Where are the fixes to the botched Outlook security patches?

On June 13—five and a half weeks ago—Microsoft released a series of buggy patches for Outlook. We know they’re buggy because Microsoft acknowledged seven bugs (including one primarily caused by bugs in Windows patches) in those four original June 13 security patches. As of this morning, we still don’t have fixes for those seven bugs.

Here are the known buggy original security patches:

  • KB 3191898 – Security update for Outlook 2007, released June 13, 2017
  • KB 3203467 – Security update for Outlook 2010, released June 13
  • KB 3191938 – Security update for Outlook 2013, released June 13
  • KB 3191932 – Security update for Outlook 2016, released June 13

If you have Automatic Update turned on, you were treated not only to those patches, but also to all three of these later, interim fixes for the bugs in the security patches. Don’t get too excited about them. In fact, they didn’t fix the bugs:

  • KB 4011042 – Yet another update for Outlook 2010, released July 5, pulled July 15
  • KB 3191849 – Another update for Outlook 2013, released June 27, pulled July 15
  • KB 3213654 – Another update for Outlook 2016, released June 30, pulled July 15

Those KB numbers don’t line up with the originally buggy security patch numbers because Microsoft didn’t re-release the bad patches. These new interim patches aren’t cumulative. In other words, in order to get Outlook 2016 patched, for example, you had to install the June 13 patch, then install the June 30 patch. Except, well, the June 30 patch didn’t fix the problems created by the June 13 patch.

Got that?

Lots of Outlook users and admins have been waiting for new fixes ever since Microsoft pulled the three interim patches on July 15. (Outlook 2007 never received an interim patch.) If Microsoft’s told anyone why they pulled those interim patches, I haven’t heard about it. I haven’t seen any instructions about removing the interim patches. We’re all left sitting in limbo.

On Monday, Microsoft sent its largest customers a secret email saying they would release new patches on Tuesday.

“The new security updates scheduled for release are intended to address currently unresolved functional issues affecting Outlook.”

But Tuesday came and went, and there weren’t any new patches—re-issues, interim, cumulative or otherwise.

One of the “fixes” to the Outlook bugs proposed by Microsoft relies on patches to Windows itself, and those patches are going through a mind-numbing series of flip-flops. Anybody who used Automatic Update this past month has seen their systems flop around like a beached bluegill.

Ball’s in your court, again, Microsoft.

Discussion continues on the AskWoody Lounge.