Where are the fixes to the botched June Office security patches?

Topic

New Reply

After a series of pushed-then-pulled buggy fixes to the admittedly buggy patches, we’re still waiting for updated versions. Article coming in Computer
[See the full post at: Where are the fixes to the botched June Office security patches?]

1 user thanked author for this post.

HiFlyer

Reply | Quote

Replies

Its absolutely unbelievable that these patches aren’t released yet.. Causing such issues..

Reply | Quote

I don’t find it hard to believe.

It’s easy to hack a small patch in. And sometimes a little change is all that’s needed – for example a buffer length check is added. That may even be a majority of the patch cases.

However, in the case of a software design flaw allowing someone to compromise the system, it’s WAY harder to re-design just enough of the system internals so that the original problem is actually resolved, without destabilizing it, ruining performance, or just spending way too much time and money at the work.

In software engineering circles, it’s known as “going down the rabbit hole”.

Thinking about extremes, at some point you could imagine an engineer having to re-design a great deal of the system – then lo and behold you’d have a whole new version of the OS, redesigned from the inside out. Such things can surely get out of hand.

In these kinds of cases the only good solution is either to design it better to start with (i.e., so there’s no vulnerability in the first place), or to bring very experienced, very smart people in who know the system well to redesign just enough so that the vulnerability is eliminated, but without breaking a bunch of other things or making the system much less efficient.

Trouble is, the original designers may be gone. Heck, Windows is old enough that they may even be dead of old age. They may not have documented it well, and the people tasked with working on the patch might not know enough to fix it. Without a test organization, we know who gets to find the botched patches.

There may actually be things they will NEVER be able to fix.

-Noel

4 users thanked author for this post.

SueW, ryegrass, ch100, HiFlyer

Reply | Quote

computerworld.com has an insecure connection

Reply | Quote

Yep. I mistakenly posted an “https” link, when it should’ve been “http.”

2 users thanked author for this post.

HiFlyer, satrow

Reply | Quote

This would appear to be another example of how the degradation of the QA testing at MS is hurting users and MS. Time and again, we see update patches pushed out by MS with issues that would likely have been caught with more rigorous QA testing pre-release. The idea of coopting users as uncompensated beta testers will never be a substitute for real in-house testing.

4 users thanked author for this post.

fk5353, HiFlyer, SueW, Elly

Reply | Quote

Oh, I dk: what consequences has MS suffered to date for it? None. OTOH, it sure did save them money.

Reply | Quote

To date, not much. But it is at best a short term play to save some money. The longer MS does not have proper testing the more likely they release a real nightmare of a patch. When this patch hits it will be not only in the tech press but in the regular media and all over Facebook. The howling will be loud and fingers will be pointing. As Woody noted on the recent Atom dust up, this will be a foreseeable consequence of poor testing.

As a programmer I respect my testing colleagues because they have save my hindquarters many times from a dumb mistake I made and never caught. And yes, I test my code.

3 users thanked author for this post.

Noel Carboni, SueW, HiFlyer

Reply | Quote

I do find it ironic that there’s an article about the delay in fixing botched patches but I can’t read it because of the delay in the site sorting out its certification :)!

Thanks for the article Woody, I look forward to reading it shortly!

Reply | Quote

HA!

It’s all my fault. Sorry about that….

3 users thanked author for this post.

HiFlyer, Jan K., Seff

Reply | Quote

No problem Woody, thanks for fixing the link.

I’ve read the article. The only one of the updates that I was offered in June is KB3203467 which I didn’t install as it became unchecked and was known to be buggy. It’s still being offered today but remains unchecked.

1 user thanked author for this post.

woody

Reply | Quote

At work we received that email from Microsoft Premier last Monday concerning security patches for Outlook to be released on Tuesday. Then Wednesday, a new email came telling us that they postponed the updates for at least one week. At least they didn’t released them and use us as guinea pigs.

Excerpt from the email:

This alert is notification that we have postponed the release of new security updates for Outlook that address known functional issues, previously scheduled for July 18, 2017.

Answers to anticipated questions

Q: When can we expect the Outlook updates to be released?
A: The release is postponed for at least one week. When we have a new target date for the release, we will send a notification in a new alert.

Q: Why was the update release postponed?
A: Quality of updates is a top priority. We identified an issue that requires additional code changes and testing before release.

Q: Where can I find more information about the status of functional issues affecting Outlook from the June release?
A: When more information is available, it will be added to the Office Support Article Outlook known issues in the June 2017 security updates.

Q: How can I be notified whenever Microsoft releases new security updates or revisions to existing security updates?
A: You can receive automatic notifications whenever Microsoft releases new or revised security updates by subscribing to  Microsoft Technical Security Notifications.

3 users thanked author for this post.

ch100, HiFlyer, woody

Reply | Quote

“Q: Why was the update release postponed?
A: Quality of updates is a top priority. We identified an issue that requires additional code changes and testing before release.”

 

Perhaps it would have been more accurate to say –

A. Because this release was just as broken as its predecessors.

In any event, I haven’t stopped laughing yet.

2 users thanked author for this post.

HiFlyer, windows7wasthebest

Reply | Quote

Had another user complain about Outlook blocking attachments this morning.
Installed KB4011042, no issues since. (New or old.)
I don’t get it – but I’m glad I saved KB4011042 when it was released to deploy as necessary.

2 users thanked author for this post.

HiFlyer, SueW

Reply | Quote

“Quality of updates is a top priority”    #125909

What a sick joke.  M$ should be embarrassed even using “Quality” as part of the monthy rollups.

2 users thanked author for this post.

windows7wasthebest, samak

Reply | Quote

These new interim patches aren’t cumulative. In other words, in order to get Outlook 2016 patched, for example, you had to install the June 13 patch, then install the June 30 patch.

This is not accurate

the “pulled” patches were enough on their own and completely replace current bad June patches

3 users thanked author for this post.

Noel Carboni, HiFlyer, ch100

Reply | Quote

abbodi86 wrote:

These new interim patches aren’t cumulative. In other words, in order to get Outlook 2016 patched, for example, you had to install the June 13 patch, then install the June 30 patch.
This is not accurate
the “pulled” patches were enough on their own and completely replace current bad June patches

@abbodi86    Which post# are you quoting please?

1 user thanked author for this post.

ch100

Reply | Quote

The ComputerWorld article.

4 users thanked author for this post.

Noel Carboni, abbodi86, HiFlyer, ch100

Reply | Quote

While I understand the meaning of @abbodi86’s reply and probably you too, it would be useful to clarify for everyone.

1 user thanked author for this post.

HiFlyer

Reply | Quote