Microsoft update blunders going out of control
The last several months have seen a disturbing string of problems in updates released for Microsoft products. Last week we saw three four. It's time to worry about what's behind it all.
Must See Gallery
'Must-have' MacBook Air and MacBook Pro accessories
Being thin and light brings with it compromises, but by adding a few essential accessories into the mix, you can create a mobile working platform that is second to none.
This isn't the first time I've brought this up. In Summer of last year Microsoft had buggy Patch Tuesday updates three months in a row. There had been others that year, some of which crippled systems.
The following list includes problems observed in just the last six months:
Microsoft's June patches broke Office Click-to-Run for some
August Windows updates cause systems to go into reboot loops (among other problems)
September Lync server security update may not install successfully
A file synch issue in OneDrive for Business force Microsoft to pull and reissue an update
An update to add SHA-2 hashing to Windows 7 and Windows Server 2008 R2 could cause system reboots
New ciphers included with a security update to Schannel caused connections to drop and programs to become unresponsive
October updates to Microsoft Word 2010 and 2013 could stop fields from updating
(*)An Exchange 2010 update issued in December could stop Outlook from connecting to the server. It was withdrawn and reissued
December update KB3004394 on Windows 7 and Windows Server 2008 R2 can cause an inability to install future updates
December update KB2553154 for Office 2010 disables ActiveX controls
Update on December 15: They keep coming. KB3008923 describes problems with MS14-080, the December Cumulative Update for Internet Explorer:
The MS14-080 security bulletin itself has no mention of any problems.
Note the (*) on the link about the October updates to Word. In Microsoft's explanations of what caused this update I saw inconsistencies and things that just didn't make sense. Sorry, it's complicated:
Update on December 15: Microsoft contacted me about the section above. They say that KB2920738, the article which explains the field updating bug in Word 2013, mistakenly attributed the problem to KB2889939 ([I]mproves localization in the Kyrgyz and Mongolian language versions..."). The correct article to point to is KB2889954 ("Hotfix KB2889954 for Word 2013 October 14, 2014 (Word-x-none.msp)"), which fixes a large number of Word bugs. Microsoft calls it a typo, (which I believe) and thanked me for pointing it out. KB2920738 has been corrected. I have had to cross out a big chunk of the story. The main point about the number and severity of updates stands unchecked. The Microsoft correction makes sense out of nonsense of their explanations.
If you're lost, I'm sorry but not surprised. It's convoluted. It's also strangely reminiscent of the problems with the August patches that caused systems to go into infinite reboot loops. The update for which this problem was blamed is KB2970228 "Update to support the new currency symbol for the Russian ruble in Windows." I just don't see how such an update could cause such a problem.
Whenever I see a change like this in anything I try to ask myself if there really is a change or if we're just noticing it more than in the past. In this case, I think the only way it's only a matter of perception is if Microsoft has begun reporting update problems more than they have in the past. This is entirely possible, but I don't have any real evidence that it's the case.
With products as complex as Windows, Office and Exchange and a user base as large and diverse as theirs, there are always people complaining of problems caused by updates and it's inevitable that some users will suffer ill effects from even a well-designed and tested patch, because there are just too many configurations and third-party products for Microsoft to test.
There's another complication potentially at fault in these bugs: Microsoft silently patches many security problems. Who knows, perhaps the Kyrgyz/Mongolian and Ruble updates did a lot more than Microsoft claimed they did. If an undocumented function of an update were to cause problems it wouldn't be surprising for Microsoft to dissemble in their explanations. Of course I'm speculating here, but it's not like we have an official and logical explanation on which to rely.
I would assume that the people in charge at Microsoft know what the real problem is and aren't happy with it. In the long run, when almost all our software is in the cloud and managed, I think all patches will be silent and we won't know anything happened, other than perhaps a version number incrementing. Have there been any security bulletins for the online parts of Office 365?
In the meantime I have to figure that the update processes for Windows, Office and Exchange have become too complex and unwieldy. There's little Microsoft can do about it in the short term; they brought it on themselves, mostly by having excessively long support lifecycles. I wish I had some constructive advice with near-term benefits, but I think we're doomed to more of this sort of thing for the foreseeable future.
