Last week the patching world was afire with dire warnings to immediately install MS14-066/KB 2992611. That's the SChannel patch -- the one that BBC mixed up with a 19-year-old security hole, thus prompting enormous confusion, spread all over the Internet. If you followed the sky-is-falling admonitions (and ignored my entreaty to hold off for a bit), you may now be sitting in deep data do-do.
MS14-066/KB 2992611 was rolled out the automatic update chute this past Black Tuesday, Nov. 11, targeted to every Vista, Windows 7, Windows 8/8.1, and Windows Server 2003, 2008, 2008 R2, 2012, and 2012 R2 machine. What went wrong?
First, there's the problem that Microsoft has publicly acknowledged. KB 2992611 has been updated with a warning that, in certain situations where TLS 1.2 is enabled by default:
TLS 1.2 connections are dropped, processes hang (stop responding), or services become intermittently unresponsive. You may also receive an error message that resembles the following in the System log in Event Viewer:
Log Name: System
Source: Schannel
Date: Date and time
Event ID: 36887
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: ComputerName
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.
Microsoft's workaround, which you can read in the KB article, involves deleting four Registry values, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, and TLS_RSA_WITH_AES_128_GCM_SHA256.
Then there's the problem that Microsoft hasn't acknowledged. SQL Server guru Darren Myher puts it this way:
Security Update MS14-066 causes major performance problems in Microsoft Access/SQL Server applications... When the update is installed to a server running Microsoft SQL Server (So far, confirmed as issue with SQL Server 2008 R2, SQL Server 2012, SQL Server 2014) client applications that access the database via ODBC such as Microsoft Access clients pointing to SQL Tables encounter a major performance hit...
Our customers are reporting that this security update causes MAJOR performance problems in any Microsoft Access application with a SQL Server backend (any version). For example, a simple operation such as clicking from one line of an order to another (without performing ANY data updates) can take from 5 to 15 seconds! For users having to update hundreds of lines of orders, the application becomes nearly unusable – an activity that used to take 5 minutes could take hours.to complete.
Please, if you have not installed this update yet – DO NOT INSTALL IT to the SQL Server machine
Myher also offers a fix to the problem: Uninstall the patch.
It isn't clear if uninstalling the patch will also fix the first problem, the TLS 1.2 hang. Microsoft didn't talk about it, although Sandi Hardmeier on the MSMVPs forum says uninstalling KB 2992611 will restore the old, good, registry settings.
Third, there's a report on TechNet that KB 2992611 breaks IIS sites, specifically when using Google Chrome. Poster Pascal Winter, among many others, writes:
After KB2992611 was installed via Windows Automatic Update users of our retail site on Google Chrome were not able to establish a secure connection and could not reach our secure pages to checkout/manage accounts.
The workaround offered by poster DBWYCL involves using a load balancer on the front end of the server, terminating SSL at the load balancer and re-routing back to the server over HTTP. Nothing like a secure solution to a botched security patch, eh?
There are other problems. Poster Nicholas Piasecki says that installing KB 2992611 throws internal errors 1250 and 1051 when using Firefox, Chrome, and Safari (but IE was OK). Leon McCalla on the Microsoft Connect forum says that KB 2992611 breaks ODBC access in SQL Server 2008. Mike G on the Citrix forum reports that KB 2992611 breaks XML. Cristian Satnic at OdeToData posted his experiences with https problems using IIS and Chrome. Even Amazon Web Services acknowledges the problem -- but doesn't yet have a solution.
Once again, we're sitting here with a bad patch, almost a week after Black Tuesday, and the patch is still being offered through Automatic Update. Microsoft hasn't pulled it, in spite of one acknowledged major problem, another that's the talk of the SQL Server community, and a few hangers-on that may clobber your machines. Amazon raised a red flag on Wednesday. What's wrong with Microsoft?
I wonder if we can open a tech support ticket, saying that Windows patching itself is broken? Kind of a meta-complaint.