KB 2553154, 2726958 clobber Excel ActiveX; KB 3011970 Silverlight, KB 3004394 Root Cert pulled

KB 3008923 crashes IE, KB 3002339 still hanging on install, KB 2986475 still pulled -- but there's a small silver lining

frustrated man at a desk

Overnight, Microsoft pulled two high-profile screwed-up patches: KB 3011970 and KB 3004394. Another patch, KB 2553154, is killing some Excel 2010 and 2013 macros, saying the ActiveX control "has stopped working in Excel." Admins are reporting that KB 3008923 has broken modal dialogs in IE. And the hang on installing KB 3002339 described yesterday is still kicking.

It helps if you have a scorecard. Let's take them in numeric order.

KB 2553154 for Office 2010 and KB 2726958 for Office 2013 -- both part of security bulletin MS14-082 -- are supposed to "resolve a vulnerability that could allow remote code execution if a specially crafted file is opened in an affected edition of Microsoft Office."

Poster Mike Pederson reported on Wednesday, in Stackoverflow:

I have some Excel worksheets that use ActiveX checkboxes to control certain activity. They worked recently, but today started to give errors. I was alerted to this by a colleague, but it was still working on my computer. I checked his version of Excel against mine and his was newer. I noticed there were new Windows updates, so I did the update. After I applied pending updates, it now no longer works on my computer. I cannot check the ActiveX checkboxes any longer, and, as a part of trying to debug, it appears I cannot even add an ActiveX control to any worksheet, even a new worksheet, any more. I get an error dialog that says, "Cannot insert object." (I can still add form controls, just not ActiveX.)

I'm seeing reports of this problem with both Excel 2010 and Excel 2013. It isn't clear at this point if the same problem applies to other Office 2010 or 2013 programs, such as Word. It's also not clear if the same problem affects Office 2007, which is included in the security bulletin.

Rory, on his Excel Matters blog, has a fix that appears to work -- you have to manually delete a specific EXD file. Either that, or uninstall the patch.

For you macro developers, I feel the pain. RonR had a spot-on comment on Stackoverflow:

Microsoft needs to release a fix. As a developer of Excel applications we can't go to all our clients computers and delete files off them. We are getting blamed for something Microsoft caused.

KB 2986475, the Exchange Server 2010 SP3 update rollup 8, was pulled yesterday, as reported. If you started rolling out the update, you need to roll it back (at least, if you want to connect to Outlook). I've seen no further official word as to the cause or the cure.

KB 3002339 -- a patch of a .Net Framework 4.5.3 patch -- is still hanging on installation for some people. If the patch takes more than, oh, 30 minutes to install, kill the installer, then manually download it, as noted yesterday.

KB 3004394 caused no end of problems -- bogus UAC prompts, Diagnostic Tool error 8000706f7, Catalyst driver installation fail, Windows Defender error 2147023113 -- as reported yesterday. It now appears as if this Windows Root Certificate patch has been pulled. As usual, there's no notification in the KB article and no official announcement that I can see. If you have it installed, I have no idea if you should uninstall it or not.

KB 3008923, the MS14-080 Internet Explorer rollup, is crashing Internet Explorer, although which versions of IE is unclear. Bryanangler2 reports on Microsoft Connect:

We have an enterprise app that heavily uses modal dialogs. This morning we were greeted with a flood of support requests that after a Windows update last night, dialogs no longer work. We isolated the issue that window.dialogArguments on secondary window no longer works.

At this point, I've seen reports of the problem with IE9 and IE11, but one report says it affects IE11 only, and not IE9 or IE10. As usual, there's no acknowledgment of the problem in the KB article (although the KB article does say there may be an installation error 8024001d with Windows 10 Technical Preview). No clue as to a workaround.

Finally, KB 3011970 -- the Silverlight patch -- crashed so spectacularly that Time Warner Cable issued an alert, with instructions to manually uninstall the patch:

Late Tuesday afternoon, Microsoft released an update to their Silverlight Player (used for video playback on TWCTV.com) for Windows. The update contained a bug which caused the digital rights management (DRM) system to fail. This impacted multiple Silverlight applications from various providers, not just TWC TV. We believe Microsoft has pulled the bad update, but many users will have already received the update. (Note: this is unrelated to the recent Macintosh Chrome browser compatibility issue. Chrome on the Mac remains unsupported due to Google’s decision to pull support for the plug-in, and our engineers are working this issue).

 Any customers who have installed the update on their Windows 7 machine will receive the message, “An error has occurred.”

The patch has been pulled, so the lemmings, er, customers with Windows Automatic Update turned on won't be bothered by it again. Of course, the KB article says nothing about the problem.

The silver lining in all of this? At least the patch-pulling mechanism works. Imagine how life would be if Microsoft couldn't pull the patches.

Move fast and break things.

Copyright © 2014 IDG Communications, Inc.