Microsoft redoes SChannel patch, releases MS14-068/KB 3011780, KB 3000850

Three unexpected patches barreled out of the Automatic Update/WSUS chute, including a massive Windows 8.1 patch rollup


You have to ask yourself one question, "Do I feel lucky?"

This may not be the second Tuesday of the month -- the traditional Patch, er, Update Tuesday -- nor is it the fourth Tuesday of the month, Overflow Tuesday. But it is, undeniably, the third Tuesday of the month, and patches are headed our way.

First up is a much-needed update to the WinShock MS14-066/KB 2992611/SChannel/TLS security release from last Tuesday. Microsoft has revised the KB article and tossed in a new twist -- KB 3018238:

On November 18, 2014, a new secondary package was added to the release for Windows Server 2008 R2 and Windows Server 2012 to [remove four cipher suites]. This new package is update 3018238, and it will install automatically and transparently together with security update 2992611. It will appear separately in the list of installed updates.

If you already installed KB 2992611, you may need to re-install it, even if you aren't experiencing the symptoms I detailed earlier today:

If you downloaded and then installed this security update from the Microsoft Download Center for Windows Server 2008 R2 or Windows Server 2012, we recommend that you reinstall the security update from the Download Center. When you click the Download button, you will be prompted to select the check boxes for updates 2992611 and 3018238. Click to select both updates, and then click Next to continue with the updates. These packages will require two restarts in sequence during installation.

Echoing the analysis from Toby Myer that I mentioned this morning, Microsoft goes on to say:

Customers who customized their cipher suite priority list should review their list after they apply this update to make sure that the sequence meets their expectations.

If there's a more detailed explanation of what's going on, I haven't seen it, true to form for a mushroom-management patch.

It's still much too early to tell if this new KB 2992611 and its KB 3018238 sidekick will alleviate the laundry list of problems identified in the past week.
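A defender-side check, added here and not part of the article or of Microsoft's guidance: it confirms that both KB 2992611 and its KB 3018238 sidekick show up in the installed-updates list, then prints the SChannel cipher suite order so a customized priority list can be reviewed as Microsoft advises. The two registry paths are assumed to be the standard SChannel policy and local cipher suite order keys.

```powershell
# Added example (not from the article or from Microsoft): verify the reissued
# KB 2992611 and its companion KB 3018238 are both installed, then dump the
# SChannel cipher suite order for review after the update is applied.
# The registry paths below are assumed to be the standard SChannel policy
# and local configuration keys; adjust them if your environment differs.

$required  = @('KB2992611', 'KB3018238')
$installed = Get-HotFix -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty HotFixID

foreach ($kb in $required) {
    if ($installed -contains $kb) {
        Write-Output "$kb : installed"
    } else {
        Write-Warning "$kb : NOT installed - reinstall 2992611 from the Download Center with both boxes checked"
    }
}

# A Group Policy cipher suite order (REG_SZ, comma-separated) takes precedence
# over the local default order (REG_MULTI_SZ) whenever it is set.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

$policy = Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue
if ($policy) {
    Write-Output 'Customized (policy) cipher suite order is in effect; review it:'
    $policy.Functions -split ',' | ForEach-Object { "  $_" }
} else {
    Write-Output 'No policy override; local default cipher suite order:'
    (Get-ItemProperty -Path $localKey -Name Functions -ErrorAction SilentlyContinue).Functions |
        ForEach-Object { "  $_" }
}
```

Run it in an elevated PowerShell session on the server after the two restarts; a missing KB or a policy list that no longer matches expectations is the signal to act on.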

Mid-morning Nov. 18, Amazon updated its advisory to tell AWS customers that the bug only affects Amazon EC2 instances launched from Windows AMIs, and with AWS Elastic Beanstalk. There's no talk as yet of the new version of KB 2992611. Similarly, IBM has no new news about its problems with KB 2992611 as of late morning Redmond time.

The second patch, MS14-068/KB 3011780, is one of the two patches Microsoft skipped last week. This one fixes another problem with Kerberos, and it sounds pretty nasty:

[The vulnerability will] allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account. An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.

The patch will be offered for every modern (post-XP) version of Windows, including Windows 10 Technical Preview.

The third fix, KB 3000850, is an update rollup for Windows 8.1, RT 8.1, and 2012 R2. I count 60 different, separately identified fixes (Updated APN entry for Latvian Mobile Telephone, anybody?) in addition to "new features and improvements."

The last time we had an update rollup was in April, when Microsoft forced all Windows 8.1 users to install Windows 8.1 Update 1. ("Forced" in the sense that Microsoft withdrew support of Windows 8.1 for those who didn't install Update 1. You may recall how well that went over, when KB 2919355 refused to install on legions of machines.)

This time around, Microsoft learned its lesson. There's no dungeon, no cat o' nine tails, no screaming drill sergeant prodding you on:

This November update rollup also includes all previous updates since our last image update in April 2014. This is a convenient single step to bring Windows clients and servers up to date. Unlike our April update, the November update rollup is not required to be able to continue to receive security or other updates. However, we strongly recommend that you deploy it to Windows clients and servers to benefit from these new features and improvements as well as to prevent many known issues that have been resolved since April. This update is thoroughly tested to the same quality level as our previous service packs. However, unlike service packs, this update does not change the version number and does not deprecate or change any APIs in a manner that would require recertification.

As of noon Pacific time, the updates hadn't yet appeared on my machines, but undoubtedly they'll arrive shortly.

Copyright © 2014 IDG Communications, Inc.