I haven't seen any explanation for last month's burp -- Microsoft isn't saying why or how it missed a month of patches. But they came rolling back with a vengeance yesterday, plugging the best-known major security holes (the SMB bug and two zero-days reported by Google's Project Zero), answering many open questions, and posing a few new ones.
Among the surprises: After promising, in November, that it would discontinue the antiquated Security Bulletin system, we got a heap of new security bulletins, along with new Software Update Summary entries (the searchable database of KB numbers, with 64 new entries) and a new Security Update Guide (detailed list of KB numbers broken out by product and platform, with 230 new entries).
Topping it all off, Nathan Mercer at Microsoft published details of another documentation effort called Unified Windows update history for Windows 8.1 and Windows 7. That project will convert the current skeleton update listings for Win7 and 8.1 (see screenshot for the latest Win7 page) and add information about the individual KB patches.
Assuming Security Bulletins will be discontinued at some point, the new Update History pages will give a more focused method to check the latest fixes. Those of us who follow these matters closely used to wail about the dearth of information. Now we're drowning in it -- a welcome change.
Here's a breakdown of the patches on offer and what we know about them in the real world. Please realize from the outset that I don't recommend you install them yet. It's much, much too early to tell if any of the patches have unintended consequences.
As usual for Patch Tuesday, we have three new patches for Windows 10, one each for 1507 (the original release), 1511 (the November update), and 1607 (the Anniversary Update). Here are the numbers:
Win10 1607 KB 4013429 brings version 1607 up to build 14393.953. Microsoft lists many dozens of fixes in this patch, including updates to IE and Edge, the SMB fix, and all of the pertinent security fixes.
The Update & Security applet now contains an admonition that the Win10 Creators Update is on its way (see the screenshot below). The advance warning isn't as bad as the Get Windows 10 campaign urging you to "Reserve your free upgrade," but those who remember the GWX campaign may be twice shy about being one of the first to get Creators Update.
I'm tracking two reported problems with KB 4013429:
- Numerous posters on Reddit say installing the patch takes a long time. Per Apollo503, "i7/SSD laptop sitting next to me at ‘Getting Windows ready - Don't turn off your computer' for 13 minutes and still going." The usual advice applies: Wait for it.
- There's an apparent conflict with Microsoft Dynamics CRM 2011. Installing the patch breaks some -- but not all -- CRM apps. Detailed description from an anonymous poster on AskWoody.com.
If you have a problem with KB 4013429, please post it on the Reddit thread devoted to this update. Microsoft is actively monitoring the thread, and your report may help improve cumulative updates for all of us.
Ed Bott on ZDNet describes a new feature called Delta Updates, which is only available through the Microsoft Update Catalog. If you search the catalog for KB4013429 you see three entries for Delta Updates. Microsoft previewed Delta Updates, together with the related Express Updates, in a video from Win10 update guru Michael Niehaus that appeared in January.
Microsoft is posting the deltas to reduce download size. Those who patch through a standard Windows Update connection already download only what's changed -- the difference between the build currently installed and the one being delivered -- because Windows Update works out which pieces a given machine needs.
For those who download the cumulative updates as a whole and apply them to multiple machines, the size of the cumulative updates has grown unwieldy. The latest cumulative updates for 1607 and 1511 now run over 1GB. These new Delta Updates run about one-third the size of the full cumulative updates, but each one moves a machine forward only one step: it applies only if the immediately preceding cumulative update is already installed.
Oddly, differential updating, Express Updates, and Delta Updates aren't covered in the latest Microsoft Overview of Windows as a Service.
Win10 1607 users also saw these patches:
- KB 4013418, the latest Servicing Stack update. Think of it as Windows Update updating itself. In the Windows Update list it only appears as "Update for Windows 10 Version 1607."
- KB 4014329, the separate security update for Flash, MS17-023. Remember that Windows 8.1 and 10 both ship Flash Player as part of the operating system (for Internet Explorer on 8.1, and for both Internet Explorer and Edge on 10), so Microsoft patches it, and this update covers both.
As always, I recommend that you wait a week or two before installing any of them.
Win10 1511 KB 4013198 brings version 1511 up to build 10586.839. There's another very long list of patches, exactly like Win10 1607 Cumulative Update. This one is also accompanied by KB 4013418, the latest Servicing Stack update, and KB 4014329 for Flash.
Win10 1507 KB 4012606 runs the original Win10 to build 10240.17319. Microsoft says it will discontinue 1507 in May, though it has flinched on that date a couple of times. Many more patches, mirroring 1511. Those of you who are using 1507 in any situation other than the Long Term Servicing Branch (LTSB 2015) should abandon ship.
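Before deciding whether to install or defer any of the three cumulative updates above, it helps to know exactly which build a machine is on. The following is an added example, not code from the original post or from Microsoft: it reads the build number Windows records in the registry, compares it with the KB-to-build pairs listed above (those numbers come from the post; the script structure is my own), and asks Get-HotFix whether the KB is already present.

```powershell
# Added example (not from the original post): confirm which of this month's Win10
# cumulative updates a machine carries. The KB/build table is taken from the post.
$expected = @{
    '10240' = @{ KB = 'KB4012606'; UBR = 17319 }   # 1507, original release
    '10586' = @{ KB = 'KB4013198'; UBR = 839   }   # 1511, November update
    '14393' = @{ KB = 'KB4013429'; UBR = 953   }   # 1607, Anniversary Update
}

$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = $cv.CurrentBuildNumber   # e.g. 14393, the part before the dot
$ubr   = $cv.UBR                  # Update Build Revision, the part after the dot
$rel   = $cv.ReleaseId            # e.g. 1607 (not present on 1507 RTM)

"Running build $build.$ubr (ReleaseId: $rel)"

if (-not $expected.ContainsKey($build)) {
    "Build $build is not one of the three branches discussed above."
    return
}

$want = $expected[$build]
if ($ubr -ge $want.UBR) {
    "At or past this month's cumulative update ($($want.KB))."
} else {
    "Behind: $($want.KB) would take this machine to $build.$($want.UBR)."
}

# Get-HotFix reads the same data as Control Panel's 'View installed updates'.
# A missing entry together with a lower UBR means the patch is not on yet.
$hit = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq $want.KB }
if ($hit) { "$($want.KB) installed on $($hit.InstalledOn)" }
else      { "$($want.KB) is not listed by Get-HotFix" }
```

The UBR value is the authoritative check: a later cumulative update always raises it, so a machine showing 14393.953 or higher has this month's fixes even if the KB list lags behind. Note that the script only identifies the state of the machine; it does not install anything, which fits the wait-a-week advice above.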
Windows 7 and 8.1
Not to be outdone by the massiveness of Windows 10 updates, Win7 and 8.1 patches fell like snow in New York.
The Security Bulletin list has 18 entries, nine deemed critical, covering 136 distinct vulnerabilities (CVEs). The SANS Internet Storm Center says there are known exploits for three of the security holes: MS17-006 (the inevitable cumulative update for Internet Explorer), MS17-010 (the SMB vulnerability) and MS17-013 (Graphics components, which covers the Project Zero disclosures). SANS ISC goes on to say that "six of the bulletins include vulnerabilities that have either already been made public or that are already being exploited."
Those who are installing Security-Only patches (the folks I call "Group B") need to be aware that Internet Explorer patches arrive separately from the Security-Only patches, which are only available by manual download from the Microsoft Update Catalog. I'll have full download and installation details later this month, when the patches have had time to stew a bit.
Our old snooping friends, the compatibility-appraiser (telemetry) updates KB 2952664 (Win7) and KB 2976978 (Win8.1), are back, as anticipated. An anonymous poster on the AskWoody Lounge says they're identical to the versions posted last week. This time they're "Recommended," so if you have "Give me recommended updates the same way I receive important updates" selected in Windows Update, the patches will be checked and thus installed the next time you run Windows Update -- which I don't recommend, of course.
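If you would rather not rely on remembering to untick those two updates every month, the Windows Update Agent can be told to hide them. The script below is an added example, not code from the original post or from Microsoft: it checks whether the "recommended updates" box is ticked (the IncludeRecommendedUpdates registry value behind that checkbox), hides any pending copy of the two KBs named above through the standard Microsoft.Update.Session COM interface, and reports whether either is already installed. The KB numbers come from the post; run it from an elevated PowerShell prompt on Win7 or 8.1.

```powershell
# Added example (not from the original post): hide KB 2952664 / KB 2976978 rather than
# letting "recommended" handling pre-select them. Requires an elevated prompt.
$snoops = 'KB2952664', 'KB2976978'

# The "Give me recommended updates..." checkbox is stored under Auto Update (1 = ticked).
$au   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$incl = (Get-ItemProperty -Path $au -Name IncludeRecommendedUpdates -ErrorAction SilentlyContinue).IncludeRecommendedUpdates
if ($incl -eq 1) {
    "Recommended updates are treated as important: $($snoops -join ', ') would be checked on the next scan."
} else {
    "Recommended updates are not auto-selected (IncludeRecommendedUpdates = $incl)."
}

# Ask the Windows Update Agent for not-yet-installed, not-yet-hidden updates.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

foreach ($update in $result.Updates) {
    # KBArticleIDs holds bare numbers ("2952664"); normalise to the KBnnnnnnn form.
    $kbs = @($update.KBArticleIDs | ForEach-Object { "KB$_" })
    $hit = $kbs | Where-Object { $snoops -contains $_ }
    if ($hit) {
        $update.IsHidden = $true   # same effect as right-click > Hide update in the Windows Update UI
        "Hid '$($update.Title)' ($($hit -join ', '))"
    }
}

# Report anything already installed, with the command that removes it.
Get-HotFix | Where-Object { $snoops -contains $_.HotFixID } | ForEach-Object {
    "$($_.HotFixID) is already installed (on $($_.InstalledOn)); remove with: wusa /uninstall /kb:$($_.HotFixID.Substring(2))"
}
```

One caveat a practitioner should expect: hiding works per revision. When Microsoft re-releases one of these KBs with a new revision, as it has done repeatedly, the hidden flag does not carry over and the update reappears in the list, so the script is worth re-running after each Patch Tuesday.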
As usual, Windows 7 users need to update Flash player separately (IE in Win8.1 is updated by Microsoft).
There's a compact list of patches and links on Günter Born's Borncity blog.
If you're still on Vista, which goes off extended support next month, you should note two oddities:
- MS17-006, which in the case of Vista is for the Messaging API only, contains this little gotcha: "If you are running Windows Vista or Windows Server 2008, install this security update (3218362) in addition to security update 4012204, in order to be fully protective from this vulnerability."
- Lounger EP reports that "New ‘magic' win32k.sys updates for Windows Vista SP2 to speed up Windows Update scans on Vista: KB 4012497. Replaces KB 3204723 & previous win32k.sys fixes."
Office patches for this month are listed on KB 4013886. I count:
- 16 patches for Office 2016, four of which are security patches
- Nine patches for Office 2013, with four security patches
- Five patches for Office 2010, all security
- 10 patches for Office 2007, six of them security, including two for the Office Compatibility Pack
The nonsecurity patches were released last week, but they're repeated here for completeness.
The Office TechNet post says there are new versions of Office Click-to-Run:
- Office 2013 Click-To-Run is available: 15.0.4911.1002
- Office 2010 Click-To-Run is available: 14.0.7179.5002
In addition, the main Office 365 version 1702 current channel is now up to build 7870.2024.
Discussion continues on the AskWoody Lounge.