boot13It’s the first day of a new era in Windows updates. Windows 7 and 8 now get updates in cumulative rollups, and updates are bundled together.
This month there are ten security bulletins. Each bulletin is associated with one fix for a specific vulnerability in an application, library, or API; or with a bundle of fixes that address several vulnerabilities in Windows.
Each bulletin is associated with at least one Knowledge Base article, and sometimes with additional KB articles that apply to different versions of Windows, Office, .NET, or some other application. Each additional KB article is associated with a version-specific update. There are often two sets of KB articles: one for the security only quality update and one for the security monthly quality update.
All of the security updates this month are available via Microsoft Update. Most are also available from the Microsoft Download Center and the Microsoft Update Catalog (MUC). Downloading updates from the MUC technically requires Internet Explorer, but you can use any other browser by navigating to http://catalog.update.microsoft.com/v7/site/Rss.aspx?q=KBxxxxxxx (replacing KBxxxxxxx with the KB article number).
- MS16-118 Cumulative Security Update for Internet Explorer (KB3192887) – a set of security updates for Internet Explorer that address eleven separate vulnerabilities of six distinct types
- MS16-119 Cumulative Security Update for Microsoft Edge (KB3192890) – a set of security updates for Edge on Windows 10 that address thirteen separate vulnerabilities of seven distinct types
- MS16-120 Security Update for Microsoft Graphics Component (KB3192884) – a set of security updates for graphics components that are used in Windows, .NET, Office, Skype, and Lync; seven separate vulnerabilities of four distinct types are fixed
- MS16-121 Security Update for Microsoft Office (KB3194063) – a security update for Microsoft Office that addresses a single vulnerability
- MS16-122 Security Update for Microsoft Video Control (KB3195360) – a security update that addresses a single vulnerability in video control software on Windows
- MS16-123 Security Update for Windows Kernel-Mode Drivers (KB3192892) – a set of security updates for Windows kernel-mode drivers; five separate vulnerabilities of two distinct types are addressed
- MS16-124 Security Update for Windows Registry (KB3193227) – a set of security updates affecting the Windows registry; four separate elevation of privilege vulnerabilities are addressed
- MS16-125 Security Update for Diagnostics Hub (KB3193229) – a security update for the Windows Diagnostics Hub; a single vulnerability is fixed
- MS16-126 Security Update for Microsoft Internet Messaging API (KB3196067) – a security update for the Windows Messaging API; a single information disclosure vulnerability is fixed
- MS16-127 Security Update for Adobe Flash Player (KB3194343) – a set of security updates for Flash in Internet Explorer and Edge; thirteen separate vulnerabilities are fixed
So far I don’t see anything in these new updates that looks particularly worrisome. Of course there’s always a risk that Microsoft will slip something in that we don’t want, but there’s a non-trivial amount of scrutiny being directed toward Microsoft right now, and I’m confident someone will quickly spot anything untoward.
I was half-expecting the updates to be as poorly documented as Windows 10 updates, but instead the Windows 10 updates are now as well documented as the others. I also thought there would be fewer bundles, and I didn’t expect them to be grouped as sensibly as they are.
The new system is simpler in some ways, and it does at least unify all versions of Windows to some extent, although Windows 10 updates are still treated somewhat differently. It all actually seems less clunky than before, which is a very nice surprise.
Questions remain. It’s unclear how bad updates will be handled. In the past, if an update broke Windows, you could uninstall it. Now, presumably, you’d have to uninstall an entire bundle. Or something. We’ll see how it goes next month when rollups start arriving with multiple months worth of updates.
Update 2016Oct12: Brian Krebs’ take on the new Windows Update system.