft is screwing up patches by the bushelful and compounding bugs in security patches (which is to say, patches for security bugs appear in non-security patches), I figure you only have a few choices:

    Win7/8.1 Group W — R.I.P.

    With Shadow Brokers guaranteeing that major Windows vulnerabilities are coming every month, Group W is just plain dangerous. It’s not an option. Sorry.

    Win7/8.1 Group B — Only for experts with a high tolerance for pain

    Group B, which is based on Microsoft’s commitment to deliver Security-only updates every month, has gone from relatively simple to very complex. Officially, Internet Explorer patches have been broken off from the main download. There’s all sorts of confusion about .NET patches — which are Security-only, which Rollups? We’ve seen security patches released outside the monthly Security-only stream. There have been bugs in Security-only patches that were fixed outside of the Security-only stream. There’s a host of problems documented in this Topic.

    Group B isn’t dead, but it’s no longer within the grasp of typical Windows customers. Many of you reading this post are fully capable of sticking with Group B. Most Windows customers are not.

    If you want to pursue Group B, in spite of the warnings, look at PKCano’s AKB 2000003.

    Win7/8.1 Group A – Go ahead and patch, but understand the consequences

    Microsoft is still blocking updates to Win 7 and 8.1 on recent computers. If you are running Windows 7 or 8.1 on a PC that’s a year old, or newer, follow the instructions in AKB 2000004 or @MrBrian’s summary of @radosuaf’s method to make sure you can use Windows Update to get updates applied.

    If you want to minimize Microsoft’s snooping but still install all of the offered patches, turn off the Customer Experience Improvement Program (Step 1 of AKB 2000007: Turning off the worst Windows 7 and 8.1 snooping) before you install any patches. (Thx @MrBrian).

    For those of you interested in the nuances, @ch100 has a good synopsis here and a follow-up here.

    For most Windows 7 and 8.1 users, I recommend following AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups. Watch out for driver updates — you’re far better off getting them from the manufacturer’s web site.

    Microsoft also has a huge Monthly Rollup Preview, KB 4022720 for Win 8.1, and a smaller KB 4022168 for Win7. As usual, I don’t recommend that you install the Previews. You’ll be able to pick up the patches when they roll out for real later in July.

    After you’ve installed the latest Monthly Rollup, if you’re intent on minimizing Microsoft’s snooping, run through the steps in AKB 2000007: Turning off the worst Win7 and 8.1 snooping. Realize that we don’t know what information Microsoft collects on Win7 and 8.1 machines.

    Windows 10

    It’s still too early to jump to Win10 Creators Update, version 1703. Wait for it to be designated “Current Branch for Business.” You can block the upgrade with a few simple steps, detailed in this Computerworld post.

    To get Win10 patched, run the steps in AKB 2000005: How to update Windows 10 – safely. You may want to use wushowhide to hide any driver updates. All of the other updates should be OK, including Servicing stack updates, Office, MSRT, or .NET updates (go ahead and use the Monthly Rollup if it’s offered).

    One more Win10 oddity this month: If you’re using the Creators Update, version 1703, and run Windows Update, you’ll get the massive June 27 non-security patch, KB 4022716, bringing you to build 15063.447. There are analogous patches for the earlier versions of Win 10, but they won’t be installed during a Windows Update run. You can search for the patches for Win10 Anniversary Update (version 1607), or Win10 Fall Update (version 1511), and install them manually, if you really want to, but I don’t see any pressing reason to do so. Wait for the other guinea pigs, eh?

    The only major bugs I see at this point are Internet Explorer-related — and for those of you afflicted I say, hey, you shouldn’t be using IE anyway. The rest of the world has switched to Chrome or Firefox. (Netmarketshare pegs desktop usage share at 60% Chrome, 17% IE, 12% Firefox and 6% Edge.) Get with the program and kick the Microsoft browser habit.

    Office updates

    There’s a post from Pim saying that, as of very early Monday morning:

    This morning Outlook 2010 June 2017 update KB3203467 was (still) offered as an important update on my Windows 7 system, but unticked. It is not retired.

    As is always the case, DON’T CHECK ANYTHING THAT’S UNCHECKED.

    .NET updates

    As of late Sunday night, @ch100 advises:

    .NET Framework Preview patches released in May 2017 (latest for all versions other than 4.7) have been pulled due to conflict with the .NET Framework 4.7 installer.
    https://blogs.msdn.microsoft.com/dotnet/2017/05/17/net-framework-may-2017-preview-of-quality-rollup/

    Again, don’t check anything that’s unchecked.

    I sincerely apologize for all the if’s and’s and but’s in this month’s go-ahead. If it’s any consolation, just about everybody at Microsoft is off for a four-day weekend, so things aren’t likely to get any worse.

    Time to get patched. Tell your friends, but make sure they understand what’s happening. And for heaven’s sake, as soon as you’re patched, turn off automatic updating! I see no reason at all to believe that the July patches will be any better than the June crop.

  • MS-DEFCON 1: Office security patches are all screwed up and IE patches aren’t much better. Don’t patch.

    Kirsty caught the initial whiff, based on a Günter Born post about problems with Outlook. PKCano raised the alarm about Office patches in general on June 19. Now, it seems Outlook is under attack by Microsoft’s own security patches — and IE still doesn’t print properly.

    The situation’s so bad, Microsoft itself has documented the problems that appear in Outlook after installing the June 2017 Office patches.

    There are seven separately identified, potentially show-stopping bugs in Outlook that appear after you install this month’s Office security patches: Can’t open attachments, VBScript doesn’t run, Outlook search doesn’t work, and the previously described IE failure to print mis-fires from inside Outlook.

    The workarounds? Forward the mail to yourself and then open the attachments in the forwarded email. Save the attachments to your computer and open them manually. Use something other than IE. Or, it would seem, anything but Outlook.

    Microsoft really screwed up this month’s patches — both for Office and for Windows. Unless you want to use your machine as a Windows/Office beta test environment, I strongly suggest you refrain from applying any of this month’s updates.

    Accordingly, I’m moving us to MS-DEFCON 1: Current Microsoft patches are causing havoc. Don’t patch.

    I’m seeing “secret” reports all over the web that Microsoft will be fixing some or all of its malicious patches next Tuesday, June 27. You would be well advised to wait until we see the fallout from the fixes to the fixes before installing anything.

    As MrBrian notes, Microsoft now has official acknowledgments posted for 16 known-bad June 2017 patches.

  • A most unusual Patch Tuesday

    Microsoft has released its usual Patch Tuesday flood, and it’s enormous: 358 patches addressing 96 individually identified security holes. Gregg Keizer at Computerworld just posted a thorough overview.

    Martin Brinkmann at ghacks.net has the full list. Here’s the summary:

    • Windows 7:  48 vulnerabilities of which 6 are rated critical, and 42 important
    • Windows 8.1: 52 vulnerabilities of which 8 are rated critical, and the remaining 44 important
    • Windows RT 8.1: 48 vulnerabilities of which 8 are rated critical, and 40 important
    • Windows 10 version 1703: 45 vulnerabilities of which 7 are rated critical, and 38 important.

    At the same time, Microsoft has released individual patches for Windows XP and Vista – both of which are beyond their end of support dates.

    There’s a reason why Microsoft released XP/Server 2003 updates – they didn’t bother to patch either last month, with the WinXP patch for WannaCry.

    Full details in my Woody on Windows blog, which has just moved from InfoWorld to Computerworld.

    UPDATE: Microsoft even released a patch for Win10 1507 — the original, “RTM” release, which is supposed to be out of support. See KB 4022727.

    Brad Sams, writing on Petri.com, calls the XP patch “a dangerous precedent.” I say hogwash. It’s an overdue CYA patch. Can you imagine what would happen with a working XP SMB worm?

    Peter Bright = Dr. Pizza, writing on Ars Technica, says “Microsoft’s decision to patch Windows XP is a mistake.” I say he’s wrong. Microsoft didn’t have any choice – and won’t have any choice, in the future, but to patch NSA-derived security holes in all versions of Windows from XP onward.

    Dan Goodin, also on Ars Technica, now has technical details. He hits the nail on the head when he says, in conclusion:

    Company officials are showing that, as much as they don’t want to set a precedent for patching unsupported Windows versions, they vastly prefer that option to a potential replay of the WCry outbreak.

    And, I would add, a potential replay of the WannaCry outbreak long after learning the details from the NSA.

    This doesn’t smell right.

  • Playing catch-up with Windows and Office patches

    Patch Tuesday is just around the corner, and many of you are confused about which patches to install, which to avoid. Here’s a simple list:

    • If you haven’t patched your machine in many months, get it patched. Now.
    • If you haven’t applied MS17-010, do it now.

    As long as you’ve applied the March patches, or later, I don’t see any pressing reason to break the usual MS-DEFCON 2 admonition: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

    We’re going to get quite a slew of new patches on Tuesday. Patience. Let’s see how they turn out.

  • Office non-security patches for June 2017 are here

    No, you don’t want to install them yet. We’re still at MS-DEFCON 2.

    Office 2013

    Update for Microsoft Excel 2013 (KB3191940)
    Update for Microsoft Office 2013 (KB3172501)
    Update for Microsoft Office 2013 (KB3178709)
    Update for Microsoft Office 2013 (KB3191872)
    Update for Microsoft Office 2013 (KB3191874)
    Update for Microsoft PowerPoint 2013 (KB3191935)
    Update for Microsoft Project 2013 (KB3191941)
    Update for Microsoft SharePoint Server 2013 Client Components SDK (KB3172527)

    Office 2016

    Update for Microsoft Excel 2016 (KB3191922)
    Update for Microsoft Office 2016 (KB3115281)
    Update for Microsoft Office 2016 (KB3141457)
    Update for Microsoft Office 2016 (KB3191859)
    Update for Microsoft Office 2016 (KB3191868)
    Update for Microsoft Office 2016 (KB3191920)
    Update for Microsoft Office 2016 (KB3191929)
    Update for Microsoft Office 2016 (KB3191933)
    Update for Microsoft PowerPoint 2016 (KB3191921)
    Update for Microsoft Project 2016 (KB3191934)
    Update for Microsoft Visio 2016 (KB3191918)