On 13 November, Microsoft released a security update, KB4461529, which fixed four security vulnerabilities. These flaws could allow remote code execution if a user opened a specially crafted Office file, it said. KB4461529 solved this problem for the .msi 64-bit version of Outlook 2010 in the worst way by simply having the program not run at all. It crashed Outlook at startup.
Microsoft advised users not to uninstall the patch. Instead, it suggested they use Outlook Web Access until the problem was resolved. In the meantime, it wrote a second patch which it sent scurrying after the first on 21 November. KB4461585 will fix the crashing problem, it said.
This wasn’t the first Outlook 2010 patch problem for Microsoft users this month. On 6 November it released updates KB2863821 and KB4461522, which fixed the program’s Japanese calendar to support new ‘eras’. These patches also caused Access to crash on startup in some cases, it warned. It removed them.
The Japanese calendar inherited the idea of eras from China in the eighth century. Eras punctuate an emperor’s reign or some other major event. You only get a new one every few years, which is how many Windows users probably wish Microsoft would schedule its software patches right about now.
Microsoft has bungled Office-related patches before. One patch last year caused text to disappear from tables in Word, causing users to panic and hassle admins. It followed another patch the previous month that caused a similar problem. Microsoft eventually fixed it in October with yet another patch.
These problems follow a worrying October for Microsoft users, some of whom watched files and settings disappear before their eyes after installing Windows 10 update 1809. Microsoft was forced to pause the update while it fixed things.
Concerns over the quality of Microsoft’s patches surfaced earlier this year when Microsoft Most Valuable Professional Susan Bradley wrote an open letter to the company about the problem.
While Microsoft may seem a bit quick off the mark when issuing some patches, it’s been reluctant to ship others. In May we wrote that it refused to patch a Windows-crashing bug after a security researcher reported it, on the grounds that the exploit needed a USB key and so didn’t meet its standards.
Perhaps the biggest problem here is one of trust. Microsoft wants people to install patches promptly – especially security ones – because it helps to prevent malware infections. Bitter experience with the likes of Conficker and WannaCry has taught Redmond that simply making patches available isn’t enough, though, so it likes to install Windows 10 updates by default where it can. But the more patches that it messes up, the more likely users are to push back.
Enterprise users can stop patches by changing settings in the Windows Update Server. Windows 10 Pro and Enterprise users can pause patches. Windows 10 Home users don’t have any choice at all when it comes to installing Windows updates, the company says.
The company doesn’t force Office patches, instead giving users the option to turn on automatic updates. However, the more Microsoft fumbles the ball, the more users may start turning patches off where they can. That would be bad for the security ecosystem in general.
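Before an admin decides whether to pause or defer updates, the first question is which state each machine is actually in: the broken patch alone, the broken patch plus its fix, or neither. The script below is an added example, not code from the article or from Microsoft. It reads the Windows Update Agent history through its COM API and looks for the two KB numbers named in the article, KB4461529 (the Outlook 2010 update that crashes the 64-bit .msi build at startup) and KB4461585 (the follow-up fix). It assumes both updates reached the machine through Windows Update or WSUS, so that they appear in that history; the function names are the example's own.

```powershell
# Added example (not from the article): report whether KB4461529 (crashes Outlook 2010,
# 64-bit .msi) and its follow-up fix KB4461585 appear in this machine's Windows Update
# history. Assumption: the updates were delivered via Windows Update or WSUS, so the
# Windows Update Agent recorded them. KB numbers are the ones named in the article.

$BrokenKb = 'KB4461529'   # Outlook 2010 security update that crashes Outlook at startup
$FixKb    = 'KB4461585'   # Microsoft's follow-up patch for the crash

function Get-UpdateHistoryEntries {
    # Read the Windows Update Agent history (IUpdateSearcher.QueryHistory).
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    if ($count -eq 0) { return @() }
    $searcher.QueryHistory(0, $count) | Select-Object Title, Date, Operation, ResultCode
}

function Test-KbInstalled {
    param(
        [string]$Kb,
        [AllowEmptyCollection()] [object[]]$History
    )
    # Titles look like "Security Update for Microsoft Outlook 2010 (KB4461529) 64-Bit Edition".
    # Take the most recent entry for this KB so a later uninstall is not mistaken for an install.
    $latest = $History |
        Where-Object { $_.Title -match [regex]::Escape("($Kb)") } |
        Sort-Object Date -Descending |
        Select-Object -First 1
    # Operation: 1 = Installation, 2 = Uninstallation.
    # ResultCode: 2 = Succeeded, 3 = Succeeded with errors.
    [bool]($latest -and $latest.Operation -eq 1 -and $latest.ResultCode -in 2, 3)
}

$history   = @(Get-UpdateHistoryEntries)
$hasBroken = Test-KbInstalled -Kb $BrokenKb -History $history
$hasFix    = Test-KbInstalled -Kb $FixKb    -History $history

switch ($true) {
    ($hasBroken -and -not $hasFix) {
        "$BrokenKb is installed without $FixKb`: 64-bit .msi Outlook 2010 may crash at startup. " +
        "Microsoft's advice was to use Outlook Web Access rather than uninstall the patch."
    }
    ($hasBroken -and $hasFix) {
        "$BrokenKb and $FixKb are both installed: the startup crash should be resolved."
    }
    default {
        "$BrokenKb not found in the Windows Update history: this machine is not in the affected state."
    }
}
```

Run it in an elevated PowerShell session on the workstation, or wrap the three functions in `Invoke-Command` against a list of computers to get a fleet-wide view. Two caveats apply: `Get-HotFix` is not a substitute here, because it reports only operating-system updates and will not list Office .msi patches; and a patch applied by running the .msp by hand, outside Windows Update or WSUS, will not appear in the agent's history at all.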
It’s a puzzling issue for a company that is supposed to excel at producing quality software. DevOps and continuous integration practices like automated testing and gating were meant to make software quality problems like these go away. So why are they still happening with such apparent regularity in Redmond?