Microsoft's latest patches bring many Windows and Office fixes and lots of confusion

Patch Tuesday has hit with a vengeance. Microsoft’s Official Security Update Guide lists 243 Windows patches, 81 of which are critical. If you click on the Details button to show individually identified security problems (typically CVE numbers), the list swells to 997 entries. Be of good cheer. You can download the whole list into an Excel spreadsheet with a click on the Download button.
Microsoft has also published its list of May patches for Office: 36 security updates and 28 nonsecurity updates.
Wait, that’s not all. In addition to the Security Update spreadsheet and the Office list, there’s also a list of new nonsecurity patches on the old Windows Update list site.
I count a Servicing Stack update (but only for Windows 8.1), two so-called Dynamic Updates for Win10 1703 (see Günter Born’s description of Dynamic Updates—they’re used during installation of an upgrade), a security update for the Scripting Engine in Windows Server 2008, and the usual Malicious Software Removal Tool.
I don’t know how to count all of those. I swear, I took off my shoes and socks, and ran out of digits. There’s an enormous potful of patches.
The short list:
Windows 10
- 1703 to build 15063.296 — short list of fixes
- 1607 to build 14393.1198 — huge list of fixes
- 1511 to build 10586.916 — medium list of fixes
- 1507 to build 10240.17394 — another medium list of fixes. This should be the last cumulative update for 1507.
Note that the patches for deprecating SHA-1 for IE11 and Edge SSL/TLS Authentication are listed separately. Looks like a Security Bulletin to my jaundiced eye.
Windows 7
Windows 8.1
In the Lounge, @PKCano and @NetDef note that the odd new terminology is proliferating, where patches for Win7 and 8.1 are now preceded by the year and month. For example, we have “2017-05 Security Only Quality Update for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2 (KB4019263).” That’s not to be confused with names that include dates that go the other way around, such as “May, 2017 Security Only Update for .Net Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 on Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2 (KB4019108)” or names that don’t mention dates, such as “Cumulative Security Update for Internet Explorer (KB4018271).”
Some day that naming system will help—it’s much easier to sort patch lists by year and month with the yyyy-mm format. For now, though, it’s a real head-turner.
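To make the sorting point concrete, here is an added example (not from Microsoft or from this article's sources) that normalizes the three title styles quoted above into a sortable yyyy-mm key plus KB number. It assumes the date, when present, leads the title and the KB number sits in parentheses at the end; the function names are hypothetical.

```python
import re

# The three update titles quoted in the article above, one per naming style.
TITLES = [
    "Cumulative Security Update for Internet Explorer (KB4018271)",
    "May, 2017 Security Only Update for .Net Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 on Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2 (KB4019108)",
    "2017-05 Security Only Quality Update for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2 (KB4019263)",
]

MONTHS = {name: number for number, name in enumerate(
    ["January", "February", "March", "April", "May", "June", "July",
     "August", "September", "October", "November", "December"], start=1)}

ISO_PREFIX = re.compile(r"^(\d{4})-(\d{2})\b")               # "2017-05 ..."
MONTH_PREFIX = re.compile(r"^([A-Z][a-z]+),?\s+(\d{4})\b")   # "May, 2017 ..."
KB_SUFFIX = re.compile(r"\(KB(\d+)\)\s*$")                   # "... (KB4019263)"


def parse_title(title):
    """Return (period, kb): period is 'yyyy-mm' or None when the title has no date."""
    title = title.strip()
    kb_match = KB_SUFFIX.search(title)
    kb = "KB" + kb_match.group(1) if kb_match else None

    iso = ISO_PREFIX.match(title)
    if iso and 1 <= int(iso.group(2)) <= 12:
        return f"{iso.group(1)}-{iso.group(2)}", kb

    named = MONTH_PREFIX.match(title)
    if named and named.group(1) in MONTHS:
        return f"{named.group(2)}-{MONTHS[named.group(1)]:02d}", kb

    # No recognizable date (e.g. the IE cumulative update): leave it undated
    # rather than guessing a release month.
    return None, kb


def sort_titles(titles):
    """Order by period, then KB; undated titles sort last for manual review."""
    def key(title):
        period, kb = parse_title(title)
        return (period is None, period or "", kb or "")
    return sorted(titles, key=key)


if __name__ == "__main__":
    for title in sort_titles(TITLES):
        print(parse_title(title), title[:60])
```
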
As promised, Microsoft released delta-only patches for Win10 1607 and 1703. If you are all caught up on cumulative updates through last month and want to download the smallest possible update file, take a look on the Microsoft Update Catalog. Most folks can (and should) ignore it. Thx to @abbodi86.
Microsoft has also released four Security Advisories in the past two days:
- 4022345 Identifying and correcting failure of Windows Update client to receive updates
- 4021279 Vulnerabilities in .Net Core, ASP.Net Core Could Allow Elevation of Privilege
- 4010323 Deprecation of SHA-1 for SSL/TLS Certificates in Microsoft Edge and Internet Explorer 11
- 4022344 Security Update for Microsoft Malware Protection Engine
The last one is the Security Advisory I mentioned earlier this morning.
In addition, Microsoft announced last week that .Net Framework 4.7 is now available on Windows 7, Windows 8.1, and all versions of Win10. Thanks to @MrBrian.
If you’re looking for even more detail, Martin Brinkmann at gHacks.net has an extensive list and analysis. The ZeroDay Initiative has a chart organized by CVE number.
Personally, I would love to see a small chart that groups similar CVEs into, well, Security Bulletins. Microsoft recently published a Security Advisory that looks something like an old-fashioned Security Bulletin, to centralize the discussion of SHA-1 deprecation in IE11 and Edge. I’d pay to have another column in the Security Update Guide with a link to a collection of aggregating articles. Security Bulletins, if you will.
Note: I do not recommend that you update yet. It’s much, much too early to tell which patches are causing problems.
Help us sort this giant mess out on the AskWoody Lounge.