MS-DEFCON 3: Time to take your Microsoft update medicine

We’ve had a veritable blizzard of patches so far this month, with several that caused problems, one that was pulled after crashing Office 2013 systems, and a whole bunch that are woefully under-described.

It looks like there’s a lull on the Redmond front, so it’s time to jump in and get patched.

As was the case last month, I’m generally recommending that Vista, Win 7 and 8.1 users install identified Security updates, and that you give all of the rest a wide berth. If you’re running Win10 and have updates backed up (probably with the metered connection trick), it’s time to cross your fingers and get caught up.

The details:

Vista: Start Internet Explorer and verify (Help > About) that you’re running Internet Explorer 9. Apply all outstanding patches, but DON’T CHECK any update boxes that are unchecked. Run the update. If your fonts turn fuzzy, follow the instructions in KB 3037639. Most of all, be very aware of the fact that extended support for Vista ends on April 11, 2017, so you’re going to be facing the piper before too long.

Windows 7: The “Get Windows 10” campaign is back in full force. If you don’t want to upgrade to Win10 right now – there are lots of reasons to hold off – here’s the easy way to get caught up without installing any of the latest dreck.

Step 1. If you haven’t checked recently, crank up Internet Explorer. Don’t use it to go to any sites, but click the gear icon in the upper right corner, choose About Internet Explorer, and verify that you’re on IE 11. If you aren’t yet on IE 11, make sure the box marked “Install new versions automatically” is checked, then click Close. That’s the easiest way to upgrade to IE 11.

I don’t recommend that you use IE. (Hey, Microsoft’s already put it out to pasture; that’s what Edge is all about.) But you need to update it, and keep it patched, because Windows still uses bits and pieces of IE in various places.

Step 2. Run GWX Control Panel and set it to block OS upgrades.

Step 3. Go into Windows Update (Start > Control Panel > System and Security > under Windows Update, click Check for updates). Click the link that says “XX important updates are available” and select only security updates. In other words, check the boxes next to items that say “Security Update” and UNCHECK the boxes next to items that only say “Update.”

Yes, you should check KB 3134214, if it appears in your list, even though it’s a combined security and non-security patch.

Step 4. On the left, click the link that says Optional. Uncheck every box that you see. Yes, I’m saying that if a box is checked, uncheck it.

Step 5. Click OK, then Install updates.

Step 6. Back in Windows Update, on the left, click the link to Change settings. Make sure “Important Updates” is set to “Check for updates but let me choose whether to download and install them,” and uncheck the box next to “Give me recommended updates the same way I receive important ones.”

Step 7. Click OK and reboot.

Step 8. This one’s important. You need to run GWX Control Panel again. That’ll ensure Microsoft didn’t install anything untoward.

Windows 8.1: Follow the instructions for Windows 7, but in Step 3 go into Windows Update by right-clicking on the Start icon and choosing Control Panel.

Windows 10: If you’re using the metered connection trick to block updates, unblock the metered connection long enough to get caught up.

Everybody: Either watch here on AskWoody.com, or follow me on Twitter (@woodyleonhard) or Facebook to keep up on the latest. We’ve seen more than a hundred patches in the past month. It’s a jungle out there. And if you catch something, shoot me email (click on the mail icon in the upper right corner of this page), or post a reply to this blog.

I’m putting us at MS-DEFCON 3: Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems.

My usual boilerplate advice:

For those of you who are new to this game, keep in mind that… You should always use Windows Update to install patches; downloading and installing individual patches is a clear sign of impending insanity. I always install Windows Defender/Microsoft Security Essentials updates as soon as they’re available – same with spam filter updates. I never install drivers from Windows Update (in the rare case where I can actually see a problem with a driver, I go to the manufacturer’s web site and download it from the original source). If Windows Update has a patch but the box isn’t checked, DON’T CHECK THE BOX. It’s like spitting in the wind. I use Chrome and Firefox, and only pull out IE when I feel very inclined — but even if you don’t use IE, you need to keep up with its patches.

P.S. Yes, you read that right. I now recommend that you Win7 and 8.1 users only install Security Updates. For many months, almost all of the non-security updates Win7 and 8.1 customers have received are specifically designed to push them to Windows 10, or to increase Microsoft’s ability to snoop on Win7 and 8.1 machines. No thanks.

Thanks, as always, to Susan Bradley and her in-depth work in Windows Secrets Newsletter.