Monday, 23 July 2018

Tiptoe through the bugs and get Windows and Office updated

The fourth Tuesday of the month has come and gone, and it now looks reasonably safe to patch Windows and Office. I was expecting two big releases yesterday—one to fix numerous bugs in Win10 Creators Update, version 1703; the other to plug the bugs introduced by June’s Office security patches—but neither trove appeared. Given Microsoft’s past patterns, it’s unlikely that we’ll see any more serious patches until next month’s Patch Tuesday, on Aug. 8.

There’s also a bit of additional impetus right now. On July 17, security researcher Haifei published a proof of concept for running malware scripts directly in Office apps. I haven’t seen any exploits in the wild as yet, but it would be a good idea to install KB 3213640 (Office 2007), KB 3213624 (Office 2010), KB 3213555 (Office 2013) and/or KB 3213545 (Office 2016) in the short term. (Thx to @LeaningTowardsLinux.) Note that none of these patches, as best as I can tell, correct the Office bugs introduced in June.

July was a particularly problematic month for Windows and Office patches. At this moment, I see the following outstanding problems — none of which are overwhelming, but all of which may prove to be a pain to you, depending on your configuration and expectations:

  • The June bugs introduced by faulty Office security patches still aren’t fixed. Those of you using Outlook to open attachments or run custom macros may encounter problems. The easiest solution, of course, is to avoid Outlook. I’ve seen no confirmation that running July patches will affect the June patches, which have appeared and disappeared in an unpredictable pattern.
  • The July patches reset Internet Explorer so it can print inside iFrames, but in so doing they reintroduce the CVE-2017-8529 security vulnerability. That’s a big deal if your company relies on IE to print customized pages, but the easiest solution is to just avoid IE. If you use Chrome or Firefox and couldn’t care less about IE’s problems, you might want to wade through the considerable mess documented here and avoid installing patches that fix IE but leave you exposed.
  • KB 4025331 for Server 2012 and KB 4025336 for Server 2012 R2 break client connections in WSUS and SCCM. Both need a manual registry key change to enable a fix for CVE-2017-8563.

On the brighter side, the Surface Pro 4/Surface Book firmware/driver update difficulties I talked about two days ago didn’t turn into major problems. Microsoft has provided the documentation, at last, and it looks like the driver update is good to go.
