By Woody Leonhard
There’s never a dull moment for folks who try to keep Windows and Office patched.
Windows 10 version 2004 continues to make slow inroads among the “Go ahead and kick me” crowd, in spite of its (now documented) lack of update deferral settings, while those of us who are still trying to keep Win10 versions 1909, 1903 and 1809 afloat have our hands full.
June saw two truly innovative patching methods: A fix for a Windows bug delivered as an update to Office Click-to-Run and a fix for a different Windows bug delivered through the Microsoft Store.
If you can’t fix things the normal way, I guess there’s always the back door.
All of the Win10 cumulative updates in June broke some printers, some of the time. The damage fell into two heaps:
Microsoft fixed the second set of bugs with a manual-download-only out-of-band patch, known as KB 4567512. If you installed one of this month’s cumulative updates and your networked printers suddenly stopped, you have to know (by osmosis?) that the problem lies with the update, and either roll back the update, upgrade your print driver to one that supports a more recent version of PCL 6, or manually download and install this patch.
Although the official documentation mentions the conflict only obliquely, the June Windows cumulative updates were apparently responsible for the June 2 and 9 versions of Microsoft 365 (nee Office 365) Click-to-Run refusing to open.
After updating to Version 2005 Build 12827.20268 or higher and starting Outlook you may see the following error prompt: “Something is wrong with one of your data files and Outlook needs to close.” The Outlook Team is investigating this issue with the Windows Team. We are not sure yet if the primary fix will come from Outlook or Windows. When we have more information on fix details we will add them here.
Microsoft fixed the bug in Windows by releasing an update to Office (er, Microsoft) 365, on June 25:
This issue is fixed in Monthly Channel Version 2005 Build 12827.20470 and higher. To install the fixed build from Outlook select File, Office Account, Update Options, Update Now.
That isn’t the only novel Windows bug fix this month.
On June 30, Microsoft posted details about two vulnerabilities known as CVE-2020-1425 and CVE-2020-1457. Both are Remote Code Execution security holes (translation: very bad), but they haven’t been exploited yet (translation: they aren’t zero-days).
“The specific flaw exists within the parsing of HEIC files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated data structure. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process.”
HEIC is a video compression routine developed by the MPEG group, initially made popular in iOS and macOS.
Here’s what’s crazy about the fix. Microsoft is distributing it through the Microsoft Store – not through Windows Update, not through the Microsoft Update Catalog.
Any machines that block access to the Store, for whatever reason, aren’t going to get the fix. Paul Rathbone, posting on the patchmanagement.org mailing list, offers a number of germane observations:
“Microsoft Windows Codecs Library” – is that a component that is built into Windows10/2019 or something that would have been installed as part of an app from the Microsoft Store in the first place? I’m guessing it’s built into Windows as Server Core is impacted too (why would Server Core need Codecs ????? I thought that was a reduced non-GUI version to lessen the surface area that could be attacked and so reduce patching requirements!)
“If I manage patching behind a WSUS/SCCM server and block outbound internet access from my servers, so they can’t reach the MS Store, do I need to patch those servers and if so how? Will the fixes be included in next month’s cumulative updates? Will the fixes be published in the Update Catalog?
“Is this a sign of things to come – multiple sources of patches from Microsoft which all have to be managed – how can I tell that a machine is patched up to date without vuln scanning everything every month? Am I expected to allow servers access to the MS Store? If access to the MS Store has been blocked by Group Policy how do I patch? Do I need to patch?
“Even if my machine can reach the store and has updated itself, how can I check / monitor that across all my clients/servers? I can’t find any details of files affected, version numbers etc.”
So in June, we had:
It’s all a bid for patching diversity, right?
“In some set of circumstances, as yet undiagnosed, the Win10 Cumulative Update installer hits a ‘race condition’ on reboot, with the user coming back up in a temporary profile. That sounds like a lot of buzz words, and it is, but the net result is that the user runs the update, reboots, and returns to a clean desktop, without their desktop customizations, while files in their customary folders (such as Documents) have disappeared.
“It’s disconcerting, even if you’re savvy enough to realize you’ve been pushed into a temporary profile. The desktop customizations are still there, as are the files, but they behave as if they belong to a different user.”
I still see complaints about the temporary profile bug constantly, in every recent version of Windows, including Windows 10 version 2004.
Microsoft’s having lots of fun with the Win10 version 2004 rollout, which is still in its infancy. From a data-eating bug in a specific oddball type of Storage Spaces to a just-unveiled axing of the advanced deferral settings, to a laundry list of bugs and gotchas (e.g., repeated erroneous security warnings as documented by Mayank Parmar at Windows Latest), Win10 version 2004 clearly isn’t ready for all but the most masochistic Windows testers.
It’s getting better. Earlier this week, Microsoft finally removed blocks that prevented Surface devices from receiving the Win10 version 2004 upgrade. Imagine. Microsoft now says that its latest version of Windows is finally able to run on its latest hardware.
Microsoft has acknowledged a bug in the May (and June) Win10 cumulative updates:
“The Local Security Authority Subsystem Service file (lsass.exe) might fail on some devices with the error message, ‘A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code c0000008. The machine must now be restarted.’ We are working on a resolution and estimate a solution will be available in July.”
There are other various and sundry bugs. And, yes, your Windows 7 machine will get a pushed copy of the new Chrome-based Edge browser, whether you’ve paid for updates or not.
@PKCano has an update to the AKB2000016 Guide for Windows Update Settings for Windows 10 that covers the latest info about Windows Update advanced settings.
Patch Lady Susan Bradley has posted two new satisfaction surveys, one for Consumer patching and one for Business patching. Feel free to participate in either or both, depending on your predilections and station in life.
See any other problems? Hit us on AskWoody.com.
Copyright © 2020 IDG Communications, Inc.