Microsoft Pulls July .NET Framework Patches Following App Failures
Microsoft acknowledged that some organizations were adversely affected by the .NET Framework monthly updates that were released almost two weeks ago on "update Tuesday" (July 10).
Microsoft's Friday announcement specifically pointed to an "Important" security patch to the .NET Framework (CVE-2018-8356). It contains a flaw that affects applications that "initialize a COM component and run with restricted permissions," according to the announcement. Specifically, it can affect users of SharePoint, BizTalk Server Administration Console and Internet Information Services (IIS) with "classic" ASP, as well as other .NET applications that use "COM and impersonation."
Affected organizations may have applications that don't start or run properly. They may see error messages such as "access denied," "class not registered" or "internal failure."
In response to the problems, Microsoft has stopped distributing the July .NET Framework patches from its Windows Update service and is working on correcting and reshipping the July patch releases. Organizations should apply this reshipped July patch, when it arrives, even if they weren't affected initially.
"If you installed the July 2018 update and have not yet seen any negative behavior, we recommend that you leave your systems as-is but closely monitor them and ensure that you apply upcoming .NET Framework updates," the announcement explained.
For affected organizations, the announcement described temporary workarounds for IIS, as well as .NET applications using COM and impersonation. There's a workaround described for BizTalk, although using it can expose a network to "malicious users" or malware, Microsoft warned. No workaround was described for SharePoint.
Microsoft didn't indicate when these revised July updates would arrive.
Microsoft apologized and surprisingly admitted that its patch testing processes weren't adequate:
This release was tested using our regular and extensive testing process. We discovered while investigating this issue that we have a test hole for the specific combination of COM activation and restricted permissions, including impersonation. We will be mitigating that gap going forward.
Microsoft's support article indicated that the problems may have affected systems running ".NET Framework 3.5, 4.0, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 and 4.7.2 on all applicable and supported versions of Windows."
Microsoft's July 10 quality and security patches had other bad effects on applications. Last week, Microsoft admitted that the July updates had adversely affected users of Lync Server 2013, Skype for Business Server 2015 and Exchange Server. In response, Microsoft withdrew the bad patches and reissued fixed ones on July 17.
IT Pro Discontent
Microsoft first initiated its "monthly rollup" patch model with Windows 10, where each month's quality and security patches were "cumulative," meaning that they included all of the fixes from prior months. Later, in 2016, Microsoft applied that same cumulative update model to the Windows 7 and Windows 8.1 operating systems, as well as to Windows Server 2008 and Windows Server 2012. The cumulative update model also was applied to .NET Framework patches. As a consequence, IT pros that maintain systems can no longer just remove a single patch each month when things go wrong. They have to roll back to the previous month's cumulative update or carry out a workaround.
Microsoft has argued that this cumulative update model was needed because the main causes of problems for organizations weren't individual failed patches. Instead, the problems were caused by incomplete patching. Organizations were experiencing problems that Microsoft had already fixed but they hadn't applied the patch. Microsoft's advice to organizations with patched systems that were still experiencing application issues was to address the problems to their application vendor.
It's now almost two years later since Microsoft broadly applied this cumulative update model to its software, but IT pros don't seem happy with it.
IT pros are either "not satisfied" (37.3 percent) or "very much not satisfied" (31.7 percent) with Microsoft's patch approach to Windows clients, according to a survey of more than 1,000 self-identified IT consultants conducted by Susan Bradly, a Microsoft Most Valuable Professional, and moderator of the PatchMangement.org list-serv discussion forum for IT pros.
With regard to the quality of Windows 10 updates, respondents were "very much not satisfied" (32.7 percent) or "not satisfied" (31.6 percent). Moreover, they didn't really find Microsoft's feature updates to be useful to businesses, with 35.0 percent calling them "not useful at all" and 34.5 percent saying that they were "rarely useful."
Still, 52.5 percent indicated that Windows 10 was meeting their business needs. Most, though, wanted to see a slower release pace from Microsoft.
The survey provides links to anonymous comments by the respondents in Excel spreadsheet form. Many of the complaints have common themes that are echoed in various patch forums. The respondents complained about poor quality assurance on Microsoft's part, and their inability to roll back a single bad patch. They complained about a lack of documentation, and not having control over when things update. They regretted having to put extra manpower behind testing the monthly quality and security updates, as well as the biannual feature updates. They also complained about getting patches to failed patches within the same month, and having to track the changes.
In that respect, this month's .NET Framework security patches were issued four times "in less than two weeks" by Microsoft, according to a blog post by Computerworld writer Woody Leonhard.
While Microsoft noted on Friday that it is withholding the July .NET Framework patches from the Windows Update service, the .NET updates still might show up for organizations if they use Windows Server Update Services (WSUS) to manage their updates, according to Bradley.
"For the record the .NET updates have not been officially 'pulled' but they are unchecked and not being pushed via Microsoft update," Bradley wrote. "If you use WSUS to patch you may want to pull back on approval."
Bradley also conducted a survey of consumers, with 862 responses, that she plans to publish later. She noted that her surveys were informally conducted and compiled, rather than being managed by survey experts.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.