Microsoft Patch Alert: November patches behave themselves – with a few exceptions

Credit to Author: Woody Leonhard| Date: Tue, 03 Dec 2019 10:29:00 -0800

What a relief. The only major patching problem for November came from Office, not Windows. We had a handful of completely inscrutable patches – including two .NET non-security previews that apparently did nothing – but that’s the worst of it.

November saw the last security patch for Win10 version 1803. Win10 version 1909 got released, gently. We also had a much-hyped “exploited” zero-day security hole in Internet Explorer (again) that didn’t amount to a hill of beans (again).

As promised, we received no “optional, non-security” Windows 10 patches in November – and Microsoft promises there won’t be any this month, either. I think that’s great. If Microsoft wants to roll out beta test versions of Windows, it should have testers sign up for an Insider ring.

All of the Office patches in November throw a “Query is corrupt” error message in Access under certain circumstances. Access says “Query xxxx is corrupt,” when in fact the query in question is just fine.

 I talked about the bug on Nov. 13. Microsoft finally acknowledged it almost a week later.

Microsoft rolled out a patch for Access 2016 on Nov. 18, but didn’t get the other installed (“MSI”) versions patched until Nov. 27. We’re still waiting for patches to the Click-to-Run versions of Office, which are currently scheduled for Dec. 10 – the next Patch Tuesday.

Along with Win7 and 8.1 Monthly Rollup previews, we were also graced with four optional preview .NET patches – two of which don’t appear to do anything – and a group of one-off patches (not cumulative updates), available by manual download only, to fix a weird bug in ClickOnce.

In short, there weren’t any .NET patches in November worth the distraction.

Speaking of distractions…, November saw a fix for an “exploited” security hole, CVE-2019-1429. The parallels to September’s CVE-2019-1367 are hard to ignore. Like -1367, -1429 is a “Scripting Engine Memory Corruption Vulnerability” that is known (by Microsoft) to be used in some sort of attack. Like the earlier doppelganger, this new incarnation hits Internet Explorer directly, but can be leveraged by an aberrant Office document that links to IE. Both exploits seem full of sound and fury – 800 million Windows users exposed! Hurry and get patched! Click here! – but in the end, neither leaked into the wild.

There’s one big difference between the old -1367 and the new -1429: Microsoft didn’t start flailing around like a beached whale this time. If you recall, the September hole was subject to four – count ‘em, four – different out-of-band updates, poorly conceived and worse implemented. Local news broadcasts predicted the Windows sky was falling. Meh.

My advice then – and now – is to ignore the “exploited” designation, stop using Internet Explorer, set any other browser as your default, and read up on False Authority Syndrome (thanks, Rob).

If you’re thinking about moving on to Win10 version 1909, make sure you weigh the benefits (are there any real benefits?) against the problems. Several bugs in Win10 1903 are running over into 1909, and 1909 has a handful of its own:

It remains to be seen whether there are any 1909-specific bugs. But it also remains to be seen whether there are any real benefits to moving to 1909.

Those of you running Win10 1809 Home may be distressed to discover that, unless you take significant steps to prevent it, Microsoft now upgrades your machine to version 1909, not 1903. That may be what you want – if so, I salute you! – but moving to Win10 1903 now gives you the opportunity to choose when you’ll get pushed onto 1909.

In fact, if you’re running Win10 version 1803 or 1809 (or don’t know what version you’re running!), there’s a relatively easy way to make sure you end up on the version you want. Full step-by-step instructions are here in, Running Win10 version 1803 or 1809? You have options. Here’s how to control your upgrade.

Get the latest on AskWoody.

http://www.computerworld.com/category/security/index.rss

Leave a Reply