Did you have (or are you having) trouble with this month's patch?
WARNING!
I just got off the phone with Microsoft support. After installing my patches and rebooting, my OCS 2007 R2 server would not start the "Front End" service internally or the Access Edge service externally. The error IDs in the event log were 12299 and 12290, and it was saying that an evaluation copy had expired.
It turns out, KB974571 is causing the problem. At this time, DO NOT INSTALL KB974571 on any servers running OCS or LCS; Microsoft support informed me that both products are impacted.
J.Ja
I had the same symptom. After reboot, the LCS service would not run and I also noticed a problem with the antivirus client on that server. I uninstalled KB974571 and I'm back to normal.
*edit*
With a little more reading on this, I found mention that the uninstall of this patch is currently the only solution.
http://blogs.msdn.com/mssmallbiz/archive/2009/10/14/known-issue-with-kb974571-and-lcs-ocs-read-before-installing.aspx
Our Office Communicator service Front-End refused to start this morning on our 2003 server; read the info on OCS 2007 Standard FRONT-END server which confirmed that KB974571 was the culprit, so removed the update and all works fine now. I switched updating from automatic install to download and wait.. and after 10 minutes it was sitting there waiting to be installed again!! I have now declined the offer and removed it from troubling us again on this server. Luckily we only use this server for OCS 2007 (It's a VM). I have now read Microsoft's blog at http://support.microsoft.com/kb/974571 which confirms the problem.
I have W7 RTM from MSDN, and upon rebooting after Tuesday's updates W7 hangs at the "Preparing to configure windows - do not turn off your computer" message.
I have already forced a reboot and it is hanging at the same stage again. Hourglass is still turning, but nothing appears to be happening. Been at this stage for over 20 minutes this time.
Any ideas apart from a system restore?
Cheers
KB974431 is causing this problem. It is an "important update" but is not selected by default. Keep it unticked if you wish to avoid any trouble!
... that's the "reliability update"!
For whatever reason, it wasn't offered to my W7 machine. At least, not yet. Maybe later on today it will be.
J.Ja
No sign of this patch on my W7 RTM machine, either... I just checked again and nothing offered.
Hank Arnold (MVP)
I booted my W7 RTM system this AM and saw the update offered. Weird....
I installed it (hey, I'm a techie!) with no apparent problems...
I just installed that update.. no probs whatsoever after restart...
if an update ruins ur os, u had probably messed the os in other ways earlier.
for me, Win7 has been rock solid, freaking love it..
pathetic how some ppl tested windows 7's alpha versions (vista) and even paid for that.
[oh yeah, these account details, not valid]
You may simply have the lucky circumstance of HAL or absence of a race condition that passed initial QC. On your cue, assuming not all of your details are invalid as you state, I'm at least at the same level of management as you so the following should hold some weight:
My (new) Windows 2008 Server R2 machine also hung on a brand new install. The animation runs as others have noted, but the mouse behaves as if there's a deferred procedure call (DPC) problem.
At my level of experience (25 years), initial secure system state, and the due diligence required to set up a domain controller, in my professional opinion, the problem cannot be so easily identified as "you must have messed with the OS." I have a list of notes in front of me that show I have not.
In other words, sometimes patches are bad, and it's quite easy to verify this, e.g.:
"Microsoft (crashes servers) admits Exchange update goof":
* http://www.v3.co.uk/vnunet/news/2226121/microsoft-fesses-exchange
or "Black Screen woes could affect millions on Windows 7, Vista and XP" (patches KB915597 and KB976098):
* http://www.prevx.com/blog/140/Black-Screen-woes-could-affect-millions-on-Windows--Vista-and-XP.html
or "You may experience performance issues after you install the 811493 (MS03-013) security update" (caused by a Microsoft regression error):
* http://support.microsoft.com/default.aspx/kb/819634
and it's why many corporations run Windows Update Services, so that updates can be screened at the server before LAN distribution.
My point is, the very human attribute you give the end user, which may be (but is not definitely) true, can also be attributed to the patch developers...and faced with reinstalling my server and the subsequent delays, I really wish GM's and other perhaps less-than-technical staff recognized more often that it's not always the (installer's) victim's fault.
** Edit: Second installation...same procedure, no hang...yet the same patches were applied each time: KB890830, 973525, 974431, 974332, 974571, 975364, 975467, 976098, 976325. Unfortunately, while documenting this for others helps build causation/correlation, this is not enough for proof.
I'd like to report that I finished updating 25 XP Pro systems and 2 SBS2003 servers about 6 hours ago. All patches were applied. So far (knock on wood) no adverse effects. This included a mixture of Office 2003 and Office 2007.
We have had 2 Windows Server 2003 Enterprise Domain controllers go down after the automatic updates last night; one we have recovered (not sure why yet) and the other one still does not boot.
8 hrs with MS tech support; uninstalled patches and several other things, nothing worked. They are stumped, starting over.
I'm waiting for restore points to start failing like Danger's backups did.
After applying all patches offered to my Win XP with SP3 machine I find that Microsoft Update keeps offering to install KB971486 again.
I have reinstalled it three times from Microsoft Update and also manually from an install file I got from the Microsoft Download site. Each time it seems to install ok, and Microsoft Update History says it installed correctly. Oh, I also manually installed it from Safe Mode as well.
I'm still being offered the KB971486 patch by Microsoft Update. Very Annoying!!!
BTW Secunia PSI and Belarc Advisor both say I have all pertinent patches for my system, and Belarc lists KB971486 as being installed correctly.
Anyone have any solutions for this? Thanks.
In my case, I had run a registry clean-up program too aggressively, and had removed an entry that Update looks for (separate place from the Update History).
Microsoft has the solution to it in the knowledgebase or technet - I don't recall the details, since it was a couple of years ago.
Have had a similar problem in the past. The easy solution is to simply untick this on the update list and at least it will stop telling you. MY problem is that BITS doesn't work and I have to download updates on another computer as Admin and install them via a USB stick on my main PC.
My WSUS server synced at 10:30 and picked up the updates, but they all tagged as "expired" and were unavailable for my network. I found that someone else reported the same issue. Around 4pm, a manual sync got things back in order. I wonder how many others saw this or know why it happened. Did MS pull some back?
My server synced at 410 and all of the updates came through just fine... that being said, a SQL update (kb970892) and an Office update (kb974554) have caused a few errors, a dozen or so... but we are getting that fixed.
One of the SQL Server updates won't install on one of my servers. I'm not worried about it, because it is the tiny SQL Server Express install for the Active Directory Migration tool, and it's pretty locked down already since the tool hasn't been used in a year.
J.Ja
Hi all,
Normally, my workstations get internet from the server. Yesterday I downloaded the updates on the server and once I restarted the server, all workstations had lost connection to the server (hence, internet). The only way to run things again was to uninstall all updates that happened on Oct 14th.
Has anyone had the same problem? Any advice will be appreciated.
Many Thanks,
Omar
We have a service automation app (web based) that, thanks to Microsoft, bombs on every attempt to update data for our techs. Smooth move, Microsoft, way to go. Bitten by the array access fault in kb974455. Oh, and by the way, it doesn't show up as un-installable for Vista or 7, just on XP.
ms09-055 kb973525 breaks visio viewer. When installed, .vsd files no longer open with visio viewer. Remove patch and visio viewer works
I know this is late, but we wait two weeks before deploying updates to our live environment to flush out any problems.
Has anyone experienced issues with October's updates causing a Nehalem based server running Server 2003 R2 to hang at the reboot after the patches are installed? We only have two in our environment, but both hung last night at the reboot after the update installation. I found this information, but it is specifically for blue screens and Server 2008 R2:
http://support.microsoft.com/kb/975530
Yes - my Dell Inspiron Mini would not restart after the updates, instead ending in the Blue Screen of Death - STOP: 0x0000007E.
Trawling through some forums revealed the culprit as KB971486. Uninstalling this patch restored system functionality.
KB971486 is a security patch - that means I am vulnerable to whatever it was supposed to resolve. Problem is the attempted cure killed my PC!
So Far So Good, all patches seem to work ok.
Remember Adobe updates are out as well.
Since the patches, on my Vista 64 OS, IE 8 will only connect to web pages in 'InPrivate' mode.
I have looked around and can't find a reason or anyone else with this issue. I would appreciate any assistance. Nothing in any logs either :S
Seems like I get a new patch everyday now. Maybe we should change the name...
I've noticed that too. Sometimes it takes a few days to arrive in the pipeline. My WSUS server just got some more of these that were supposedly released on Tuesday just now. 
J.Ja
Same thing here. My WSUS server just synched last night and 4 more updates arrived for Server 2008. Security Updates for Active Killbits (KB973525) and Windows Media Format Runtime 11 (KB954155) for 32 & 64 bit.
It *IS* getting a bit crazy....
In my experience, blocked images are usually a function of a setting in the firewall. Look for some change in site checking/verification/etc that might have caused this. Could be the image site you were connecting to has some malware that your system is blocking ... any number of possibilities, but that is the direction to go: something has changed which is now blocking your access to that/those sites and you need to figure out what and why.
Since installing these 16 updates (to Vista HP SP2 32-bit), I have lost all images from my incoming messages in Windows Mail. Any idea which could be the culprit?
The "Attackers" certainly have work-arounds already in place. Why else would Microsoft need constant fixes every month? This is beyond tiresome.....it's criminal on Microsoft's part.
I think it is every week, not every month, and even that is less than strict - updates can come out any day, at any time.
Certainly, Microsoft bears a certain amount of blame going back to one of the most idiotic choices they made in releasing ActiveX, a technology which *requires* a trusted network when the internet was not trustable. That having been said, the *real* blame belongs squarely on the shoulders of the criminals who seek to abuse these vulnerabilities for various reasons, from plain impishness, to malice, to outright theft. If those people were hunted down to the ground mercilessly, and great rewards given to those who provide information leading to arrests, and these criminals prevented from any contact with the internet ever again, then the internet could become trustworthy. (Face it, for what is lost annually to virus damage, you could reward people reporting things $1M and still come out way ahead.) Until then, Microsoft, as the monopoly controller, has the onus of finding and fixing all the gaps in their OS's, and when you are dealing with this much of a code base, it is an eternal and infernal task.
It's Microsoft's responsibility to roll out a higher quality product not some half-baked beta version and give it a name. Look at all the trouble you guys need to go through to get your software back into working condition prior to your upgrading/servicing/PATCHING.
Microsoft should just re-name Windows to Patches. Because that's all it is - sewn together patches of code.
... take a look at Oracle. Their bug count is huge, they patch merely 4 times a year (leaving known holes in their applications for months at a time), and often, known bugs will sit unaddressed for YEARS. In comparison, Microsoft is saintly.
J.Ja
Maybe I'm misreading this post... and if so, disregard this post.
Are you seriously saying it is MS's fault for the attackers constantly finding new holes to exploit? I think you're blaming the wrong people here, I think you should be pissed at the attackers for the constant "fixes"!
That's like me blaming my ISP for bandwidth issues, when in fact it's a$$holes from China, Mexico, Russia, etc. trying to brute force my ssh server. It's not my ISP's fault, that's the attackers.
All MS is trying to do is protect your rear end... How 'bout this, if you're so tired of the updates, turn them off!
And you guys bash the holy crap out of Mac users. Ha! How superior is your freaked out Winbloze 7 = Vista = XP = MS DOS now? You guys are whacky.
I'm gobsmacked at the number of people complaining their systems got bombed by a patch.
How is it Microsoft's fault they can not possibly test a patch for every known config? The responsibility is yours as the system manager to ensure that a patch does not bomb a critical system.
If you are stupid enough to install a patch without testing you accept the risk.
Don't cry about it in here.
Pardon me, I see your point, nevertheless I find it bollocks.
As much as I agree that care should be taken administering patches, I totally resist the statement "it's not Microsoft fault", or "[admin] stupid enough to patch without testing".
Being an admin, I have limited resources for patching and testing. I can barely get a machine or two for tests. And I definitely cannot spend a week on thorough testing of all possible scenarios. On the contrary, MS has much bigger resources and much deeper knowledge on what their patches would and could affect.
That's just the case of a doctor. You are not expected to "test" your medicines on yourself, right? You expect proper thoroughness and care being taken while preparing the drug; including the side effects listing. While of course it's not 100% proof and things like Thalidomide can happen, you basically trust your doctor and the pharma company that what they prescribe you would help you, rather than harm. Why shouldn't we treat OS patches same way? Or even more strictly, as they fix just what was screwed (omitted, neglected, forgotten) by the very maker of it (so we get them free, while we still pay for drugs).
Best
I agree that testing patches would be great. But, unfortunately, I do not have those resources. It took me *months* to build out this infrastructure and get all of those servers configured. Trying to clone the whole thing would be a killer on my time, and brutal on the budget.
There's another factor to consider as well, and that is the *time* issue. I could test. It takes me, oh, 4 hours at this point to do all of my patching, rebooting, verification, etc. So if I were to test first, I would not really be able to get the patches installed until Wednesday night, due to when the patches are released. Meanwhile, the moment the patches come out, the "bad guys" are analyzing it and coming up with all sorts of exploits based on what they see in the patches, so they can wreck unpatched systems.
In the last two years, I have had precisely one bad go south on me (the one I posted about above) on a server. If I have to choose between an extra 24 - 48 hours of vulnerability, plus the expense of doubling my hardware budget, not to mention the effort to construct a fully isolated test network (I may add, many, MANY of the services we have are public, so I'd need to duplicate the full public facing stuff too), or, possibly having to put an emergency phone call in to Microsoft on Tuesday night (like I did this time), which doesn't even cost me a cent because we're certified partners, guess what? I'm patching Tuesday night.
In a world of bigger budgets with bad guys that are slower to exploit, patching would definitely be something I'd be doing, though. But in this case, it's a matter of taking the lesser of two evils.
J.Ja
It broke a Msoft product; I don't believe they tested against their own applications.
Yes we do test our systems before we patch the entire infrastructure... We have about 100 test servers that are in dev. After that we push it out to the 2000+ (not including our Virtual Environment) other servers both in dev. and prod.
So tell me champ, if I have a server that tanked after the push how am I to tell which Update tanked the server? Uninstall each one, one by one? Or come to this thread and see what other people have come up with... Let's do some math, 15 min to read through the post (maybe I find the fix) vs hours of uninstalling, rebooting and then reinstalling what I just removed....
So to the people with issues, keep posting.. lol It actually does help some people...