With Patch Tuesday imminent, make sure you have Automatic Update turned off. You have to patch sooner or later, but there’s no reason to expose your m
[See the full post at: MS-DEFCON 2: Time to make sure you turned off Automatic Update]
|
Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it. |
-
MS-DEFCON 2: Time to make sure you turned off Automatic Update
- This topic has 59 replies, 19 voices, and was last updated 7 years, 8 months ago.
AuthorViewing 20 reply threadsAuthor-
Sometimes it takes more than a week for all the reports to come out.
Woody has implemented the MS-DEFCON method. There is a button at the top of website that leads to a more detailed description. But basically, when the number is 1-2, it means to hold off on patching because there are problems. When the number is 3-5, patching is safe and Woody will publish instructions with any caveats.
Because of the problems with patches in June, the HOLD time was almost a month, and all the problems have still not been resolved to date.
-
-
Turning off automatic updates will prevent the emergency patches from being installed. These patches have been what prevented the NotPetya Ransomware Wiper and WannaCry Ransomware attacks in the past few months.
OK. I’ll take the bait. 🙂
The WannaCry attack occurred six weeks after Microsoft released MS17-010, the patch that plugged the EternalBlue NSA holes.
NotPetya (I call it PetyaWrap) appeared a month later. The patches in MS17-010 are only effective against one of the infection vectors for PetyaWrap. Microsoft hasn’t released a fix for Windows that will block all machines from PetyaWrap infections. That’s why I (and many others) recommend that you disable SMBv1.
I don’t claim to be a cybersecurity professional (I’m not even sure what that is), but I’ve been helping Windows customers with problems for 25 years now – and invented the MS-DEFCON system for deferring Windows patches back in the XP era. I know more than a few people in the malware fighting biz. I don’t know of any of them who turn on Automatic Update.
That said, I appreciate the pushback! Keeps me honest.
-
As a cyber security professional…
Thank you for sharing your thoughts.
As a professional software engineer with 41 years experience, I feel that if you believe malware infections are a certainty without immediately-applied patches then you aren’t embracing the entire reality of how high tech things work.
We have entered the time of Microsoft treating customers as testers of work that may not be quite right, and which has not been tested by an internal testing organization.
It’s all about weighing risk against benefit.
There is risk – and it’s not large if you’re conscientious – that malware will wreck your data.
But there is ALSO risk – and it’s seen time and again lately with patches that claim to fix a vulnerability but also break functionality – that Microsoft will bork your system. Maybe it’ll break something you need, and maybe it won’t. But pretty much every patch Tuesday comes with something being broken for someone.
Woody and many others are here to offer advice to help to minimize BOTH of these risks.
Please, by all means, join up and let’s talk about this further. We love to discuss these things.
-Noel
-
And just make regular full disk image backups and keep them offline. That should solve both problems! 🙂
Windows 10 Pro 22H2
1 user thanked author for this post.
-
Umm, WannaCry was blocked by some antimalware applications (I know of Bitdefender Endpoint Security Tools [BEST] because we use it) before MS released their patch protecting Windows against it.
The notion that you have to update the day a patch hits to stay secure is asinine; there are more variable at play here, and I would think that a self-proclaimed “cyber security professional” would already know that.
-
Yup, just run HitmanPro.Alert and you should be covered from most exploits and malicious cryptoware!
This is the key technology now used in Sophos Intercept X for protecting enterprise endpoints.
Windows 10 Pro 22H2
Cyber Security Professional!
Your ill-informed rant betrays the depth of your ignorance.
Any new to The Lounge please ignore this childish foolishness.
I always follow Woody and The Crew’s expert advice.
It has saved my computer so many times.Thanks again guys and gals – in you we trust!
sainty??⛵️??
1 user thanked author for this post.
-
-
but for the poor WX Home user, it’s not much help…
-
-
-
How many people go to sites like this and say they have no issues ? I have not had 1 issue with a patch under Windows 10 since original release. Would love to see had data on how many have issues vs don’t besides on scare sites like this.
Many of us here report when we have no problems. It’s one of the beautiful things about information sharing via the Internet – we can learn from others’ experiences.
I haven’t had a problem personally with an update in quite a long time.
Nor have I ever had a malware infection, yet I have been waiting until the dust settles on new operating system patches, sometimes for months at a time, since well before there even was a Microsoft. It’s only common sense.
I’ll ask, in counter to your question: How many updates have been re-issued with fixes to the fixes after Microsoft hears back en masse from folks who installed the patches immediately then had problems?
-Noel
-
Alas, the only people who know – certain individuals at Microsoft – don’t tell us how many people are affected by any single buggy patch.
But there are lots and lots of buggy patches.
I would submit – based on experience, and no hard numbers – that the threat from delaying Windows and Office updates by a few weeks is much less than the threat of installing all patches as soon as they’re released.
As for being a “scare site” I would only note that sometimes the truth is scary. I try diligently to report what people are seeing, factually, and warn folks who may encounter similar problems. On those occasions when I overstate a problem – and it happens more frequently than I would like – I immediately correct the error. But I’m not going to pull any punches.
-
-
Check out the relevant Disable Automatic Updates topics for your WinOS version in the AskWoody Knowledge Base
1 user thanked author for this post.
-
I don’t believe that stat is applicable to many of the readers here at AskWoody.com, but in general, you may have a point (with the exception of borked updates, of course) 🙂
-
-
Okay folks, the July critical updates to Adobe Flash Player for all browsers have now gone live (please excuse the earlier SNAFU).
Here are the direct download links for version 26.0.0.137 (as well as the uninstaller); right-click on a link and select “Save Link As…”:
Flash Player for Firefox 26.0.0.137 – NPAPI | 19.6 MB
Flash Player for Internet Explorer 26.0.0.137 – ActiveX | 19.1 MB
Flash Player for Opera and Chromium-based browsers 26.0.0.137 – PPAPI | 19.6 MB
For a clean installation, existing versions must first be uninstalled: Adobe Flash Player Uninstaller 26.0.0.137 | 1.22 MB
(Adobe Flash Player for IE and Edge in Win 8, 8.1 and 10 will be available through Windows Update sometime after 10 AM (PT) Tuesday, 11 July 2017.)
3 users thanked author for this post.
-
-
Perhaps the advice is fine, but should just be tempered with a warning:
If you do a full install, BEWARE that the software will offer to install extra stuff that you may not want. You may have to opt out by clearing checkboxes.
Trying to keep people from stumbling on the bad things on the internet is a noble idea, but assuming they’re always too reckless (or too stupid to learn how) to avoid them is a bit insulting.
When it matters, people can be surprisingly careful and get surprisingly good at navigating pitfalls.
I always like to think about such things like this:
Just look at the many folks who manage to drive their cars from point A to point B every day without any problems. Sure, there are occasional accidents, but they’re QUITE RARE by comparison to the number who get it right. Why? Because their lives depend on it, they’re informed, and they’re trained.
Let’s try to teach ’em that responsible, conscientious computing matters and how to get it right, rather than trying to insulate them from doing any thinking.
-Noel
-
Well, so much for the reply that I [thought I] had posted at zero-dark thirty (US PT); in any case, it is just as well as additional comments have since appeared.
People, what were posted are official enterprise download links from Adobe Systems, Inc., and the executables supplied are all “clean” (that is, devoid of any cr*pware).
Every link I post has been checked (at a minimum) through URL Void, Norton SafeWeb and ScanURL. Additionally, if a download is involved, then it is checked through VirusTotal utilizing PEStudio.
Finally, should there be any question whatsoever about safety or reliability, then the link in question is simply not posted.
How much more dubious these offers can be?
By clicking Install, an .exe is offered.
Please be aware!
2 users thanked author for this post.
-
That’s actually malware, right? Not a legitimate flash player update?
Can’t say I’ve personally seen that particular panel. As I recall, the legitimate Flash installer only offers to install Google Chrome or a toolbar or something at its worst, and some checkboxes may need to be cleared to opt out.
-Noel
-
Agreed with Noel, I have never seen anything like that, and I would be suspicious about that; Flash updates which are offered to me (on the “inform me” option) have always, including the most recent occasions, offered pre-ticked check-boxes to install Google Chrome (with a pre-ticked option “make Chrome my default browser”) and to install a toolbar in IE. Nowadays I do remember to watch for those three check-boxes and to untick all of them. But I have never seen anything like these samples.
1 user thanked author for this post.
-
I’ve seen ones very much like this, but with Firefox instead of Flash. They appeared to have copied the actual FF page pretty closely, then set a trap for anyone who has a FF UA string to happen by. I bet it ensnares quite a few people who are trying to do what they’re supposed to.
I read an anecdote on The Reg that illustrates the difficulty that IT-savvy people (whether IT workers or not, though The Reg caters to those who are) have in trying to get regular users to develop their sense of smell to be able to “smell a rat.” The IT department sent around a message that was a deliberate example of a phishing scam email, explicitly telling people DO NOT REPLY TO A MESSAGE THAT LOOKS LIKE THIS.
Several workers emailed their passwords, just as the text in the email said to do.
Regular people cannot (easily) and do not want to understand security. Their eyes glaze over when you try to tell them what not to do; you might as well be talking to a basketball. Any kind of warning prompt might as well say, “Something has happened, and now you need to hit allow/continue/accept/yes to continue whatever it is you were doing.” It’s true that behavior is the most important thing in combating malware threats, but when the people who use the computers you manage REFUSE to learn the correct behavior, and you lack the power to fire them, then what?
I feel for the IT guys who have to clean up the mess and take the blame for “allowing” things to happen. IT guys get the short end no matter what… if something bad happens that they heroically and rapidly fix, they are blamed for letting it happen. If nothing bad happens because their preventative measures work, they’re dismissed as unnecessary and a waste of money, since nothing ever happens anyway.
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)
-
-
-
1 user thanked author for this post.
-
-
I hope the IE browser crashing thing gets fixed. It crashes about every 15 minutes, and crashes immediately on askwoody’s site.
I suspect you have a specific problem; I’m not aware of any “IE browser crashing thing”, and it’s the only browser I use.
3rd party Add-ons are usually the reason Internet Explorer gets a bad rap.
My suggestion: Click the gear icon, choose “Manage Add-ons”, and disable any you don’t KNOW that you need (that may be all of them). Then close all instances of Internet Explorer and reopen it. I’ll bet it stops crashing for you.
You can always re-enable ones you discover you do need – if any. There’s no requirement to run ANY Add-ons in order for Internet Explorer to be a proper browser. IMO, the fewer the better!
-Noel
AKB2000003 has been updated 7/11/2017 – July Group B Security Only Quality Updates and IE11 Cumulative Updates
1 user thanked author for this post.
-
-
Except the advice isn’t not to install the updates at all, it is to wait and see if there are any problems with the updates that you should be aware of, so that when you do install the updates (since they will be eventually installed) you are prepared in advance to deal with those problems if you end up being affected by them. It is better to be careful and cautious and prepared in advance than to rush in and possibly have to spend more time trying to deal with a problem that you have no idea why it is happening. Yes, plenty of people have no problems after updates, but plenty of people do have them, so it makes sense to be prepared for the worst case scenario. Please keep in mind that, in general, people frequenting this site, if they weren’t initially tech-savvy, are here to learn more about the current state of technology and how to deal with both the good and the bad of it.
4 users thanked author for this post.
-
-
We take security very seriously in these parts. Just a quick look should remove any doubt of that:
https://www.askwoody.com/forums/topic-tag/ms17-010/
https://www.askwoody.com/forums/topic-tag/wannacry/
https://www.askwoody.com/forums/topic-tag/wannacrypt/
https://www.askwoody.com/forums/topic-tag/vulnerability/
https://www.askwoody.com/forums/topic-tag/ransomware/PS Forgot to link Code Red – security advisories!
-
deferring Windows patches back in the XP era
Switching off auto-update, or at least wait for quite a time [before installing them/servicepacks] …. those were the days: even in the very early Windows 3 time this was a rule of thumb!!
Thanks Woody, keep up the goodwork please 😀* _ ... _ *1 user thanked author for this post.
Viewing 20 reply threads
Plus Membership
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
Get Plus!
Recent Topics
-
Missing api-ms-win-core-libraryloader-11-2-1.dll (Awaiting moderation)
by 17 minutes ago
-
How Much Daylight have YOU Saved?
by 2 hours, 36 minutes ago
-
A brief history of Windows Settings
by 2 hours, 20 minutes ago
-
Thunderbolt is not just for monitors
by 1 hour, 55 minutes ago
-
Password Generators — Your first line of defense
by 1 hour, 42 minutes ago
-
AskWoody at the computer museum
by 52 minutes ago
-
Planning for the unexpected
by 56 minutes ago
-
Which printer type is the better one to buy?
by 11 hours, 51 minutes ago
-
Upgrading the web server
by 2 hours, 8 minutes ago
-
New Windows 11 24H2 Setup – Initial Win Update prevention settings?
by 17 hours, 22 minutes ago
-
Creating a Google account
by 16 hours, 8 minutes ago
-
Undocumented “backdoor” found in Bluetooth chip used by a billion devices
by 22 hours, 32 minutes ago
-
Microsoft Considering AI Models to Replace OpenAI’s in Copilot
by 1 day, 9 hours ago
-
AI *emergent misalignment*
by 1 day, 10 hours ago
-
Windows 11 Disk Encryption/ Bitlocker/ Recovery Key
by 9 hours, 3 minutes ago
-
Trouble signing out and restarting
by 11 hours, 25 minutes ago
-
Windows 7 MSE Manual Updating
by 1 day, 19 hours ago
-
Problem running LMC 22 flash drive
by 18 hours, 1 minute ago
-
Outlook Email Problem
by 18 hours, 7 minutes ago
-
“Microsoft 365 Office All-in-One For Dummies, 3rd Edition FREE
by 1 day, 1 hour ago
-
Cant use Office 2013 – Getting error message about Office 2013
by 1 day, 18 hours ago
-
Nearly 1 million Windows devices targeted in advanced “malvertising” spree
by 1 day, 18 hours ago
-
Windows 11 Insider Preview build 27808 released to Canary
by 2 days, 19 hours ago
-
Windows 11 Insider Preview Build 22635.5025 (23H2) released to BETA
by 2 days, 19 hours ago
-
Sysprep issue
by 2 days, 19 hours ago
-
Android Security Bulletin—March 2025
by 2 days, 21 hours ago
-
23h2: PIN TO START randomly available on right-click
by 2 days, 21 hours ago
-
Microsoft Defender
by 3 days, 3 hours ago
-
New Laptop-Another ?
by 2 days, 21 hours ago
-
Global USB power controls
by 2 days, 8 hours ago
