We got through September’s Patch Tuesday without any major problems, after numerous small and large problems that arose from several August updates. Just as we were starting to breathe a sigh of relief, though, it seems October is bringing brand new troubles for those who were brave enough to install the patches immediately after release.
We experienced some patching weirdness ourselves this time. When one of our Windows 8 computers rebooted after installing updates, we were unable to authenticate to the domain controller. Troubleshooting revealed that logging onto the DC itself failed, too. Luckily, after another reboot, things returned to normal.
Then reports from other people having various problems started to come in. Quite a few people are having a difficult time getting some of the patches to install at all. There have been reports from users that an attempt to apply KB3000061 to Windows 8.1 computers fails with an error message that says “Failure configuring Windows updates.”
This is the MS14-058 patch, an update to the kernel-mode driver that fixes two vulnerabilities in that component that could be exploited to carry out remote code execution. It’s one of the three critical patches that were released this week, and there had been limited reports of an exploit in the wild, so installing this one was at the top of the priority list.
There is a small comfort if you’re unable to install it, in that the first of the vulnerabilities, CVE-2014-4113, can’t be exploited unless the attacker is able to log on locally, and there is a published workaround for the second vulnerability, CVE-2014-4148. You can find the instructions in the MS14-058 Security Bulletin on the TechNet web site.
There are also quite a few people running Windows 7 who are not able to get KB2952664 to install. This is not one of the eight security updates released this month; it’s described as a compatibility patch for upgrading Windows 7. This patch is reportedly in its seventh release. It’s designed to make it easier to upgrade Windows 7 to future versions of Windows. The linked article from Infoworld.com has instructions for uninstalling the patch and reinstalling it, which seems to fix the problem for at least some of the machines. The good news here is that this one doesn’t affect you if you aren’t running Windows 7, and even if you are, you don’t really need it unless you’re planning to upgrade your Windows 7 machine.
We’re also hearing some complaints about one of the more obscure security-related patches that were not part of the Security Bulletins, KB2984972. This is not a vulnerability fix; it’s an update for Remote Desktop Connection 7.1 that would enable the RDC client to perform restricted administration logons. We’re hearing that this patch can cause problems with third-party applications, with some of them freezing up after the patch is installed, and that some thin clients have problems with multi-monitor display with the patch installed. In most cases, simply uninstalling the update fixed the problems.
Woody Leonhard reported additional details on some of these problems, as well as problems with KB2995388, another non-security update that’s not playing nicely with VMware and should be uninstalled if you’re running VMware and unable to boot your virtual machines.
Most of these problems are not as nightmarish as some we’ve had in the past: most are cleared up by uninstalling, most aren’t addressing critical security issues, and the one that does fix a critical vulnerability also has a workaround that you can apply until Microsoft gets the patch fixed. Nonetheless, it’s creating big headaches for many computer users and IT pros and is likely to further erode their faith in the patching process and make them even more hesitant to update for fear of “breaking what wasn’t broken.”