|
Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems. |
Newsletter Archives
-
Microsoft: New non-security updates prevent attack on Win10 Servers running IIS — but there are no instructions
Now you know why I’m skeptical of the “optional non-security” description about the second monthly Win10 cumulative updates.
Ends up that the patches are not “optional” (click Check for updates and see what happens) and, at least this month, for Servers running IIS, they’re not “non-security.”
Case in point: Microsoft Security Advisory ADV190005 | Guidance to adjust HTTP/2 SETTINGS frames, released yesterday. From the Advisory:
Microsoft is aware of a potential condition which can be triggered when malicious HTTP/2 requests are sent to a Windows Server running Internet Information Services (IIS). This could temporarily cause the system CPU usage to spike to 100% until the malicious connections are killed by IIS.
The HTTP/2 specification allows clients to specify any number of SETTINGS frames with any number of SETTINGS parameters. In some situations, excessive settings can cause services to become unstable and may result in a temporary CPU usage spike until the connection timeout is reached and the connection is closed.
To address this issue, Microsoft has added the ability to define thresholds on the number of HTTP/2 SETTINGS included in a request. These thresholds must be defined by the IIS administrator, they are not preset by Microsoft.
The solution? Install this month’s second set of cumulative updates — the ones released earlier this week, KB 4487006, KB 4487011, KB 4487021, KB 4487029 — and then follow these instructions:
Customers should review Knowledge Base Article 4491420 and take appropriate action.
Except, well, golly, there is no KB 4491420.
UPDATE: Microsoft published the instructions, Define thresholds on the number of HTTP/2 Settings parameters exchanged over a connection.
-
Microsoft pushes odd third-Tuesday cumulative updates for Win10 1803, 1709, 1703 and 1607 – but not for 1809
I think this is good news.
Yesterday Microsoft published cumulative updates for the older versions of Windows 10, but didn’t release one for the latest, version 1809. I take that as a good sign — perhaps Microsoft is letting its 1809 patches bake a little longer.
Moral of the story: Don’t click Check for Updates!
Details in Computerworld Woody on Windows.
UPDATE
We also have:
KB 4487016 – Preview of the Win8.1 March Monthly Rollup
KB 4486565– Preview of the Win7 March Monthly Rollup
The Microsoft Update Catalog also shows that several of this month’s Win10 Cumulative Updates were re-issued. Not sure what’s up with that, but it usually means there was a change in the metadata — which means it changes the installation logic.
ANOTHER UPDATE
Now at least one of the Knowledge Base articles is being changed to say that yesterday’s non-security updates do NOT fix the acknowledged bug:
- After installing this update, some users cannot pin a web link on the Start menu or the taskbar.
Plus Membership
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
Get Plus!
Recent Topics
-
Notice on termination of services of LG Mobile Phone Software Updates
by 8 hours, 22 minutes ago
-
Update your Apple Devices Wormable Zero-Click Remote Code Execution in AirPlay..
by 4 hours, 24 minutes ago
-
Amazon denies it had plans to be clear about consumer tariff costs
by 10 hours, 48 minutes ago
-
Return of the brain dead FF sidebar
by 1 hour, 25 minutes ago
-
windows settings managed by your organization
by 5 hours, 30 minutes ago
-
Securing Laptop for Trustee Administrattor
by 5 hours, 42 minutes ago
-
The local account tax
by 1 hour, 33 minutes ago
-
Recall is back with KB5055627(OS Build 26100.3915) Preview
by 17 hours, 24 minutes ago
-
Digital TV Antenna Recommendation
by 9 hours, 56 minutes ago
-
Server 2019 Domain Controllers broken by updates
by 1 day, 5 hours ago
-
Google won’t remove 3rd party cookies in Chrome as promised
by 1 day, 6 hours ago
-
Microsoft Manager Says macOS Is Better Than Windows 11
by 1 day, 10 hours ago
-
Outlook (NEW) Getting really Pushy
by 12 hours, 34 minutes ago
-
Steps to take before updating to 24H2
by 3 hours, 23 minutes ago
-
Which Web browser is the most secure for 2025?
by 17 hours ago
-
Replacing Skype
by 5 hours, 33 minutes ago
-
FileOptimizer — Over 90 tools working together to squish your files
by 1 day, 4 hours ago
-
Excel Macro — ask for filename to be saved
by 1 hour, 30 minutes ago
-
Trying to backup Win 10 computer to iCloud
by 5 hours, 19 minutes ago
-
Windows 11 Insider Preview build 26200.5570 released to DEV
by 3 days, 10 hours ago
-
Windows 11 Insider Preview build 26120.3941 (24H2) released to BETA
by 3 days, 11 hours ago
-
Windows 11 Insider Preview Build 22635.5305 (23H2) released to BETA
by 3 days, 11 hours ago
-
No April cumulative update for Win 11 23H2?
by 1 day, 23 hours ago
-
AugLoop.All (TEST Augmentation Loop MSIT)
by 3 days, 12 hours ago
-
Boot Sequence for Dell Optiplex 7070 Tower
by 4 days, 3 hours ago
-
OTT Upgrade Windows 11 to 24H2 on Unsupported Hardware
by 4 days, 7 hours ago
-
Inetpub can be tricked
by 2 days, 14 hours ago
-
How merge Outlook 2016 .pst file w/into newly created Outlook 2024 install .pst?
by 3 days ago
-
FBI 2024 Internet Crime Report
by 4 days, 10 hours ago
-
Perplexity CEO says its browser will track everything users do online
by 1 day, 19 hours ago
Remembering Woody
