Software Contract Solutions

Microsoft Patch Alert: October 2020

The big news with this month’s patches – aside from the usual smorgasbord of strange errors – has more to do with the patches that are outside the regular cumulative update stream. Remarkably, we didn’t get any security fixes for IE or Edge. And the new .NET “optional” preview patches aren’t optional at all.

October 2020 brought a lighter-than-usual crop of patches. For the first time in recent memory, there were none at all for Internet Explorer or the (Chromium-based) Edge browser. The cumulative updates went in with few reports of problems, although there were many complaints about printers not working after the update.

Strange things happened, though, outside the usual monthly patching schedule. The day after Patch Tuesday, Microsoft announced a(nother) fix for a security hole in the HEVC codec — CVE-2020-17022 — distributed, once again, only through the Microsoft Store.

HP’s Secure Click Enterprise started falling over immediately after installing this month’s Windows cumulative updates. HP released a Win10 update-friendly version a couple of days later. It continues to astound me that a mainstream product from a major manufacturer isn’t tested before the cumulative updates roll out.

There was a security hole plug specifically for Visual Studio programmers, CVE-2020-17023.

Then there’s the security patch for Microsoft Dynamics 365 Commerce, CVE-2020-16943, that was announced but never appeared. It’s still missing in action. Something in there about counting chickens before they’re hatched.

As usual, we had dire warnings galore from the usual patch-right-now sources (“Microsoft warns beeeelions of customers to patch immediately!”). As usual, we haven’t seen any immediately exploited security holes, with the possible exception of SharePoint Server 2016 and 2019.

The usual grab-bag of bugs

Every month for the past year or two, we’ve seen a big accumulation of bugs arrive on the heels of Patch Tuesday. This month’s no exception. You can see a motley collection of blocked update error messages, error codes, blue screens, crashes, and peripheral problems in Mayank Parmar’s article in Windows Latest, Lawrence Abrams’ piece for BleepingComputer, Venkat’s rundown in Techdows, Günter Born’s post in Born’s Tech and Windows World, and countless parrot sites around the web.

I don’t see any particular pattern to any of it, which has become increasingly common. New patches just seem to bring along a trove of unrelated bugs, any one of which can be hugely frustrating — but none of which seem to be particularly widespread.

The one exception: I’ve seen many reports of printers that stop working after the latest cumulative update gets installed. In every case I’ve seen, pulling the plug on the printer and plugging it back in solves the problem — an easy task for individuals, not so much for admins.

‘Windows can’t verify the publisher of this driver software’

Some people are reporting an unexpected error when installing certain drivers. Microsoft describes the situation in the Resolved issues portion of the Windows Release Information Status page:

When installing a third-party driver, you might receive the error, “Windows can’t verify the publisher of this driver software.” You may also see the error “No signature was present in the subject” when attempting to view the signature properties using Windows Explorer.

This issue occurs when one or more of the following is present in a driver package:

  • An improperly formatted catalog file is identified during validation by Windows. Starting with this release, Windows will require the validity of DER encoded PKCS#7 content in catalog files. Catalog files must be signed per section 11.6 of describing DER-encoding for SET OF members in X.690.
  • A driver catalog file extension is not one of the supported extensions.

That’s a feature, not a bug. Microsoft suggests that you contact the driver manufacturer and ask for an update. If your hardware vendor isn’t real interested in keeping up with Windows 10, well, joke’s on you. Günter Born puts it succinctly: Windows is a huge hardware exterminator, rendering still working devices as electronic waste, because drivers can no longer be installed.
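To see what the X.690 section 11.6 requirement means in practice, here is an added example (not Microsoft's validation code and not from the original article) that walks a DER blob and reports any SET OF whose members are not in ascending order of their encodings. It assumes you feed it the raw bytes of a catalog file's PKCS#7 content; the sample inputs are constructed, and the check is structural only, it does not verify any signature.

```python
# Added example: structural DER check for SET OF ordering (X.690 section 11.6).
# Only the universal SET / SET OF tag (0x31) is checked; implicitly tagged
# sets cannot be recognised without the ASN.1 schema.

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the TLV at pos, enforcing DER lengths."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("high tag numbers are not handled here")
    first = buf[pos + 1]
    if first < 0x80:                       # short form
        length, start = first, pos + 2
    else:                                  # long form
        n = first & 0x7F
        if n == 0:
            raise ValueError("indefinite length is BER, not DER")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        if length < 0x80 or buf[pos + 2] == 0:
            raise ValueError("non-minimal length encoding")
        start = pos + 2 + n
    if start + length > len(buf):
        raise ValueError("truncated value")
    return tag, start, start + length

def set_of_violations(buf, pos=0, end=None):
    """Return byte offsets of SET OF values whose members are not sorted."""
    end = len(buf) if end is None else end
    bad = []
    while pos < end:
        tag, start, stop = read_tlv(buf, pos)
        if stop > end:
            raise ValueError("member overruns its container")
        if tag & 0x20:                     # constructed: inspect the members
            members, p = [], start
            while p < stop:
                _, _, nxt = read_tlv(buf, p)
                members.append(buf[p:nxt])
                p = nxt
            if tag == 0x31:
                # 11.6: compare as octet strings, shorter ones zero-padded
                width = max(map(len, members), default=0)
                keys = [m.ljust(width, b"\0") for m in members]
                if keys != sorted(keys):
                    bad.append(pos)
            bad += set_of_violations(buf, start, stop)
        pos = stop
    return bad

# Constructed samples: SEQUENCE { SET OF { INTEGER, INTEGER } }
GOOD = bytes.fromhex("3008 3106 020101 020102")   # members sorted
BAD = bytes.fromhex("3008 3106 020102 020101")    # members out of order
```

A catalog that parses without a `ValueError` and returns an empty list passes this particular check; a non-empty list gives the offsets to point the driver vendor at.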

‘Optional’ .NET previews aren’t optional any more

We’ve seen this problem for several months, and it still hasn’t been fixed.

Windows Update doesn’t handle the .NET “Preview” monthly rollups the way you (or at least, I) would expect. Cumulative Update previews have to be manually approved by clicking a “Download and install” link. .NET Previews don’t even offer the option.

There’s a convoluted set of rules about Windows automatically installing .NET Previews. @abbodi86 has unrolled the behavior this way:

The new .NET Previews are nothing different from all previous non-security .NET cumulative updates. They just have the term “Preview” in the label.

If you’re a “seeker” (click Check for updates in Windows Update), the .NET Preview update will be installed regardless of your other settings.

If you aren’t a “seeker,” when a normal update scan takes place, one of two things will happen. (1) If the previous .NET Security update is not yet installed, the .NET Preview update will be flagged as potentially superseded, and Windows Update will not offer it. (2) If the latest .NET Security update is already installed, the .NET Preview update will be installed.

If that isn’t confusing enough for you, @abbodi86 has full details here.

I have no idea why Microsoft thinks that its “preview” (i.e., not-yet-ready-for-prime-time) patches should be installed on machines without any warning or opt-out capability. But there you have it.

Microsoft pulls back on potentially unwanted PWA apps

When is a PUP installer not a PUP installer? When it’s a Windows beta, of course.

Somebody at Microsoft decided it would be a good idea to jury-rig some beta test versions of Windows 10 so they automatically installed the new PWA (progressive web app) versions of Word, Excel, PowerPoint, Outlook and OneNote. Several beta testers took umbrage at an operating system that cavalierly installed potentially unwanted programs. A couple days later, Microsoft changed course, claiming that the pushy behavior was a bug.

Right. Sean Hollister at The Verge has details.

Office 2010 and Exchange Server 2010 hit end of life

As of Oct. 13, both Office 2010 and Exchange 2010 fell off the support cycle. You won’t get any more patches. A pity, really, because Office 2010 (in spite of its interface peculiarities) was a real workhorse. Patch Lady Susan Bradley has details.

Version 20H2 (or is it 2009?) rolling out

Microsoft is starting to make Win10 version 20H2 available for the masses — although you have to click “Download and install” to get it. At least, that’s the theory.

Considering version 2004 had almost no new worthwhile features, and 20H2 has fewer still (theme-related shading on Start tiles? Alt+Tab switching Edge tabs? Puh-lease), the push to 20H2 is now under way. Think of it as yet another cumulative update, except it doesn’t plug any new security holes.

If you ever needed a concrete example of why twice-a-year upgrades for Win10 make absolutely no sense at all, now you have it.

 

This article originally appeared on ComputerWorld.
