Introduction

By Tracey Capen, editor in chief

Welcome to the new incarnation of the Windows Secrets Newsletter. It might have a new name and home, but to long-time subscribers it should be as familiar and comfortable as a good pair of shoes.

After years of management by the two previous owners (iNet Interactive and Penton), the newsletter has returned to its roots. It lives on, thanks mostly to the efforts of AskWoody.com's Woody Leonhard, who saw the value of the publication where previous owners couldn't. Put bluntly, if Woody had not stepped up to the plate, Windows Secrets would cease to exist.

Fortunately, Woody is not working alone on this project. The original cast of creators — Brian Livingston, Fred Langa, and Susan Bradley — have signed on to help return the newsletter to its original goal: helping PC users get the most out of their computing experience. The original motto is still apt and still applies: "Everything Microsoft forgot to mention."

I joined Windows Secrets back in 2010 as editor of the newsletter and held that position for nearly seven years, stepping down at the end of 2016. Then, late last year, when Woody asked if I'd be willing to help keep the newsletter afloat, I was happy to join the fun. (My occupation the past two years has been managing my 67-acre commercial tree farm. But watching trees grow is akin to watching paint dry.)

We hope you will continue to support the newsletter under its new name, AskWoody Plus. Our commitment is to provide readers important technical news and information — including tips and advice that transcend Windows. We also promise to respond to the needs and queries of our subscribers, to the extent our small staff (in number, not stature) permits. But ultimately this is your newsletter, and your input is critical to make it relevant and useful. We want to hear from you!

Please note that this will be a complex transition. We're not simply moving databases from one server to another. We are effectively rebuilding the entire newsletter infrastructure, and doing it in a remarkably short time. There will be gremlins in the system for the first few weeks. We ask for your patience.

Currently, we are working to return the newsletter to its acclaimed roots. We'll start by publishing the full newsletter to paid subscribers (both AskWoody and Windows Secrets) once a week on Monday mornings. But we will also send out shorter news alerts during the week, on no set schedule. And we are returning to a more flexible payment system: donate what you think the newsletter is worth — or what you can afford. Once we have the publishing system on firm ground, we will again publish an abbreviated free edition.

Most important, we are working with a different email-distribution vendor (Mailchimp), so you'll want to ensure that the newsletter is listed on your email system's "safe senders" list. Equally important, we ask that you do not forward the newsletter to others. Doing so sets us up for spam complaints, and we hate spam just as much as you do. If you know somebody who'd be interested in this type of coverage, encourage them to sign up for an AskWoody Plus Memberhip.

The transition from Windows Secrets to AskWoody Plus subscriptions will mean a few changes for both AskWoody.com and Windows Secrets members — and that some things will remain the same.

To start, if you're a Windows Secrets paid subscriber, your renewal date remains unchanged. You're automatically enrolled as an AskWoody Plus member, and you'll start receiving the new newsletter in your email on Monday mornings. In addition, you'll receive email-based breaking AskWoody Plus Alerts. When your current subscription runs out, we hope you'll continue to support the newsletter and the AskWoody site by renewing your AskWoody Plus account. We'll also honor lifetime Windows Secrets subscriptions.

Note, however, that if you're currently set up for automatic renewal with Windows Secrets, you'll have to renew with AskWoody Plus manually. Any payment information you have on file with Windows Secrets won't make the transition to AskWoody. We don't store any credit card information on the AskWoody site. I know that might annoy some subscribers, but your privacy and security are our number-one concern.

Last year's donors to AskWoody.com qualify for a free year of AskWoody Plus Membership, with our thanks. Simply apply for Plus Membership and during checkout use the PATRON coupon code. If we have any questions, we'll send you an email.

To learn more about the Plus Membership benefits you've inherited automatically and for free, as either a Windows Secrets subscriber or AskWoody donor, please visit our Plus Membership signup page. Use the checkout coupon WSN, and you'll get a free extension of your newsletter subscription — just for joining the AskWoody Lounge. If you're already a Lounger, you can use the WSN coupon, too.

If you're not registered on AskWoody.com (the AskWoody Lounge forum, which is currently a separate membership from the AskWoody Plus newsletter), you can still look at everything on the site and post questions, too. But as a registered member, you'll get better and faster results — and it's free!

Thanks again for your patience during the transition. If you have problems receiving the newsletter, send us an email at editor@askwoody.com. And for subscription issues, shoot us an email at customersupport@askwoody.com. We've got your back.

From all of us at AskWoody.com, many thanks for your past and future support.

— Tracey Capen, editor in chief

Tracey Capen has had a love/hate relationship with personal computing (and technology in general) since the days of Commodore 64s, CP/M, and DOS. He was a managing editor at InfoWorld, executive editor at PCWorld, and editor in chief of Windows Secrets. He's also worked as a boat builder, carpenter, SCUBA instructor, photographer, and numerous other odd gigs. He lives on Winter Creek Farm, on Washington State's fabulous Olympic Peninsula.

Join AskWoody Plus Today! Help support fiercely independent technology journalism. A one-year subscription gives you full access to the AskWoody.com forum, breaking news alerts, and weekly newsletters featuring acclaimed columns such as LangaList, Patch Watch, and Woody's Windows Watch. Donations from Plus members keep this site going. Already an AskWoody Plus member? Thanks, and feel free to encourage others to support the site with a paid subscription. To Join AskWoody Plus, simply click over to our AskWoody Plus Signup.

Woody's Windows Watch

By Woody Leonhard

Although there's been no official announcement, it's pretty obvious that Microsoft is working on a new, rented version of Windows, code-named Microsoft 365 Consumer.

Before you start throwing brickbats — I know that's your immediate reaction — there may be some redeeming social value.

You've probably read that, sometime in the future, you'll be required to pay a monthly subscription for Windows. That's hogwash. Don't worry: Microsoft will continue to sell full copies of Windows to consumers, primarily on new PCs (for as long as there are new PCs).

What actually seems to be coming down the pike is something akin to the transition from bought-and-paid-for Office (so-called "perpetual" Office) to the rented Office 365. As many of you have discovered, if Microsoft can find a decent price point, perhaps in conjunction with some worthwhile extras such as free cloud storage, it can make sense to rent Office. Office 365 Home, for example (more info), is a good deal at U.S $99.99 per year for up to six family users — and it's frequently available at a discount.

It could happen to Windows, too. Ya never know.

Mary Jo Foley was first to piece together the tea leaves (ZDNet article), based on a "Help Wanted" ad from Microsoft. She came up with a plausible description for Microsoft's next version of Windows.

"If I were betting on what Microsoft 365 Consumer might include, I'd think some variant of Windows 10, Office 365 Home, Skype, Cortana, Bing, Outlook Mobile, Microsoft To-Do; and maybe MSN apps and services could figure into the picture."

At first that sounds like an ill-conceived grab bag of randomly chosen products. But if you squint really hard, it's possible to come up with a combination that may actually make sense for some folks — a combination that's worth paying for.

Don't get me wrong. When you buy a new computer, it should always come with an operating system that lets you use the machine in a reasonable, secure, straightforward way. (You can decide for yourself if Windows 10 fits that description.) But if Microsoft is willing to toss in some truly useful extra features — and I'm not talking about 3D drawing, Edge, or Candy Crush Soda here — a subscription-based Windows isn't out of the picture.

It will all come down to what's in the bundle and at what price. That said, dropping a subscription to Office isn't a big deal — there are plenty of alternatives. Dropping a subscription to your OS is another whole kettle of fleas.

I could write a book — several!

These days, most consumer PCs, even those beefy gaming systems with inflated price tags, ship with Windows 10 Home. If you want advanced features such as Hyper-V virtual machines; Domain Join, for attaching to corporate networks; and BitLocker, to encrypt your hard drives; you need to pay an extra hundred bucks for Win10 Pro. And if those tools aren't on your shopping list, there are features not included in Home that you may be willing to pay for.

(By the way, to see if you're running Home or Pro, type "winver" into the Cortana search box and click on the winver run command.)

First is the Group Policy Editor (aka gpedit), which makes some complex customizations relatively easy. Although many of the gpedit settings can be implemented manually by editing the registry, gpedit takes a lot of the grunt work out of a potentially error-prone process. Notably, many of the current gpedit settings don't work in Home. They'd have to work in Microsoft 365 Consumer.

Second, and much more important, is the ability to delay updates and upgrades. Win10 Home is by design a cannon-fodder version. Microsoft makes no bones that it'll force patches and even version upgrades on Win10 Home machines. There are ways to take some control over the process yourself (I'm partial to the metered-connection kludge, more info), but those methods rely on undocumented behaviors and Microsoft's sense of fair play, which has come under a lot of fire lately.

Given Microsoft's recent track record of two botched upgrades in 2018 and dozens of computer-crushing patches, protecting yourself from the company's first volleys of attacks — er, fixes — should be a top priority.

As you probably do, I think it's unconscionable that Microsoft forces patches on machines without your consent. But such is the world we live in. If I could spend an extra five bucks a month to reliably keep the Microsoft malware monkey off my back, I'd do it.

Microsoft had a precedent in Office 365. You probably don't remember, but the company first tried to rent Office XP in Australia, back in 2001 (InfoWorld article). "Office as a service," as it was then called, was an abject failure. Over time, though, it got better — first with Office Business Productivity Online Services (BPOS) in 2008 and then with Office 365 in 2011.

At first, Office 365 struggled to keep up with the features in the "perpetual" (for-purchase) releases of Office. But eventually the tortoise outpaced the hare. Now, many new features appear in Office 365 before they're brought into the perpetual version. Even with the recently released Office 2019 (perpetual), the 365 tortoise has clearly taken the lead. In short, if you want all of the features offered in Office, you need the subscription-based 365. Looked at in a glass-half-empty way, Office 2019 is still very much a subset of Office 365.

What's remarkable isn't so much the feature disparity as the way the features are being delivered. While Windows 10 limps along with massive buggy-version updates every six months — with an often dubious list of new features (Timeline, Mixed Reality, Your Phone, anything to do with Edge or Cortana) — Office 365 has been delivering relatively smooth and almost continuous improvements. You may not want or need the new Office features, but they're rolling out with few hiccups and only occasional bits of drama.

Perhaps Microsoft can pull off the same graceful transitions, replacing the current semi-annual, drop-dead dumps of new versions with feature updates rolled out when they are, you know, ready.

Don't be too quick to condemn the concept. If Microsoft can offer just those two key benefits — gpedit and deferred updates — along with a smooth upgrade cycle instead of the six-month dumps, and deliver it all at a reasonable price, yeah, I'd take a look.

What about you?

Eponymous factotum Woody Leonhard writes lots of books about Windows and Office, creates the Woody on Windows columns for Computerworld, and raises copious red flags in sporadic AskWoody Plus Alerts.

LangaList

By Fred Langa

Welcome to the return of Windows Secrets' LangaList column, now proudly associated with Woody Leonhard's AskWoody.com.

It's great to be back! As with the previous iterations of this column — in Windows Secrets, the original stand-alone LangaList, and elsewhere — I'll do my level best to provide a useful and interesting mix of answers to your real-world tech questions. But I'll also include original research and reporting, along with complete, no-step-skipped how-tos.

Microsoft Windows and PCs are the obvious main topics, but the tech world is much wider than it once was, so there's plenty more to talk about, too: smartphones, tablets, Android, Linux, Chrome OS, the Internet of Things (IoT), and so on. Tons of interesting tech topics!

If you'd like to ask a question or suggest a topic, I'd love to hear from you! Feel free to send emails to fred@askwoody.com. You'll also find me lurking in the AskWoody Lounge. But the best way to ensure I see your question ASAP is via the above email address.

Now, to get things started — or restarted — here are some reader questions recently sent in.

An anonymous reader asks:

• "Do Windows 10 Activation Keys need to be used immediately?"

Nope! The keys are good for life, but only with the Windows 10 version they're intended for — e.g., Home, Pro, etc.

Moreover, here's something not well known: You don't have to use the keys — ever! If you wish, you can run Windows unactivated for an indefinite period! The core of Windows works just fine without activation.

That means there's no rush to activate, and you shouldn't feel pressured to do so. It's completely legitimate to install and test a new, unactivated Windows setup for as long as you need to — even weeks or months. It's your call!

The guts of Windows — the essential core functions — are the same whether the OS is activated or not. An unactivated installation of Win10 is by no means "crippled," but, yes, some higher-level functions are limited or absent.

For example, unactivated Windows will accept critical updates, but it won't download lower-priority optional or recommended updates. It also won't accept general feature enhancements or some Microsoft downloads, services, and apps that are normally included with an activated setup. And, of course, you'll get some nag screens at various places in the OS.

Those limitations typically don't matter for most test drives — even extended ones. Again, the essential core of the OS works just the same, whether it's activated or not. You can, for example, use an unactivated test setup to troubleshoot problems and get everything working as you like — before activating and locking in the license.

That said, eventually you'll want to activate your copy of Windows 10. You paid for a valid activation key, so you might as well use it and get full value from your purchase, right?

Besides, if you keep an unactivated Windows running long enough, you'll eventually start to feel the impact of the missing noncritical updates and enhancements. Windows currently gets two major refreshes each year, one in the spring and another in the fall. By the time the next major refresh rolls around, your unactivated Windows will begin to be seriously outdated.

In short, if you want to hold off activating a new setup for a while — even for weeks or months — feel free. Nothing horrible will happen!

Reader Dave Warner encountered massive trouble with a half-terabyte hard drive. He writes:

• "Can you explain what is going on here?

  "A brief history: A PC with a 500GB drive, originally loaded with Win8.0, was upgraded to Win10. All went OK for a while, until a family member turned it on one day and discovered that it would not boot properly. It went into a lame circular attempt at diagnosis and recovery — with no resolution.

  "I applied Steve Gibson's SpinRite 6, set to Level 2. The app choked, displaying the dire message: 'INVALID PARTITION FOR DRIVE SIZE! The Partition exceeds size of drive as defined by system's BIOS or BIOS Extension. Do not use SpinRite until you have corrected the disparity between the drive and BIOS' understanding of the drive size!'

  "OK …. So I then whipped out GParted to get a glimpse into the drive. Before GParted booted, a non-message message appeared: 'Invalid Offset' — then GParted loaded and appeared to show that the total of the several partitions was a tad greater than 500GB.

  "At this point the needed diagnostic abilities far exceeded my pay grade. Bottom line: I can't find a lucid explanation for what these messages mean. Do they indicate the HDD is either toast or possibly repairable?

  "Can you please interpret this problem?"

Wow! If low-level tools like SpinRite and GParted have trouble with a drive, you know something's seriously wrong. But is it a mechanical problem or a logical "soft" error?

When I've run across "invalid offset' drive errors on newer systems, it's usually due to some kind of errant, low-level drive operation — e.g., moving, resizing, or image-restoring a partition. However, I've also seen it after major Windows updates/upgrades, when the OS diddles with the normally hidden system and/or recovery partitions. Typically, these "soft" problems are serious and may require repartitioning or reformatting to restore the drive's proper operation. Fortunately, the drive itself is usually unharmed and may be used normally after the soft repair.

In Dave's case, the PC originally came with Win8, so it's not a "newer" system anymore. Win8 is over six years old and, notably, that's more or less the average lifespan for a consumer-grade hard drive. It wouldn't be at all strange for a six-year-old drive to start hiccupping.

Plus, Dave said the problem happened out of the blue, without obvious cause, and at boot time. Boot time is when PCs look to the UEFI (more info) data stored on the hard drive (stuff that used to be in the firmware BIOS). A drive hiccup — a mechanically botched operation — at the wrong moment during booting might result in the operating system not being able to figure out the drive geometry or layout. The data is offset from where the OS expects it to be.

So, what to do?

If you have backups, and if the drive is around six years old or more, I'd be inclined to replace it with a new one. For that matter, because the whole PC is now getting up there in age, other parts might wear out in the foreseeable future. So this would be a good time to start thinking about replacing the entire machine.

Whether it's a new drive or a new PC, you'll use your backups to restore your files and setup.

On the other hand, if you don't have backups, and you need the data on the malfunctioning drive, you're in for some labor and/or expense.

You said GParted could somewhat access the disk, so perhaps a full, normal, live or portable Linux distro can access the drive as well. If you boot the PC from a Linux-based DVD or USB drive, you might then be able to copy files from the damaged hard drive to a known-good drive, to the cloud, to DVD, or to some other storage device.

If neither GParted nor a full live Linux distro can do it, you might as well try other portable and self-contained hard drive repair tools to see if any can help. There are many examples, as shown in a quick Google search.

But note: Don't let any tool actually make changes to the drive, except as an absolute last resort! Once you start making changes to a damaged drive, the odds of further successful data recovery go down.

If you don't have backups and if the do-it-yourself approach doesn't cut it (but you really need the data on the drive), your final and best bet is to farm out the job to data-recovery pros. Just be prepared to seriously lighten your wallet!

But with luck, one of the simpler, less-spendy options — like using a live Linux distro to access and copy the important files — will do the trick!

Some readers, like Dave (above), include their names in the questions they send in. Others prefer anonymity. Either way is fine with me, such as with this anonymously submitted question:

• "Do you prefer OpenOffice or LibreOffice?"

Of the two, I currently prefer LibreOffice. Here's why.

Both suites are quite similar; they're open-source, completely free, and generally compatible with Microsoft Office. They both include a word processor, spreadsheet, database, presentation tool, and more. The similarities aren't merely cosmetic: as open-source projects, they both trace their roots to the same original codebase (more info).

But LibreOffice appears to have a smoother development cycle. Its updates are released on a reliable schedule — a confidence-booster for users who depend on their software being up to date. In fact, a major new release of LibreOffice (6.2.0) is due out soon, reportedly at the end of January 2019.

As of early January 2019, two versions of LibreOffice are available: Version 6.0.7 is recommended for large installations and enterprise-class setups, and Version 6.1.4 is recommended for personal/SOHO-type setups. Each is available as a free download.

In contrast, updates for OpenOffice have appeared slowly and irregularly — at one point, it even looked as if the suite were going away for good. But OpenOffice was just updated to version 4.1.6 in November 2018, so the current code is quite fresh. You can download it for free, too.

Everyone has their own personal preferences. Because both OpenOffice and LibreOffice are 100 percent free and compatible, you can try 'em both! Then decide which suite works best for you.

Fred Langa has been writing about tech — and specifically about personal computing — for as long as there have been PCs. And he is one of the founding meembers of the original Windows Secrets newsletter. Check out Langa.com for all Fred's current projects.

Patch Watch

By Susan Bradley

It would appear that not all versions of Windows 10 are created equally.

The upgrade to Version 1803 — aka Spring Creators Update — was broken at the gate, and it’s had various problems ever since.

4480966

It’s always a bit puzzling when one Windows 10 version gets a fix for something that other versions don’t have. For example, the January updates include a bug that impacts only Release 1803 — no other version is affected.

The bug is in Windows’ Dynamic Host Configuration Protocol (DHCP, more info) subsystem, which is how your computer manages its networking IP address. Fortunately for many AskWoody readers, the flaw appears to be less of a risk in home settings than in enterprise environments.

Again, it’s interesting (or confusing) as to which configurations are impacted and which are not. For example, the defect shows up on systems running Windows Server Core Mode Version 1803 (typically a datacenter edition). On the other hand, Windows Server 2016 is built on Version 1609, and Windows Server 2019 is built on Version 1809 — so neither is affected by the bug.

Bottom line: Only firms running editions of Version 1803 need to quickly test and deploy KB 4480966. Be aware of a side effect, however, the patch’s documentation notes that third-party apps might have difficulty authenticating hotspots after you’ve installed this update. It goes on to state that Microsoft is working on a more permanent solution that should be available in mid-January.

What to do: If you are running editions of Win10 1803 in a business, you’ll want to fast-track testing and installing KB4480966.

4480979

Windows 8.1 and 10 users should expect to see KB 4480979 — a rare Flash Player update that includes no security fixes, according to the related security advisory. So feel free to install the update whenever you like.

Win7 machines that have Flash Player installed will also see a non-security patch — Version 32.0.0.114. As noted in the Adobe bulletin, the patch includes only feature and performance fixes.

What to do: On Win7 machines, check that your copy of Flash Player is up to date, and install Version 32.0.0.114 if you don’t already have it.

Microsoft has a lot to do to make Windows 10 rock-solid. Here are the specific updates for editions of Win10 and a summary of the more worrisome and lingering issues.

• KB 4464619 for Windows 10 1809 and Server 2019
• KB 4480966 for Windows 10 1803
• KB 4480978 for Windows 10 1709
• KB 4480973 for Windows 10 1703 (end of life, see note below)
• KB 4480961 For Windows 10 1607 and Server 2016 (end of life, see note below)

If you’re still running Win10 Version 1703 Enterprise or Education, be sure to install the latest servicing-stack update, KB 4486458. It’s important for receiving future updates.

Note: If you’re running 1703 Home, Pro, or Pro for Workstation, you need to upgrade to a newer version of Win10. Microsoft ended security updates for most versions of 1703 this past October. Support for Home and Pro editions of Win10 1607 ended in April 2018.

All the latest Win10 updates have a networking bug — third-party apps may have difficulty authenticating network hotspots. There’s also a problem with Access 97 databases that have column names longer than 32 characters. A fix for that should be coming in February.

Another flaw affecting Versions 1803, 1709, 1703, and 1607 has been around for months. According to the bulletin for KB 4470809, “After you install the August Preview of Quality Rollup or September 11, 2018, .NET Framework update, instantiation [setting up an instance] of SqlConnection can throw an exception.” Microsoft has a couple of workarounds but is still working on a solution.

Other known problems with Version 1803: KB 4470809 may prevent users from pinning a Web link to the Start menu or the Taskbar. And, beginning with the November updates, if the Group Policy Minimum Password Length is configured with greater than 14 characters, the Windows Cluster Service may fail to start and display the error “2245 (NERR_PasswordTooShort).” The workaround is to set the domain default “Minimum Password Length” policy to fewer than or equal to 14 characters.

Win10 1803 isn’t the only version with lingering problems. Version 1607 has unresolved flaws that have hung around for many months. Problems that specifically impact Windows Server 1607 include:

• If you’re using System Center Virtual Machine Manager (SCVMM) to manage workloads, you might see infrastructure-management issues after a VMM refresh. The problem, according to Microsoft, is (and follow this carefully):

  “Windows Management Instrumentation (WMI) class around network port is being unregistered on Hyper-V hosts. As a workaround, run mofcomp for the scvmmswitchportsettings.mof, VMMDHCPSvr.mof, and other relevant SCVMM MOF Files. It’s recommended to upgrade thru the SCVMM 2016 Update Rollup 6 (UR6) to expedite the Host Refresh activities after running mofcomp command.”

• After updating Windows Server 2016, running an instant search in a Microsoft Outlook client fails and tosses out the error, “Outlook cannot perform the search.” The solution: Run sfc /scannow to repair missing or corrupted system files and then restart Outlook. Microsoft is still working on a fix.

• Finally, if you install KB 4467691 for Win10 1607 on some Lenovo laptops with fewer than 8 GB of RAM, the machine might not boot. Microsoft recommends restarting affected machines via the Unified Extensible Firmware Interface (UEFI). Disable Secure Boot and then restart.

  Note: If BitLocker is enabled on your machine, you might have to go through BitLocker recovery after Secure Boot is disabled. Reportedly, Microsoft is working with Lenovo to provide a fix. But, again, you really want to be on a newer version of Win10.

Given this sizable list of Windows 10 problems, I recommend pausing updates to ensure there are no additional side effects. To do so, you’ll need Windows 10 Pro, as I will detail in an upcoming article. (You can’t pause updates on Home versions.) Spoiler alert: You’ll need to go into Win10 Pro’s advanced updates settings and select the options to delay patches. (If you can’t wait a week for my article, check out a Laptop blog post.

What to do: Delay Win10 updates until most or all these problems are resolved. For a deep dive into security-updates issues, see the Microsoft Security Update Guide.

4480960, 4480965, 4480970

KB 4480960 is a January security-only update for Service Pack 1 versions of Windows 7 and Server 2012 R2. There are no new features in the patch. For AMD-based systems, it does include more robust protection from Speculative Store Bypass vulnerabilities (more info). According to the patch information, the protections against this threat are not turned on by default.

(Note: The full Win7 security rollup for January is KB 4480970.)

On Jan. 9, Woody Leonhard reported that both Win7 security patches could break peer-to-peer sharing between workstations. And according to a Martin Brinkman quote in that story, “The issue is triggered only if the user attempting to make the connection is an administrator on the machine that hosts the Share.”

Three days later, Woody posted an update: that Microsoft released KB 4487345 (available in the Microsoft Update Catalogue) to fix the flaw. Note that this is a hotfix, so it should be installed after installing the other updates — and only if you’ve experienced problems such as connecting to network-attached storage (NAS) units or sharing files with another PC. If you have a simple setup with only a standalone computer and printer, you won’t see this issue.

What to do: On your Win7 systems, delay installing KB 4480960 or KB 4480970 while we wait to see whether Microsoft pushes out the hotfix more widely. On the other hand, do install KB 4480965 for Internet Explorer.

4480963, 4480964, 4480965

If you’re still on Windows 8.1, be aware that it’s also vulnerable to Speculative Store Bypass attacks on AMD-based computers. As with Windows 7 systems, these protections aren’t enabled by default.

On Win8.1, January’s security-only patch is KB 4480964, and the related Internet Explorer fix is KB 4480965. Your security rollup is KB 4480963. Note that both security updates come with the bug that might make it difficult for third-party apps to authenticate hotspots.

What to do: Consider delaying the installation of KB 4480964 or KB 4480963 until we know whether there are any other side effects. Do install KB 4480965 for Internet Explorer.

4480056

With Win10 1809, Microsoft pulled .NET updates back out of the combined security updates. You now install .NET patches separately. January’s primary .NET update, KB 4480056, patches a .NET vulnerability in Cross-origin Resource Sharing (CORS, more info) configurations. Bypassing CORS might allow an attacker to steal information.

The rest of January’s .NET Framework updates, as noted by the .NET blog, include the following:

• KB 4481480 has both security and quality rollups for .NET 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, and 4.7.2, running on Win7 SP1 and Server 2008 R2 SP1.
• KB 4481481 includes security-only fixes for .NET 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, and 4.7.2, running on Win7 SP1 and Server 2008 R2 SP1.
• KB 4481484 has both security and quality rollups for .NET 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, and 4.7.2, running on Win8.1, RT 8.1, and Server 2012 R2.
• KB 4481485 has security-only patches for .NET Versions 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, and 4.7.2, running on Win8.1 and Windows Server 2012 R2.

What to do: Keeping .NET updates separate from other patches is a good thing — it can make it somewhat easier to track down update failures. But I still recommend that you delay installing these patches.

4468742, 4471389

If you’re still managing an on-premise Exchange server, you’ll want to pay attention to a patch for Exchange Servers 2016 and 2019. There’s a potentially nasty bug that could allow an attacker to run arbitrary code in the context of a System user. The attacker could then install programs; view, change, or delete data; or create new accounts.

You’ll want to review and test the updates in KB 4471389 before installing them on your production system. And in the meantime, review what spam-filtering mitigation you can put in front of your Exchange server.

The vulnerability is much less dire on Exchange 2010. So KB 4468742 is merely an information disclosure.

What to do: KB 4471389 is an important update, but be sure to review and test it first.

We’ve already had issues with the January Office 2010 updates; the problems were severe enough that Microsoft pulled the updates earlier this month. I’m hoping we won’t see similar issues with the security releases.

For those of you running Office 2016 and 2019 Click-to-run versions, you should soon have a background upgrade to the latest release (more info). On the other hand, if you have the old-fashioned Microsoft Installer (MSI) or patch-based Office deployments, expect to see the following fixes:

Office 2016

• 4022162 — An Office remote-code execution vulnerability, if a user opens a maliciously crafted Office file.
• 4461535 — Another remote-code execution vulnerability, if a user opens a malicious Office file.
• 4461543 — Yet another remote-code threat in Word.
• 4461601 — An information-disclosure vulnerability that arises when Outlook improperly handles certain types of messages.

Office 2013

• 3172522 — An Office vulnerability that could allow remote-code execution via a malicious Office file.
• 4461537 — Another Office remote-code execution vulnerability.
• 4461594 — A Word remote-code execution vulnerability.
• 4461595 — An Outlook vulnerability caused when the app improperly handles certain types of messages.

Office 2010

• 2553332 — An Office vulnerability that could allow remote-code execution via maliciously crafted Office files.
• 4461614 — Another Office remote-code execution threat via malicious files.
• 4461617 — Yet another Office remote-code vulnerability.
• 4461623 — A remote-code execution vulnerability in Outlook.
• 4461625 — A remote-code execution vulnerability in Word.

Office 2007

• 2596760 — An Excel Viewer vulnerability that could allow remote-code execution if a user opens a maliciously crafted Office file.
• 4461635 — A Word Viewer remote-code execution vulnerability.
• 4462112 — Yet another Word Viewer remote-code execution vulnerability.

What to do: Due to the number of dangerous remote-code execution bugs in Office, install these updates as soon as possible.

There’s no rush to install January’s Office feature fixes. They include:

Office 2016

• 3203480 — Lets Visio use the correct Japanese calendar.
• 4032230 — Various issues with Office and add-ins.
• 4461435 — Database Compare tool updated to require Microsoft Report Viewer 2015.
• 4461531 — Visio update.
• 4461533 — Scan performance when Office document opened on a system with Win10 1709 and certain third-party antivirus scanners installed (system trying to determine which antivirus provider to use).
• 4461586 — Skype update.
• 4461587 — Project update.
• 4461600 — Fixes to various PowerPivot and Excel issues.

Office 2013

• 4461557 — Skype for Business 2015 update.
• 4461560 — Updated Japanese support in Project.

Office 2010

Note: Previously released January updates pulled.

What to do: Put these non-security fixes on hold, unless they’re needed immediately.

Note to regular Patch Watch readers.\:

Over the past couple of years, Microsoft has, obviously, dramatically changed how we receive Windows and Office updates. Our original chart no longer works with Microsoft’s new patching format. So we’re doing some research to see whether a problem-patch chart is still feasible. I’m currently working on a master problem-patch list for Windows 7; who knew that platform had over 500 patches! Look for the downloadable Master Patch List at AskWoody.com.

Susan Bradley was for many years the Windows Secrets Patch Watch diva. She's happy to be back writing in detail about patching and security for the new AskWoody Plus newsletter. In real life she's a Microsoft Security MVP and IT wrangler at a California accounting firm, where she manages a fleet of servers, virtual machines, workstations, iPhones, and other digital devices. She also does forensic investigations of computer systems for the firm.

Publisher: Woody Leonhard, (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S, or road, and Star), and the slogan Everything Microsoft Forgot to Mention are all trademarks and service marks of AskWoody LLC. All other marks are the trademarks or service marks of their respective owners.

Mailing address: *|HTML:LIST_ADDRESS_HTML|*

Your email subscription:

• This email sent to *|EMAIL|*
• Update your preferences
• Unsubscribe *|EMAIL|* from this list
• Subscription help: customersupport@askwoody.com
• Subscribe to the paid AskWoody Plus

Copyright © *|CURRENT_YEAR|* *|LIST:COMPANY|*, All rights reserved.