Microsoft? We need to talk. Lately you’ve been disappointing me. You released three sets of security updates this month for my Windows 10 machines. The first set of updates (KB5000802 for the 2004/20H2 versions) triggered blue screens of death when I attempted to print to Ricoh and Kyocera printers and caused issues with Dymo labels. As you yourself noted, “after installing this update, you might receive an APC_INDEX_MISMATCH error with a blue screen when attempting to print to certain printers in some apps.”
The second set of updates (KB5001567 for 2004/20H2 versions) was supposed to fix these issues, but only fixed some of the BSODs and did not fix issues with Dymo label printers or printers that create images (such as bar code printers). You said it: “After installing updates released March 9, 2021 or March 15, 2021, you might get unexpected results when printing from some apps. Issues might include: Elements of the document might print as solid black/color boxes or might be missing, including barcodes, QR codes, and graphics elements, such as logos. Table lines might be missing. Other alignment or formatting issues might also be present. Printing from some apps or to some printers might result in a blank page or label.”
Then you released a third version of the updates that reportedly would fix the issue with Dymo label printers and image or barcode printers. One would think that after three tries we’d get the perfect and fixed update. KB5001649 for the 2004/20H2 versions was supposed to be that last and perfect update.
Now normally with Patch Tuesday, we never have patch perfection. There is always someone that will suffer some random side effect of normal computing weirdness that, while not directly related to the updating process, will get blamed on any updates because of coincidence. I’ve often seen users complain about something on their computer and point to Windows updates as the trigger; often, it’s just a mere reboot that exposes underlying problems, not the patching process itself. (In best practices for servers, it’s often recommended that you reboot a system before installing an update to ensure your system is functional.)
I’ve also seen where malware will insert itself into a system and, when a patch is installed, the updated system is now unstable and delivers a BSOD. Several years ago a rootkit installed on many Windows systems was impacted by a security update, which had installed a new version of the Windows kernel; when the system rebooted, the interaction between the rootkit and the new kernel update triggered a blue screen. So while we pointed to the security patch as the problem, in reality it actually helped expose the rootkits.
But it’s concerning to me that in the more than 20 years I’ve been patching machines and monitoring for side effects we have yet to solve two fundamental problems: You want us to turn on automatic updates to ensure our machines are kept safe, but as this month’s issues with printers show, I cannot guarantee there won’t be side effects from this month’s updates. That’s just flat out wrong. I have no more confidence about patching than I did 20 years ago: I am still telling people to hold back, to test, to watch for issues, to wait, not to install updates right away as I can’t guarantee they won’t have issues. Microsoft, that’s not good enough! We are in a world where attackers are going after on-premises mail servers in small and medium-sized businesses and installing web shells to possibly inject ransomware. Installing quality updates immediately is key to protecting our machines. But if we’ve lost all faith in the testing process you use, Microsoft, how can we get to a place where we install updates the moment they come out?
Then there is the rebooting problem. In order to install updates and replace the original files with the fixed ones, you force our systems to reboot. And as a general rule, Windows users hate rebooting. It disrupts what we’re working on, it makes us lose our place in what we’re doing. And in the umpteen years that we’ve used Windows, we’ve yet to fix this rebooting issue. I’ve literally seen consultants ask how to disable Windows’ update mechanism because they cannot set a specific time for Windows machines to reboot that won’t be disruptive. How many of us have seen conference talks interrupted by a Windows 10 update triggering a reboot? (Rather than totally disabling Windows updates, I recommend using the “metered connection” trick so the system will only download updates when you want it to.)
Now we have word that you’ve re-released KB5001649 for 2004/20H2 and will be offering it up again as an optional update for those impacted by the printing issues introduced this month. Microsoft, you recommend that we install these optional updates should we be impacted, but that’s asking all of us to carry the burden of testing. That’s just not right. If you want us to immediately install updates the second they are released, you need to do better than this. You need to widen your testing of updates to include consumers and not just enterprises.
People often think that the insider testing process impacts the quality of security updates. It’s my opinion that it does not. Insider testing is for features not related to security. These updates are fixing security bugs that aren’t yet fixed even in the insider versions.
Recently you announced you’ll be closing your UserVoice feedback process, which allows users and IT administrators to ask for new features. At a time that I think you need to hear more from customers, it feels like you’re pulling back.
So later on this week when I decide to tell people to update – or not – I’m still not sure what I’m going to tell my readers here at Computerworld or on Askwoody.com. I’m not comfortable telling people to NOT update. But I’m also not comfortable telling them to blindly install updates and trust that Microsoft has gotten it right. So far, you haven’t given me enough assurance that even with three tries you’ve got it right yet. And that’s a shame.
Because the attackers often get their attacks right the first time.
Copyright © 2021 IDG Communications, Inc.