Microsoft delays February patches until March

Microsoft has decided to delay the February patches until March – even though there is a possible critical vulnerability not addressed.

While not officially disclosed, some believe it is the “build” mechanism for the patching that is an issue and not a patch itself.

[Updated 2017/02/21:] Word went out that Microsoft would release the Flash Player update but as of “press” time, it hasn’t. The Malicious Software Removal Tool has been released though.

For those who want to at least be slightly more secure, Microsoft did release an interim update in late January for v1607, which you can find here [manual download and install]. There were no updates for the other editions of Windows 10 or older versions of Windows.



Microsoft’s updates for February delayed a bit

Microsoft has delayed releasing the February patches due to a last minute issue found:

“Our top priority is to provide the best possible experience for customers in maintaining and protecting their systems. This month, we discovered a last minute issue that could impact some customers and was not resolved in time for our planned updates today.

After considering all options, we made the decision to delay this month’s updates. We apologize for any inconvenience caused by this change to the existing plan.”

Well a new month of Microsoft update issues

After a month without any [major] Patch Tuesday issues, we have one this month. MS16-072 [KB3163622], which is a security update for Group Policy, may cause settings changed through a GPO to no longer be retained, shortcuts to applications on users’ desktops to go missing, previously hidden drives and devices to be left accessible, and drive mappings not to work. The issue is due to how customers have implemented Group Policy permissions.

Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the machine’s security context.

This issue may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group or if you are using security filtering and are missing Read permissions for the Domain Computers group.

To correct the situation, use the Group Policy Management Console to add the Authenticated Users group with Read permissions on the Group Policy Object (GPO). As well, if you are using security filtering, add the Domain Computers group with Read permission.
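
One way to find the affected GPOs before applying the fix, as an added example (not from the original post or from Microsoft). It uses the GroupPolicy module's Get-GPO and Get-GPPermission cmdlets and assumes an English-language domain where the groups are named "Authenticated Users" and "Domain Computers"; the helper name Test-GpoTrusteeRead is hypothetical.

```powershell
# Added example: read-only audit of GPO permissions relevant to MS16-072.
# Requires the GroupPolicy module (RSAT / GPMC) in a domain-joined session.
Import-Module GroupPolicy

# Permission levels that include Read on the GPO.
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

# Hypothetical helper: does the named trustee hold an allow entry that
# includes Read in this GPO's permission list?
function Test-GpoTrusteeRead {
    param(
        [Parameter(Mandatory)] $Permissions,          # from Get-GPPermission -All
        [Parameter(Mandatory)] [string] $TrusteeName  # assumed English group name
    )
    [bool]($Permissions | Where-Object {
        $_.Trustee.Name -eq $TrusteeName -and
        -not $_.Denied -and
        $readLevels -contains $_.Permission.ToString()
    })
}

$report = foreach ($gpo in Get-GPO -All) {
    $perms = Get-GPPermission -Guid $gpo.Id -All
    [pscustomobject]@{
        Gpo                    = $gpo.DisplayName
        Id                     = $gpo.Id
        AuthenticatedUsersRead = Test-GpoTrusteeRead $perms 'Authenticated Users'
        DomainComputersRead    = Test-GpoTrusteeRead $perms 'Domain Computers'
    }
}

# GPOs where Authenticated Users cannot read the policy. The last column
# shows whether Domain Computers has Read (the security-filtering case).
$report |
    Where-Object { -not $_.AuthenticatedUsersRead } |
    Sort-Object Gpo |
    Format-Table Gpo, Id, DomainComputersRead -AutoSize

# Remediation described above, commented out so the audit changes nothing:
# Set-GPPermission -Guid <GPO GUID> -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead
# Set-GPPermission -Guid <GPO GUID> -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead
```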

As well, if you have installed update rollup KB3156418 on Windows Server 2012 R2, the DFSRS.exe process may consume a high percentage of CPU processing power (could approach 100%). This could cause the DFSR service to become unresponsive to the point at which the service cannot be stopped and you would be required to restart the server. The temporary workaround is to remove the update. Microsoft is aware of the issue.

[Updated 2016/06/22:] Now there is an issue with MS16-075 and MS16-076. They are related to Windows Netlogon and SMB Server. When you try to access a domain DFS namespace on a computer that is configured to require mutual authentication (by using the UNC Hardened Access feature), you receive an Access Denied error message. You need to make a registry change as described in KB3161561 as a workaround. Microsoft is investigating.

[Updated: 2016/06/29:] Added to the update woes this month, although it may not affect too many people, is the June 2016 rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 [KB3161606], which will affect Hyper-V instances for Windows. The issue is related to the new HyperV-Integration-Service (KB3158626) and to the file wnetvsc.inf.


Notice something missing in Patch Tuesday?

If you go through the Microsoft bulletins for Patch Tuesday [April 12th] you will notice that a bulletin is missing.
In this case it is MS16-043.
I guess this means that there was a showstopper and at least one of the bulletin’s patches has an issue.
Well, at least it was detected before it was released.
This is why for my own computers [and virtual machines] unless there is something critical, I will wait a few days [to hopefully make sure there are no recalls] before applying the patches.

[Updated 2016/04/13:] There could be an issue with MS16-039 where you may get the message “The Windows installer service could not be accessed.” If this happens, you should make sure KB3072630 is installed [it should be as it is MS15-074].


A second patch Tuesday from now on

As of April, expect an additional “Patch Tuesday”.

The first Tuesday of the month will now be reserved for Office updates – those that aren’t a security issue. If you noticed, as of Office 2010 and continuing with Office 2013 and Office 2016, Microsoft releases a slew of non-security Office updates. Sometimes maybe a dozen of them.

The second Tuesday continues to be the original “Patch Tuesday”. And occasionally, for the remainder of the month, Microsoft may release some non-security updates for Windows, Surface, etc.

Emergency out of band patch from Microsoft today

Microsoft is to release a critical out-of-band patch today [Monday, July 20] at 1pm EST/10am PST.

As usual, no word on what the patch fixes until it is released.

An out-of-band patch is released when an issue is actively being exploited and Microsoft believes it can’t wait for the next “Patch Tuesday” – 3 weeks away.


Problems in April’s Patch Tuesday

So far April’s patches aren’t causing too much harm. [But it is still early!] Here is a run-down.

The KB2889923 update for Lync 2013 (Skype for Business) will do a number on users who are running Outlook 2010. While not a common combination, it will cause some problems in larger companies. In April, a small batch of updates including this one will convert your Lync 2013 client to Skype for Business. There is already a batch of smaller issues for Skype for Business.

KB2990214 clobbers servers running Windows Server 2008 R2 with SQL Server Reporting Services (SSRS). The SSRS service fails to start after this update.

KB3013769, which is the December 2014 rollup for Windows 8.1 and Windows Server 2012 R2, has been re-released, but as an optional update. The bug lies with [primarily] Windows 8.1 systems with Kaspersky security software installed. Some customers reported not being able to install the rollup, while others kept receiving error messages of SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (kl1.sys). The latest update was only available via the Windows Catalog at this time.

KB2990214 has been re-re-released to fix the future option of upgrading from Windows 7 to Windows 10. Of note, the knowledge base says it won’t allow Windows Server 2008 R2 to upgrade to Windows Server 2016 when released. The latest update was only available via the Windows Catalog at this time.

When and if there are updates and further issues, they’ll be mentioned here or check the KB.

Oh ya. As of this month, if using Office 2013 and/or Exchange Server 2013, note that you will need service pack 1. Since Microsoft doesn’t seem to be releasing service packs anymore, dying editions won’t be much of an issue.

[Update: 2015/04/17:] Surprisingly no other issues reported. One little minor thing. When you install KB3035583, you will note that it says it improves Windows Update notifications. But what it also does is, when Windows 10 is officially released, a pop-up box [or annoying box] will pop up informing you that Windows 10 is available for you to upgrade. Let’s hope there is an option to turn it off, delay it, or reduce the number of pop-ups in a day.

[Update: 2015/04/30:] If you perform a clean installation of Windows 7 or Server 2008 R2 and then upgrade to IE11 from IE8 at the same time as installing MS15-032 for IE8 with the 150+ other updates, you will receive error code 80092004 when trying to use Windows Update. The temporary workaround is to install all updates except MS15-032 and IE11, and then MS15-032 for IE11 once IE11 is installed. Microsoft knows of the issue. In addition, the update for Windows Server 2003 has been replaced.