Microsoft Patch Alert: Major bugs introduced in May fixed, plenty of problems remain

This month's Windows and Office security patches: Bugs and solutions

Once more we have a monthly Windows/Office patch scorecard that needs a guidebook. Or two. And we just got a handful of buried warnings about problems in old patches, plus a brand new way to fry your network interface card.

Thus continues the tradition of two cumulative updates per month for all of the supported Windows 10 versions – that’s eight cumulative updates in total – in addition to bobs and weaves and a very long list of acknowledged bugs introduced by recent security patches in Windows 7.

Conflicts with Remote Desktop

The strange behavior of the CredSSP update – where the Patch Tuesday fixes for all versions of Windows seemed to break Remote Desktop Protocol with a strange error message: “This could be due to CredSSP encryption oracle remediation” has been resolved.

Patch Lady Susan Bradley notes (about all versions of Windows and Remote access):

Be aware — if you are seeing RDP issues post patch Tuesday, the underlying issue is that there is a mismatch between patch levels. The updates for the RDP/credssp came out in March and slowly Microsoft has been adjusting the mandate of the update. In May, the full “you must have a patch on both ends” kicked in. So if you haven’t updated your servers, but your workstations got patched you’ll see the CredSSP error message.

While there is a registry key to allow patched systems to connect to unpatched systems, it’s much wiser to patch your servers. Note that if you held off patching your servers because of the networking side effects/bugs, those were patched in the April.

That’s how you solve a CredSSP encryption oracle remediation problem. Obviously. Ahem.

Win10 version 1803 approaches ‘usable’ status

The unpaid beta testers for Windows 10 April 2018 Update (better known as version 1803) earned their salaries this month, with triple overtime. The embarrassing bug in the original 1803 (released April 30) bricked any computer with an Intel SSD6 drive– including some of Microsoft’s own Surface Pro 2017 computers.

A similar, but different, bug dogged PCs with Toshiba SSDs. The bug persisted in the first cumulative update for Win10 1803, but was finally put to sleep last week with the second cumulative update, which finally made 1803 installable on most common PCs.

Installable, mind you. Not stable. For example, there are many reports of 1803 driving batteries nuts. I’ve seen discussions of the Surface Studio mouse and keyboard lock-ups after installing 1803, but no solutions – and there may be a similar problem with earlier versions of Win10. The Reddit 1803 megathread is up to 1,800 comments– not all of which are glowing reports of happiness in 1803 land.

The greatest malfeasance, in my opinion, is Microsoft’s continuing push to install Win10 1803 on machines that are set to specifically avoid it. Win10 1709 Home users get hit the worst. AskWoody reader IG puts it this way:

I have found that (at least in my situation with my Lenovo and HP laptops) the best way to avoid the latest feature update for Windows 10 Home, is to not only set your connection to metered, but to also install the Windows update tool, (wushowhide). Despite being on a metered connection, the 1803 upgrade eventually showed up ‘available to download’ this week. Along with the 1803 update a 1709 update also showed up but required a ‘retry.’ Using the update tool I hid the 1803 upgrade, and the next time Windows automatically checked for updates, it was no longer available to download. I was also able to retry and install the current 1709 update without any issues.

I continue to strongly recommend that you not hobnob with the cannon fodder and wait for Microsoft to show some restraint. Or at least some fixes. My original recommendations for blocking 1803 still work, but you have to use all of them, altogether, all the time.

Multiple patches for all versions of Windows 10

If you’re using Windows 10, you saw big multiple patches in April:

  • Version 1709– the Fall Creators Update — the initial Patch Tuesday patch, KB 4103727, had the usual round of complaints about failure to install, random bluescreens and the like. The second cumulative update, KB 4103714, seems to be stable.
  • Version 1703— the Creators Update — got its first cumulative update, KB 4103731, on Patch Tuesday, and a second huge cumulative update, KB 4103722a week later.
  • Version 1607— the Anniversary Update (only for Win10 1607 Enterprise and Education) also got two cumulative updates.

Version 1703 remains stable (although there’s a whole lotta patchin’ goin’ on) and 1709 has finally found some maturity. About a month too late.

The ongoing Windows 7/Server 2008 R2 saga

Windows 7 continues to be singled out for back-breaking patch-induced bugs. Microsoft officially acknowledges both of these bugsin the latest Win7/Server 2008 R2 patch, KB 4103718:

  • A stop error occurs on computers that don’t support Streaming Single Instructions Multiple Data (SIMD) Extensions 2 (SSE2). A long-standing problem, still with no solution.
  • There is an issue with Windows and a third-party software that is related to a missing file (oem<number>.inf). Because of this issue, after you apply this update, the network interface controller will stop working.That announcement appeared out of the blue on May 26. There’s no indication which “third-party software” is at fault – or who should avoid the patch – but such are the vagaries of Windows patching. There’s an in-depth discussion going on the AskWoody Lounge.

As it turns out, the missing oem<number>.inf issue dates back to the March patches. According to an anonymous poster:

It’s not only KB4103718 (May 8, 2018—KB4103718 (Monthly Rollup)) that has been updated last Friday with the missing oem<number>.inf issue. The problem seems to date back to the March 2018 Security-Only and Monthly Rollup updates.

All of the following knowledge base articles were updated with similar warnings on May 25:

  • KB4088875: March 13, 2018—KB4088875 (Monthly Rollup)
  • KB4088878: March 13, 2018—KB4088878 (Security-only update)
  • KB4088881: March 23, 2018—KB4088881 (Preview of Monthly Rollup)
  • KB4093118: April 10, 2018—KB4093118 (Monthly Rollup)
  • KB4093113: April 17, 2018—KB4093113 (Preview of Monthly Rollup)
  • KB4103718: May 8, 2018—KB4103718 (Monthly Rollup)
  • KB4103713: May 17, 2018—KB4103713 (Preview of Monthly Rollup)

We’re stuck between a rock and a hard place. Microsoft won’t say which vendor(s) and/or which network card(s) are getting cracked by the patch. There’s speculation that the bad card is from Intel, but we really don’t know. Your only real recourse is to create a full backup prior to applying this month’s patches, or to accept the possibility that you’ll have to manually re-install them. Susan Bradley has detailed instructions.

That same anonymous poster goes on to advise:

Also, there is a new, never heard before issue with the Win7 March 2018 Security-only update (KB4088878):

Symptom: A 32-bit (x86) computer won’t boot or keeps restarting after applying this security update.

Workaround: Before applying this security update and subsequent security updates, uninstall the following external drivers until they are fixed by the vendor that owns them:

  • HASP Kernel Device Driver (a.k.a. Haspnt.sys)
  • Hard Lock Key Drivers (a.k.a. hardlock.sys)

It’s not at all clear if that warning is only for 32-bit computers.

If you want to see something scary, take a look at the current version of the “Known issues” list for the Win7 Security-only patch, KB 4088878. I count nine acknowledged bugs introduced in that one Security-only patch.

Windows 8.1 / Server 2012 R2 continues to look good. By any objective measure, 8.1 is Microsoft’s most stable version of Windows. By a long shot.

Office patches keep rolling along

I don’t know of any pressing problems with this month’s Office patches. Susan Bradley’s Master Patchwatch List gives them a clean bill of health, and @PKCano’s list of non-security patches looks clean, too, although there are a number of acknowledged problems listed on the official Fixes pages.