To patch Windows or not: Do you want BlueKeep bug or broken Visual Basic apps?

This week's Windows updates fix critical 'wormable' flaws but may also break Visual Basic apps, macros, and scripts. What should you do?

Microsoft's plan to split Windows 10 from shell is happening Windows 10 preview shows signs of Windows OS separating from the shell in line with Microsoft's modular plans.

If you're running Windows and are having troubles with apps, scripts or macros this week, it could be because of Microsoft's August security updates. 

Microsoft says apps that use Visual Basic 6 (VB6), VBA, and VBScript "may stop responding with error" after its updates from this Tuesday have been installed. 

"After installing this update, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an 'invalid procedure call error'," Microsoft says. 

The issue affects all supported versions of Windows 10, Windows 7, Windows 8.1, and their corresponding server versions.  

"Microsoft is presently investigating this issue and will provide an update when available," the company said. 

Microsoft didn't offer an explanation for the problem but it did flag earlier this month that it will move ahead with sunsetting VBScript, by disabling it in IE11 by default via an update in this week's patch. 

"The change to disable VBScript will take effect in the upcoming cumulative updates for Windows 7, 8, and 8.1 on August 13, 2019," Microsoft warned in a blog. The change brought these versions of Windows in line with Windows 10.

However, it's not clear that the issues under investigation are related to this measure. 

SEE: Can Russian hackers be stopped? Here's why it might take 20 years (TechRepublic cover story) | download the PDF version

Regardless of the cause, the error could be a hassle for organizations that rely on Microsoft's various incarnations of Visual Basic and might be a reason to hold off deploying the patches. 

On the other hand, Microsoft is urging all admins of Windows 10 systems to urgently install the August Patch Tuesday updates because they contain fixes for two 'wormable' Remote Desktop Services flaws it uncovered while looking for flaws like BlueKeep – a Windows bug that has caused jitters among US, UK, and Australian spy agencies.  

BlueKeep has the potential to be used for an attack similar to WannaCry in 2017, which rapidly spread across hundreds of thousands of vulnerable Windows PCs. However, no public exploit has been released at this time. 

Should admins choose not to install the VB-breaking update, Microsoft recommends enabling Network Level Authentication (NLA) on affected systems. This measure will at least keep remote attackers who don't have a valid password from leveraging the vulnerability to run malware on a system.