Microsoft's latest patches bring many Windows and Office fixes and lots of confusion


Patch Tuesday has hit with a vengeance. Microsoft’s Official lists 243 Windows patches, 81 of which are critical. If you click on the Details button to show individually identified security problems (typically CVE numbers), the list swells to 997 entries. Be of good cheer. You can download the whole list into an Excel spreadsheet with a click on the Download button.

Microsoft has also published its : 36 security updates and 28 nonsecurity updates. 

Wait, that’s not all. In addition to the Security Update spreadsheet and the Office list, there’s also a list of new nonsecurity patches on the old site.

I count a (but only for Windows 8.1), two so-called Dynamic Updates for Win10 1703 (see of Dynamic Updates—they’re used during installation of an upgrade), a security update for the , and the usual Malicious Software Removal Tool.

of fixes

  • 1607 to build 14393.1198 — list of fixes
  • 1511 to build 10586.916 — list of fixes
  • 1507 to build 10240.17394 — another  list of fixes. This should be the last cumulative update for 1507.
  • Note that the patches for  for IE11 and Edge SSL/TLS Authentication are listed separately. Looks like a Security Bulletin to my jaundiced eye.

    Windows 7

    Windows 8.1

    In the Lounge, and note that the odd new terminology is proliferating, where patches for Win7 and 8.1 are now preceded by the year and month. For example, we have “2017-05 Security Only Quality Update for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2 (KB4019263).” That’s not to be confused with names that include dates that go the other way around, such as “May, 2017 Security Only Update for .Net Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 on Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2 (KB4019108)” or names that don’t mention dates, such as “Cumulative Security Update for Internet Explorer (KB4018271).”

    . Most folks can (and should) ignore it. Thx to .

    Microsoft has also released four in the past two days:

    • Identifying and correcting failure of Windows Update client to receive updates
    • Vulnerabilities in .Net Core, ASP.Net Core Could Allow Elevation of Privilege
    • Deprecation of SHA-1 for SSL/TLS Certificates in Microsoft Edge and Internet Explorer 11
    • Security Update for Microsoft Malware Protection Engine

    The last one is the Security Advisory I .

    In addition, Microsoft announced last week that .Net Framework 4.7 is on Windows 7, Windows 8.1, and all versions of Win10. Thanks to .

    If you’re looking for even more detail,  has an extensive list and analysis. The ZeroDay Initiative organized by CVE number.

    Personally, I would love to see a small chart that groups similar CVEs into, well, Security Bulletins. Microsoft recenlty published a Security Advisory that looks , to centralize the discussion of SHA-1 deprecation in IE11 and Edge. I’d pay to have another column in the Security Update Guide with a link to a collection of aggregating articles. Security Bulletins, if you will.

    Note: I do not recommend that you update yet. It’s much, much too early to tell which patches are causing problems. 

    Help us sort this giant mess out on the .