MS-DEFCON 3: Get patches installed, except for a couple
We have more than a hundred patches sitting on the back burner, since the last foray to MS-DEFCON 3, three weeks ago. For those of you staring at a bunch of patches, here’s my recommendation.
As has been the case for a couple of months, I’m generally recommending that Vista, Win 7 and 8.1 users install identified Security updates, and that you give all of the rest a wide berth. There are two Security updates, though, that are probably worth avoiding. If you’re running Win10 and have updates turned off (probably with the metered connection trick), it’s time to cross your fingers and get caught up.
The details are similar to last month’s:
Vista: Start Internet Explorer and verify (Help > About) that you’re running Internet Explorer 9. Apply all outstanding patches, but DON’T CHECK any update boxes that are unchecked. Also, see the description in the next paragraph about KB 3139398 and KB 3139852: If you see them, uncheck them.
Windows 7: There were two patches released earlier this month that still need some time to stew before they’re ready: KB 3139398, the Windows 7 and 8.1 USB driver fix; and KB 3139852, the kernel mode driver patch. Susan Bradley recommends holding off on both (paywalled). I haven’t seen any specific reports of problems with either, but given the headaches we’ve had in the past with kernel patches, it’s worthwhile to wait.
Step 1. If you haven’t checked recently, crank up Internet Explorer. Don’t use it to go to any sites, but click the gear icon in the upper right corner, choose About Internet Explorer, and verify that you’re on IE 11. If you aren’t yet on IE 11, make sure the box marked “Install new versions automatically” is checked, then click Close. That’s the easiest way to upgrade to IE 11. There may be an IE 11 upgrade sitting in Windows Update (Start > Control Panel > System and Security > under Windows Update, click Check for updates). If so, keep it checked.
I don’t recommend that you use IE. (Hey, Microsoft’s already put it out to pasture; that’s what Edge is all about.) But you need to update it, and keep it patched, because Windows still uses bits and pieces of IE in various places.
Step 2. Run GWX Control Panel and set it to block OS upgrades.
Step 3. Go into Windows Update (Start > Control Panel > System and Security > under Windows Update, click Check for updates). Click the link that says “XX important updates are available” and select only security updates. In other words, check the boxes next to items that say “Security Update” and UNCHECK the boxes next to items that only say “Update.”
Uncheck KB 3139398 and KB 3139852, if they appear.
Yes, you should check the KB 3139929 Internet Explorer cumulative update, even though it hides an ad generator in the guise of a security patch. We haven’t seen the ad appear yet and, when it does, you’ll just avoid it, OK?
For those of you who have asked, I don’t see any worthwhile updates in yesterday’s bountiful crop of patches. Apparently KB 3103709 is appearing on some Windows 8.1 machines. I don’t have a clue what that one does — there’s no KB article, and it isn’t included in the master Windows Update list. KB 3115224 doesn’t have a KB article either. Can’t think of any good reason to install either of them.
Step 4. On the left, click the link that says Optional. Uncheck every box that you see. Yes, I’m saying that if a box is checked, uncheck it. If you uncheck the box next to “Upgrade to Windows 10 Pro, Version 1511, 10586,” Windows Update will check it again for you. Don’t be alarmed. GWX Control Panel will protect you.
Step 5. Click OK, then Install updates.
Step 6. Back in Windows Update, on the left, click the link to Change settings. Make sure “Important Updates” is set to “Check for updates but let me choose whether to download and install them,” and uncheck the box next to “Give me recommended updates the same way I receive important ones.”
Step 7. Click OK and reboot.
Step 8. This one’s important. You need to run GWX Control Panel again. That’ll ensure Microsoft didn’t install anything untoward.
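To preview how the rules in Steps 3 and 4 sort your pending list before you touch any checkboxes, here is a read-only PowerShell sketch. It is an added example, not part of the original post: it queries the Windows Update Agent COM API (Microsoft.Update.Session), assumes the AutoSelectOnWebSites property corresponds to a box that arrives pre-checked, and uses a made-up helper name, Get-PatchDecision.

```powershell
# Added example: read-only triage of pending updates by this post's rules.
# Nothing is downloaded, installed or hidden. Works on PowerShell 2.0 and later.
$HoldKBs = @('3139398', '3139852')   # the two patches the post says to uncheck

function Get-PatchDecision {          # hypothetical helper name
    param([string]$Title, [string[]]$KBArticleIDs, [bool]$IsDriver, [bool]$PreChecked)
    if ($KBArticleIDs | Where-Object { $HoldKBs -contains $_ }) { return 'HOLD' }
    if ($IsDriver)        { return 'SKIP (driver)' }
    # Assumption: an update not auto-selected is one whose box is unchecked.
    if (-not $PreChecked) { return 'SKIP (box not checked)' }
    # "Security Update" also matches the IE "Cumulative Security Update" title;
    # "Definition Update" covers Defender / Security Essentials signatures.
    if ($Title -match 'Security Update|Definition Update') { return 'INSTALL' }
    return 'SKIP (not a security update)'
}

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

$report = foreach ($u in $result.Updates) {
    $kbs = @($u.KBArticleIDs)
    New-Object PSObject -Property @{
        Decision = Get-PatchDecision -Title $u.Title -KBArticleIDs $kbs `
                       -IsDriver ($u.Type -eq 2) -PreChecked $u.AutoSelectOnWebSites
        KB       = ($kbs | ForEach-Object { "KB$_" }) -join ','
        Title    = $u.Title
    }
}
$report | Sort-Object Decision, KB | Format-Table Decision, KB, Title -AutoSize -Wrap

# After the reboot: list either held patch if it was installed anyway.
Get-HotFix -Id ($HoldKBs | ForEach-Object { "KB$_" }) -ErrorAction SilentlyContinue
```

The search can take several minutes on a machine that is far behind. If the final Get-HotFix line prints nothing, neither held patch is installed.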
Windows 8.1: Follow the instructions for Windows 7, but in Step 3 go into Windows Update by right-clicking on the Start icon and choosing Control Panel.
Windows 10: If you’re using the metered connection trick to block updates, unblock the metered connection long enough to get caught up.
Everybody: Either watch here on AskWoody.com, or follow me on Twitter (@woodyleonhard) or Facebook to keep up on the latest. Microsoft’s releasing patches at the rate of more than a hundred – maybe 200 – a month. It’s a jungle out there. And if you catch something, shoot me email (click on the mail icon in the upper right corner of this page), or post a reply to this blog.
I’m putting us at MS-DEFCON 3: Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems.
My usual boilerplate advice:
For those of you who are new to this game, keep in mind that… You should always use Windows Update to install patches; downloading and installing individual patches is a clear sign of impending insanity. I always install Windows Defender/Microsoft Security Essentials updates as soon as they’re available – same with spam filter updates. I never install drivers from Windows Update (in the rare case where I can actually see a problem with a driver, I go to the manufacturer’s web site and download it from the original source). If Windows Update has a patch but the box isn’t checked, DON’T CHECK THE BOX. It’s like spitting in the wind. I use Chrome and Firefox, and only pull out IE when I feel very inclined — but even if you don’t use IE, you need to keep up with its patches.
P.S. Yes, you read that right. I now recommend that you Win7 and 8.1 users only install Security Updates. For many months, almost all of the non-security updates Win7 and 8.1 customers have received are specifically designed to push them to Windows 10, or to increase Microsoft’s ability to snoop on Win7 and 8.1 machines. No thanks.
Thanks, as always, to Susan Bradley and her in-depth work in Windows Secrets Newsletter.
P.S. Remember when patching was easy?