The last several months have seen a disturbing string of problems in updates released for Microsoft products. Last week we saw four. It's time to worry about what's behind it all.
This isn't the first time I've brought this up. In the summer of last year Microsoft had buggy Patch Tuesday updates three months in a row. There had been others that year, some of which crippled systems.
The following list includes problems observed in just the last six months:
- Microsoft's June patches broke Office Click-to-Run for some
- August Windows updates cause systems to go into reboot loops (among other problems)
- September Lync server security update may not install successfully
- A file sync issue in OneDrive for Business forced Microsoft to pull and reissue an update
- An update to add SHA-2 hashing to Windows 7 and Windows Server 2008 R2 could cause system reboots
- New ciphers included with a security update to Schannel caused connections to drop and programs to become unresponsive
- October updates to Microsoft Word 2010 and 2013 could stop fields from updating (*)
- An Exchange 2010 update issued in December could stop Outlook from connecting to the server. It was withdrawn and reissued
- December update KB3004394 on Windows 7 and Windows Server 2008 R2 can cause an inability to install future updates
- December update KB2553154 for Office 2010 disables ActiveX controls
Update on December 15: They keep coming. KB3008923 describes problems with MS14-080, the December Cumulative Update for Internet Explorer:
Known issues with this security update
- We are aware of some reports of functional issues on sites that use nested modal dialog boxes on Internet Explorer 11 that occur after you install this security update. Microsoft is researching this issue and will post more information in this article when the information becomes available.
- We are aware of some limited reports of Internet Explorer 9 crashing after you apply this security update. Microsoft is researching this issue and will post more information in this article when the information becomes available.
The MS14-080 security bulletin itself has no mention of any problems.
Note the (*) on the link about the October updates to Word. In Microsoft's explanations of what caused this update I saw inconsistencies and things that just didn't make sense. Sorry, it's complicated:
- According to an Office Sustained Engineering blog announcing the issue, both Word 2010 and Word 2013 suffer from the same problem caused by the October public updates. It refers the user to two different KBs: KB2920738 for Word 2013, KB2920807 for Word 2010.
- According to KB2920738, the Word 2013 problem requires "that you installed October hotfix KB2889939 for Word 2013."
- KB2920807 does not say whether a particular update/hotfix causes the problem in Word 2010.
- The purpose of KB2889939, the October update which (according to KB2920738) causes the problem in Word 2013, is that it "[I]mproves localization in the Kyrgyz and Mongolian language versions to make sure that the meanings are accurate." It's just my opinion, but I think that such an update sounds unlikely to have caused the problem described in Word (fields not updating sometimes).
- There is no update listed for Word 2010 that corresponds to KB2889939 for Word 2013
Update on December 15: Microsoft contacted me about the section above. They say that KB2920738, the article which explains the field updating bug in Word 2013, mistakenly attributed the problem to KB2889939 ("[I]mproves localization in the Kyrgyz and Mongolian language versions..."). The correct article to point to is KB2889954 ("Hotfix KB2889954 for Word 2013 October 14, 2014 (Word-x-none.msp)"), which fixes a large number of Word bugs. Microsoft calls it a typo (which I believe) and thanked me for pointing it out. KB2920738 has been corrected. I have had to cross out a big chunk of the story. The main point about the number and severity of updates stands unchecked. The Microsoft correction makes sense out of the nonsense of their explanations.
If you're lost, I'm sorry but not surprised. It's convoluted. It's also strangely reminiscent of the problems with the August patches that caused systems to go into infinite reboot loops. The update for which this problem was blamed is KB2970228 "Update to support the new currency symbol for the Russian ruble in Windows." I just don't see how such an update could cause such a problem.
Whenever I see a change like this in anything I try to ask myself if there really is a change or if we're just noticing it more than in the past. In this case, I think the only way it's only a matter of perception is if Microsoft has begun reporting update problems more than they have in the past. This is entirely possible, but I don't have any real evidence that it's the case.
With products as complex as Windows, Office and Exchange and a user base as large and diverse as theirs, there are always people complaining of problems caused by updates and it's inevitable that some users will suffer ill effects from even a well-designed and tested patch, because there are just too many configurations and third-party products for Microsoft to test.
There's another complication potentially at fault in these bugs: Microsoft silently patches many security problems.
Who knows, perhaps the Kyrgyz/Mongolian and Ruble updates did a lot more than Microsoft claimed they did. If an undocumented function of an update were to cause problems it wouldn't be surprising for Microsoft to dissemble in their explanations. Of course I'm speculating here, but it's not like we have an official and logical explanation on which to rely.
I would assume that the people in charge at Microsoft know what the real problem is and aren't happy with it. In the long run, when almost all our software is in the cloud and managed, I think all patches will be silent and we won't know anything happened, other than perhaps a version number incrementing. Have there been any security bulletins for the online parts of Office 365?
In the meantime I have to figure that the update processes for Windows, Office and Exchange have become too complex and unwieldy. There's little Microsoft can do about it in the short term; they brought it on themselves, mostly by having excessively long support lifecycles. I wish I had some constructive advice with near-term benefits, but I think we're doomed to more of this sort of thing for the foreseeable future.