-
Problems with yesterday’s Win10 1709 patch, KB 4090913, starting to appear
I’m seeing some reports of problems with yesterday’s Patch Monday single-purpose cumulative update for Win10 1709.
Computerworld Woody on Windows.
UPDATE: We have a report of the “reboot to black” bug in the Win7 Feb. Monthly Rollup KB 4074598.
-
Patch Lady – Servicing Stack Updates
Patch Lady Susan here: This will be a post whereby I don’t answer a question, but rather bring up many more questions. Firstly here are some OLD background posts on what is going on with the component based servicing process which is the underlying engine that does the installing and updating on a Windows machine since the Vista era.
First read part one on Windows servicing from the Joscon blog.
Then read part two on Windows servicing from the Joscon blog.
And here another one to read as background material.
Read all of those first. It gives you a bit of background in how vastly Windows has changed in updating since the Windows XP era.
For all of the times I track issues with patching, there is one truth in how we deploy now — assuming a healthy machine and a large enough hard drive, one can go from newly installed to fully patched in a much, much shorter time frame than we ever could in the Windows 7 era. With a minimum of rebooting I can get a machine fully operational – and even better – installed from scratch in less than an hour if the machine is peppy and has an SSD hard drive.
Now that you have that background (and probably a bit of headache reading all that) I’ve noticed something recently with Windows 10 releases. We are getting a servicing stack update about each time we get a patch for the platform. Take today’s release to fix the USB issue in the form of KB4091913. Concurrently with that release was a servicing stack update in the form of KB4091914.
The increasing use of servicing stack updates just leads me to have more questions and not a lot of good answers. Historically such updates were rare, not every release. They are usually not uninstall-able, and help Windows Update do a better job.
My concern is that once upon a time Microsoft mandated that every update could be uninstalled to allow you to roll back from any issue. There have been some historical scattered reports of issues that occur after a servicing stack update has been installed. Conversely there have been times – especially on Windows 7 – where a servicing stack update has done wonders to speed up the install of updates.
I’ll see if I can dig into why we’re getting these more often. In the meantime, keep an eye out for this and I’ll let you know if I see any side effects.
-
Microsoft claims it’s solved the USB problem with Win10 1709 cumulative update KB 4090913
Welcome to Patch Monday!
A few hours after I posted my diatribe in Computerworld, taking Microsoft to task for not fixing Win10 Fall Creators Update, version 1709, wouldn’tcha know it, but Microsoft released yet another cumulative update for 1709 that claims to fix one (not all) of the admitted problems with Win10 FCU.
KB 4090913 brings Win10 version 1709 up to build 16299.251.
According to the KB article its sole raison d’être is fixing the USB bug introduced in the last cumulative update.
Addresses an issue in which some USB devices and onboard devices, such as a built-in laptop camera, keyboard, or mouse, stop working. This may occur when the Windows Update servicing stack incorrectly skips installing the newer version of some critical drivers in the cumulative update and uninstalls the currently active drivers during maintenance.
That’s all she wrote. The other bugs are still there:
- Windows Update History reports that KB4054517 failed to install because of error 0x80070643.
- After installing this update, some devices may fail to start, and return INACCESSIBLE_BOOT_DEVICE.
- Because of an AD FS server issue that causes the WID AD FS database to become unusable after a restart, the AD FS service may fail to start. / There is no way to undo the database corruption. To return your AD FS server to a functional state, you must restore it from a backup.
There’s also an out-of-out-of-band Servicing Stack update, KB 4090914.
I suggest you hold off until we find out if this patch actually fixes the problem, or if some other ogre jumps out and bites.
-
Drumroll, maestro! Introducing our new MVPs
I’m very happy to announce the coronation of six new MVPs.
@AlexEiffel
@Ascaris
@Elly
@PaulT
@RCPrimak
@RetiredGeek
Each has demonstrated both remarkable technical capabilities and — every bit as important — a willingness to help the hapless. Like me, for example.
Please join me in welcoming them to the AskWoody sanctum sanctorum, and wish them a long and happy reign!
-
MS-DEFCON 3: Most February 2018 patches are good to go
Unless you’re running Windows 10 Fall Creators Update (version 1709), now’s a good time to get all outstanding Microsoft patches installed.
Important details in Computerworld Woody on Windows.
KB Error: In the Computerworld article I list KB4077525 as the Security-only patch for Win7, but it’s for Server 2016. The Security-Only Feb patch for Win7 is KB4074587.
Thx, @PKCano!
-
If you’re using the newer Office file formats in older versions of Office, the Compatibility Pack is going away in April
As many of you know, Microsoft changed the format of Office documents in Office 2007. The old DOC documents became DOCX, XLS workbooks became XLSX, PPT Powerpoint stacks became PPTX, and various additional file formats (templates and the like) changed.
The net result was that anybody who wanted to use Office 2003 to open or edit Office 2007 or later documents was up the ol’ creek without a paddle.
That’s where the Office Compatibility Pack comes into play. There’s a complex description in KB 924074, but the upshot is that Office Compatibility Pack works like a babel fish for Office 2003 and the (free) Word, Excel and PowerPoint viewers.
Now comes word that Microsoft is discontinuing the Office Compatibility Pack in April. Specifically, the OCP download page now says:
The Office Compatibility Pack is being retired in April, 2018. At that time, it will no longer be available for download and will no longer receive security updates.
For most of you that won’t make any difference. But if you’re still running Office 2003 (which is a mighty decent version!), it’d be wise to get the OCP installed now.
Thx JNP.
-
Patch Lady – Microcode updates
Patch Lady here — Did you happen to catch this gem in this blog about the Microsoft microcode updates?
There is also a small but subtle difference between firmware updates for the UEFI and a microcode update. A firmware update for the UEFI must be approved by the manufacturer of the motherboard. This update may also include microcode updates. These are loaded from the UEFI firmware into the CPU when the system is started. Pure microcode updates can be rolled out by Microsoft. These microcodes are loaded into the CPU when the operating system is started. The above update is therefore a microcode update, which is reloaded every time Windows starts.
Interesting. Remember that these updates are only on the Catalog download site and not on Windows update. The Microsoft blog hints that more of these Microcode updates are on their way.
The reason for this? Doing firmware updates from afar is fraught with risk and many IT admins don’t have processes in place to remotely patch firmware. There are ways with PDQdeploy and psexec scripts but if you haven’t built up a process, you’d much rather script out the install of a patch rather than the install of a firmware update. On my home and office machines I’ve become much more comfortable with installing the firmware updates from the manufacturers but I still cross my fingers and hold my breath a bit waiting for the process to complete.
For those that plan to import these microcode updates into your Server 2016 WSUS, there’s a known issue whereby one can’t import updates into WSUS based on Server 2016 like one is used to in other platforms. As noted on the WSUS blog, you’ll need to edit a bit before you can import the patch.
So what should you do if you are not a network administrator? I would still wait for two reasons:
- It’s never wise with firmware to be the first one to install. There is no easy way to uninstall a firmware update.
- I would watch for side effects and impact.
For anyone concerned about the impact of Spectre/Meltdown, I’m still not aware of widespread attacks. If you want to add a bit more security to your browsing, remember you can put in Browser isolation in Chrome by following their instructions. Test the impact as it may impact certain web sites, but if you suffer no major issues, I’d probably leave that setting in place. As is noted on the Chrome blog:
the extra security will help stop the site from stealing your data from another website.
And that’s a good thing!
-
Patch Lady – Not enough space to install 1709
Susan Patch Lady here – writing an online letter to Microsoft:
To whom it may concern at Microsoft:
I am concerned that in your zeal to make your vendors happy you are “vista-fying” Windows 10.
Let me explain:
Recently I purchased a cheap laptop because I needed another one since I am lately using a computer connected to my TV to watch online videos. Because I still needed a laptop to look up items, remote into computers and various other tasks, I needed a computer – not a tablet or an ipad – and I needed a Windows based computer. I reviewed my options for a cheap small laptop and I saw one online for a low price and purchased it. Knowing in advance it had a small SSD drive I figured that I would have fun keeping it updated and keeping the drive cleaned out. But I’m a cheap geek, and knew I had options so I purchased it. The computer came shipped with 1703 Windows Home and soon after I turned it on it started attempting to update.
The first thing I noticed after the system started checking into Windows update was how sluggish the machine had become. In reviewing the task manager both the CPU and the drive were pegged at 100% utilization causing the device to respond slowly. Please ensure that when a machine is first turned on and checking in for updates that sucking up 100% CPU and disk drive isn’t the norm. I’m seeing more and more people complain about this. Please make sure that when either Windows update or Windows Defender is operational they aren’t taking all of the resources of the system.
Then you need to make sure that a 32 gig hard drive is really suitable to handle Windows 10 semi-annual feature releases. In my case it’s not and demanded that I have some sort of external storage available to have enough room to handle the update.
Yes, Microsoft, I know that I got what I paid for, but my point is like Vista you are causing undue harm to a platform by letting vendors install it on price points and platforms it shouldn’t. When you shipped Vista, the driver ecosystem wasn’t ready and you had vendors install it on hardware that couldn’t handle the operating system. If one installed Vista on the RIGHT hardware it actually worked just fine.
I’m seeing in the consumer space of Windows 10 that multiple vendors have selections in this 32 gig space that will have issues getting any feature update installed. After I get this laptop upgraded to 1709, there’s an HP Envy tablet that a friend of mine has that I have to help it up to 1709 as well.
I’ll be filing a bug on this, but please don’t “vista” any more vendor offerings. Any Windows device should be able to handle a feature update without any external storage – at least in my opinion. And I’ll bet many of your frustrated customers think that way too.
To anyone else suffering from this issue, evaluate your options. In my case I’m ordering a MicroSD card to add a bit more space. For the Envy tablet I’ll be recommending we purchase that as well to give it breathing space to get this 1709 feature update installed. Remember you can evaluate the files and storage on the machine and even turn off hibernation temporarily to gain a bit more space as noted in this blog post. Microsoft does make it obvious during the upgrade to 1709 that it needs additional storage space and gives a very obvious GUI interface indicating that it needs more storage space. After the install remember you have 10 days before it automatically deletes the prior version so check your applications to make sure there are no issues. 1709 is now the most broadly released version, but if you are stuck back on 1703, I would recommend going to the Software download site and trying to install from the update now link at the top of the page and have a MicroSD card on hand should you get stuck.
-
Keizer: Windows 10 shows sign of enterprise upgrading
Keizer’s Computerworld take relies on the numbers reported by Net Applications:
Windows 10 actually slipped two-tenths of a percentage point in user share… during February, ending the month powering 34.1% of the world’s PC…
Using the 12-month average of Windows 7’s user share decline, Computerworld forecasts that the aging OS will still account for about 35% of all active Windows editions in January 2020
It’s clear which way the wind is blowing — but I wonder how many will abandon Win7 in 23 months?
-
Is it time to give up on 7-Zip?
I’ve been a 7-Zip fan for, like, forever. That’s why it pains me to report that several people — people who know what they’re doing — are taking 7-Zip to task for failing to keep up with key security features.
On Jan. 28, I posted an article on Computerworld titled Multiple vulnerabilities in 7-Zip. Get it updated now!
I thought that Igor Pavlov’s new release, version 18.01, took care of the major security problems. I was wrong.
The core of the problem: Pavlov refuses to add ASLR (Address Space Layout Randomization) to the product, and won’t compile 7-Zip with the /GS Buffer Security Check flag. (Good overview of both technologies on the ISV Software Security page.)
This was part of landave’s original complaint:
I have discussed this issue with Igor Pavlov and tried to convince him to enable all three flags. However, he refused to enable /DYNAMICBASE [the ASLR flag] because he prefers to ship the binaries without relocation table to achieve a minimal binary size. Moreover, he doesn’t want to enable /GS, because it could affect the runtime as well as the binary size.
So how bad is it? Microsoft Security Response Center engineer (not speaking in an official capacity!) Joseph Bialek says:
What year is it @7zip ?? You guys still running on 90’s hardware??
Stefan Kanthak, whom I quoted in the Computerworld Microsoft is distributing security patches through insecure HTTP links article, says in a private message:
[7-Zip’s] INSECURE shell extension is loaded into explorer.exe, and allows an attacker to leverage its MULTIPLE shortcomings. For example Sun/Oracle made such a blunder when they deployed an outdated MSVCRT71.dll with their Java Runtime Environment, which allowed attackers to take advantage of its flaws.
I’m not so concerned about individual, manual use, but the incorporation of 7-Zip binaries into other packages. An anonymous poster here on AskWoody came up with a long list of other packages that rely on 7-Zip, including WinRAR, Flash, and some .NET applications.
I’m not yet ready to throw my copy of 7-Zip in the bit bucket. But I wonder if that’s just inertia.
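As an added example (not from the original post or from 7-Zip), this Python sketch reads the PE header fields behind the /DYNAMICBASE discussion above: the DllCharacteristics opt-in bit and whether a relocation table is still present. The function names and the constructed header-only sample image are assumptions made for illustration.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001  # COFF Characteristics: no base relocations
DLLCHAR_DYNAMIC_BASE = 0x0040        # DllCharacteristics bit set by /DYNAMICBASE
DLLCHAR_NX_COMPAT = 0x0100           # DllCharacteristics bit set by /NXCOMPAT
BASERELOC_DIR = 5                    # data-directory index of the relocation table

def aslr_report(image: bytes) -> dict:
    """Header-level ASLR facts for a PE image. /GS has no header flag and is not checked."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)      # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (characteristics,) = struct.unpack_from("<H", image, pe_off + 22)
    opt = pe_off + 24            # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional-header magic")
    dirs = opt + (96 if magic == 0x10B else 112)           # PE32 vs PE32+
    (dll_char,) = struct.unpack_from("<H", image, opt + 70)
    (num_dirs,) = struct.unpack_from("<I", image, dirs - 4)
    reloc_size = 0
    if num_dirs > BASERELOC_DIR:
        _rva, reloc_size = struct.unpack_from("<II", image, dirs + 8 * BASERELOC_DIR)
    dynamic_base = bool(dll_char & DLLCHAR_DYNAMIC_BASE)
    has_relocs = reloc_size > 0 and not characteristics & IMAGE_FILE_RELOCS_STRIPPED
    return {
        "dynamic_base": dynamic_base,
        "nx_compat": bool(dll_char & DLLCHAR_NX_COMPAT),
        "has_relocs": has_relocs,
        # The loader can only move an image that opts in and still carries relocations.
        "aslr_effective": dynamic_base and has_relocs,
    }

def sample_pe32(dll_char: int, characteristics: int, reloc_size: int) -> bytes:
    """Constructed header-only PE32 image for the demo; not a real binary."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                # e_lfanew -> 0x80
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x80 + 20, 224, characteristics)
    opt = 0x80 + 24
    struct.pack_into("<H", img, opt, 0x10B)                # PE32 magic
    struct.pack_into("<H", img, opt + 70, dll_char)
    struct.pack_into("<I", img, opt + 92, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8 * BASERELOC_DIR, 0x3000, reloc_size)
    return bytes(img)
```

To audit a real file, pass its bytes, for example `aslr_report(open(path, "rb").read())`; a binary shipped without a relocation table reports `has_relocs` and `aslr_effective` as false.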
-
Keizer: Microsoft’s browsers are dying
Er, dieing. Sorry.
Gregg Keizer has a good look at the rapid decline of the IE (+ Edge) hegemony.
Even though IE showed an uptick in usage last month, per Net Applications, the prognosis for Microsoft browsers is dismal:
By the time Microsoft retires Windows 7, and for effective purposes, IE as well, Windows 10 should have reached a user share (of all Windows) of around 63.6%, assuming its climb continues on the past year’s trend line. If Edge hasn’t, well, edged up as a share of all Windows 10 by that time – and all evidence is that it will not – then Microsoft’s active browser share will be in the single digits, perhaps as low as 6%.
Hard to imagine IE + Edge at 6%, but then again Windows Phone took a hard, fast fall, too.
-
How frequently is Microsoft Security Essentials getting updates?
While I wasn’t watching, it looks like the frequency of MSE updates has increased.
GL just wrote to me:
Microsoft Security Essentials used to have one update a day. Recently I’ve been getting 2 a day. Now today it looks like I’ll be getting morning, afternoon and evening. What’s up with that?
Have you seen any odd behavior?