We're now in the second month of Microsoft's new avowed "Update Tuesday" patching process, and this month there were a couple of new features (yes, genuine updates!) that deserve your attention. On the security side there's one critical patch (another IE rollup); a lot of futzing with .NET Framework, which frequently gives updaters indigestion; two big blocks of miscellaneous patches; and a massive dose of more of the same.
Here's what you can look forward to when you make the leap.
MS14-052/KB 2977629 is the monster Internet Explorer rollup. This is the patch you've read about -- the one that tackles 37 separately identified security holes in IE, one of which is publicly known. It's the only patch this month to receive the critical designation. What isn't so obvious: This patch (finally!) enables the "Old Java version blockade" that was supposed to be part of last month's crop but got pulled at the last moment. There's an accurate updated description of the new behavior on the IE blog.
The mechanism built into the newly patched versions of IE8 through IE11 refers to a blacklist of "bad" ActiveX controls maintained and updated by Microsoft. (The whole exercise is quite similar to the "IE blocks bad Flash sites" fiasco about 18 months ago.) If IE tries to invoke an ActiveX control on the blacklist, you see a message that says, for example,
Java(TM) was blocked because it is out of date and needs to be updated. What's the risk? Update/Run
There's also a warning if a Web page tries to launch a blacklisted ActiveX control directly.
One exception: The block doesn't take place when you access sites in IE's Local Intranet Zone or the Trusted Sites Zone -- so you corporate types can breathe a small sigh of relief. There are Group Policy settings that can override or modify the blocking as well.
There's a gallery of bad ActiveX notices in the TechNet post about out-of-date ActiveX control blocking.
At this point, the only "bad" ActiveX controls on the blacklist are for very old versions of Java. You can see the blacklist, and discern the bad versions of Java, by looking at Microsoft's online iecvlist.
Worth noting: Firefox, Chrome, and Safari have had similar blacklists/blocklists for years -- Firefox started the trend back in 2008. The other products' blocks aren't limited to ActiveX controls (that's a unique IE "feature"), but take out all identified bad plug-ins.
There's one more worthwhile feature improvement in September's Update Tuesday crop: KB 2979501 adds several RAW camera file formats to Microsoft's Camera Codec Pack for Windows 8.
That's it for the "Update" part of the program. The rest are bug fixes.
There are three "important" security bulletins, down in the snore zone, and a whole lotta "other":
- The patch for Security Advisory 2871997, originally issued in May, was re-issued. The original problem involves a series of holes in the way Windows handles credentials. The patch was re-issued in September, apparently to correct a timing problem with the release of credentials.
- The patch for Security Advisory 2905247 was also re-issued. First fixed in December 2013, this .NET Framework patch was re-released "to offer the security update via Microsoft Update." Harumph. Along with this patch, Microsoft re-released related .NET Framework patches KB 2894852, 2894842, 2894854, 2894854, 2894855, and 2894856, all of which apparently have programming errors requiring complete re-installation.
- A third Security Advisory patch, 2755801, was re-released to fix an additional problem found with this two-year-old patch for Adobe Flash Player running in Internet Explorer. The Security Advisory references Adobe Security Bulletin APSB 14-21, which describes a Sept. 9 patch for 12 separately identified security holes.
- Various patches for bugs in February's KB 2670838; a fix for a bug in the Server 2012 Secure Boot Advanced Installer; an update rollup for Windows 8, RT, and 2012 that fixes nine bugs; a big update rollup that fixes 22 bugs in Windows 8.1; a fix for a bug in January's KB 2857650; a fix that actually enables the "Do not connect to any Windows Update Internet locations" group policy that hasn't been working in Windows 8; a fix for a bug in the way the Win8 unattended.xml file is processed in unattended installations; and fixes for bugs in MS13-066/KB 2843638 and KB 2843639.
- Then there are changes to the metadata -- typically affecting the installation logic -- for 59 different security bulletins, dating back to 2010. In addition there are metadata changes for 37 more Windows updates.
- Finally, we get metadata changes to KB 2975719, the Windows 8.1 "Update 2" patch that caused so much headache last month. The patch was re-released just a week ago. That particular KB article is one month old, and it's up to Revision 18.0. This month it's been bumped up from an "optional" to an "important" update.
From where I sit, that's two new features and a whole lotta same old, same old piled higher and deeper. Hardly a renaissance in rapid delivery of new Windows features.
How are the patches faring this month? I haven't heard too many howls of pain yet, but already there are some people reporting problems with -- you guessed it -- the new, improved, re-re-re-issued KB 2975719, Windows 8.1 "Update 2."
This story, "Microsoft's new Update Tuesday looks a whole lot like the old Black Tuesday," was originally published at InfoWorld.com.