MS-DEFCON 3: Get patched and brace yourself for a Malware-as-a-Service future
The times are a-changin’.
Last October, Microsoft started lumping together all of its Windows 7 and 8.1 patches. Before October, we had separate patches — separate KBs — for individual security holes, and for non-security improvements. After October’s patchocalypse, we were given two big monthly globs. You could choose to have all of your patches in one fell swoop — a choice I call “Group A” with Monthly Rollups — or you could take just the security patches, in a different fell swoop — “Group B” in my parlance, with Security-Only updates.
There have been a few changes since then — Internet Explorer patches got pulled out, for example — and a lot of confusion over, e.g., .NET Security-only and Monthly Rollups, but by and large, the Windows 7 and 8.1 patching world a month ago was divided into three parts:
- Group A – automated installation of Monthly Rollups
- Group B – manual installation of specific Security-Only patches
- Group W – folks who sat on the bench and didn’t patch at all.
That neat (if controversial and not really so neat) version of the world changed forever when, earlier this month, Shadow Brokers not only released the NSA’s trove which gave rise to the WannaCry worm, it also set up an auction for the “Shadow Brokers Monthly Data Dump” — what I’ve called Malware as a Service. You can bet that there are some very nasty malware surprises coming, all lovingly crafted by the US National Security Agency, stolen, then spread by Shadow Brokers.
In the not-so-good-old-days, supercharged Windows hacks were tools for expensive, targeted, usually politically motivated attacks. In the near future, that will no longer be the case. With the Shadow Brokers Monthly Data Dump comes democratization of the malware industry. Anybody, it seems, can strap their favorite piece of junk malware onto one of these souped-up infection methods and start attacking normal folks.
Group W — R.I.P.
With Shadow Brokers guaranteeing that major Windows vulnerabilities are coming every month, Group W is just plain dangerous. It’s not an option. Sorry.
Group B — Only for experts with a high tolerance for pain
Group B, which is based on Microsoft’s commitment to deliver Security-only updates every month, has gone from relatively simple to very complex. Officially, Internet Explorer patches have been broken off from the main download. There’s all sorts of confusion about .NET patches — which are Security-only, which Rollups? We’ve seen security patches released outside the monthly Security-only stream. There have been bugs in Security-only patches that were fixed outside of the Security-only stream. There’s a host of problems documented in this Topic.
Group B isn’t dead, but it’s no longer within the grasp of typical Windows customers. Many of you reading this post are fully capable of sticking with Group B. Most Windows customers are not.
Pick up the Pace
In the past I’ve waited several weeks to see if any big bugs appear before recommending that you install available patches. In the future, I need to pick up the pace. That means I may throw some of you under the bus, changing the MS-DEFCON level with some possible problems intact, and for that I apologize. Given the expected upswing in Windows-targeted malware, though, there doesn’t seem to be much choice.
That said, it’s now time to apply the May 2017 updates. Here’s what I recommend:
Windows 10
It’s still too early to jump to Win10 Creators Update, version 1703. Wait for it to be designated “Current Branch for Business.” You can block the upgrade with a few simple steps, detailed in this InfoWorld post.
Go ahead and run the steps in AKB 2000005: How to update Windows 10 – safely. You may want to use wushowhide to hide any driver updates. All of the other updates should be OK, including Servicing stack updates, Office, MSRT, or .Net updates (go ahead and use the Monthly Rollup if it’s offered).
Windows 7 and 8.1
If you’re running Windows 7 or 8.1 on a PC made in the past 18 months, check to see if installing this month’s Windows patches will completely block Windows Update. See AKB 2000006: Check to see if Microsoft is blocking Windows Update on your new computer. In particular, if you try to run updates and get an “Unsupported hardware” notification (screenshot), Microsoft won’t willingly let you update your machine. See the AKB 2000006 article for a workaround.
If you absolutely must avoid Microsoft snooping at all costs, go ahead with the instructions in AKB 2000003: Ongoing list of “Group B” monthly updates for Win7 and 8.1, but realize that thar be tygers here. Be particularly sure to install the March Security-Only update; that’s the one with the patches to the SMBv1 driver that’ll block WannaCry and its ilk.
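One way to confirm the point above on a Group B machine, as an added example that is not from this post or from Microsoft: a small PowerShell audit that reports whether a given Security-Only KB is installed and whether SMBv1 is actually switched off. The KB number is a placeholder (the post names the March Security-Only update but not its KB id), and the registry locations used are Microsoft's documented SMBv1 switches (the SMB1 value under LanmanServer\Parameters and the Start value of the mrxsmb10 client driver).

```powershell
# Added example (not from the AskWoody post): audit whether the SMBv1-related
# Security-Only fix is present and whether SMBv1 itself is disabled.
# Run in an elevated PowerShell prompt on Windows 7 / 8.1; syntax kept
# PowerShell 2.0-compatible because Win7 ships with 2.0.
# $RequiredKB is a PLACEHOLDER: replace it with the KB id of the March 2017
# Security-Only update for your Windows version (the post does not list it).

function Get-Smb1PatchStatus {
    param(
        [string]$RequiredKB = 'KB0000000'   # placeholder, see note above
    )

    # 1. Is the required update among the installed hotfixes?
    #    Get-HotFix reads Win32_QuickFixEngineering, where both Monthly Rollups
    #    and Security-Only updates show up by KB id.
    $installedKBs = Get-HotFix | ForEach-Object { $_.HotFixID }
    $fixInstalled = $installedKBs -contains $RequiredKB

    # 2. Is the SMBv1 *server* disabled?  Microsoft's documented switch is the
    #    SMB1 DWORD under LanmanServer\Parameters: 0 = disabled.  When the value
    #    is absent SMBv1 is ENABLED (the default), so "missing" must count as on.
    $srvKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $srvProp = Get-ItemProperty -Path $srvKey -Name SMB1 -ErrorAction SilentlyContinue
    if ($srvProp -eq $null) { $serverSmb1Enabled = $true }
    else                    { $serverSmb1Enabled = ($srvProp.SMB1 -ne 0) }

    # 3. Is the SMBv1 *client* driver (mrxsmb10) disabled?  Start = 4 means disabled.
    #    Get-Service does not list kernel drivers, so read the service key directly.
    $cliKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
    $cliProp = Get-ItemProperty -Path $cliKey -Name Start -ErrorAction SilentlyContinue
    if ($cliProp -eq $null) { $clientSmb1Enabled = $false }   # driver not installed at all
    else                    { $clientSmb1Enabled = ($cliProp.Start -ne 4) }

    # The patch closes the hole; disabling the SMBv1 server removes the listening
    # surface altogether.  Flag the machine if either is missing.
    New-Object PSObject -Property @{
        RequiredKB        = $RequiredKB
        FixInstalled      = $fixInstalled
        ServerSmb1Enabled = $serverSmb1Enabled
        ClientSmb1Enabled = $clientSmb1Enabled
        NeedsAttention    = ((-not $fixInstalled) -or $serverSmb1Enabled)
    }
}

Get-Smb1PatchStatus | Format-List
```

On a Group A machine the specific March KB will often not be listed, because a later Monthly Rollup is cumulative and supersedes it; there, check for the latest rollup's KB instead and rely on the two SMBv1 registry checks, which are independent of which patch stream you follow.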
For most Windows 7 and 8.1 users, I recommend following AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups. Watch out for driver updates — you’re far better off getting them from the manufacturer’s web site.
After you’ve installed the latest Monthly Rollup, if you’re intent on minimizing Microsoft’s snooping, run through the steps in AKB 2000007: Turning off the worst Win7 and 8.1 snooping. Realize that we don’t know what information Microsoft collects on Win7 and 8.1 machines.
Good luck patching. Keep your eyes peeled for bugs — and be sure to update when next month rolls around.