• MS-DEFCON 4: Get Windows patched, but watch out

    I’m still running down details, but figured it’s time to release the floodgates. While it may look like the August 2015 Patch Tuesday updates are just fine, in fact we’ve seen a real problem – solved earlier this week – and there’s been a lot of speculation about a host of “snooping” patches. 

    I’ve been looking high and low for more information about the snoopers, and lemme tell ya, it’s hard to find real facts buried in a big mound of, uh, opinions, both for and against. The debate over new surveillance in Win7 and Win8.1 sounds more like a Microsoft loyalty test than a dispassionate look at the facts.

    But I digress.

    There aren’t any patches sitting in the closet, screaming to get out, unless you use Internet Explorer. If you still use IE – knowing that Microsoft has put it out to pasture – you should check out Firefox or Chrome (or any of a dozen other browsers).

    Let’s take ’em from the oldest to the scrappy youngest.

    Vista – Install all offered updates.

    Windows 7 – Here’s where things get interesting. If you’re concerned about Microsoft snooping (and you should be), it would be a good idea to avoid KB 3068708, 3022345, 3075249, and 3080149 for now. I say that realizing that my tinfoil hat is showing. I have an inquiry into Microsoft at this moment which should shed some light — if I get a straight answer.

    All of those patches are from the June Patch Tuesday crop. If you already have them installed, don’t worry about it — I’ll update you on my findings in InfoWorld shortly. If you don’t have those patches installed, though, I’d hide them for now. (In the Windows Update available patches list, right-click on the patch and choose Hide.)

    The rest of the Windows 7 patches are now OK.

    Windows 8.1 – Same thought process, parallel advice. For now, hold off on installing KB 3068708, 3022345, 3075249, and 3080149 (from June’s Patch Tuesday). If they’re already installed, don’t do anything drastic just yet. There may be a much simpler way to blunt their snitching proclivities. The rest of the Win 8.1 patches are also OK.
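
    To see where a Windows 7 or 8.1 machine stands on the four updates named above, here is an added PowerShell example (not from the original post; the function name and status labels are made up for illustration). It reports each KB as installed, offered, hidden, or not offered, and with -Hide it marks the offered ones hidden through the Windows Update Agent COM interface.

```powershell
# Added example: KB numbers come from the post; names below are illustrative.
$WatchedKbs = '3068708', '3022345', '3075249', '3080149'

function Get-WatchedUpdateStatus {
    param(
        [string[]]$KbIds = $WatchedKbs,
        [switch]$Hide   # hide still-offered matches; needs an elevated session
    )

    # Installed updates as reported by Get-HotFix (HotFixID looks like "KB3068708").
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
        ForEach-Object { $_.HotFixID -replace '^KB', '' })

    # Updates Windows Update has found but not installed (Windows Update Agent COM API).
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $pending  = $searcher.Search('IsInstalled=0').Updates

    foreach ($kb in $KbIds) {
        $status = 'NotOffered'
        $title  = $null

        if ($installed -contains $kb) {
            $status = 'Installed'
        }
        else {
            foreach ($update in $pending) {
                if (@($update.KBArticleIDs) -contains $kb) {
                    $title = $update.Title
                    if ($Hide -and -not $update.IsHidden) {
                        $update.IsHidden = $true   # same effect as right-click > Hide
                    }
                    $status = if ($update.IsHidden) { 'Hidden' } else { 'Offered' }
                    break
                }
            }
        }

        # New-Object PSObject keeps this working on the PowerShell 2.0 that ships with Windows 7.
        New-Object PSObject -Property @{ KB = "KB$kb"; Status = $status; Title = $title } |
            Select-Object KB, Status, Title
    }
}

Get-WatchedUpdateStatus | Format-Table -AutoSize
```

    Run it once without -Hide to see the current state; the search contacts Windows Update, so it can take a minute or two.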

    Windows 10 – We’re up to Cumulative Update 5, and aside from some ongoing driver heartburn (which you may be able to blunt using this approach), I haven’t heard of any major problems.

    If you’re using the metered connection trick to block forced updates, tell Win10 that your internet connection isn’t metered. Run out to Updates (Start, Settings, Update & security, Windows Update), click Check for updates and let Windows run its course. Then turn the metered indicator back on.

    If you’re using the new Windows Store setting to block Automatic Store app updates, turn the switch in Windows Store on, then in Windows Store, click on your picture, choose Downloads and Updates, then click to Check for updates.

    UPDATE: In the comments, @Louis asked, “If we haven’t installed KB 3076895 yet, and KB 3092627 isn’t currently available, should we install KB 3076895 and then look for KB 3092627? Or just hide KB 3076895 altogether?”

    My answer: “Unless you’re using Symantec Endpoint on a server, or Microsoft Forefront, you shouldn’t have any problem with 3076895. I’d say install it, with the expectation that 3092627 will show up shortly. In fact, if you run the updates, re-boot, then re-run Windows Update (standard procedure), I bet it appears in the second round.”

    In summary, then, I’m cranking us down to MS-DEFCON 4: There are isolated problems with current patches, but they are well-known and documented here. Check this site to see if you’re affected and if things look OK, go ahead and patch.

    The usual admonition applies: In Vista, Win7 and Win8.1, use Windows Update, DON’T CHECK ANY BOXES THAT AREN’T CHECKED, reboot after you patch, and then run Windows Update one more time to see if there’s anything lurking. When you’re done, make sure you have Automatic Update turned off. I always install Windows Defender/Microsoft Security Essentials updates as soon as they’re available – same with spam filter updates. I never install drivers from Windows Update (in the rare case where I can actually see a problem with a driver, I go to the manufacturer’s web site and download it from the original source).

    For Windows 10, the situation’s more complicated, depending on how far you’ve gone to block forced patches. The general procedure’s described above.