It's been a long time since Microsoft had a Patch Tuesday this bad. By Friday they were conceding problems with several updates. Not only did they withdraw four updates, but they recommended that users uninstall one of them.
Yesterday they reissued that update, but they also announced that it had its own set of new bugs, one of which can make windows inaccessible or invisible. Three of the four withdrawn updates are still withdrawn and two of those are also subject to the missing window bug. Two other updates, previously uninvolved with the August updates, also have this missing window bug.
I have no hard numbers to go on, but I do suspect that the number of users affected by all these problems is, as Microsoft says, small. Perhaps very small. Even so, it's hard to escape the feeling that something went very wrong recently at Microsoft's update shop.
Not only have the developers at Microsoft had a bad month, but the communications machine has faltered as well. Microsoft has a large collection of blogs, several of which touch on update issues, especially the MSRC (Microsoft Security Response Center) blog. There have been problems with updates in the past and Microsoft has been rather forthright about them in these blogs. But the discussions of the recent troubles with updates are so fleeting, perfunctory and, I would argue, misleading, that the company seems more embarrassed than concerned.
Since I just wrote "misleading," I should explain. The MSRC blog entry announcing yesterday's re-release of MS14-045 uses weasel words to give the impression that the problems were caused by a change in the company's scheduling practices for non-security updates, but they don't actually say that this was the cause or that it was even related.
The blog says that Microsoft would start releasing non-security updates on Patch Tuesday, rather than throughout the month. In fact Microsoft has, for a long time, released non-security updates on Patch Tuesday, although they have also released them at other times during the month. For years the fourth Tuesday has been a second Patch Tuesday for non-security updates. Does the new practice mean that the fourth Tuesday will no longer be used? A different Microsoft blog earlier this month indicated that the point of the change in update practice was to bring out new features quickly, when they are available, and not just once a month.
Update on August 28: I have spoken to Microsoft and they say that they will tend towards releasing new features on the regular Patch Tuesday (i.e. the second Tuesday of the month) but that they will continue to release non-security updates on the fourth Tuesday.
A better question is what any of this could possibly have to do with buggy security and non-security updates, unless they are claiming that it led to inadequate testing. This they clearly do not say although, to be honest, they don't say it didn't happen either.
There are other communications gaps. If you read the re-released security bulletin carefully, and specifically read the Update FAQ, you see that "Microsoft strongly recommends that customers who have not uninstalled the 2982791 update [the old update that was withdrawn] do so prior to applying the 2993651 update [the new, re-released update]." They don't say you must do this, just that they strongly recommend it.
What happens if you don't? They don't say. Why does the 2993651 update, or Windows Update, not remove the 2982791 update first? This is unclear. In fact, at the same time, Microsoft recommends relying on Automatic Updates which will install the new update without removing the old one and not inform the user of the fact.
Update on August 28: I have asked Microsoft why the new update does not replace the old one. The company has no official response, but I’m hearing that it is not, in fact, necessary to uninstall the old update before installing the new one. Once the new update is in place it is used by the system and the old code is never executed, even though the update remains installed on the system.
Another communications gap concerns new bugs in the new updates. The security bulletin is silent on them, but if you read the Knowledge Base article for the new update you'll see that there are two known issues with it. Neither are trivial and the second could be quite serious. It changes the z-order, or depth level of windows, so that they may be invisible or hidden behind other windows.
Furthermore, this z-order bug is also present in four other already-released updates (one of them is just a hotfix, so it will be less prevalent).
How often does this bug manifest when the user has any of the installed updates? No word on that but, as I said earlier, I suspect it's actually pretty rare, or we would have heard of them from parties other than Microsoft.
I've also been concerned that the same severe problem, such as the Stop 0x50 blue screen bugs for which the MS14-045 update was originally recalled, are also caused by updates for, at best, tangentially-related software. The same can be said of the z-order bug.
For years, Windows Update and the updates it delivers have had a high level of reliability. This has allowed Microsoft to default to delivery and installation of updates in Windows, to the great benefit of users. August 2014 has called this achievement into question. Can we just blindly trust Microsoft's updates anymore? At the moment, even Microsoft seems not to know.