Excel security patch MS17-014 for Excel 2010, KB 3178690, triggering crashes

Topic

New Reply

Apparently this has been fixed. At least MS says it’s been fixed. See See https://www.askwoody.com/2017/fix-released-for-the-botched-excel-2010-security-patch-kb-3178690/

[See the full post at: Excel security patch MS17-014 for Excel 2010, KB 3178690, triggering crashes]

4 users thanked author for this post.

SueW, Elly, Geo, NetDef

Reply | Quote

Replies

KB 3178690 still shows, but is no longer checked on my Windows Update.

1 user thanked author for this post.

woody

Reply | Quote

So if MS acknowledge that the patch may cause Excel to be unusable, why issue the patch in the first place?

 

Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

Reply | Quote

Could be they just don’t know what causes it yet, or whether it’s a problem with the patch at all, and they’re just managing the risk.

-Noel

Reply | Quote

And they need us, the unpaid beta testers, to test this in our production machines.

Reply | Quote

MS regularly releases buggy patches (Woody’s Defcon system). Many suspect the primary culprit is poor internal (or nonexistent) testing procedures at MS with users getting alpha/beta test grade releases too often for a patch. Thus the widespread reports of problems.

This long history of problematic patches is way many are leery of the new patching system in W10 as well as its semi-rolling/rolling release model. Buggy patches mean the old system and methods provided users with workarounds that were a pain but viable. The new system has a much higher risk of hosing a system. Also, MS seems to misunderstand why one uses a rolling/semi-rolling release distro in Linux. It is not to get new features as much as to keep entire system up to date and at the latest release including the installed non-OS software. New features are added but the side effect not the goal. Rolling release distros are not considered suitable for the average user because they require more attention to detail and knowledge to maintain.

1 user thanked author for this post.

Noel Carboni

Reply | Quote

I noticed that KB3178690 was Important, but not checked this morning (7:30 PST). I wondered what was going on, but not enough to override the Defcon guidelines…

Reply | Quote

Important but not checked. That’s a very unusual combination!

Reply | Quote

Important but not checked. That’s a very unusual combination!

Office Updates have been temporarily released as such in the recent months, except for Windows 10, where this is likely not possible, due to the Windows 10 implementation of WU/MU.
Not Office Security updates though, so this one is “special”. We may see either a re-release or a rapid release hotfix in Catalog only. But I don’t think Office 2010 is seen as priority for Microsoft now, so users impacted are better advised not to install or uninstall now and not wait for Microsoft. Most users are not impacted and as such should just wait and do nothing, regardless of the patch being installed or not.

For Windows 7 there are 2 patches which have had this behaviour, at least for a while and this is likely to never change:
KB971033 – Important unchecked
KB3021917 – Recommended unchecked/Important unchecked if Recommended is merged into Important via WU settings

3 users thanked author for this post.

walker, woody, Elly

Reply | Quote

Please read Susan Bradley’s reply here.

https://answers.microsoft.com/en-us/windows/forum/all/why-are-some-windows-7-important-updates-unchecked/8ac2f5fb-7e9b-4de5-b137-0737d1f4cc04

Why are some Windows 7 important updates unchecked by default?

Answer
Susan Bradley – volunteer here not a MS employee
Susan Bradley – volunteer here not a MS employee replied on

MVP Insider Launch expert – Windows 10

From:

http://marc.info/?l=patchmanagement&m=132536109306522&w=2

“Although we don’t generally use the word ‘throttling’ externally, that’s exactly what this is. An unchecked update in the WUapp (Windows Update Control Panel applet) is an indication of an update that’s being throttled (publicly called, “gradually releasing update x over a period of time”). This only affects the consumer scenarios: automatic update (AU) and Windows/Microsoft Update (WU/MU). And usually only the tech savvy folks would see it since they would need to open WUapp, see the update and notice it’s unchecked). Enterprise scenarios (WSUS, SMS, SCCM, SBS, SCE, MBSA) and the MU Catalog are not affected since there’s no concept of throttling (local admins like you have this control).

Updates are generally throttled when they are (a) major releases that need to be gradually deployed (like a major version upgrade for Internet Explorer), (b) when there are potential quality issues found in the first day or two of release (so we can slow the deployment while we gather data to assess the scope of an issue), or – as in this case – (c) we don’t want to hit every Windows consumer PC on the planet at an inopportune time (like during the holidays) – but still give tech-savvy admins the ability to release the update (through WSUS/SMS/SCCM or by checking the box in WUapp).

A throttled update can be seen in the LOGs as the “regulation server” not permitting the download of the update. Of course, if you interactively check the checkbox in WUapp, you will circumvent the regulation server (throttling) and receive the update anyway. ”

doug neal
Microsoft Update (MU)

Reply | Quote

Interesting. I would guess that this patch was issued, and now it’s in the process of being pulled. We may not see an update until next month….

But this does demonstrate the superiority of individual patches. Imagine if all the Office patches were bundled the way Win7 and Win10 are now…

Reply | Quote

I would say that (b) applies here:

(b) when there are potential quality issues found in the first day or two of release (so we can slow the deployment while we gather data to assess the scope of an issue)

They may or may not expire the update, depending on the outcome of the assessment and as always, costs involved.
We will find out soon if the update will be expired.

Reply | Quote

This is most likely what we’re seeing here. There are three Important security updates: Office 2010 (KB3178688) and Word 2010 (KB3178687), but only Excel’s KB3178690 is unchecked.

No, I’ll skip being an unpaid beta tester for MS.

 

Reply | Quote

(b) when there are potential quality issues found in the first day or two of release (so we can slow the deployment while we gather data to assess the scope of an issue)

AKA, the now usual forced Microsoft public and unpaid beta testing.

Reply | Quote

Lest we not forget – WE are MS’s software beta testers. Thank you so much for these valuable warnings Woody!

Have you seen the price of Tums? It's enough to give you heartburn.

Reply | Quote

I’ve got the patch on several PCs but haven’t yet seen the problem. Are there any steps that can consistently produce a crash?

Reply | Quote

Had occasion today to run MicUp on a Win7/Ent machine, and KB3178690 is still being offered, but it is unchecked by default where the other Office 2010 updates are checked by default. So even though MS know this is a bad update, instead of pulling it, they have left it available but diminished its importance. I find that baffling.

GaryK

Reply | Quote

It’s Wednesday 22nd here in Europe … still no fix?

Reply | Quote

The answer to defective updates was provided by Lord Acton, “Power tends to corrupt, and absolute power corrupts absolutely.” Within “Windows-Land” MicroRipoff is absolute power and its decision makers long ago lost interest in protecting Windows users. This patch is merely another example of indifference to customer safety. Question is, is MR to blame, or is customer silence to blame?

Reply | Quote

anonymous wrote:

The answer to defective updates was provided by Lord Acton, “Power tends to corrupt, and absolute power corrupts absolutely.” Within “Windows-Land” MicroRipoff is absolute power and its decision makers long ago lost interest in protecting Windows users. This patch is merely another example of indifference to customer safety. Question is, is MR to blame, or is customer silence to blame?

Thanks to Woody, there’s a bit less customer silence.

GaryK

Reply | Quote

Update is now ticked and kb article still lists the issue(s) as in existence?!

Can only wonder what is going on in the heads of Microsoft employees these days…
I guess this is the outcome of laying off all the original engineers who after years of hard work, actually knew what they were doing.
Now it seems MS has hired many a young new graduate with zero experience and none of the original talent have been kept on to mentor and guide the new starts.

All that wisdom gone to waste :o(

 

Reply | Quote

@Anonymous
Yesterday evening it was still unchecked in my Windows Update?

Reply | Quote

By the way: the KB-article had a revisiondate of March 24th, but I cannot detect the revision.

https://support.microsoft.com/en-us/help/3178690/ms17-014-description-of-the-security-update-for-excel-2010-march-14-20

 

Reply | Quote

Fix released today, but I haven’t tested yet.

https://support.microsoft.com/en-us/help/3191855

 

 

3 users thanked author for this post.

Volume Z, woody, Bill C.

Reply | Quote

See https://www.askwoody.com/2017/fix-released-for-the-botched-excel-2010-security-patch-kb-3178690/

Thanks!

1 user thanked author for this post.

GregH_

Reply | Quote