Microsoft's patch hangover: KB 3008923, 2553154, 2726958, 3004394, 3011970

Microsoft elves applied a few band-aids, but a slew of December Black Tuesday patches didn't get fixed over the holidays


December 2014 will likely go down in the annals of Windows pain as the worst patching month ever. Depending on how you count, roughly a quarter of all the patches that rolled out the Automatic Update chute on Dec. 9 have encountered problems -- some quite spectacular. Microsoft's more advanced customers (the ones who figured out why their machines weren't working right) have complained bitterly.

You might think that while the rest of us were downing copious quantities of eggnog and designer microbrew, the Microsoft elves would have been busy fixing what went wrong. While there's been progress, many of the problems have been abandoned. Others were given a quick band-aid and declared fixed. With one week to go before a new year of Black Tuesdays starts, we're looking at lots of dead and wounded.

Here's where the situation stands, as best I can tell.

The MS14-082/KB 3017349 Office patch, which "resolves one privately reported vulnerability" in Office 2007, 2010 and 2013, threw off all sorts of errors, as I reported on Dec. 11. The three component patches, KB 2726958 for Office 2013, KB 2553154 for Office 2010, and KB 2596927 for Office 2007, are still being offered via Automatic Update.

Microsoft issued KB 3025036, which describes three different errors generated by the bad patch. That KB article includes manual solutions, including two Fixits, numbers 51029 and 51031. The KB article went out on Dec. 15 and has been revised almost continuously, with the latest revision out Jan. 5. It now stands at revision 8.0. Yes, that's eight versions in 21 days. The original patches haven't been pulled or modified, and they're still going out with the same errors.

If you build custom macros for Office, and MS14-082 has broken your macros, you get to tell all of your customers that it's Microsoft's fault, and they need to manually install one or more of the four different manual fixes Microsoft has provided. Since there's no changelog for KB 3025036, there's no way of knowing what's new, so you should probably tell them again today to apply the latest fixes.

The MS14-080/KB 3008923 cumulative Internet Explorer security patch, which started an avalanche of problem reports after it was released, hasn't seen any improvement since Dec. 18. That's when Microsoft issued KB 3025390, the patch-of-a-patch that solves problems with nested modal dialogs in Internet Explorer 11. While KB 3008923 mentions "limited reports of Internet Explorer 9 crashing" after installing the roll-up, there's been no further information about the crashes that I can find.

The security roll-up hasn't been pulled; it's still being distributed with the bug that screws up nested modal dialogs in IE11 and, presumably, the one that crashes IE9.

Windows root certificate update MS14-075/KB 3004394 triggered unprecedented volumes of complaints. Microsoft found that the patch really screwed up Windows 7 and Server 2008 R2 systems, and yanked it on Dec. 11 -- a remarkably fast response time. The same patch for Windows 8/8.1/RT/Server 2012 is still being offered and doesn't seem to have the same problems.

That same day Microsoft released its "silver bullet" patch, KB 3024777, which has one purpose: to kill KB 3004394 on Windows 7/Server 2008 R2 systems -- and leave few, if any, traces behind. Worth noting: KB 3024777 is now up to revision 7, last updated on Dec. 22. Again, there's no changelog, so it isn't clear what's being fixed and why.

I've read remarks from dozens of people who claim they have uninstalled KB 3004394 manually, with no ill effect. But Microsoft has warned that a manual uninstall could leave your system unstable. I haven't seen an explanation as to why manually uninstalling the patch can lead to grief, but it's best to determine if you have KB 3004394 installed; if so, download and install the silver bullet KB 3024777.
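One way to make that determination from a PowerShell prompt, as an added example that is not from Microsoft or the original article. The function name and output fields are illustrative; it uses only the built-in Get-HotFix and Get-WmiObject cmdlets, so it runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example: report whether a host still carries the recalled
# MS14-075 root certificate update and what to do about it.
# Get-Kb3004394Status is a hypothetical name, not a Microsoft cmdlet.
function Get-Kb3004394Status {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Windows 7 and Server 2008 R2 both report OS version 6.1.x.
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    $isWin7Family = $os.Version -like '6.1.*'

    # List every installed hotfix once and filter locally, so that a
    # KB that is absent is a simple "false" instead of a cmdlet error.
    $installed = @(Get-HotFix -ComputerName $ComputerName |
                   Select-Object -ExpandProperty HotFixID)
    $hasRecalled = $installed -contains 'KB3004394'
    $hasRemoval  = $installed -contains 'KB3024777'

    if (-not $isWin7Family) {
        # The patch was only withdrawn for Windows 7/Server 2008 R2.
        $action = 'None (KB 3004394 was not withdrawn for this OS)'
    }
    elseif ($hasRecalled) {
        # Microsoft warns against a manual uninstall; use the removal update.
        $action = 'Install KB 3024777; do not uninstall KB 3004394 by hand'
    }
    else {
        $action = 'None (KB 3004394 is not installed)'
    }

    New-Object PSObject -Property @{
        ComputerName = $ComputerName
        OSVersion    = $os.Version
        HasKB3004394 = $hasRecalled
        HasKB3024777 = $hasRemoval
        Action       = $action
    }
}

# Check the local machine.
Get-Kb3004394Status | Format-List
```

Get-HotFix lists only updates serviced through Windows itself, so MSI-based Office patches such as KB 2553154 will not appear in its output and need a separate check.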

The Silverlight patch, KB 3011970 (the patch so bad that Time Warner Cable recommended you uninstall it) was pulled on Dec. 11. According to the latest version of KB 3011970, it was re-released shortly afterward:

This update was released on December 12, 2014 and offers a new build (version 5.1.31211.0) of Microsoft Silverlight for users of recalled version 5.1.31010.0… This update is included in current Silverlight installers. If you do not have Silverlight installed, the update will be offered to you on compatible systems by Microsoft Update.

This was news to me -- and apparently to some folks at Microsoft -- because KB 3011970 isn't listed anywhere in the official Microsoft Update list in KB 894199.

The Exchange Server 2010 SP3 update roll-up 8, KB 2986475, which was pulled on Dec. 10, was re-released on Dec. 12. This sleight-of-hand is also missing from the official Microsoft Update list in KB 894199.

KB 3002339, the optional Visual Studio 2012 bug fix that resolves a conflict with .NET Framework 4.5.3, hasn't been changed since December. The problem with installation hangs continues to this day. The solution: Download and install it manually.

Apparently there was an installation problem with the Internet Explorer Flash Player patch for Win8/8.1/RT/Server 2012, KB 3008925. Although the KB article doesn't mention any problems, the master Microsoft Update list says it was released on Dec. 9 and re-released on Dec. 17.

Those are my as-yet-outstanding lumps of coal for December's Black Tuesday patches. Do you have any to add to the list?

Copyright © 2015 IDG Communications, Inc.
