Patch Tuesday arrives with Access error, 1909 in tow, and a promise of no more 'optional' patches this year

Credit to Author: Woody Leonhard| Date: Wed, 13 Nov 2019 07:59:00 -0800

The patches haven’t yet been out for 24 hours and already we’re seeing a lot of activity. Here’s where we stand with the initial wave of problems.

Many early patchers found that the MSRT, KB 890830, kept installing itself over and over again. Poster IndyPilot80 says:

It sits at “Installing: 0%” for a couple minutes then goes away. When I hit “Check for Updates” it shows up again and does the same thing.

There are hundreds of reports online of people who found that the MSRT installer threw an 800B0109 and wouldn’t install; or installed but then reinstalled on reboot; showed up multiple times in the Installed Updates list; didn’t show up in the Installed Updates list in spite of running; and several variations on those themes.

Ends up, it was all Microsoft’s fault. By last night, MSRT was behaving itself.

Günter Born first described this problem, based on reports on German-language sites, including deskmodder.de:

Microsoft Office security updates released on Patchday (November 12, 2019) cause Access to fail to access databases. An error 3340 ‘Query is corrupted’ will be dropped. …

It appears that a security update for the CVE-2019-1402 vulnerability in each version of Microsoft Office causes this error. Here is the list of Office security updates that you can uninstall.

Office 2010: Description of the security update for Office 2010: November 12, 2019 (KB4484127)

Office 2013: Description of the security update for Office 2013: November 12, 2019 (KB4484119)

Office 2016: Description of the security update for Office 2016: November 12, 2019 (KB4484113)

At least from what I’ve seen so far, uninstalling this security update seems to allow database access again.

Born says that he’s reported the problem to Microsoft, but it doesn’t yet appear on the official Fixes or workarounds for recent issues in Access list.

It isn’t clear to me why Microsoft re-released its most stable version of Win10 (at least, I’m still using 1809 on my production machines), but a new one’s out, apparently. At the same time Microsoft announced the re-release of 1809, it also reset the countdown date for version 1809 support:

On November 13, 2018, we re-released the Windows 10 October Update (version 1809), Windows Server 2019, and Windows Server, version 1809. We encourage you to wait until the feature update is offered to your device automatically. …  

Note for Commercial Customers: November 13 marks the revised start of the servicing timeline for the Semi-Annual Channel (“Targeted”) release for Windows 10, version 1809, Windows Server 2019, and Windows Server, version 1809.  Beginning with this release, all future feature updates of Windows 10 Enterprise and Education editions that release around September will have a 30-month servicing timeline.

And you thought Microsoft had abandoned the ridiculous “Semi-Annual Channel (“Targeted”)” bafflegab.

Microsoft released new updates for the Servicing Stack on all supported versions of Windows. Notably, Win7 and 8.1 also have new SSUs. (You only have to worry about SSUs if you manually download and install updates. If you use Windows Update, they should be installed automatically. Should.) There’s a complete list of the new SSUs in Security Advisory ADV990001.

Tell me if this sounds familiar

Yesterday’s patches includes one for an Internet Explorer security hole, dubbed  CVE-2019-1429, an “exploited” vulnerability. Just like the August “exploited” IE zero-day Keystone Kops episode, this appears to be a genuine flaw in IE. Just like the August doppelganger, Microsoft isn’t telling us very much. 

Dustin Childs says it best in his Zero Day Initiative post:

This patch for IE corrects a vulnerability in the way that the scripting engine handles objects in memory. This vague description for memory corruption means that an attacker can execute their code if an affected browser visits a malicious web page or opens a specially crafted Office document. That second vector means you need this patch even if you don’t use IE. Microsoft gives no information on the nature of the active attacks, but they are likely limited at this time. 

No doubt the Chicken Littles of the Windows reporting industry will bill this as a huge threat to 800 million Windows users — or some such drivel. In fact, it’s likely the discovered exploit appeared in a honed attack directed at a major governmental or industrial target.

Until we hear more about it (we haven’t heard of any attacks based on August’s exploit, have we?), you should be fine.

This should come as good news for Windows patchers of all stripes.

Microsoft has officially announced that it’s giving up on its practice of releasing (at least) two cumulative updates per month, through the end of this year. Tucked away in a neglected corner of the Windows Release Information page lies this little gem:

Timing of Windows 10 optional update releases (November/December 2019)

There will be no more optional “C” or “D” releases for the balance of this calendar year. Note There will be a December Security Update Tuesday release, as usual.

For those of you who don’t speak the A-B-C-D-E jargon, that means we won’t have second cumulative updates in November or December. The “optional, non-security” patches (which frequently contain fixes for bugs introduced by security updates) are a strange artifact that solidified in early 2017. Prior to that, Microsoft released one cumulative update on the second Tuesday of most months, then patched again at an arbitrary time, should the need arise — primarily to fix bugs introduced by the first patch.

Starting in 2017 or so (it’s difficult to pinpoint a date), somebody decided that it would be good to give Windows patchers a preview of the next month’s non-security patches, generally during the 3rd or 4th week of the month (thus, “C” and “D” week). The approach resembled something of an Insider Preview shot at the next month’s non-security patches. You could get a preview of the next month’s patches, but only if you downloaded and installed them manually, or (horrors!) became a Seeker and clicked “Check for updates.”

It looks like Microsoft is shutting that down, at least for the next two months, and I say good riddance. If there’s to be an Insider Preview ring for each version of Win10, I’m all for it — let people opt in, and give them a reliable way to report bugs. But playing footsie with Seekers just hangs too many innocent bystanders out to dry.

It isn’t clear if we’ll be spared the same indignity with Windows 7 and 8.1 “Monthly Rollup Previews.” Stay tuned.

As widely advertised, this month’s cumulative update for Win10 version 1803 is destined to be its last (unless we have a major security problem and Microsoft changes things). If you’re running Win10 version 1803, there’s no need to panic; in the normal course of events, you wouldn’t get another security patch until next month anyway. I’ll have more about the journey from 1803 in a subsequent column.

Those who have installed the Win10 1903 November cumulative update, KB 4524570, and rebooted, will see an offer on your Windows Update setting page (screenshot).

Right now, there’s no pressing reason to click that “Download and install now” link. Let’s wait and see what problems arise. 

Quite a haul for the first 24 hours, eh? 

Thx, @abbodi86, @PKCano, @gborn and many more

Join us for the usual patching follies on AskWoody.com.

http://www.computerworld.com/category/security/index.rss

Leave a Reply