If you thought Microsoft's patching rate would slow down a bit after the torrid pace of the past three months, you're wrong. Looking only at the number of security bulletins issued this month -- eight -- you might think June's been a walk in the park. But if you look at what's being patched and what's missing, the numbers and headaches begin to pile up.
Let's start with the missing patch, MS15-058. Microsoft doesn't skip Security Bulletin numbers very often, but when it does it can be confusing. For reasons only known in Redmond, this month we didn't get an MS15-058. I haven't seen any information about the patch, so we'll have to sit back and wait.
Then there's the obligatory giant Internet Explorer patch, MS15-056/KB 3058515, which tackles a couple dozen independently identified security holes in IE6, IE7, IE8, IE9, IE10, and IE11. If you're still using IE, it's worth noting that Microsoft has pushed out boatloads of IE patches every month over the past year except January. IE patching has turned from a comedy to a tragedy. Microsoft Edge, the browser in Windows 10, can't come a moment too soon.
The other seven bulletins run quite a gamut, although it's worth noting that the SANS Internet Storm Center lists only one of them, MS15-060, as having a known exploit -- and it's rated as important, not critical. SANS also notes that the bulletin for MS15-062 includes a line of code that appears to be a proof-of-concept exploit.
Microsoft re-released many old, nonsecurity patches this month, including KB 2952664 and KB 2976978 -- the Windows 10 nagware patches that were re-re-re-re-released five days ago.
Reader CA wrote to me and said:
Our old friend KB2952664 is back. It gets listed as "Important" in Win Update even though the associated KB article lists it as "Optional". As you know, it's obviously not a security update.
I installed it on one of my machines and then checked the Task Scheduler (Microsoft -> Windows -> Application Experience). I had previously changed these two tasks to "Disabled":
1) Microsoft Compatibility Appraiser
If you recall, these telemetry (spyware) tasks were added by a previous release of KB2952664. The current update changes both of these back to a status of "Ready".
These kinds of actions are not very trust-inspiring, are they?
Ain't that the truth.
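If you want to catch this kind of silent re-enabling rather than stumble on it in the Task Scheduler UI, the following PowerShell script audits the Application Experience task folder the reader names and re-disables anything an update has flipped back on. It is an added example, not code from the column or from the reader; it uses schtasks.exe rather than the newer ScheduledTasks cmdlets so it also runs on Windows 7, and the "Scheduled Task State" column name and the $TaskFolder path are the only things it relies on. Run it from an elevated prompt once before installing the update and once after, and compare.

```powershell
# Added example, not part of the original column or the reader's letter.
# Audits the Task Scheduler folder the reader mentions and re-disables any task there
# that an update has flipped back to "Ready". Uses schtasks.exe rather than the
# ScheduledTasks module so it also works on Windows 7 (PowerShell 2.0). Run elevated.
# The folder path is the one named in the letter; the function names are my own.

$TaskFolder = '\Microsoft\Windows\Application Experience'

function Get-AppExperienceTasks {
    # /V adds the "Scheduled Task State" column (Enabled/Disabled); /FO CSV makes it parseable.
    # schtasks repeats the CSV header line once per task folder, so those pseudo-rows are dropped.
    schtasks.exe /Query /FO CSV /V 2>$null |
        ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' -and $_.TaskName -like "$TaskFolder\*" } |
        Select-Object TaskName, Status, 'Scheduled Task State', 'Last Run Time'
}

function Disable-AppExperienceTasks {
    param([switch]$WhatIf)
    foreach ($task in Get-AppExperienceTasks) {
        if ($task.'Scheduled Task State' -eq 'Disabled') {
            Write-Host "already disabled: $($task.TaskName)"
            continue
        }
        if ($WhatIf) {
            Write-Host "would disable:    $($task.TaskName)"
            continue
        }
        # /Change /Disable does the same thing the reader did by hand in the Task Scheduler UI.
        schtasks.exe /Change /TN $task.TaskName /Disable | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "failed to disable $($task.TaskName)"
        } else {
            Write-Host "disabled:         $($task.TaskName)"
        }
    }
}

# Record the state before the update, run again afterwards, and diff the two listings.
Get-AppExperienceTasks | Format-Table -AutoSize
# Drop -WhatIf to actually re-disable whatever came back.
Disable-AppExperienceTasks -WhatIf
```

Because the script disables every task in the folder that is not already disabled, it does not depend on knowing the exact task names in advance, which matters when an update adds or renames entries.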
Then there's KB 2977759, which was re-re-re-released earlier this month.
In addition, KB 3019270, KB 3029432, KB 3029603, KB 3034348, KB 3037313, KB 3040272, KB 3041857, KB 3045634, KB 3045746, KB 3054464, KB 3054476, KB 3055323, and KB 3055999 were all re-released from last month.
Then there's KB 3068708, which I think is a reissue of the much maligned KB 3022345.
Same old, same old -- only different.