Patch Tuesday

Extra Windows 10 CU for This Month Rolling Out Now (KB4015438)

Microsoft is rolling out a second cumulative update for Windows 10 today – just a week after the first. This one is intended to fix some bugs and issues that were introduced by the first one. KB4015438 is available now through Windows Update and here’s what it fixes: Addressed a known issue with KB4013429 that caused Windows DVD Player (and 3rd party apps that use Microsoft MPEG-2 handling libraries) to crash. Addressed a known issue with KB4013429, that some customers using Windows Server 2016 and Windows 10 1607 Client with Switch Embedded Teaming (SET) enabled might experience a deadlock or when changing the physical adapter’s link speed property. This issue is most commonly seen as a DPC_WATCHDOG_VIOLATION or when verifier is enabled a VRF_STACKPTR_ERROR is seen in the Mem...

Windows 10 March CU KB4013429 Breaks Data Display for Dynamics CRM 2011

UPDATE March 23, 2017: A fix is now available: Microsoft Releases Fix for Form Display Issue for CRM 2011 on IE11. If you’re a Microsoft customer using the combination of Windows 10 and Dynamics CRM 2011, you’ll want to be aware that this month’s cumulative update for Windows 10 causes display issues for forms and data display in Microsoft’s customer relationship server. A community support thread is located here: Win10 March cumulative update KB 4013429 breaks display of forms in MS Dynamics CRM 2011. The workaround currently is to uninstall the CU. Additionally, some users are also reporting that Windows 7 and Windows 8.1 PCs have the same issue. For Windows 7 uninstalling KB4012212 solves the issue, for Windows 8.1 it’s KB4012216. Microsoft has yet to acknowledge...

Microsoft Delays Ending Security Bulletin Demise

In a blog post announcing the security updates for March 2017, Microsoft also distributed the following terse blurb: Security bulletins were also published this month to give customers extra time to ensure they are ready to transition their processes. Missing from the statement is a new deadline date. Does this mean the company has moved it by a month since it skipped delivering security updates to customers in February – or is the date still undetermined? We’re reaching out to Microsoft for clarification.

Patch Tuesday for March 2017 is Coming But It’s Guesswork

Famously now, Microsoft skipped patching its Windows platform in February 2017 for an uncited reason and stated that it would restart the updating engines for March’s Patch Tuesday. Patch Tuesday is now just a day away and Microsoft has a lot of catching up to do. Will the company provide security fixes for the myriad of zero-day flaws that have cropped up since the last security update? Will customers see fixes for vulnerabilities that have been left unfixed since late 2016? Can customers count on Microsoft to patch wide-open security holes that 3rd parties have taken upon themselves to provide their own patches for Microsoft’s own customers? Missing a single month has had wide-ranging repercussions. For those tasked with keeping corporate assets safe it may have seemed like a...

ACROS Security Takes Up Slack Left by Absent Microsoft with Zero Day Patch

It’s best to be very wary of any non-vendor patches for specific vendor flaws. But, this is just another effect of what Microsoft has caused due to skipping an entire month of security patches in February 2017 while zero-day flaws in its operating systems continue to be reported. If skipping patching platform security isn’t bad enough, the company has failed to communicate in any meaningful way about why it skipped a month. ACROS Security has developed a patch for the recently communicated flaw in gdi32.dll and talks about it in the following blog: 0patching a 0-day: Windows gdi32.dll memory disclosure (CVE-2017-0038) According to the ACROS site… ACROS, located in Slovenia, is a family owned, self-funded company. An equal-opportunity employer with extremely low staff turnover, i...

While Customers Wait for March, Microsoft Software Flaws Continue to Mount

As Microsoft continues to lackadaisically count down the days until its March Patch Tuesday, yet another zero-day bug has been publicly unveiled. This new bug, also announced by Google’s security research team, affects both Internet Explorer 11 and Microsoft Edge: Microsoft Edge and IE: Type confusion in HandleColumnBreakOnColumnSpanningElement This makes the second bug revealed in just a few weeks’ time. Microsoft customers were already waiting for a third bug to be completely fixed since late 2016 – which Microsoft failed to acknowledge with a fix in January. Microsoft then skipped February’s Patch Tuesday altogether, stating it would resume security patching in March. The company hasn’t been forthcoming about why it skipped providing security patches for its plat...

February’s Flash Security Update on the Wires from Microsoft

Microsoft decided to at least deliver one security patch this month, this one for a critical Adobe Flash vulnerability. The update is available now over Windows Update. Associated KB article: MS17-005: Security update for Adobe Flash Player: February 21, 2017 This security update resolves vulnerabilities in Adobe Flash Player if Flash Player is installed on any supported edition of Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows 10, Windows 10 Version 1511, Windows 10 Version 1607, Windows 8.1, or Windows RT 8.1. Microsoft has promised to resume normal Patch Tuesday operations in March. Customers are hoping the March updates will plug a couple zero-day holes. One was partially fixed last year, and the other has yet to receive an update though it’s been known for 9...

Microsoft Set to Release Flash Security Update on Tuesday

Microsoft may have skipped February for patching its own systems, but the company will use Tuesday, February 21, 2017 to at least release an update to secure the Adobe Flash components in its Internet Explorer and Microsoft Edge web browsers. Years ago, Adobe piggy-backed on Microsoft’s own Patch Tuesday to help ease the burden of IT administrators when patching. But, with Microsoft skipping February 2017 for no publicly communicated reason, that has left Flash in modern web browsers with exposed vulnerabilities. Instead of waiting until March as it has planned to do with its other security updates, Microsoft has notified paid support customers by email today that they should expect the Flash updates to deliver on Tuesday.

As Microsoft Skips Patching, Zero-days Pile Up

A severe SMB flaw is still in the wild after Microsoft has failed to patch it and has also skipped February’s Patch Tuesday for reasons the company will not communicate. Now, according to a policy for a 90-day stay between notifying the offending company and making a flaw public, Google’s security research team has outed yet another vulnerability in Microsoft’s Windows platform. This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public. It’s being reported that Microsoft fixed portions of this recently reported flaw, but stopped short of fixing the entire vulnerability. Details on this latest flaw here: Windows gdi32.dll heap-based out-of-bounds reads / memory...

Microsoft Skips February’s Patch Tuesday Altogether

Just a couple days after announcing it was going to delay its regularly scheduled security patch day, Microsoft has updated the original announcement to now say… UPDATE: 2/15/17: We will deliver updates as part of the planned March Update Tuesday, March 14, 2017. Rumors swirl. Some have suggested that the reason is due to infrastructure problems. Others say it’s because of Microsoft’s upcoming Windows 10 Creators Update and that the March schedule coincides better with the big release. Still others are concerned that Microsoft’s big shift into differential updates is causing some last minute problems. It’s interesting, to say the least. Microsoft has rarely (if ever) been one to delay patches even when a patch or two cause customer pains, but its new patching policy built ...

Microsoft’s Strict Patching Policy Puts Customers at Risk of Zero-day SMB Exploit

A couple weekends ago, news of an SMB exploit in Windows 8.1, Windows 10, and Windows Server editions was discovered and reported in hopes that Microsoft would deliver an update to plug the hole. Further investigation reveals that Microsoft has known about the issue, but failed to deliver a fix in its Cumulative Update releases for the past 3 months. The company is rumored to deliver the update this month, but the exploit has already gone live in the wild. The problem is serious enough to warrant an alert from US-CERT: Microsoft Windows SMB Tree Connect Response denial of service vulnerability. Why Microsoft has failed to deliver a fix has not been communicated by the company. However, many blame it on Microsoft’s latest attempt at rewriting its patching policies due to how it needs to...

Microsoft Gives “All Clear” Message on Monthly Preview Rollups for Pre-Windows 10 OS’s

Customers have been complaining to Microsoft for some time that the Windows maker just isn’t supplying enough information about its updates and what the updates contain. Call it what you will, but here’s a little levity for you in Microsoft’s updating process. The company today provided information on its Update History pages for both Windows 8.1 and Windows Server 2012 R2 and Windows 7 SP1 and Windows Server 2008 R2 SP1 to say that customers shouldn’t be expecting anything new today. Or, as Microsoft put it…