Cowardly Microsoft buries critical Hyper-V, WordPad, Office, Outlook, etc security patches in normal fixes

Microsoft today buried among minor bug fixes patches for critical security flaws that can be exploited by attackers to hijack vulnerable computers. In a massive shakeup of its monthly Patch Tuesday updates, the Windows giant has done away with its easy-to-understand lists of security fixes published on TechNet – and instead …

  1. Mike Moyle

    "Crucially, none of these programming blunders are mentioned in the PR-friendly summary put out today by Microsoft – a multibillion-dollar corporation that appears to care more about its image as a secure software vendor than coming clean on where its well-paid engineers cocked up."

    Don't hold back, Shaun -- tell us how you REALLY feel!

    1. Tom 64

      Adobe Flash

      7 remote execution flaws?!? 7?!

      Glad I ditched that crap years ago in my regular browsers. For some reason however, I can't seem to remove the flash player version that came bundled with Windows 10...

      1. Anonymous Coward

        Re: Adobe Flash

        I was especially impressed with the 47 flaws in Adobe Reader/Acrobat. That looks like more than were found over all the MS products. How screwed up do you have to be to consistently have that many bugs in a glorified word processor?

      2. phuzz Silver badge

        Re: Adobe Flash

        IIRC the Flash built into Windows is only for Edge, so if you don't use Edge, or Chrome, which has its own version, you should be ok.

        So basically use either Firefox or IE on Windows if you don't like Flash.

        1. Sandtitz Silver badge

          Re: Adobe Flash @phuzz

          "IIRC the Flash built into windows is only for Edge"

          No, the built-in Flash is for both IE and Edge. Flash can be disabled from both browsers' settings, or via a Group Policy.

          With the new Win10 "Creators Update" (stupid name) Flash in Edge is enabled by default only on MS whitelisted websites, but Edge still asks your permission to launch the plugin.

        2. joed

          Re: Adobe Flash

          Not just Edge. Also good ole IE. On Win 8 (no Edge), even with IE "uninstalled", the scourge remains and has to be kept up to date.

      3. joed

        Re: Adobe Flash

        The infinite wisdom of MS that's bundled Flash since Win8. Just as pointless as all the crApps they force feed onto captive audience (hostages?) on Windows platform. More and more shi.ware with every release. Because progress.

    2. Anonymous Coward

      Don't hold back, Shaun -- tell us how you REALLY feel!

      Well, I would agree with him, given that on Macs they hide the update mechanism away from where you would normally find software so you have to dig for it to gain control. Instead of in the same subdirectory as its Office suite they sneak it somewhere into ~/Library/ (can't be asked to dig for it right now), oh, and by default you're logged in to their OneDrive, and no, AFAIK nobody asked (because I don't want it) - I guess that makes it easier to steal data.

      Add to that Outlook visits other places to regale those of what your password settings are before it ever logs in to the server that you defined (and only if you're lucky, any error and that mechanism fails) and no, there's no added value from having it.

      Anyway, test over and this machine needs a re-image. Thank God.

      Edit: the downgrade also includes this gem: "Support for MAU self-updates, where MAU can update itself without requiring admin credentials". Yes, because it's so painful if someone notices what it does, isn't it? A wipe it is.

    3. Anonymous Coward

      The elephant in the room is NOT wearing a Stetson.

      The fact is simply that The Show Must Go On, i.e. The Security Circus Continues, i.e. $$$$$

      With cumulative updates you now get fixes and new bugs in one stinking package, which very inelegantly ensures the above.

      The people responsible for this mess are those who, given less motivation, would have spent their lives somewhere in The Jewel of The Empire, walking behind an elephant with a shovel and a bucket. A strong motivator, certainly, but not a replacement for Actual Talent!

      Now their CEO is one of them as well, which is unlikely to be helpful!

      Time to embrace Pen and Paper again, communication by Owl.

  2. inmypjs Silver badge

    Microsoft's new affirmation

    "Every day, in every way, I'm getting suckier and suckier"

    1. Anonymous Coward

      Re: Microsoft's new affirmation

      don't forget

      Security by obscurity.

      By making the list of {cough-cough} fixed harder to obtain are they hoping that people will give up looking so that they can foist even more spyware on the unsuspecting user?

      W10 sucks already and they are really doing nothing to make it well again.

      It is probably a forlorn hope that MS execs in their nice 'C' level corner offices ever experience the frustrations that those of us out in the real world suffer/endure on a daily basis.

      As for patching Slitherlight? Really? This needs one patch, delete it. Like Flash its time has gone but for slitherlight, its time never came in the first place.

      1. This post has been deleted by its author

  3. Mark 85

    Windows Games

    It does make me wonder what they're hiding in this scheme. After many folks blocked the Win10 downloads because they could see it coming down the pipe via updates. So... will Win10 or maybe some "extra" telemetry be hidden somewhere as an "update" or patch to any OS lower than Win10?

    Call me suspicious just don't call me late for dinner or beer o'clock.

  4. Winkypop Silver badge

    Trust me

    I'm from Redmond...

  5. T. F. M. Reader

    Proper procedure?

    OK, this begs a genuine question. You are an IT guy at some company that is a lot more serious than a mom-and-pop candy shop. You have a lot of laptops, and a significant number of servers. You need to deal with MSFT, and you also have software from other vendors running here and there. All of these issue updates from time to time; MSFT may be somewhat more organized than others as far as update schedules go.

    Would you go over the list of patches (maybe de-obfuscated by El Reg or someone else) and test these patches individually in some sort of staging area to verify that they don't break anything AMD-based, ATI-based, Hyper-V-based, an odd installed DLL, or a non-default configuration setting that you pushed everywhere for unrelated reasons? Will you test and apply the critical stuff first and deal with less important updates later (but still test them)? Or, presented with such a mess, just apply the whole update on staging machines, check for any black smoke, and roll it out to every box in the organization as one big lump? Especially if the software/updates may affect the system boot, user logins, operation, security, etc.?

    Inquiring minds want to know. One reason for the curiosity is that we provide software and updates, and we want to make our customers' admins' lives as easy as possible. Not only by having no (all right, as few as possible) bugs in the first place but also by integrating into the customers' procedures smoothly even when there are no bugs. My experience and inclinations do not necessarily tell me what others do.

    What say you, commentards?

    1. Rich 11

      Re: Proper procedure?

      I roll the patches out to a representative sample of test servers first, after a day or so of waiting to see if there are any adverse reports from around the world. If the test servers reboot (whether needed or not) and the required functions work as expected, the updates go out on live.

      The completeness of this approach is not by any measure perfect, but it's a trade-off between safety, security, business requirements and all the other demands on my time. In the last 15 years I've only lost one test server, and that was to a specific application fix which wasn't part of the Patch Tuesday bundle. But maybe I've just been incredibly lucky...

      1. Anonymous Coward

        Re: Proper procedure?

        Similar approach here; reading the monthly equivalent of this story and its comments, waiting a day or two then chucking them out to the general desktop/laptop populace, a day or two more then installing on the on-premise servers has been my method for a decade or so too. I vaguely recall something a bit squiffy happening to a server back in the mists of time, but very little besides that. I think I had to remove an update to Excel after it caused some formatting issues once.

        I'm not running a massive organisation here, but not a mom n pop shop either. With a million other things to do, the approach to everything has to be fairly pragmatic; I just don't have the time or cash to build and run a full test suite.

    2. Anonymous Coward

      Re: Proper procedure?

      You are an IT guy at some company that is a lot more serious than a mom-and-pop candy shop. You have a lot of laptops, and a significant number of servers. You need to deal with MSFT, and you also have software from other vendors running here and there. All of these issue updates from time to time; MSFT may be somewhat more organized than others as far as update schedules go.

      Well, the short answer is that you spend a significant amount of extra resources assuring that a patch is not going to down half of your estate if you roll it out, so you (a) do a test install on lab test machines in the hope that they remain representative of what your enterprise does, (b) run an install on a small group and only after that doesn't show immediate problems do you (c) roll it out over the estate, still with your fingers crossed that you haven't missed anything and that some weird combination of factors does not as yet create problems.

      We've been doing this nonsense for well over 2 decades now - nothing changes (well, OK, the excuses do). Anyone care to calculate just how much that has cost, and do add the security problems to it and license management risk because that too creates extra overheads, cost and risk?

      Calling this a "solution" is just insulting.

    3. Sparkypatrick

      Re: Proper procedure?

      One thing to note about installing patches individually rather than as part of the Windows Update bundle, is that Microsoft don't test them that way. Obviously, they also don't test them against every possible permutation of hardware and software, which is why you need to test the patches yourself.

      1. nijam Silver badge

        Re: Proper procedure?

        > ... Microsoft don't test them that way

        They should, though.

        1. Ken Hagan Gold badge

          Re: Proper procedure?

          "They should [test them that way], though"

          I beg to differ. I can't see the sense in asking for a patch regime that is literally untestable!

          Two to the power N is a very large multiplier on your test matrix, even for fairly small N. If MS actually allowed users to install some patches but not others, and the same again next month, and the month after, the explosion gets to unfeasibly large N probably in the first month and certainly quite soon thereafter, no matter how large your test farm.

          I suspect that's why MS no longer allow you to do that. I suspect also that patches affecting the same component are always cumulative. (I don't think the roll-up bundles are, but they may be "chained" so that you have to install all previous ones before any new one. If not, they probably will be soon.) Under this regime, N months of patches gives you at most N possible configurations and each month there is only 1 new one that they have to test because they did all the others in previous months.

          "1" scales to large N in a way that 2**N doesn't.

          I would also note that most Linux distros work this way by default and even if most (all?) offer ways of pinning packages to a particular version, they don't promise that an arbitrary combination of pins actually works.

      2. joed

        Re: Proper procedure?

        Didn't MS let go the test team? So much for testing. Customers (home edition users) are guinea pigs now (alpha testers). Businesses do beta testing.

        By all accounts MS move is meant to push everyone into the cloud as nobody will be able to maintain in house operation in the volatile environment they unleashed.

        1. Peter2 Silver badge

          Re: Proper procedure?

          What most people do is have two groups for releasing patches, the Canary group (named after the canary that miners took down mine shafts as the canary snuffing it was a good indicator of toxic gasses) and the production group for everybody else.

          The Canary group should consist of loud users who will report issues promptly, but in the worst case whose loss won't cause serious damage to the business.

    4. nijam Silver badge

      Re: Proper procedure?

      > ... You need to deal with MSFT

      No you don't. Really.

    5. Anonymous Coward

      Re: Proper procedure?

      Where I used to work, we did 2 strategies.

      1) Wait till Friday morning to go through and check the available patches; that way if MS majorly Fuc*ed up it was in the trade press by Friday.

      2) Use WSUS or Patchlink depending on the update and roll it out to a "test" subset of machines. If they are all working by Monday lunchtime the rest of the machines are automatically patched.

      The only update that did not follow these rules, and the one that took out three quarters of the company, was antivirus, which helpfully detected a system file as a virus and quarantined it. :-( Had to manually go to each machine individually and boot off a CD, replace the antivirus definitions file and the system file, reboot to local Admin, do a few tweaks, log back out and boot on the domain. One LONG night and 3 offices later :-( the only saving grace was that the 24/7 department were on a different update schedule so they kept running.

  6. John Smith 19 Gold badge

    "ordinary folk are probably happy with installing these changes as soon as possible, "

    Which was how a lot of people ended up with MS "GenuineAdvantage" snooper on their machines checking their licensing keys.

  7. Potemkine Silver badge

    Flash? Ahaaaaaaaahh !

    Flash delenda est!

  8. Adair Silver badge

    And people...

    actually pay for this shit!?

  9. SotarrTheWizard

    Microsoft has cutting-edge customer support. . .

    . . . .that they learned from United Airlines. . ..

    1. a_yank_lurker

      Re: Microsoft has cutting-edge customer support. . .

      The Unfriendly Skies has atrocious customer service but in my experience the Slurp is always looking to pinch a couple of pennies on even flimsier excuses than the Unfriendly Skies. Not much worse but worse.

  10. EnviableOne

    650 updates is easier than 5-10 bulletins?

    I thought last month's double Patch Tuesday was bad.

    I popped along to the SUG and I'm supposed to classify and analyse like 650 updates because it's more authoritative.

    When will MS realise that most people don't have the time to go through all these, or the funds to get the tools to do it for you?

    Even if I try to filter all the stuff we don't have and remove the low criticality there are still close to 400 lines to look through.

    Looks like I might accelerate the Kubuntu desktop with LibreOffice migration.

  11. John Brown (no body) Silver badge

    Microsoft Offensive Security Research Team

    What do they do? Add insults to the injuries already inflicted?

  12. Jamie Jones Silver badge

    Nope.. Still hate the stock images

    Dear El Reg, please stop treating us like morons with all the stupid stock photos you post.

  13. Ken Hagan Gold badge

    "If the PC uses an AMD Carrizo DDR4 processor, installing this update will block downloading and installing future Windows updates. Microsoft is working on a resolution and will provide an update in an upcoming release,"

    I look forward to downloading that upcoming release to fix my computer that can't download updates anymore.

    1. Updraft102

      Why, it almost sounds like arbitrarily blocking updates on certain PCs was a bad idea in the first place.

    2. Jim Mitchell

      "AMD Carrizo DDR4" is very specific. Carrizo systems with DDR3 are OK? You wonder just what is so special about that hardware configuration.

      1. joed

        I bet it can still be serviced offline. OTOH, all my systems have been on no updates treatment for almost a year now. As long as I don't use MS products (on top of Windows) I should be fine. Mission accomplished MS.

    3. Adair Silver badge

      "If the PC uses an AMD Carrizo DDR4 processor, installing this update will block downloading and installing future Windows updates."

      Hey, it's a feature not a bug! You're onto a winner there mate, AMD clearly have their customers' interests at heart.

  14. Peter in Seattle

    Help a brother out, here. Did Microsoft just package a bunch of critical security updates in quality and security rollups but not in security-only rollups? I use WSUS Offline Update with the security-updates-only option to update my Windows 7 system, and I'm too old and tired to try to figure out from the article whether my approach will have me covered.

  15. PeteA

    Time to buy an AMD Carrizo?

    Sounds like it might be time to consider a hardware refresh if AMD have found a way to permanently disable automatic updates (assuming that they can still be installed locally).

  16. Pirate Dave Silver badge

    "Now, ordinary folk are probably happy with installing these changes as soon as possible, silently and automatically, without worrying about the nitty-gritty details of the fixed flaws. "

    I think "happy" might be a bit too-strongly worded. "Blissfully unaware until an update fucks things up" is probably more accurate.

  17. demented

    This month's security patch is blocking PCs with 6th and 7th generation Intel CPUs even though Microshaft had agreed earlier this year to extend support for 6th gen Skylake CPUs running on W7 and Win 8.1. Those who install these patches will have their OS blocked from receiving or installing further patches.

    Yet another push by them to get everyone to use their bloated spyware that they call Win10.
