Newsletter Archives

  • A protocol question about KB 4099950

    Two questions keep popping up — and as far as I can tell, we don’t have any definitive answers. KB 4099950, you may recall, is supposed to be a precursor to installing the Win7 March Monthly Rollup, KB 4088875, or the Security-only patch, KB 4088878, and it’s designed to bypass the bug in those two March patches that mess up NIC settings and/or static IP addresses. KB 4099950 was tweaked on March 17, changing the installation logic, but not the patched files. It appears as if KB 4099950 is included in the latest release of this month’s Monthly Rollup, KB 4093118.

    Question 1: For those who installed KB 4099950 before March 17, can you just install KB 4093118? Will the new Monthly Rollup gloss over the problems created by the old version of KB 4099950?

    Question 2: Same question for those installing the April Security-only patch KB 4093108 (and the IE 11 patch). Can you just install those patches, or do you need to uninstall the old version of KB 4099950 first?

    If the answer’s in the docs, I sure can’t find it….

  • Now we know why this month’s Win7 Monthly Rollup, KB 4093118, installs itself over and over

    Our own abbodi86 traced down the problem.

    You gotta wonder who’s putting together these kludges for Microsoft’s second-most-popular version of Windows. Half a billion users. Billions and billions of bucks. And a dumb mistake that has some Win7 users pulling their hair out.

    Computerworld Woody on Windows.

    UPDATE: Abbodi86 has a more detailed analysis — and a fascinating discussion of the different levels of metadata — here. He also has a suggested fix for Microsoft, if they’re listening.

    It looks like Microsoft needs to fix things before the May Monthly Rollup, to avoid the same endless re-installation problems.

  • Patch Lady – KB 4099950 gets a revision

    On April 17, KB4099950 was revised. But not exactly the nicest of revisions as it demands an uninstall and reinstall:


    More information


    • This update must be installed before you install KB4088875 or KB4088878.
    • If you have previously installed KB4099950 prior to April 17, 2018 please uninstall the older version of KB4099950 and reinstall to assure you have the most recent version.

    Based on my read of this if you have already installed the April cumulative update rollup of KB4093118 you do not need to take action.

    BUT if you installed KB4099950 prior to the March updates, they are now saying to uninstall and reinstall this update. Abbodi86 in the Patch management list notes that ….

    The article is a bit misleading

    KB4099950 itself has not changed at all, same version since the release

    they only added/bundled PCIClearStaleCache.exe outside the msu file, to be used by WU/WSUS, since they only handle cab files not msu

    My action plan: I’m still an A style patcher not a B style patcher and I’m jumping over the March updates on my servers and installing the April cumulative updates on my Servers.

    If you are a B patcher (aka security only update installs only touch your machines, not the cumulative update) it’s my understanding the loss of networking never impacted the “B” security only patches.

    To me all this unfortunately reinforces that you are wise to hold back a bit in installing updates.
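
The ordering guidance in the KB text quoted above can be checked against a machine's installed-update list. The PowerShell below is an added example, not code from Microsoft or AskWoody; the function name and the sample inventory are constructed, and it assumes the updates show up in Get-HotFix output with an InstalledOn date.

```powershell
# Added example: classify a machine against the KB 4099950 guidance quoted on this page.
# KB numbers and the April 17, 2018 cutoff come from the page; everything else is hypothetical.
$Cutoff = [datetime]'2018-04-17'

function Get-Kb4099950Status {
    param([object[]]$HotFixes)   # objects with HotFixID and InstalledOn, as Get-HotFix returns

    $byId = @{}
    foreach ($h in $HotFixes) { $byId[$h.HotFixID] = $h }

    $fix   = $byId['KB4099950']
    $march = @('KB4088875', 'KB4088878') | Where-Object { $byId.ContainsKey($_) }

    # Patch Lady's reading: the April rollup means no further action.
    if ($byId.ContainsKey('KB4093118')) {
        return 'KB4093118 installed: no action needed, per the Patch Lady reading'
    }
    if (-not $fix) {
        if ($march) { return "$($march -join ', ') present without KB4099950: check NIC/static IP settings" }
        return 'KB4099950 absent: install it before KB4088875 or KB4088878'
    }
    if (-not $fix.InstalledOn) {
        return 'KB4099950 present, install date unknown: verify manually'
    }
    # KB article: copies installed prior to April 17, 2018 should be uninstalled and reinstalled.
    if ($fix.InstalledOn -lt $Cutoff) {
        return 'KB4099950 installed before April 17, 2018: KB article says uninstall and reinstall'
    }
    # Ordering rule: KB4099950 must precede the March patches (InstalledOn has day granularity).
    foreach ($id in $march) {
        if ($byId[$id].InstalledOn -lt $fix.InstalledOn) {
            return "$id was installed before KB4099950: check NIC/static IP settings"
        }
    }
    return 'KB4099950 is the current version and precedes any March patch'
}

# Constructed sample inventory (not real output). On a live system pass (Get-HotFix) instead.
$sample = @(
    (New-Object PSObject -Property @{ HotFixID = 'KB4099950'; InstalledOn = [datetime]'2018-04-02' }),
    (New-Object PSObject -Property @{ HotFixID = 'KB4088875'; InstalledOn = [datetime]'2018-04-03' })
)
Get-Kb4099950Status -HotFixes $sample
```

For the constructed sample the function reports the uninstall-and-reinstall case, since the KB 4099950 date falls before the cutoff.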

  • Microsoft releases major update to Win10 1703, and the usual Monthly Previews for Win7 and 8.1

    Computerworld Woody on Windows.

    KB 4093117 brings Win10 1703 up to build 15063.1058, many miscellaneous fixes, no known issues.

    KB 4093120 brings Win10 1607 to build 14393.2214, a similarly large bunch of fixes, no known issues.

    KB 4093113 is the regular Monthly Rollup Preview for Win7.

    KB 4093121 is the similar Monthly Rollup Preview for Win 8.1.

    The Update Catalog says there’s a new version of KB 4099950, the abandoned patch for fixing the NIC/static IP bug in Win7.

  • New versions of buggy March Win7 patches are out

    I have no idea what changed, but Günter Born reports (and a check of the Update Catalog confirms) that there are new versions of:

    KB 4088875 – Win7 March Monthly Rollup (dated, in the Update Catalog, as April 4)

    KB 4088878 – Win7 March Security-only patch (also April 4)

    KB 4088881 – Preview of the Win7 April Monthly Rollup (also April 4)

    KB 4090450 – Spectre V2 patch for Server 2008 (dated April 3)

    Looking at the KBNew page, I also see new versions of:

    KB 4099950 – the hotfix patch for bugs in the March Win7 patches (now dated April 4) – I talked about this fix of a fix of a … earlier this week in Computerworld.

    KB 4088879 – the Win8.1 Security-only patch (still dated March 10)

    And, as noted in several places on AskWoody, there’s a new version of the old favorite KB 2952664 — the patch that so helpfully makes it easier to upgrade Win7 to Win10 — and its Win8.1 cohort, KB 2976978.

    Born identifies new notes in the KB articles for the Win7 Monthly Rollup and the Preview Monthly Rollup that say:

    Important Please apply KB4100480 immediately after applying this update. KB4100480 resolves vulnerability in the Windows kernel for the 64-bit (x64) version of Windows. This vulnerability is documented in CVE-2018-1038.

    You may recall that KB 4100480 is the “OMG” patch issued by MS when they figured that all of this year’s Win7 patches opened a huge “Total Meltdown” security hole in Win7.

    In addition, the description of the KB 4088875 Monthly Rollup patch and the KB 4088878 Security-only patch now advise:

    After you install this update, you may receive a Stop error message that resembles the following when you log off the computer:


    The solution on offer is KB 4099467, which is a single-shot hotfix for Win7 designed specifically to fix this bluescreen.

    How about them apples….

    Can any of you shed light on the reasons for the changes — in particular, do they fix any of the gazillion security holes in last month’s patches? If so, care to speculate on why Microsoft just slipped this stuff out without any announcement?

    And… when will it be safe to get back in the Win7 patching water?

  • Sorting through the Patch Thursday and Friday offerings

    My head is still spinning. Over the past two days (in addition to learning that Windows honcho Terry Myerson is leaving, and the Windows team is being scattered to the winds) we’ve had an enormous number of poorly documented, overlapping, and completely inscrutable patches.

    Let me see if I can bring some sanity to the mess.

    A destructive fix for Total Meltdown

    KB 4100480 kicked off the two days from patching purgatory with a Windows 7/Server 2008R2 kernel update for CVE-2018-1038, the “Total Meltdown” bug Microsoft introduced in Win7 back in January and kept re-installing ever since, most recently with the March Patch Tuesday Monthly Rollup KB 4088875 and Security-only patch KB 4088878. Susan Bradley immediately jumped into the fray with an initial warning Thursday afternoon. Microsoft’s documentation was so bad we had no idea what was being fixed, which bugs were being passed along — and whether this fix introduced even more bugs in the original Meltdown/Spectre January patch.

    Just a reminder that there are NO known exploits of Meltdown or Spectre in the wild.

    Ulf Frisk, the guy who discovered this gaping security hole (where a program can read or write data essentially everywhere on Intel PCs running 64-bit Win7/Server 2008R2), said on Wednesday that this month’s Monthly Rollup fixes the hole. The next day he said that, oops, this month’s Monthly Rollup doesn’t fix the hole and Microsoft revealed that, uh, this month’s Monthly Rollup actually introduces the hole.

    How bad is the hole? Kevin Beaumont (@GossiTheDog) says:

    An anonymous poster says:

    Ah, yeah… we’ve produced at least 11 botched up hotfixes in a row which made a gaping security hole out of a theoretical exploit, the most recent of them not even one week old yet, but 12th time’s the charm… absolutely trust us.

    Many folks were wondering how this patch stacks up with all of the (many!) other problems we’ve seen with this month’s Win7 Monthly Rollup and Security-only patches. The Folks Who Know Such Things now say that this patch does, indeed, introduce all of those problems — the SMB server memory leak that brings down servers, random re-assignment of static IP addresses, and three separately triggered bluescreens.

    A fix for patches that don’t have problems

    Also on Thursday afternoon, Microsoft dropped a handful of patches that fix other bad bugs in previous patches. Susan Bradley has a short list that includes KB 4096309 for Win10 1607/Server 2016 that “Addresses an issue that can cause operational degradation or a loss of environment because of connectivity issues in certain environment configurations after installing KB4088889 (released March 22, 2018) or KB4088787 (released March 13, 2018).” As Susan notes, both of the referenced fixes are still listed in the KB articles as “Microsoft is not currently aware of any issues with this update.”

    Bluescreen stoppers

    Then there are the patches that fix bluescreens generated by earlier botched patches:

    • KB 4099467 – Stop error 0xAB when you log off a Windows 7 SP1 or Windows Server 2008 R2 SP1 session. That’s a bug introduced in this month’s Win7/Server2008R2 patches.
    • KB 4099468 – Stop error 0xAB when you log off a Windows Server 2012 session. That bug was introduced in this month’s Server 2012 patches.
    • KB 4096310 – Stop error 0xAB when you log off a Windows Server 2008 session. Ditto ditto ditto.

    Save your IP if you’re prescient

    And then there’s KB 4099950, Network Interface Card settings can be replaced, or static IP address settings can be lost, released Friday, chronicled by MrBrian. Ends up this is just a package for the (modified) VBScript that, when run prior to installing this month’s patches for Win7, avoids the static IP busting nature of the patch. I talk about the VBScript program in my Computerworld Patch Alert article.

    Abbodi86 describes it:

    So it’s the easy automated version of the VBscript. It checks if KB2550978 hotfix is installed (or any superseder). [Note: KB 2550978 is a many-year-old hotfix, last updated more than a year ago.] The hotfix actually describes the mess with NIC and March updates in a very informative way

    I wonder why Microsoft didn’t roll out that important fix years ago through Windows Update

    The important note is that you have to run KB 4099950 before you install this month’s Win7/Server 2008R2 patches.

    MrBrian goes on to note that the KB article for 4099950 contains this gem:

    Important:  This update must be installed prior to installing KB408875 or KB408878

    Which is hogwash, of course. Microsoft’s missing an “8” or two.

    What else?

    So what did I miss?