Windows 7, Windows Server 2008 Open to Microsoft Patch Issues
Microsoft's August security updates won't install for users of Windows 7 SP1 or Windows Server 2008 R2 SP1 if those operating systems lack certain March updates.
That was the gist of a Microsoft Twitter post last week. Those two systems need to have March updates KB4474419 and KB4490628 installed, according to the company. Those updates cause a switch in the update signatures from trusting both Secure Hash Algorithm-1 (SHA-1) and SHA-2 to only trusting SHA-2. The switchover to SHA-2 is required by Microsoft to continue to get future updates for those OSes.
Users experiencing this problem may see "error code 0x80092004" after the August updates try to install, according to a Born's Tech and Windows World post.
Users of Windows Server Update Services (WSUS) 3.0 SP2 also are affected. They'll need to have KB4484071 installed, which adds support for SHA-2 signatures, according to this Microsoft Knowledge Base article. Users of WSUS 4.0 already have built-in trust for SHA-2 only.
The switch to SHA-2 only for Windows 7 and Windows Server 2008 R2 users took effect on August 13 ("update Tuesday"), when Microsoft released its August security and quality updates for Windows systems. Microsoft documented the matter in the Knowledge Base article referenced above, which includes a timeline for when SHA-1 gets distrusted for various Windows OSes. Microsoft also previously announced that it was planning to distrust the use of SHA-1 for Windows systems back in February.
SHA-1, a 20-year-plus security algorithm for hashing data, is deemed insecure by the computer industry. It was broken by researchers last year using brute-force attacks, for instance.
Microsoft also described similar SHA-1 distrust troubles for users of Symantec and Norton anti-virus programs with this month's patches. August patches are getting blocked for some users of Windows 7 SP1 and Windows Server 2008 R2 SP1 that use those antivirus programs. It's one of the "known issues" this month, Microsoft explained:
Symantec has identified an issue that occurs when a device is running any Symantec or Norton antivirus program and installs updates for Windows that are signed with SHA-2 certificates only. The Windows updates are blocked or deleted by the antivirus program during installation, which may then cause Windows to stop working or fail to start.
Microsoft and Symantec have set a temporary block on the delivery of the August updates for those affected systems. They are advising against manual August update installs. Symantec is working on updates to Symantec Endpoint Protection to remedy the situation, according to this Symantec article.
Visual Basic Problems
In yet another notable post-update Tuesday surprise, applications using Visual Basic 6, Visual Basic for Applications and VBScript may stop working after installing KB4512506, which is one of Microsoft's August security updates. The problem affects most supported Windows systems and Microsoft is presently investigating the issue.
Microsoft also has a Message Center for Windows releases. It appears to be yet another centralized place where Microsoft sends out important notices about patching issues.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.