Microsoft pulls botched KB 2871630, while many Office patch problems remain

Pulling the KB 2871630 patch took Microsoft more than 14 hours after the first warnings appeared, and admins are furious. What's Microsoft doing wrong?

The really bad Black Tuesday patch -- KB 2871630, the one that caused the folder list in Outlook 2013 to disappear -- was pulled early Wednesday morning, as Gregg Keizer notes in his Computerworld post. Microsoft 'fessed up to making a big mistake with the patch and, in an obscure blog post, time-stamped 11:48 a.m. Wednesday, has urged Windows users to uninstall KB 2871630 manually.

The most damning part about Microsoft's handling of yet another botched patch incident? There were verified, credible reports of the problem on Microsoft's own TechNet forum and Answers forum that weren't heeded for at least 14 hours, probably longer. That's 14 hours of bad automatic updates. We didn't get an official explanation until 24 hours or more after the bad patch hit.

While KB 2871630 is reined in for the moment, a whole slew of this month's patches are still causing problems on some machines:

  • Two Office 2007 security updates -- MS13-072 / KB2760411 and KB2760588 -- and one Excel 2007 security update -- MS13-073 / KB2760583 -- are installing over and over again. The Microsoft Answers forum thread has hundreds of posts. The KB articles now say, "You may be repeatedly offered this update even though it is already installed. Microsoft is researching this problem and will post more information in this article when the information becomes available." At this point there's no additional information.
  • The MS13-073 / KB 2810048 security patch for Excel 2003 installs over and over again. Two Answers forum threads in English -- as well as several in other languages -- have more than a hundred entries. At about 10:30 p.m. PDT Thursday night, Softpedia posted an article that says "Dustin Childs, group manager, Microsoft Trustworthy Computing [sent us a message that says] 'We've received reports of some customers experiencing issues when deploying some of September's Office-related updates. We are investigating this issue and will act accordingly, to help ensure that our customers are protected.'" As of 11 p.m. PDT Thursday night, there is no notification in the KB article.
  • The installer for the MS13-074 / KB 2810009 security patch for Access 2013 is failing with an error code 80242009. There's a TechNet thread on the problem that's up to nearly a hundred posts. As of 11:00 p.m. Thursday, the TechNet MS13-074 article says "Known issues: None."
  • The MS13-068 / KB 2794707 Outlook 2010 security patch is throwing off an error that looks just like the problem Microsoft encountered with Outlook in the Office 2010 SP 2 update, where the Calendar Folder property is empty. I've been told that Microsoft considers the problem to be "cosmetic" and it's relegated to "won't fix" status.

Microsoft's back to its Keystone Kops approach to Black Tuesday.

There's much more to this than meets the eye. If you had Microsoft Automatic Update enabled on Tuesday, you not only received 36 security updates from 13 security bulletins. You also got a whopping 80 non-security patches, slithering right in there with the security patches. Your exact tally will vary, depending on which versions of Windows and Office you run; nobody got all 116 patches. But on Black Tuesday, 36 security patches and 80 non-security patches slid down the Auto Update chute. Kersplat.

Susan Bradley, a Microsoft MVP who helps (as a volunteer!) on the Microsoft Answers forum, fired off this letter to Steve Ballmer:

Dear Mr. Ballmer:

As one of the moderators for the PatchManagement listserve I am part of a community that maintains and patches primarily Windows products. On behalf of everyone in this community, may I respectfully request that you assign someone in a management position to investigate what is going on with quality control with Patch testing lately?

This month in particular leaves me deeply disturbed that issues that should have been found before these updates were released are being found by us - your customers - after they are released and we are having to deal with the aftermath. This leads to increasing distrust of updating.

These issues in your newer products are deeply disturbing to me. The issues this month in particular leave end users and Patch Admins with no other recourse than to not patch and even disable automatic updates until we are assured that issues have been fixed.

I congratulate you on your release to manufacture of Windows 8.1 but I beg you to pause for a moment and investigate why we are seeing so many patching issues with your released products at this time.

Bottom line, sir, this is unacceptable to all of us in the patching community, and quite frankly, it should be just as unacceptable to you.

Susan Bradley

Moderator at www.patchmanagement.org

Speaking on behalf of everyone here in the patching community

I think Bradley was being too kind.

The (volunteer!) MVPs on the Answers and TechNet forums get caught in the middle: They can see these problems mushroom in real time, and they don't have a soul inside Microsoft whose duty it is to respond to their observations or concerns. Customers get angry at the admins, and the admins can't do a blasted thing about it. Microsoft doesn't listen to them any better than it listens to me.

At the very least, Microsoft should assign one employee (out of 135,000 as of early next year) to watch each of the major forums, and report back to somebody who will take action when problems crop up. The MVPs manning -- er, personing -- the forums should have a direct line to somebody inside MSRC who gives a damn. If there are any left.

There needs to be an MSRC hair trigger on pulling bad patches. Any question at all and POP, the patch gets pulled, awaiting analysis. Think of it as beta testing with tens of millions of victims, a very tiny percentage of whom are savvy enough to diagnose their problems and post them on the Microsoft-provided fora.

If MSRC recommends that customers uninstall patches, then the uninstaller should be in the Automatic Update chute immediately. Hiding uninstall recommendations in obscure corners of the Microsoft site shows just how much Microsoft cares about its customers.

Pulling a patch should be a knee-jerk reaction to any problem, real or imagined. If a Microsoft customer is crazy enough to turn on Automatic Update, then it won't matter if they miss the patch today or tomorrow, they'll get it rammed down their throats next week.

Hopefully it'll be right the second time. Or the third.

This story, "Microsoft pulls botched KB 2871630, while many Office patch problems remain," was originally published at InfoWorld.com.