Microsoft, we need to have a talk

Microsoft? We need to talk. Lately you've been disappointing me. You released three sets of security updates this month for my Windows 10 machines. The first set of updates (KB5000802 for the 2004/20H2 versions) triggered blue screens of death when I attempted to print to Ricoh and Kyocera printers and caused issues with Dymo labels. As you yourself noted, after installing this update, you might receive an APC_INDEX_MISMATCH error with a blue screen when attempting to print to certain printers in some apps.

The second set of updates (KB5001567 for 2004/20H2 versions) was supposed to fix these issues, but only fixed some of the BSODs and did not fix issues with Dymo label printers or printers that create images (such as bar code printers). You said it: After installing updates released March 9, 2021 or March 15, 2021, you might get unexpected results when printing from some apps. Issues might include: Elements of the document might print as solid black/color boxes or might be missing, including barcodes, QR codes, and graphics elements, such as logos. Table lines might be missing. Other alignment or formatting issues might also be present. Printing from some apps or to some printers might result in a blank page or label.

Then you released a third version of the updates that reportedly would fix the issue with Dymo label printers and image or barcode printers. One would think that after three tries we'd get the perfect and fixed update. KB5001649 for the 2004/20H2 versions was supposed to be that last and perfect update.

Not so fast. As noted by posters on Reddit, the update failed to install. There are even social media posts showcasing that problems are occurring with it.

Now normally with Patch Tuesday, we never have patch perfection. There is always someone who will suffer some random side effect of normal computing weirdness that, while not directly related to the updating process, will get blamed on any updates because of coincidence. I've often seen users complain about something on their computer and point to Windows updates as the trigger; often, it's just a mere reboot that exposes underlying problems, not the patching process itself. (In best practices for servers, it's often recommended that you reboot a system before installing an update to ensure your system is functional.)

I've also seen cases where malware inserts itself into a system and, when a patch is installed, the updated system becomes unstable and delivers a BSOD. Several years ago, a rootkit installed on many Windows systems was impacted by a security update, which had installed a new version of the Windows kernel; when the system rebooted, the interaction between the rootkit and the new kernel update triggered a blue screen. So while we pointed to the security patch as the problem, in reality it actually helped expose the rootkits.

But it's concerning to me that in the more than 20 years I've been patching machines and monitoring for side effects we have yet to solve two fundamental problems: You want us to turn on automatic updates to ensure our machines are kept safe, but as this month's issues with printers show, I cannot guarantee there won't be side effects from this month's updates. That's just flat out wrong. I have no more confidence about patching than I did 20 years ago: I am still telling people to hold back, to test, to watch for issues, to wait, not to install updates right away as I can't guarantee they won't have issues. Microsoft, that's not good enough! We are in a world where attackers are going after on-premises mail servers in small and medium-sized businesses and installing web shells to possibly inject ransomware. Installing quality updates immediately is key to protecting our machines. But if we've lost all faith in the testing process you use, Microsoft, how can we get to a place where we install updates the moment they come out?

Then there is the rebooting problem. In order to install updates and replace the original files with the fixed ones, you force our systems to reboot. And as a general rule, Windows users hate rebooting. It disrupts what we're working on; it makes us lose our place in what we're doing. And in the umpteen years that we've used Windows, we've yet to fix this rebooting issue. I've literally seen consultants ask how to disable the Windows update mechanism because they cannot set a specific time for Windows machines to reboot that won't be disruptive. How many of us have seen conference talks interrupted by a Windows 10 update triggering a reboot? (Rather than totally disabling Windows updates, I recommend using the metered connection trick so the system will only download updates when you want it to.)

Now we have word that you've re-released KB5001649 for 2004/20H2 and will be offering it up again as an optional update for those impacted by the printing issues introduced this month. Microsoft, you recommend that we install these optional updates should we be impacted, but that's asking all of us to carry the burden of testing. That's just not right. If you want us to immediately install updates the second they are released, you need to do better than this. You need to widen your testing of updates to include consumers and not just enterprises.

People often think that the insider testing process impacts the quality of security updates. It's my opinion that it does not. Insider testing is for features not related to security. These are fixing security bugs that aren't yet fixed even in the insider versions.

Recently you announced you'll be closing your UserVoice feedback process, which allows users and IT administrators to ask for new features. At a time when I think you need to hear more from customers, it feels like you're pulling back.

So later on this week, when I decide to tell people to update or not, I'm still not sure what I'm going to tell my readers here at Computerworld or on. I'm not comfortable telling people to NOT update. But I'm also not comfortable telling them to blindly install updates and trust that Microsoft has gotten it right. So far, you haven't given me enough assurance that even with three tries you've got it right yet. And that's a shame.

Because the attackers often get their attacks right the first time.

