
Microsoft Fixes Problems With Win7/8.1 “Group B” Security-Only Patching Method


vissha


Yes, MS has acknowledged the problem with fixing security-only bugs in non-security monthly rollup patches. And, yes, they say they’re going to fix it.

 

Big news. Tell your Win7 friends.

 

InfoWorld Woody on Windows

 

UPDATE: It pains me to say that my interpretation of Microsoft’s post may be overly optimistic. See the comments here for details. It’s possible that the fix will only be made to the supersedence chain – not to the underlying patches. Sigh.

 

Source - AskWoody

 

Microsoft fixes Windows 7 'Group B' security-only patching method

 


Great news: TechNet blog eschews fixing Win7/8.1 security-only bugs with monthly rollup patches

 

In what may be the most important news for ongoing Windows 7 customers since the patchocalypse, Microsoft field engineer Scott Breen has both analyzed the key problem with "Group B" security-only patching in Windows 7, and has promised a solution.

 

Don't be put off by the title -- Update to Supersedence Behaviour for Security Only and Security Monthly Quality Rollup Updates.  The underlying message is crucial for Win7 and 8.1 users who aren't connected to a corporate update manager.

 

The crux of the matter lies in the way Win7 (and 8.1) users update their machines, starting last October. I divide the patching universe into two hemispheres:

  • Group A is willing to take all of Microsoft's new telemetry systems, along with potentially useful nonsecurity updates. It installs the Monthly rollup (in Microsoft parlance the "Security Monthly Quality Rollup" patch).
  • Group B doesn't want any more snooping than absolutely necessary and doesn't care about improvements like daylight saving time zone changes. But it does want to keep applying security patches. It installs Security-only patches (Microsoft-speak "Security Only Quality Update").

The key problem arises when Microsoft introduces a bug in a Security-only patch and then fixes that bug in a Monthly Rollup patch. By forcing Security-only updaters to install a non-security rollup, Microsoft effectively bars customers from only installing security patches.

 

[Image: supersedence-100697658-large.jpg]

 

Breen illustrates the problem with this graphic. A bug in an October Security-only patch was fixed in a November monthly rollup. (I believe he's referring to the MS16-087 print spooler bug.)

 

Says Breen:

 

Quote

This resulted in customers using WSUS or Configuration Manager 2007 being unable to deploy security only updates using the built in software update mechanisms without additional workarounds.

 

It also threw the Win7 (and 8.1, Server 2008 R2, Server 2012, and Server 2012 R2) patching community into a black hole. Although few people realized it, the integrity of the security-only patching method was at stake. Many knowledgeable Win7 patchers simply threw in the towel: If Microsoft was going to force them to install the non-security (read: telemetry) patches, they didn't want any of it. They didn't sign up for Windows 7 snooping, so they stopped patching entirely.

 


I'm very happy to report that Microsoft has acknowledged the error of its ways. Starting this month, Breen says, bugs in Monthly Rollup patches will be fixed in Monthly Rollup patches, and bugs in Security-only patches will be fixed by changing the metadata in those patches.

 

Those of you who deal with WSUS or SCCM can read his article and see how that key change will ripple into the WSUS listing. For those of you who just worry about patching Windows 7 (or 8.1, Server, etc.), you can stick to your guns. If there's a bug in a Security-only patch, it'll get fixed in a Security-only patch -- possibly the same Security-only patch will be re-issued, perhaps a subsequent patch will just roll over the bad one.

 

It's a great day for Windows 7 and 8.1 customers.

 

Source - InfoWorld Woody on Windows

Alternate Source - gHacks - Changes to Windows Update supersedence

 


For some reason I don't believe that Microsoft is going to let all those people who only want security updates skate on the telemetry items that Microsoft wants feedback/data on.  Trusting Microsoft would be like laying a $100 bill on the sidewalk at midnight and expecting it to be there at 8 the next morning.



3 hours ago, straycat19 said:

For some reason, I don't believe that Microsoft is going to let all those people who only want security updates skate on the telemetry items that Microsoft wants feedback/data on.

I do not believe it, either.



Archived

This topic is now archived and is closed to further replies.
