Bad Win 7 Security Only update for Feb

[TwoTankAmin]

Well I knew it would happen. Microsoft has just announced the bugs in February updates. Here is what their site said about the both the Windows 7 & Security Only and Momthly Rollup bugs

Windows 7 Security-Only and Monthly Rollup bugs

Both of the KB articles for this month’s Win7 patches have been updated. KB 4074598, the February Win7 Monthly Rollup, and KB 4074587, the Feb Win7 Security-Only patch, both triigger a bizarre error, “SCARD_E_NO_SERVICE.” The KB articles now say:

The LSM.EXE process and applications that call SCardEstablishContext or SCardReleaseContext may experience a handle leak. Once the leaked handle count reaches a certain threshold, smart card-based operations fail with error "SCARD_E_NO_SERVICE". Confirm the scenario match by reviewing the handle counts for LSM.EXE and the calling processes in the process tab of Task Manager or an equivalent application.

Monitor the handle counts for the LSM.EXE process and the calling process before and after installing this update. Restart the operating system that's experiencing the handle leak as required.

Microsoft is working on a resolution and will provide an update in an upcoming release

Which, I’m sure, is comforting news for most Windows 7 customers.

from https://www.computerworld.com/article/3258769/microsoft-windows/microsoft-patch-day-brings-bug-warnings-another-office-ctr-and-the-return-of-kb-2952664.html

I have already downloaded and installed the Security Only update. The above explanation from Microsoft might as well be in Chinese as far as I and, likely, most Win 7 users are concerned. So I need some advice from some of the members here who might have a clue about this. As I see it I have two options. The first is to uninstall the update completely and then wait until the solution is out. Or, I can leave the patch in place and wait for Microsoft to put out a fix. I have updates set to never check because I do it myself monthly, so knowing when a fix is out is a PITA. I now know to wait even longer before doing future monthly security only updates. (I never do any previews, so I avoided those Feb, bugs.)

Which is the smarter choice, please? And why? Please answer in plain simple English if it involves anything technical. Thanks in advance for any help. Also, am I wrong in thinking that the monthly Security only updates are cumulative so i just deleted the Feb. update and then do the one in March, I will end up OK?

[lyceus]

In plain English.

Bug: LSE.EXE fails if you made too many operations with smart cards and can reboot your system.

Info:
A smart card is a small, tamperproof computer. The smart card itself contains a CPU and some non-volatile storage. In most cards, some of the storage is tamperproof while the rest is accessible to any application that can talk to the card. This capability makes it possible for the card to keep some secrets, such as the private keys associated with any certificates it holds. The card itself actually performs its own cryptographic operations. https://technet.microsoft.com/en-us/library/dd277362.aspx

Are you affected?
Only if you use smart cards. Basically these dongles for passwords for bank operations, as example.

So how Microsoft will update this mess? There are two routes:

A. They will release the patch for FEB as v2.0 sometime and will popup in the Windows Update. Can happen or not.

B. March patches will have an extra patch for "patch" this bad patch. (I hope made well the pun) More likely to happen.

I hope you can understand, Microsoft will still release bad patches but at least the security only ones will have the less payload possible.

Lyceus

[TwoTankAmin]

@lyceus

TY very much for the info. I have no smart cards, so I guess i am safe. One of the reasons I am done with Microsoft when Windows 7 is finished is because they not only lie to users regularly, but they also appear intentionally to state things so the average user will not understand them. You had no trouble explaining this in plain language. Maybe Microsoft should give you a job because the people they have now sure cannot communicate well at all.

[RexyDallas]

If they have not released a fix by now, it just goes to show what type of company they are. They sure as hell have the resources to.

Of course, they always were the type to lie, cheat, and manipulate to get to the top. See the 1990s Internet Explorer scandal, the fact they still have many undocumented APIs, and the fact NT's native API still isn't completely documented on MSDN. The fact that, though they deny it, they undoubtedly have given some companies preferential access to their APIs. They were just more discreet about it before.

Of course, they are at it again with IE for Windows RT. There's also the fact Windows RT is literally built on top of the Win32 API, which is built on top of the NT native API, and yet you can't use those on tablets. Except that, you know, Internet Explorer DOES use those apis. Which is why there is neither Firefox nor Chrome for Windows RT.

This is why I hope ReactOS can get to a usable state by 2020, or 2023.

[lyceus]

[..] they also appear intentionally to state things so the average user will not understand them. [..]

They are expert on make things the most complicate possible .

Anyway if you use/need to service machines with some extra layer of updates like HP's softpacks it's worthy give them a look for extra security.