Looking back at Microsoft’s July 2018-Patches

[German]July 2018 represents another low with regard to issues caused from Microsoft's updates. Since the month is almost over, here is a look at security advisories and problematic updates, as well as some basic thoughts..

Currently Microsoft has a nice run …

Actually, it works great for Microsoft. Last week some sites reported, that the tax administration of Lower Saxonia (Germany) wants to migrate 13,000 computers from Linux to Windows and Microsoft software. Then, at the Inspire partner conference in Las Vegas, it was announced that Microsoft wanted to win over professional consumers. Mary Joe Foley reported here on that topic – whatever the marketing drivel of Microsoft may mean.

(Source: Statista)

And Microsoft's latest quarter revenue figures let stock market participants rejoice, a profit of 7.6 billion euros, in the fourth quarter of the 2018 financial year. With turnover rising by more than 17 percent to 30.1 billion US dollars. The cloud boom is driving sales and profits at Microsoft. Microsoft's management did everything right in Redmond, at least when it comes to making money.

And Microsofts sales team have even started to raise the prices for subscriptions for the upcoming Office 2019 and Windows 10 Enterprise – because there is a cash cow. The details can be found at OnMSFT. But there is still another thing. Microsoft has to provide old customers with something like updates for products – and there is something going wrong at Microsoft – and that could pay off in the long run.

July 2018 Security Advisories and Vulnerabilities

There are two pieces of information that have come to my attention these days. Once I came across a link to the exploit-db.com website on a social network. Under the linked search term, the site lists all vulnerabilities or exploits that affect Windows or Windows software.

Well, the hint came from a Linux fan who pointed out that there too Ubuntu has vulnerabilities. But these would be fixed quickly, while in Windows you had to wait for the patchday. And there, so my objection, users must hope that the patch can be installed and causes no collateral damage.

The second tip came from Susan Bradlay at askwoody.com, who pointed out vulnerabilities closed at Microsoft for July 2018 and patch problems (see following section). Microsoft's Juli 2018 release notes contain the following CVEs with additional information and release notes that administrators should note.

• ADV170017*
• ADV180002*
• ADV180012*
• ADV180016*
• ADV180017
• CVE-2018-8202 *
• CVE-2018-8260 *
• CVE-2018-8281
• CVE-2018-8282
• CVE-2018-8289
• CVE-2018-8297
• CVE-2018-8299*
• CVE-2018-8300*
• CVE-2018-8305*
• CVE-2018-8306*
• CVE-2018-8310
• CVE-2018-8312
• CVE-2018-8319*
• CVE-2018-8323*
• CVE-2018-8324
• CVE-2018-8325
• CVE-2018-8326*
• CVE-2018-8327*

All links with an asterisk behind them contain additional information which must be observed after the installation of the relevant updates. A lot to read for administrators.

Known issues from July 2018 updates

The much more critical part of Microsoft's July 2018 release notes deals with known problems with the July 2018 updates. Here is the list:

• 4295656
• 4338415
• 4338416
• 4338417
• 4338418
• 4338419
• 4338420
• 4338421
• 4338422
• 4338423
• 4338424
• 4338600
• 4338601
• 4338602
• 4338604
• 4338605
• 4338606
• 4338610
• 4338611
• 4338612
• 4338613
• 4338814
• 4338815
• 4338818
• 4338819
• 4338820
• 4338821
• 4338823
• 4338824
• 4338825
• 4338826
• 4338829
• 4338830
• 4340004
• 4340005
• 4340006
• 4340007
• 4340556
• 4340557
• 4340558
• 4340559
• 4345232
• 4345418
• 4345419
• 4345420
• 4345421
• 4345455

For some KB articles there is a note that the problem has been solved with a subsequent update. But especially the Security and Quality Rollup updates for.NET Framework 3.5 SP1 for Windows 8.1, RT 8.1, and Server 2012 R2 (KB 4338424) has kept administrators around the globe busy. The update was supposed to close the vulnerabilities CVE-2018-8284, CVE-2018-8202 and CVE-2018-8356, but could not be installed on many systems in the Windows 8.1/Server 2012 R2 environment. Those who managed the installation might have faced further problems (applications threw errors or could not start). After several attempts for rework the update was withdrawn.

If you look at the list of links above, you get a bad feeling and the question 'Is Microsoft does things in a right manner?' arise. The effect may be a result of layoffs in the quality assurance and test departments in the last three or four years – the developers should test the updates themselves. In 2016 I published some thoughts in a German blog post Scheitert Microsofts neuer Entwicklungs-Workflow?  The 'lack of testers with experience' after a wave of layoffs and the changed development paradigm were also addressed there. At that time, however, I did not come to a definitive conclusion as to why the quality of the updates, at least I felt, was diminishing.

A second cause could also be the increased complexity has been patched into Windows 7 to Windows 10, for example, at least I will be quite different. But at this point, I have to say: It's all speculation on my part, there could be other causes. All in all, however, my interpretation is that updates and patch days have become a game of Russian roulette for administrators. And the July 2018 updates represent (at least in my impression) a new low point in terms of quality and update issues. Even if Microsoft is doing well at the moment in terms of sales, a mortgage may be building up, which at the moment only through the WinTel monopoly and the lack of alternatives will lead many users to stick to the old-fashioned. Or have you made other observations and insights that you want to share as comments?