Ready to get confused? Then strap on your hip waders and follow along in this latest installment of Microsoft patching woes.
On Tuesday, Microsoft released its crop of patches for January, including the following:
- A re-release of MS14-080, the December Internet Explorer cumulative rollup (KB 3008923), which was one of the botched hangover patches from December. The re-release adds a new package, KB 3029449, so note the change in KB number. In certain circumstances (described below) you may need to install both patches.
- A "critical" patch, MS15-002/KB 3020393, for the Telnet service, which implements a communication protocol that's 45 years old -- and is rarely used on modern Windows desktops. The Telnet server is an optional Windows feature that isn't installed by default, so the flaw only matters on machines where someone has turned it on. That's the only critical patch this month; all the others are "important."
- A fix, MS15-003/KB 3021674, for the zero-day User Profile Service escalation that was publicly (and controversially) reported by Google on Sunday, Jan. 11. Microsoft doesn't rate this a critical flaw in Windows because it's an escalation of privilege -- it elevates a standard user's session to administrative rights rather than getting an attacker onto the box. In order to exploit the flaw, the miscreant already has to be able to run code on the computer.
- A fix for the other zero-day bug, ahcache.sys/NtApphelpCacheControl, which Google publicly disclosed on Dec. 29. That's MS15-001/KB 3023266.
Here's what we didn't get on Tuesday:
- A fix for the badly botched MS14-082/KB 3017349 Office patch, which clobbers Excel ActiveX in Office 2007, 2010, and 2013, as I reported on Dec. 11. There's even a newly reported problem, where default naming of controls gets all screwed up. The three component patches -- KB 2726958 for Office 2013, KB 2553154 for Office 2010, and KB 2596927 for Office 2007 -- are still being offered via Automatic Update. If you create or distribute Office macros, Microsoft continues to screw up your programs, rolling the poison pill out the Automatic Update chute.
It's still way too early to tell if there are additional problems with this month's patches. I fully expect the Windows Kernel Mode driver patch, MS15-008/KB 3019215, will figure prominently in due course, simply because Kernel Mode driver patches always seem to cause trouble.
Here's what's happening with the re-released (but differently numbered) MS14-080 patch. Tighten your grip on those hip waders. This gets messy.
The original MS14-080/KB 3008923 IE rollup had all sorts of bugs. Microsoft issued a patch, KB 3025390, to fix the problems but it, in turn, caused even more problems (see the comments to my InfoWorld article). In addition, Microsoft discovered that the original KB 3008923 didn't fix a VBScript security hole, known as CVE-2014-6363. So this month, Microsoft issued an update to MS14-080 called KB 3029449 that specifically addresses the VBScript hole.
As the KB 3029449 article puts it:
This package contains the VBScript 5.8 updates that are intended for Internet Explorer 10 in a Windows 8 or Windows Server 2012 environment. Install this update and the December cumulative security update for Internet Explorer.
MS14-080 now includes these bafflegab instructions:
To address issues with Security Update 3008923, Microsoft re-released MS14-080 to comprehensively address CVE-2014-6363. In addition to installing update 3008923, customers running Internet Explorer 10 on Windows 8, Windows Server 2012, or Windows RT should also install update 3029449, which has been added with this rerelease. Customers who have already successfully installed the 3008923 update, which has not changed since its original release, do not need to reinstall it. See Microsoft Knowledge Base Article 3008923 for more information.
It isn't at all clear if the new version of MS14-080 includes fixes for the problems introduced by the old MS14-080 and/or the problems introduced by KB 3025390, which was supposed to solve those original MS14-080 problems.
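If you'd rather not untangle the bulletin prose by hand, the quickest sanity check is to ask each machine which of this month's packages it actually has, and whether it falls into the "IE10 on Windows 8/Server 2012, install both" case. The script below is an added example for this column and the patch list above, not something Microsoft ships; the KB numbers come from the text, and the feature name, registry path and version checks are standard Windows/PowerShell behavior that the script assumes is present on the box you run it on.

```powershell
# Added example (not Microsoft's code): audit one Windows box for the January
# 2015 bulletins discussed above and for the MS14-080 re-release condition.
# KB numbers come from the column; feature/registry names are assumptions
# about standard Windows 8 / Server 2012 installs. Requires PowerShell 3.0+.

# Bulletin -> KB mapping taken from the text above.
$bulletins = [ordered]@{
    'MS15-001 (ahcache.sys / NtApphelpCacheControl)'     = 'KB3023266'
    'MS15-002 (Telnet service)'                          = 'KB3020393'
    'MS15-003 (User Profile Service EoP)'                = 'KB3021674'
    'MS15-008 (Kernel Mode driver)'                      = 'KB3019215'
    'MS14-080 (IE cumulative, December)'                 = 'KB3008923'
    'MS14-080 re-release (VBScript, IE10 on Win8/2012)'  = 'KB3029449'
}

function Test-KBInstalled {
    param([string]$Kb)
    # Get-HotFix wraps Win32_QuickFixEngineering and writes an error when the
    # ID is absent; suppress that and treat "nothing returned" as not installed.
    $null -ne (Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

foreach ($entry in $bulletins.GetEnumerator()) {
    $state = if (Test-KBInstalled $entry.Value) { 'installed' } else { 'MISSING' }
    '{0,-52} {1,-10} {2}' -f $entry.Key, $entry.Value, $state
}

# MS15-002 only matters if the Telnet Server feature is actually present.
# It is an optional feature that is off by default on client SKUs.
$telnet = Get-WindowsOptionalFeature -Online -FeatureName TelnetServer -ErrorAction SilentlyContinue
if ($telnet) {
    "Telnet Server feature state: $($telnet.State)"
} else {
    'Telnet Server feature not listed here (on Server, try Get-WindowsFeature Telnet-Server)'
}

# The MS14-080 re-release condition: IE10 on Windows 8 / Server 2012 (NT 6.2)
# needs BOTH KB3008923 and KB3029449. 'svcVersion' holds the real IE version
# on IE10 and later; the older 'Version' value stays at 9.x for compatibility.
$ieKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
$ieVer = (Get-ItemProperty $ieKey -ErrorAction SilentlyContinue).svcVersion
$osVer = [System.Environment]::OSVersion.Version
if ($ieVer -like '10.*' -and $osVer.Major -eq 6 -and $osVer.Minor -eq 2) {
    $both = (Test-KBInstalled 'KB3008923') -and (Test-KBInstalled 'KB3029449')
    if ($both) {
        'IE10 on Windows 8/2012: both MS14-080 packages are present'
    } else {
        'IE10 on Windows 8/2012: MS14-080 is INCOMPLETE until both KB3008923 and KB3029449 are installed'
    }
} else {
    "IE $ieVer on NT $osVer: only KB3008923 applies for MS14-080"
}
```

Two caveats. Get-HotFix only sees updates that went through Windows servicing, so the Office packages mentioned earlier (KB 2726958, KB 2553154, KB 2596927) are Windows Installer patches and will not appear in its output; check those from Control Panel's Installed Updates or your Office deployment tooling. And the script reports what is installed, not whether it works: none of this tells you whether the re-released MS14-080 cures the breakage from the original rollup or from KB 3025390, which is exactly the question Microsoft's bulletin leaves open.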
The IE patch rollups have had so many problems this past year, it's no wonder Microsoft wants to toss IE into a formaldehyde jar and start anew with Spartan.