Microsoft July 2018 Patch Tuesday Issues

After we patched some of our dev environment with this month’s Microsoft updates, we started getting BSOD issues on most servers. We determined the issue was likely due to the Security Only updates released by Microsoft this month. I’ve been monitoring feedback on issues arising from patching through various forums/sites, and I’m seeing more and more reports of problems. There are some reports of MS pulling the Security/Monthly updates from WSUS, and sysadmins saying their TAM have told them to stop patching altogether. Besides Security updates, there’s reports of issues with .NET and Office updates as well.

I know that after the BSOD issues we experienced, I’m pulling all July 2018 patches from our baseline until we hear more from Microsoft. Here’s some of the info I’ve found:

https://old.reddit.com/r/sysadmin/comments/8xfdyd/patch_tuesday_megathread_20180710/?sort=new

https://www.askwoody.com/2018/microsoft-yanks-buggy-office-2016-patch-kb-4018385-re-publishes-all-of-this-months-patches/

[https://www.computerworld.com/article/3289506/microsoft-windows/patch-tuesday-problems-abound-server-2016-crashes-and-a-net-patch-goes-down-in-flames.html]

1 Like

https://www.catalog.update.microsoft.com/Search.aspx?q=2018-07
Looks like they were re-released Friday

Do we know when IBM is going to re-release the updated Microsoft patches?

Hi all, we’re reviewing our July 2018 PT content and we’re expecting updates to be released by end of day.

Doesn’t look like the re-release resulted in any updated patch binaries from MS.
We just finished our review of our July PT content and all the binary sha1s referenced in our fixlets match what is currently available in the MS catalog.

Looks like new updates released to replace the July rollups, for Win10 at least…

Few KBs got released by Microsoft.

KB4345420
KB4345459
KB4345424
KB4345421

The team is aware of the new Kbs and are currently working on those.

2 Likes

Release in Patches for Windows version 3033.

1 Like

So now we seem to have two patches for everything? Two cumulative Updates for Server 2016 etc… I would think the older one would be superseded? Thoughts?

According to Microsoft’s documentation for the cumulative updates they do supersede the previous ones. For some reason BigFix hasn’t marked them as such but from a practical perspective there’s no reason to install both packages.

The new updates are not classified as “Security Updates” by MS.
BigFix supersedes “Security Update” content only with other “Security Update” content.

I’m guessing Microsoft is leaving this up to our own interpretation on how to handle this situation :slight_smile: Weird stuff. Our organization decided on just hiding the original since it was not superseded. Since we are a larger organization with many admins patching we do not want the confusion of both patches showing.

jmanini,

Just to be clear, MS does mark the cumulative updates released on PT as being superseded by the new cumulatives.
It is just general BigFix practice in Windows Patch that a “Security Update” fixlet only be superseded with another “Security Update” fixlet.

There does seem to be some confusion over which ones to install - if you’re supposed to install both, or what. The TechNet page for these new KB state that they do not replace any previously released updates. And, the previously released KB are still out there. On top of that, this is the most I could find on what you’re supposed to do about:

https://old.reddit.com/r/sysadmin/comments/8xfdyd/patch_tuesday_megathread_20180710/e2m0d8t/

From our understanding, the original BSOD issue was caused by “network monitoring loads”, i.e. high network loads. We’re in a datacenter environment, so we experienced BSODs on all servers that received the patches. We removed the original KB, or restored VMs when we couldn’t, and stopped patching last week. With the quote above, I’m still unsure of whether we install the original KB, and then the fixes (because we’ll likely have high network load). Or, if the fixes contain all the same security updates as the original, minus the Kernel fix that caused the BSOD in the first place. Anyone have any ideas? I tried to reach out to our TAM, but apparently he’s on vacation (I’d go on vacation too).

4 Likes

It seems Microsoft is still releasing updates with new KB numbers:

https://www.askwoody.com/2018/yet-another-massive-mess-of-windows-patches/

In particular, there are some .NET updates that have been released that aren’t in BigFix:

  • KB4340556
  • KB4340557
  • KB4340558
  • KB4340559

The funny thing is when you search Fixlets in BigFix for those numbers you get the old update because the body of the description states things like:

Note: This security update is also referenced under KB4340556.

Do you know if the updates listed above will be released through BigFix?

Hi jsast,

The KBs listed aren’t actually new KBs. Those were there since July PT and we have corresponding fixlets for them already.

You can think of each one as a “container KB” or “parent KB” that encompasses the entire spread of .NET Framework version and OSes. But there isn’t a single patch that can be applied to all .NET Framework versions and OS combinations.

Instead, each combination gets it’s own… what I’ll call “child KB”. This is the format that Microsoft has been using for .NET framework patches.

Take for example, KB4340556. When you go to the KB article, you won’t actually get directed to a patch download link from this KB. If you look at the “Additional information about this security update” section, you’ll see that it directs you to separate KBs to address individual .NET Framework product version. Note that these KB numbers are likely the KB numbers in the fixlets that you saw when you searched for KB4340556 in the BigFix console.