[German]A strange thing happened today: Windows 7 machines are receiving Internet Explorer 11 security update KB3008923 via Windows Update. This update is dated from December 2014. Here are a few details and observations.
I received the first notification this morning, when blog reader Leon wrote: ‘hallo mr. born, this night an internet explorer 11 update KB 3008923 has been offered’. After searching the web, I came to the conclusion, that it was a false alarm, because all I could find, was articles from 20124.
But then a comment from @Webmasta within my old German blog post Patch-Flicken: Internet Explorer-Update KB 3025390 verfügbar published on December 2014 mentioned also update KB 3008923. Webmasta wrote: KB (3008923) has been offered on my fully patched Win7 Pro 64 machine. Does somebody else received this update?
Checking Windows Update on my Windows 7 machine
I currently run a Windows 7 SP1 machine (for productive work), so during writing this blog post I opened Windows Update and let it search for new updates. Here is, what I got (click to the screenshot, to enlarge).
Windows Update offers a ‘Cumulative security update for Internet Explorer 11 for Windows 7 for x64 systems (KB3008923)’ with a download size of 52.7 MB. The update is dated 12/09/2014 and is quoted as important. The descriptiong says:
this security update resolves several reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage in Internet Explorer. This security update helps protect Internet Explorer from being attacked.
Additionally, this security update includes several non-security-related fixes for Internet Explorer.
But this article was published on December 9, 2014.
Update KB3008923 is from 2014
I searched the web, but all I could find related to this update, was articles dated from december 2014. Then I searched Microsoft Update Catalog.
All I could fiund, was updates from December 2014 – and some versions from January 2014 for Windows Embedded 7 Standard and Windows Server 2003 (this software has reached end of life). The English KB article 3008923 says:
The update that this article describes has been replaced by a newer update. We recommend that you install the most current cumulative security update for Internet Explorer.
But there is no note about the release date of this quote. So overall I conclude: Windows Update says, there is an important IE 11 security update, but all information I found, was dated from 2014. There is also another remark within the KB article:
KB3022827 redirects you to this article because KB3022827 contains the same security updates from this KB that apply to Windows 10 Technical Preview.
Really odd is the note given under known issues in KB3008923. Microsoft says:
We are aware of some reports of functional issues on sites that use nested modal dialog boxes on Internet Explorer 11 that occur after you install this security update.
We are aware of some limited reports of Internet Explorer 9 crashing after you apply this security update.
Well IE 9 seems to be history in Windows 7 SP1, but the modal dialog box issue doesn’t sound well. Update KB3008923 will also be mentioned in 2014 as a root cause for several other issues (see here, here, here). Also at askwoody.com is a short article and a discussion about this patch. Currently I recommend to hide this update.
Let’s nail it down:
- Maybe something went wrong on Microsoft Update servers and they are offering an old patch.
- Or Microsoft has changed something, but forget to change the description within the KB article, the update catalog and within the Windows Update meta data.
Independently from the answer, this is obscure, and it won’t help to raise Microsoft’s reputation. I still have the interview with Microsoft’s Brad Anderson, Corporate Vice President of Enterprise Client and Mobility, during Ignite 2016 made by The Register within my head. Anderson stated:
Our long term vision on Windows 10 management is that organizations should rely on Microsoft to do more for them on their behalf. Let us worry about your images. Let us keep your devices updated through Windows Update for Business. Rather than you approving which patches you want, we are saying let them all flow because the way organizations get the most secure, the most compliant, the most reliable and most performance devices is to stay updated with all of our updates …
There is years of experience that IT pros have, sometimes we release updates that break something. As we build confidence with IT pros around the world that our updates are solid they will get more comfortable with just letting the patches go through, in Windows Update for Business you have the ability to say, I want to delay these updates, so you have some level of control. You don’t have the degree where you can say I want to deploy these three but not these 10.
Well, Windows 7 is old stuff – and Microsoft is promoting heavily Windows 10. But I can’t believe, that such actions as we have seen again today build trust on Microsoft’s ability to handle updates in a proper way. I would say, that Update thing is terrible broken. Or do you have a different opinion?
Addendum: An explanation
An explanation may be found at askwoody.com from @abbodi86 within this comment: they expired most of IE11 cumulative updates (around 14 updates)
however, the supersedence chain for KB3008923 is now broken, the update that supersede it is expired – therefore and by metadata rules, KB3008923 is not superseded now.
So, just hide update KB3008923 – and probably other updated (KB3003057 and KB2987107) within the broken update chain.