Windows Updates Thread - June 2017 - XP Patches and Broken Office 2007/2010

Discussion in 'Business & Enterprise Computing' started by PabloEscobar, Dec 11, 2014.

  1. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    10,405
    For all his Cloud First/Mobile First rhetoric... since Nutella has taken over, Microsoft haven't had a good run with patches. Perhaps it should be QA First, Cloud Second/Mobile Second.

    KB3004394 is breaking shit this week.

    http://www.infoworld.com/article/28...00706f7-amd-catalyst-driver-fail-defende.html

    MS late to the party acknowledging the issue as well, it's still being advertised for download.

    edit:

    Also, Exchange 2010 SP3 Update Rollup 8 has been pulled...

    http://blogs.technet.com/b/exchange/archive/2014/12/09/exchange-releases-december-2014.aspx

    Just a minor issue - from the article.
     
    Last edited: Jun 15, 2017
  2. neoprint

    neoprint Member

    Joined:
    Jan 1, 2003
    Messages:
    416
    Location:
    Cairns
    Yep, our phones are currently going completely mental, apparently half our clients' servers have turned auto updating on themselves.

    Oh the life of an MSP
     
  3. OP
    OP
    PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    10,405
    KB2553154 will probably mess with a few people as well, especially those that have built business workflow into Excel Macros... there is a quick-ish fix for it fortunately.

    http://stackoverflow.com/questions/27411399/microsoft-excel-activex-controls-disabled
     
  4. swiftyb

    swiftyb Member

    Joined:
    Oct 24, 2007
    Messages:
    479
    Location:
    Melbourne
    The astute Sysadmin would stage patches and have a progressive roll out... just sayin :)


    Our strategy is to patch 1 month behind, and roll it out in 4 stages (across 4 days, at least 2 days apart - ensuring 'like' servers are split)

    Some companies don't have the luxury of being 1 month behind, but patching pre-prod / test / dev / uat first is a good way forward.
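
The staged rollout described in this post, sketched as an added example that is not part of the original thread: it deals servers into 4 stages so that 'like' servers (same role) are split, dates each stage 2 days apart starting one month after release, and reports how much of each role is patched at once. The inventory, role names, release date and the 30-day reading of "1 month behind" are assumptions.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed inventory: (hostname, role). "Like" servers share a role.
SERVERS = [
    ("dc01", "dc"), ("dc02", "dc"),
    ("exch01", "exchange"), ("exch02", "exchange"),
    ("file01", "file"),
    ("sql01", "sql"), ("sql02", "sql"), ("sql03", "sql"),
]

def build_rollout(servers, released, stages=4, gap_days=2, delay_days=30):
    """Return {stage: {"date": ..., "servers": [...]}}.

    Sorting by role and dealing hosts out round-robin puts servers of the
    same role in consecutive stages, so like servers are split.
    delay_days=30 is an assumed reading of "1 month behind".
    """
    plan = {
        n: {"date": released + timedelta(days=delay_days + gap_days * (n - 1)),
            "servers": []}
        for n in range(1, stages + 1)
    }
    ordered = sorted(servers, key=lambda s: (s[1], s[0]))
    for i, (name, _role) in enumerate(ordered):
        plan[i % stages + 1]["servers"].append(name)
    return plan

def worst_exposure(servers, plan):
    """Per role, the largest fraction of its servers patched in one stage."""
    role_of = dict(servers)
    totals = Counter(role_of.values())
    worst = {}
    for stage in plan.values():
        in_stage = Counter(role_of[name] for name in stage["servers"])
        for role, count in in_stage.items():
            worst[role] = max(worst.get(role, 0.0), count / totals[role])
    return worst

if __name__ == "__main__":
    plan = build_rollout(SERVERS, released=date(2014, 12, 9))  # constructed date
    for n, stage in plan.items():
        print(n, stage["date"], stage["servers"])
    print(worst_exposure(SERVERS, plan))
```

A role with exposure 1.0 (here the single file server) cannot be split, so a bad patch in its stage takes the whole service down.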
     
  5. OP
    OP
    PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    10,405
    It's all a delicate balancing act... Risk of patches breaking shit (which has been pretty low in the past, but over the past 6 months, has been at an all time high) vs Risks of Not patching (which is pretty high recently). If you've been running domain controllers without MS14-068 in any sort of remotely hostile environment (internally also) then you've probably got a disgruntled user with a domain admin token already.

    We have a pretty basic test plan to make sure that all key business apps function, but the definition of function is pretty loose.

    There's a reliance on the vendor to at least do enough QA to ensure that key functionality isn't broken.... How the FUCK an Exchange Update Rollup gets away with Breaking Outlook Connectivity I'll never know...

    I don't like the '1 month behind' idea especially on RCE fixes. The bad people (tm) can look at what changes pre and post patch, and start to make some pretty educated guesses at what was exploitable pre-patch, even if disclosure has not been public.

    Staged updates would be good in a larger environment I think, but currently, one scheduled outage a month is doable (for non HA systems)... 4 would be a much harder sell (even if only 1/4 of the services are unavailable each time)
     
  6. NiTeHaWk

    NiTeHaWk Member

    Joined:
    Feb 22, 2002
    Messages:
    1,937
    Location:
    Brisbane
    I see people have mentioned Exchange, Office and the root cert update. The IE update from this month is breaking stuff as well. Two different issues, one affecting IE11 which there is now a fix for and IE9 crashing for some users. It's in the main IE cumulative update known issues now. Updates have been very ordinary this year from Microsoft.
     
  7. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    30,847
    Location:
    Brisbane
    Here's one I prepared earlier:

    http://forums.overclockers.com.au/showthread.php?t=983059
     
  8. OP
    OP
    PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    10,405
    I don't know what the Dev cycle is for MS Patches, but anecdotally, since the layoffs, Quality has gone downhill. Just Sayin'
     
  9. KDog

    KDog Member

    Joined:
    Jan 9, 2002
    Messages:
    209
    Location:
    ACT
    Long shot...

    Has anyone had an update cause a BSOD on Win8.1pro in the last week or so?

    I have two Win8.1pro machines (Dell laptops) which have BSOD, almost both at the same time. Figured the chances for two BSOD issues at the same time was low and might have a common cause.

    Fortunately they are both remote stand alone users who update direct and not through our WSUS (no Win8.1 machines on my DC).
     
  10. OP
    OP
    PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    10,405
    There are reports of KB3021674 breaking shit, either for new profiles, or for people that are using a shell other than explorer.
     
  11. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    738
    Location:
    ork.sg
    How many patches have you found that would have damaged your environment, that you subsequently didn't deploy as part of this test process?

    How many intrusions, or work hours lost have you had as a result of security vulnerabilities or bugs, because you didn't patch?

    How many hours of effort have you expended every month on your patching/test process?
    What percentage of time is that less than the effort required to fix bad patches?

    Your testing procedures must be very very considerable to be of much significant use. Must be a CMM of 5
     
  12. KDog

    KDog Member

    Joined:
    Jan 9, 2002
    Messages:
    209
    Location:
    ACT
    Update:

    The two machines are now in my possession. Nothing to do with Win updates. Users were trying to run VMware workstation and HyperV functionality at the same time.


     
  13. OP
    OP
    PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    10,405
    Hooray for QA.

    KB3001652 is fucking things up good and proper.

    http://www.neowin.net/news/microsofts-patch-kb3001652-is-causing-pcs-to-lockup

    It's been pulled by MS already (which is a nice change from their other broken patches, that they didn't bother to pull). But if you're a Day 1 Auto-Approver (God speed, those who test patches for the rest of us), you might want to jump in and decline this one.

    And for good measure KB3013455 breaks fonts on 2003 and Vista SP2
     
    Last edited: Feb 11, 2015
  14. FromPaul

    FromPaul Member

    Joined:
    Oct 14, 2006
    Messages:
    1,166
    Location:
    Sydney
    Today is the day the manure impacted the rotating ventilator device for us.

    1.22Gb per machine inc 1085meg of Office 2013 patches.

    The boss is not happy about being in a tent let me tell you.
     
  15. cbb1935

    cbb1935 Guest

    I can't help but feel Google is partly to blame for disclosing Microsoft exploits after 90 days (to force MS to patch faster, and avoid MS forgetting to tell others about their exploits). Might be causing a few glitches in the matrix.
     
  16. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    738
    Location:
    ork.sg
    Microsoft was fucking up patches long before Google announced their inform... wait... release strategy.

    I can't help but blame Microsoft for
    1) needing to patch in the first place
    2) releasing a shit patch (a = lots)
    3) not pulling them
    4) taking ages to patch them to actually reach (1) in the first place.


    Next Up, I blame Abbott.
     
  17. OP
    OP
    PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    10,405
    How much lead time would they have got if a 0-day exploiting it was released to the general public, or a Code-Red/Nimda style worm was unleashed?

    They should be thanking anyone who gives them ANY lead time on these.


    Trollolol :).

    Patching is inevitable.

    Shit patches have increased in frequency, I blame the cloud first, mobile first policy driven by Nadella, where there is massive emphasis on getting things out the door quickly, rather than doing it right.

    Not pulling them is my biggest bugbear, I think they have learned, given how quickly KB3001652 was pulled, but the fact that they are still advertising patches that they know break things, shits me.


    You are right though, it is Abbott's fault
     
  18. greebs

    greebs Member

    Joined:
    Dec 30, 2001
    Messages:
    925
    Location:
    Melbourne
    Yeah, Office 2013 does that a lot (there were a few months last year that were similar). Crazy really. I pity anyone on a big site/small link not using WSUS or some other method of centralised distribution or caching.
     
  19. cbb1935

    cbb1935 Guest

    So with a massive push to use Azure these days... what happens when Microsoft install ShitPatch v1.01a to fix a 0 day on their cloud infrastructure, and it borks the OS??

    I wonder. . .
     
  20. OP
    OP
    PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    10,405
    The same thing that happens to application stacks when Joe Public does it on one node of a multi-node cluster...

    The node dies in the ass, the application keeps on trucking... the end user is none the wiser.

    Microsoft/Joe Public then resolve the issue, fix the node, bring it back up, and then repeat for every other node in the cluster.
     
