1/15/2016 – See Update at the bottom of this post. I’d tell you now, but I don’t want to spoil it.
In this scary world of hoverboards bursting into flames, one can never let their guard down. SharePoint security is no exception. This month’s Patch Tuesday (a big event in the Klindt household, even bigger than “liver and onions night”) has a security patch for Office and SharePoint, MS16-004 (KB3124585). It patches a nasty remote code execution bug, which I don’t have to tell you is bad. It’s even worse than missing “liver and onions night.” Security patches inherently have a sense of urgency around them, so sometimes they are published with a few, shall we say, rough edges. MS16-004 has that distinct honor.
It wasn’t too long after the patches were pushed out that people started noticing problems. Their tales of woe popped up on the TechNet forums and StackExchange. It seems people who installed KB3124585 from Windows Update, but did not install the full January 2016 SharePoint CU, are having problems. A little over a year ago I published a blog post, “Don’t Enable Automatic Updates on SharePoint Servers,” where I, obviously, recommended not having Windows Update automatically update your SharePoint servers, for SharePoint or Windows. This situation is exactly why. Not only does this patch break SharePoint, it cannot be uninstalled. No “get out of jail free” card to be had.
In this case, there appears to be an easy fix. From the posts in the threads referenced above, if you install the January 2016 CU for SharePoint Foundation the problem goes away. Now, of course, that puts you in the uncomfortable spot of installing a CU right after it comes out, and we all know what kind of fun that can lead to. In this case though, you don’t have many options. Cross your fingers, say your prayers, maybe help some little old ladies across the street, then double-click that EXE and hope for the best.
Good luck with all your patching. Post to either of those threads, or leave a comment here if your experience is different than what I’ve blogged.
1/15/2016 – Update
On his blog, Stefan Goßner offered a workaround for this bug. We know that installing the January 2016 CU fixes the issue. Stefan provides the individual patch from the Foundation CU that fixes it. If you install patch KB3114508 on all of your servers, and run the Config Wizard, you should be good to go. This is a SharePoint patch, so like MS16-004 it cannot be uninstalled. You should test it as much as you can before you install it on your farm.