Newsletter Archives

• More problems with the March IE Security-only patches

  Posted on April 1, 2017 at 08:17 CDT by woody • Comment in the Forums

  We’re seeing numerous reports of problems with the March Internet Explorer Security-only patches. These are the patches that you have to download and install manually – what I usually refer to as “Group B.”

  @PKCano is narrowing in on the symptoms and likely causes. Here’s what we know for sure.

  Starting in March, Microsoft separated Internet Explorer Security-only patches from the main Windows Security-only patches. (Prior to March, the IE patches were included in the main Windows Security-only patches.) It’s all documented in AKB 2000003. True to form, Microsoft discovered bugs in the original March Security-only IE patch, so they issued a second patch, which we’re calling the IE Hotfix.

  For Windows 7, the patches are (from AKB 2000003):

  Mar 2017 (IE) KB 4012204 – Download 32-bit or 64-bit
  Mar 2017 (IE Hotfix) KB 4016446 – Download 32-bit or 64-bit

  For Windows 8.1, the patches are:

  Mar 2017 (IE) KB 4012204 – Download 32-bit or 64-bit
  Mar 2017 (IE Hotfix) KB 4016446 – Download 32-bit or 64-bit

  At this point we’re looking for odd behavior associated with one or both of the patches for your machine. How do you know if the odd behavior is caused by one of the patches? If you uninstall the patches, and behavior returns to normal, you’ve hit a symptom of a bad patch.

  To date, @Sportsfan has reported one (or both?) of the patches causes IE to fail the Logjam security test at Qualys SSL Labs.

  An anonymous poster has reported “kb4016446 and kb4012204 caused problems with Notepad++ – when closed, the program would hang with an odd display for several seconds before shutting down. ”

  A different anonymous poster reported that the problem with Logjam failure appeared on a Win7 machine after installing just the first patch, KB 4012204. He/she hadn’t installed KB 4016446.

  And @RCPete has results all over the board. The first time he tested, IE 11 failed the Logjam test. The second time, it passed.

  Poster @AJNorth poses an interesting question for those who are failing the Logjam test: “under Tools —> Internet Options —> Advanced —> Security, are both “Use SSL 2.0” and “Use SSL 3.0” unchecked? ”

  @djgreen didn’t pass the Logjam test, but he wonders if the problem may be with interactions with a previous patch, KB 30161518.

  If you’re in Group B – and you’re installing IE security patches manually – what do you see? Also, if you’re in Group A, and taking the Win7/8.1 Monthly Rollups as they appear, do you have any problems with the Logjam test?

  Windows Patches/Security KB 4012204, KB 4016446, Logjam

• IE security update KB 4012204 trips a Logjam security test warning

  Posted on March 31, 2017 at 16:37 CDT by woody • Comment in the Forums

  Interesting post from @Sportsfan:

  After installing the IE security update 4012204, IE 11 no longer passes the Logjam security test at Qualys SSL Labs. I also installed the Hotfix, which didn’t help.

  @Sportsfan subsequently uninstalled both the update and the Hotfix, and Logjam is now happy.

  Can anybody else repro this?

   

  Windows Patches/Security KB 4012204, Logjam

• Microsoft releases multiple fixes for CRM 2011 bugs, including Win10 emergency KB 4016635

  Posted on March 23, 2017 at 06:00 CDT by woody • Comment in the Forums

  Note that none of these patches are going out through Windows Update (at least, not yet). You have to download and install them manually.

  That makes three cumulative updates for Win10 Anniversary Update in the past eight days.

  Details at InfoWorld Woody on Windows.

  Windows Patches/Security Dynamics CRM 2011, Internet Explorer 11, KB 4012204, KB 4012215, KB 4012216, KB 4016446, KB 4016635, KB 4016636, KB 4016637

• Where is this month’s IE 11 patch?

  Posted on March 15, 2017 at 14:06 CDT by woody • Comment in the Forums

  Interesting question from CA:

  I decided to try out the “Security Update Guide” and attempt to locate this month’s IE 11 update for us Group B hold-outs. What I discovered is that the Guide is pretty much useless, if not outright wrong/deceptive.

  https://portal.msrc.microsoft.com/en-us/security-guidance

  Going down the list for IE11, there is no mention of KB4012204 for “Windows 7 x64-based Systems”. If fact, the only place I could find KB4012204 applied to IE9 and Vista/Server 2008.

  
  And, KB4012204 is not listed here:

  Windows 7 SP1 and Windows Server 2008 R2 SP1 update history
  https://support.microsoft.com/en-us/help/22801/

  If one searches for KB4012204 in the catalog, the correct updates for IE11 and Win 7 are, of course, listed:

  https://www.catalog.update.microsoft.com/Search.aspx?q=KB4012204

  By the way, this KB is a totally confusing mess:

  MS17-006: Security update for Internet Explorer: March 14, 2017
  https://support.microsoft.com/en-us/help/4012204/

  So my question is this. If KBs are going away next month and the current guide is any indication, what will be the best methodology to locate the separate IE updates for Group B? Since IE updates are included in the Rollup for Group A, it’s not an issue for them because this appears in WU.

  UPDATE: I am aware of this:

  Microsoft Security Bulletin MS17-006 – Critical
  https://technet.microsoft.com/library/security/MS17-006

  This bulletin does list KB4012204, but seems like a round-about way to discover the stand-alone IE11 patch. My understanding is that the Security Guide is supposed to be sufficient.

  Windows Patches/Security KB 4012204