Another massive outpouring of Microsoft patches yesterday — more than 1,100 separate patches — brought a few surprises and shouts of indignation from a forced but unannounced upgrade. Some bugs are already evident, and there’s a storm brewing over one Office patch. But by and large, if you don’t use Internet Explorer or Edge, it’s a non-event.

Every version of Windows got patched yesterday (Win10 1709, Win10 1703, Win10 1607, Win10 1511 Enterprise, Win10 1507 LTSC, Win 8.1, Win RT 8.1, Win 7, plus Server 2016, 2012 R2, 2012, 2008 R2, 2008). Almost every version of Office (2016, 2013, 2010, 2007, plus 2013 and 2010 Click-to-Run). Plenty of miscellaneous, too: IE 11, 10, 9 and Edge, Flash for all, SharePoint Server, the ChakraCore package, and various .Nets including ASP.NET. The good news? Unless you use IE or Edge, there’s nothing pressing — you can sit back and watch the bugs crawling out of the woodwork.

Martin Brinkman at ghacks has a spreadsheet you can download if you’re curious. He shows more than 1,100 separately identified patches.

All of that’s in addition to the 43 non-security Office patches released last week, the Win7 and 8.1 Security-only patches, and the Monthly Patch previews.

Behind the curtain

For most of you, the key patches are these:

There’s a handful of fully disclosed bugs in the patches. You can see them in the KB articles associated with the individual patches. For the Win10 patches:

Internet Explorer 11 users who use SQL Server Reporting Services (SSRS) may not be able to scroll through a dropdown menu using the scroll bar. (Fix: Change the document mode.)

Universal Windows Platform (UWP) applications that use JavaScript and asm.js may stop working. (Fix: Uninstall, then reinstall the application.)

May change Czech and Arabic languages to English for Microsoft Edge and other applications. (Fix: We’re working on it.)

But of course the disclosed bugs are never as interesting — or as problematic — as the unexpected ones.

[ To comment on this story, visit Computerworld's Facebook page. ]

According to Microsoft, four of the fixed holes have been publicly disclosed, but none of them are being exploited in the wild at this point (which is to say, they’re not zero-days):

CVE-2017-8700 — ASP.NET Core Information Disclosure Vulnerability

CVE-2017-11827 — Microsoft Browser Memory Corruption Vulnerability

CVE-2017-11848 — Internet Explorer Information Disclosure Vulnerability

CVE-2017-11883 — ASP.NET Core Denial of Service Vulnerability

Once again, you can see security holes in IE 11 inherited by Edge.

Adobe released 9 security bulletins and advisories, which fixed 86 individually recognized security holes in Flash, Acrobat, Reader and other Adobe products. As usual, Microsoft incorporated the Flash fixes into its Win 8.1, 8.1 RT, Win 10 and Server 2012, 2012 R2 and 2016 patches.

My long-standing advice still rings true: If at all possible, get rid of Flash and Reader and use any browser other than IE or Edge.

Forced upgrade to 1709

The most vexing issue to crop up so far: Win10 Pro users who have their Group Policy set to block upgrades from 1703 (Creators Update) to 1709 (Fall Creators Update) are getting pushed onto 1709. Win10 1703 Pro users set to hold off for "Current Branch for Business" got bushwhacked, too. Poster NetDef on AskWoody says:

All (and I mean ALL) 1703 systems today, even with correct Group Policy settings enforced, that were NOT under a WSUS system have picked up and installed (or attempted to install) the 1709 feature update. Test systems that had CBB set, but also had the defer updates set for 60 or more days, did NOT update today. Test systems where we used WUShowHide to hide/defer the 1709 update have ALSO attempted to upgrade to 1709 today. MS has apparently greatly shorted the wait time for (formerly known as CBB) from 4 months to 1 month. I do not yet know if this was an accident, or intentional.

Given all of the recent complaints about bugs in the Fall Creators Update, being forced onto 1709 even with the “Current Branch for Business” set in the Security & Updates Advanced Options (screenshot) is unconscionable.

Woody Leonhard/IDG

Microsoft has retroactively redefined “Current Branch for Business” — which is to say, it has eliminated it — without warning, and without allowing customers to change their settings to something that says, in effect, back off.

Poster @MrBrian echoes the damnation of many:

My educated guess is that this was not an accident. The “Microsoft recommends” tag on the official Win10 release information site now points to 1709. Microsoft is now purposely blurring the distinction between what was formerly Current Branch and Current Branch for Business. I’m not surprised that Microsoft did this, but I would have thought that Microsoft would have given prominent notice beforehand (or did they?)

The only solution at this point is to make sure you have the feature update deferral setting ratcheted all the way up to 365 days. See my recommendation from October. If you got upgraded and don’t want to join Microsoft’s unpaid beta-testing club for 1709, you can roll back using Start > Settings > Update & security > Recovery and under “Go back to the previous version of Windows 10” click Get Started. Provided you roll back within 10 days, you should end up with your old system.

Problems on the Office front

Catalin Cimpanu at BleepingComputer calls out a worrying Excel patch, CVE-2017-11877 - Microsoft Excel Security Feature Bypass Vulnerability — previously undisclosed, that may allow jimmied Excel worksheets to bypass the usual auto-execution restrictions. No known exploits, as yet, but it’s unnerving.

There’s a new security advisory, ADV170020 - Microsoft Office Defense in Depth Update, that has exactly no description. Dustin Childs at Zero Day Initiative offers this possible explanation:

If one were to guess, it’s likely this advisory is related to the recent spate of malware abusing the Dynamic Data Exchange (DDE) protocol. DDE provides data exchanges between Office and other Windows applications, however attackers leverage DDE fields to create documents that load malicious resources from an external server. Microsoft claims attackers may be abusing the feature, but it’s not a vulnerability per se. Hopefully, the update provided by this advisory restricts the abuse of this “feature” in some manner.

I talked about the suddenly popular {DDEAUTO} field on AskWoody last week in response to Microsoft’s Security Advisory 4053440. It looks like the mysterious ADV170020 somehow automates a subset of the manual tweaks provided in SA 4053440 but, of course, Microsoft has provided zero documentation. Security by obscurity, eh?

It also appears as if the new fixes for the “Unexpected error from external database driver” bugs are working. You may recall that those buggy patches for the buggy patches — KB 4052233, 4052234, and 4052235 — were pulled and completely obliterated from the record late last month. This month, we’re seeing fixes for all versions of Windows, including 1709 with this reassuring note:

Addressed issue where applications based on the Microsoft JET Database Engine (Microsoft Access 2007 and older or non-Microsoft applications) fail when creating or opening Microsoft Excel .xls files. The error message is: “Unexpected error from external database driver (1). (Microsoft JET Database Engine)".

More of a mixed bag

There’s some good news. @abbodi86 confirms that Microsoft fixed the retrograde bug I reported last month in the 2017-11 Win7 Monthly Rollup Preview, the SFC scanning bug that originated long ago in KB 3125574.

And there are some odd glitches:

Equation Editor phunnies

Finally, the most contentious patch of all. The Embedi malware folks found a severe security bug in the old — 17 years old — Office Equation Editor. You may remember the Word Equation Editor, which about 10 people once used to make equations look nice inside their Word docs. Almost everybody has the Equation Editor installed and enabled. Almost everybody with Office is vulnerable. But there’s no hue and cry as yet because working exploit code isn’t available. Yet.

Microsoft has a writeup for the security hole CVE-2017-11882 - Microsoft Office Memory Corruption Vulnerability. Microsoft lists it as “Important - Exploitation less likely” with no known exploit code.

Embedi insists that the problem can be triggered with no user prompt. Microsoft, by virtue of its “Important” designation, claims that some user intervention is required. Embedi says it has exploit code, which it delivered to Microsoft on March 8. Microsoft says it has no functioning exploit code.

Who’s right? Who knows? You can manually circumvent the problem by making two registry changes listed in the Embedi article.

It’s a messy month. With no “critical” Windows updates, as long as you don’t use IE or Edge, there’s no huge pressure to apply the updates just yet.

Thanks to @GossiTheDog, @teralhonen, @barbbowman, @abbodi86, @PKCano, @MrBrian, and the many intrepid testers on AskWoody.

Hit a bug? We’re all ears on the AskWoody Lounge.