In its first month of "more nimble" updates for Windows 8.1, Microsoft delivered a whole lotta same old, same old -- with a few new twists. Yesterday's Black Tuesday rollout featured nine security bulletins covering 37 separately identified security holes, including a Internet Explorer patch rollup the size of Brobdingnag featuring the first-ever Exploitability 0 security rating (apparently Exploitability 0 means zero day); the final realization of Windows 8.1 Update 2; and firmware patches for a few Surface tablets, but not others.
While Microsoft promised last week that it would start blocking old ActiveX controls -- including old versions of Java in Windows 7 SP1 running IE8 and later -- the threat didn't come to pass. Now Microsoft says the blockade won't start until next Black Tuesday's patches. According to the updated version of the IEblog warning:
As of September 9, 2014, this [old ActiveX blocking] feature will provide users with notifications when Web pages try to load the following versions of Java ActiveX controls: J2SE 1.4, everything below (but not including) update 43; J2SE 5.0, everything below (but not including) update 71; Java SE 6, everything below (but not including) update 81; Java SE 7, everything below (but not including) update 65; Java SE 8, everything below (but not including) update 11.
Admins, of course, can disable the blocking through Group Policy settings -- gutless, but necessary in some cases. I wonder if somebody ran the numbers and figured out how many tech support folks will be needed to handle the irate phone calls. Wait times will measure in hours, no doubt.
Windows 8.1 Update 2 has fizzled into obscurity. Now called (by some) the "August update," it's turned into a single patch, KB 2975719. And yes, for those of you who doubted my prognostication last week, the ruble is now recognized as an official currency symbol. Be still my beating heart. The other updates I talked about last week are there, along with almost six dozen other small fixes, identified by individual KB numbers. Oddly, the "old ActiveX blocking" mentioned above is referenced by name in KB 2975719, but there's no indication in the KB article that it was scuttled.
One other KB 2975719 improvement merits mention: A new update and recovery feature "introduces new information in the Windows Update Settings, and gives you more information on how up to date your systems are by displaying the most recent check for updates and the last date updates were installed." Tellingly, the feature says nothing about version numbers or rollbacks.
On my machines, KB 2975719 appears unchecked as an Optional (not "Important") update. Talk about mercifully toothless. As I've noted for months, you must have Windows 8.1 Update 1 (KB 2919355) installed before this new update will be offered. I doubt that many of you will be clamoring for Update 1 just to get Update 2.
The Surface RT, Surface Pro, and Surface Pro 3 all have firmware updates this month. For the Surface RT and the original Pro, the updates are tiny; the Pro 3 updates are more extensive, but still firmly in the "meh" category. If you're counting, that makes four firmware patches for the Pro 3 in the past two months.
It's still early on, but at this point the only widespread problem I've seen with this month's patches is a weird Taskbar artifact that appears unbidden on the Metro Start screen. Brad Sams at Neowin has a thorough explanation and a rolling screenshot of the issue. Yes, I know that pressing Windows key + T while on the Metro Start screen brings up the (desktop) Taskbar, but this is different -- the Taskbar sticks around when it should disappear. Based on a very few observations, this doesn't seem to be a universal bug. There's a Microsoft Answers forum thread on the subject. If you see a Taskbar on your Metro Start screen after installing this month's Black Tuesday patches and it doesn't disappear when it should, head over to the Answers forum and chime in. Chances are good that KB 2975719 is acting up for some people.
This story, "Black Tuesday: Microsoft offers massive IE patch rollup but no ActiveX blocks," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.
Correction: This story as originally posted misstated the number of vulnerabilities in this month's update. The article has been amended.