A most unusual Patch Tuesday

Topic

New Reply

Microsoft has released its usual Patch Tuesday flood, and it’s enormous: 358 patches addressing 96 individually identified security holes. Gregg Keize[See the full post at: A most unusual Patch Tuesday]

12 users thanked author for this post.

Morty, lmacri, AJNorth, JDeC, SueW, TonyS, ch100, Elly, Cesar, MrBrian

Reply | Quote

Replies

Some older unsupported operating systems had new security updates released today. See https://technet.microsoft.com/en-us/library/security/4025685 for more details.

4 users thanked author for this post.

Morty, lmacri, ch100, Elly

Reply | Quote

From Microsoft: Latest security fixes thwart NSA hacking tools:

“Microsoft has confirmed its latest round of security patches has fixed three remaining vulnerabilities built by the National Security Agency, which the company previously said it would not fix.

The company confirmed to ZDNet that it had reversed course on releasing patches for the exploits, which Microsoft said earlier this year only affect older operating systems that have since been retired, notably Windows XP and Windows Server 2003.”

5 users thanked author for this post.

Morty, grayslady, ch100, woody

Reply | Quote

Those that still use a Vista machine do not have to install all updates mentioned on the Guidance for older platforms page, if the machine has been patched until the last Patch Tuesday in April. Some of the updates mentioned on that page have been published earlier when Vista was still supported and therefore are likely already installed. If you have patched a Vista machine until April, the updates to download and install manually from the table are: 4018271, 4018466, 4019204, 4021903 and 4024402.

Reply | Quote

Please tell me this doesn’t mean 48 patches to individually download and install…

LABS - a family friendly webcomic about scientists, robots and Wisconsin

Reply | Quote

No, the number relates to total fixes, not separate updates – individual updates generally incorporate a number of fixes.

On my Windows 7 home machine with Office installed I have the single Quality Security Monthly Rollup (KB4022719) plus the usual MSRT, along with 7 updates for Office 2010. Nothing installed yet, of course, but I’ve already hidden a Silverlight update (KB4023307) as I don’t have Silverlight installed and have also hidden the old favourite KB2952664.

I imagine I’ll get the same updates on my Windows 7 gaming machine but without the Office updates as I don’t have Office installed on that machine.

2 users thanked author for this post.

Cartoonist Aaron, SueW

Reply | Quote

Is Computerworld and offshoot of InfoWorld?

Reply | Quote

IDG is the umbrella company for Infoworld and Computerworld

4 users thanked author for this post.

JDeC, SueW, ch100, woody

Reply | Quote

According to https://www.zerodayinitiative.com/blog/2017/6/13/the-june-2017-security-update-review, two vulnerabilities fixed today have already been exploited: CVE-2017-8464 | LNK Remote Code Execution Vulnerability and CVE-2017-8543 | Windows Search Remote Code Execution Vulnerability.

A summary of all Microsoft vulnerabilities fixed today, by severity: http://blog.talosintelligence.com/2017/06/ms-tuesday.html.

3 users thanked author for this post.

Jan K., ch100, Elly

Reply | Quote

This is unbelievable, even for Microsoft. I sure hope Woody can sort them out.

 

 

Reply | Quote

To be fair to Microsoft, and I’m not generally one who tries, the unbelievable part is the secret vulnerabilities in place for so long. Now that they are exploitable, full credit to MS and the folks in Redmond for doing the right thing… belatedly.

The problems that may arise are likely to result from flawed code standing so long, that changing it now may have unforeseen results. But this part is in MS’s wheelhouse, they’ll likely get it right.

It’s the new ideas they have difficulties with.

2 users thanked author for this post.

AJNorth, woody

Reply | Quote

Bear in mind that the SMB1/Eternalblue vulnerability has existed since Win 2000/Win XP days and was secretly used by the NSA for a very long time to infect their targets with spyware until recently exposed/leaked by Shadow Brokers in Aug 2016, and subsequently released into the wild in April 2017.
… Looks more like damage control or a cover up by MS.

2 users thanked author for this post.

woody, abbodi86

Reply | Quote

Everyone remember, MS-DEFCON 2 means Woody recommends we let other folks test the software for a little while first before we jump in and start stomping around the minefield ourselves.

-Noel

4 users thanked author for this post.

JDeC, SueW, Cascadian

Reply | Quote

So they released updates for XP and Vista long after support for them has ended? Why do I feel like this sets a dangerous precedence for Windows 10? We all know that Microsoft wants everybody on Windows 10, but by releasing updates for XP and Vista after support has ended it’ll make people less likely to upgrade won’t it? Because they see Microsoft is still patching the older operating systems.

1 user thanked author for this post.

JohnW

Reply | Quote

Well I just gotta say, I am glad that they did.  I am a happy Win 10 user on two computers, but I also run one with Windows 7, as well as one WinXP as a VM.

The only reason I use XP is to run old software that Win 10 has broken.  I cannot see replacing hundreds of dollars of commercial software, just to run it on Windows 10.  I do my best to keep XP contained and locked down, but it is reassuring that MS has our backs on these major exploits.

At the same time, I would encourage everybody to update to a supported OS, unless you have a major overriding reason to run an old OS beyond end of life!

Windows 10 Pro 22H2

Reply | Quote

UPDATE: Microsoft even released a patch for Win10 1507 — the original, “RTM” release, which is supposed to be out of support. See KB 4022727.

Brad Sams, writing on Petri.com, calls the XP patch “a dangerous precedent.” I say hogwash. It’s an overdue CYA patch. Can you imagine what would happen with a working XP SMB worm?

Peter Bright = Dr. Pizza, writing on Ars Technica says “Microsoft’s decision to patch Windows XP is a mistake.” I say he’s wrong. Microsoft didn’t have any choice – and won’t have any choice, in the future, but to patch NSA-derived security holes in all versions of Windows from XP onward.

Dan Goodin, also on Ars Technica, now has technical details. He hits the nail on the head when he says, in conclusion:

Company officials are showing that, as much as they don’t want to set a precedent for patching unsupported Windows versions, they vastly prefer that option to a potential replay of the WCry outbreak.

It is all in the numbers.
Microsoft is not protecting old operating systems, but the internet as a whole.
There are multiple other vulnerabilities which are known to Microsoft but because each of them affects lower numbers of users, they are not and will never get patched.

It also has to do with politics.
I was always wondering why when there is a bush fire affecting tens or hundreds of people, the Government feel like compensating those affected and pass emergency legislation, while when there is an isolated fire burning down one person’s house, it is considered just a personal issue. Aren’t those affected impacted in the same way?

8 users thanked author for this post.

satrow, JohnW, SueW, NetDef, woody, MrToad28, Alice, Cascadian

Reply | Quote

A lot of people see only the patching issue when considering older operating systems and end of support.
In fact an even bigger issue is that many newer applications are either blocked from running on the older operating systems by manufacturer’s design or simply use newer technology which was not available at the time when the older operating systems were in mainstream use.
Microsoft could keep a single OS and enhance it forever, but they are running a business and fixing an existing OS does not fit their business model, unless they would charge for updates.
Charging for enhancing an existing operating system seems to be less accepted by the public than charging for something “new” and so we end up by having this mess.

2 users thanked author for this post.

Ascaris, flackcatcher

Reply | Quote

ch100, I agree completely as far as this goes. Have made similar points about the cost of development and the need for revenue.

But given these truths, why would Microsoft make a sales pitch promising the one Operating System that will forever be current, and answer all user’s needs? Did they oversell?

I think many of us recognized this was an impossible goal that would never be true, and should not have been promised.

Reply | Quote

Agreed, plus moreover there has never been a really clear statement to ordinary Windows 10 users as to how MS are going to raise revenue from it. Most people went for the upgrade because it was free, but it can’t remain that way forever.

I also find it interesting that Windows 10 has pretty much as many security fixes as the older systems, despite being said to be so much safer!

2 users thanked author for this post.

Cybertooth

Reply | Quote

Windows 10 was only free in the consumer/SOHO sector.  For corporate customers, it was never free, and that’s the most important market for MS.

In the consumer sector, the vast majority of money MS made from Windows was from OEM sales.  People buy a PC with Windows preinstalled, and for the most part, use that version until the PC dies or is retired.  It was only a small segment of that market who would take it upon themselves to buy and install a newer Windows version than what came on the PC.

As such, MS is not losing a great deal of money by not charging for consumer-level upgrades.  MS was already paid for Windows (7 or 8.x) on all of those PCs (by the OEM who preinstalled it), and they were never going to get any more than that on 99%+ of them.  MS no doubt calculated that the benefit of boosting the adoption rate outweighed the small decrease in revenue incoming from the relative few who do buy and install Windows.

Given how the uptake of 10 has slowed since the official free upgrade ended (unofficially, it’s still going, of course), it is quite likely that the Windows 10 market share would be but a fraction of what it was if not for the free upgrade (not to mention the means of questionable ethics that MS used to push those upgrades).  MS is trying hard to convince us all of the inevitability of Windows 10 (resistance is futile), and that would be a much harder thing to do with less market share than they have now.  The marketing value alone was certainly worth much more than the loss of upgrade revenue.

While it is true that MS is looking for new ways to “monetize” Windows (they’ve told us this), there’s no need to make up for the lost revenue of the free upgrade.  I think they’d happily keep the official free upgrade going indefinitely in the consumer sector if it wouldn’t arouse people’s suspicions about why they’re doing it and where the revenue is coming from.

There was discussion of whether MS would extend the free upgrade period in the months before it actually did expire (officially), given that their desired “one billion devices running Windows 10” goal was looking more and more unrealistic.  The general consensus seemed to be that MS would seem too desperate if it did so.  The open secret of the free upgrade period that really never ended is the next best thing, I suppose.  If the powers that be in MS didn’t see it so, there’s no doubt that the unofficial continuation of the free upgrade would not have continued one minute past the expiration date.  There’s just no way it is an oversight or something that is unintentional on Microsoft’s part.

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

Reply | Quote

Microsoft would probably like move to Software as a service SAAS model, [annual fees] and away from versioning as a way to solve the need for revenue and keep OS up to date. Users who have bought versions will resist this. Microsoft can’t just say, ‘s**ew em’ because of the ecosystem vulnerability.

Edit for content

Reply | Quote

Lets not forget the PR aspect here. For three years Microsoft has been hammered for the way they have tried to move users to Windows 10. Combine that with hand waving away best practices with massive personal cuts, and  MS has a mushrooming nightmare on their hands. If they did not patch, then they would be signing their own death warrant. It is not Microsoft’s fault that we and they are caught in the middle of a major fight between two state actors. But it would be Microsoft’s fault, if  having the means to protect their products, they did nothing. Woody’s right, MS had no choice.

1 user thanked author for this post.

Cybertooth

Reply | Quote

What is much more interesting when it comes to this Tuesday is:

“Addressed issue where an unsupported hardware notification is shown and Windows Updates not scanning, for systems using the AMD Carrizo DDR4 processor or Windows Server 2012 R2 systems using Xeon E3V6 processor. For the affected system, follow the steps in the Additional Information section below to install this update.”

Additional information says:

“Run the DISM /Online /Add-Package command to install the update: DISM.exe /Online /Add-Package /PackagePath: CAB file path”.

 

Does this mean that in case of any future block it will be possible to install updates via DISM or there must be something special in this particular package to bypass it?

Fractal Design Pop Air * Thermaltake Toughpower GF3 750W * ASUS TUF GAMING B560M-PLUS * Intel Core i9-11900K * 4 x 8 GB G.Skill Aegis DDR4 3600 MHz CL16 * ASRock RX 6800 XT Phantom Gaming 16GB OC * XPG GAMMIX S70 BLADE 1TB * SanDisk Ultra 3D 1TB * Samsung EVO 840 250GB * DVD RW Lite-ON iHAS 124 * Windows 10 Pro 22H2 64-bit Insider * Windows 11 Pro Beta Insider

Reply | Quote

Yes, DISM works for all blocked systems

1 user thanked author for this post.

radosuaf

Reply | Quote

So, with one, two cumulative patches each month, the block shouldn’t be much hassle then.

Fractal Design Pop Air * Thermaltake Toughpower GF3 750W * ASUS TUF GAMING B560M-PLUS * Intel Core i9-11900K * 4 x 8 GB G.Skill Aegis DDR4 3600 MHz CL16 * ASRock RX 6800 XT Phantom Gaming 16GB OC * XPG GAMMIX S70 BLADE 1TB * SanDisk Ultra 3D 1TB * Samsung EVO 840 250GB * DVD RW Lite-ON iHAS 124 * Windows 10 Pro 22H2 64-bit Insider * Windows 11 Pro Beta Insider

Reply | Quote

More info about DISM method: see https://www.askwoody.com/forums/topic/installing-win-updates-on-win-7-or-8-1-computers-with-kaby-lake-or-ryzen-cpus/#post-108648.

Reply | Quote

Indeed. I’ve been taking my time catching up on Security-Only updates, Net Framework, IE and all that stuff and I exclusively use the DISM command to install them. I write/edit batch files for each update and run them before I reboot my system for whatever reason or I’ll reboot, run the next batch file and then reboot again. Haven’t had an issue yet.

So, yeah, the block doesn’t seem like it will be much of an issue.

Reply | Quote

Woody, I don’t know how many times I scanned over your update before I noticed:
“This doesn’t smell right.”

Which immediately reminded me of the very real, and metaphorical value of, “sunlight is the best disinfectant.”

Lets get these out in the open and shine light on the tests that confirm patches, to remove the stench.

1 user thanked author for this post.

Reply | Quote

Is it true they didn’t do anything with the .Net Preview update – kb4019288? It’s still there and I didn’t get any other .Net Framework update offered.

Reply | Quote

I can confirm too that I did not get any proper .NET Framework update either. All there was, was the preview rollup for it.

Reply | Quote

The article Peter Bright wrote that Woody mentioned was written more than 3 years ago when Windows XP just went off support. It is just a rerun with minor updates for the just released XP patches.

Anyway, I agree with Woody that Peter Bright is dead wrong on this issue. He said in one of the recent comments that “Nobody should be using Windows XP today. At all.” I say that he obviously has no or little understanding why so many people still stick with Windows XP today. Perhaps he should ask those users before making such a sweeping statement?

Peter Bright also said that “It isn’t exceptional. There are lots of unpatched and exploitable Windows XP flaws now. The release of the patch this week doesn’t alter that.” Oh, but it is exceptional. The vulnerabilities probably can be adapted for use by a computer worm that propagates without user action, like WannaCrypt, which can potentially affect a large number of users. I believe that’s why Microsoft decided to release the corresponding patches for Windows XP / Vista / Server 2003.

Hope for the best. Prepare for the worst.

Reply | Quote

Didn’t sound too bright to me either…

Perhaps he’s not aware of the many instances used by “non-persons” like the info-boards in my daily train (sometimes I see it boots… nearly brings me to tears). I think some process controls boards are xp based and Ive heard atm machines use xp as well.

But Woody is way out of touch with mr. Bright’s readers! Not much xp love there! 😀

Reply | Quote

Could anyone help me understand this comment by Woody?

There’s a reason why Microsoft released XP/Server 2003 updates – they didn’t bother to patch either last month, with the WinXP patch for WannaCry.

which seems to conflict with his statement in the ComputerWorld article;

There’s a reason why Microsoft released XP and Server 2003 patches again this month.

Reply | Quote

Last month XP/Vista were patched for the EternalBlue vulnerability. The three additional vulnerabilities that were mentioned in the ComputerWorld article (EnglishmanDentist, EsteemAudit and ExplodingCan) were not patched in XP/Vista.

There’s a reason why Microsoft released XP and Server 2003 patches again this month. Three reasons, actually. As I said in April, when the Shadow Brokers revelations emerged, the earlier MS17-010 patched all of the NSA-derived attack vectors, except three known vectors in XP and Server 2003 machines:

Microsoft says none of the other three exploits—EnglishmanDentist, EsteemAudit, and ExplodingCan—runs on “supported platforms,” meaning Windows 7 or later and Exchange 2010 or later.

That appears to be the motivation for this month’s highly unusual XP and Server 2003 patches. Microsoft is fixing known holes in XP and Server 2003 that weren’t fixed before — holes that were plugged already for Win7 and later.

MS didn’t bother to patch those three vulnerabilities so they are releasing patches again this month for XP/Vista to do so. Where is the conflict?

1 user thanked author for this post.

woody

Reply | Quote

Thanks. I had trouble understanding that “they didn’t bother to patch either last month” was referring to the three additional vulnerabilities (which hadn’t been mentioned here at that stage).

Reply | Quote

It is a good thing that Microsoft released security updates that remediate certain exposures in out of support systems (e.g, XP, Vista).  However, we should not attach more significance to these updates than is warranted.   These are not cumulative updates that magically fix all security issues between the date that these Windows versions reached End of Life and now.  These older systems, especially XP, will continue to contain exploitable vulnerabilities.

Moving away from out of support versions that are past End of Life continues to be an appropriate recommendation.  Those who choose to remain with XP and Vista do so at their own risk.  Don’t complain later should problems occur.

4 users thanked author for this post.

Kobold Curry Chef, woody, MrBrian, b

Reply | Quote

“These are not cumulative updates that magically fix all security issues between the date that these Windows versions reached End of Life and now.”

Is that true for the IE10 update for Windows 8 and the IE9 update for Windows Vista listed in Older platforms 2 of 3 in the Microsoft Security Advisory that Woody linked to? These updates are described as Cumulative Security Updates and are fairly large updates.

Cumulative Security Update for Internet Explorer 9 for Windows Vista for x64-based systems (KB4018271)
https://www.microsoft.com/en-us/download/details.aspx?id=55426

Cumulative Security Update for Internet Explorer 10 for Windows 8 for x64-based Systems (KB4018271)
https://www.microsoft.com/en-us/download/details.aspx?id=55449

Reply | Quote

Has Woody permanently shifted from Infoworld to Computerworld? I see nothing on the June patch on Infoworld patch management.

Reply | Quote

Yes, he will be on ComputerWorld now. Both InfoWorld and ComputerWorld are in the IDG group.

Reply | Quote

Yep, Computerworld is my new home sweet home.

IDG is moving its Windows coverage to Computerworld. Should be pretty amazing.

But I’m still on vacation! So I only post when I absolutely can’t stand sitting on my thumbs…

4 users thanked author for this post.

Kobold Curry Chef, jelson, JohnW, JDeC

Reply | Quote

@woody ahh thats why you popped in to my inbox this morning “all is revealed” better come in here first before dealing with the mail lol 🙂

Reply | Quote

Non-security fixes are documented for both the Windows 7 and Windows 8.1 June 2017 monthly rollup and security-only update that are not documented in the Windows 7 and 8.1 May 2017 preview monthly rollup.

Reply | Quote

June 2017 Office Update Release

1 user thanked author for this post.

SueW

Reply | Quote

For those in Group B, AKB2000003 has been updated 6/13/2017 with the Security-only and Cumulative IE11 patches

3 users thanked author for this post.

JDeC, amraybt, David F

Reply | Quote

hey woody.

check out this recent ZDNet article from Ed Bott titled “Microsoft warns of ‘destructive cyberattacks,’ issues new Windows XP patches”

http://www.zdnet.com/article/microsoft-warns-of-destructive-cyberattacks-issues-new-windows-xp-patches/

Reply | Quote

Patch is causing issues with printing in at least Internet Explorer 11. Basically, IE creates a temporary file to print but looks on the server for the temporary file instead of the local machine.

 

More info:

https://stackoverflow.com/questions/44547861/ie11-windows-7-print-issue-after-kb4021558

Reply | Quote

Reference is to KB 4021558 June Cumulative Update for IE11. Since this is included in the 2017-06 Security Monthly Quality Rollup, it may also include the Rollup.

Reply | Quote

All right. Win 7 Ultimate 32-bit, installed security-only patch (4022722), IE patch (4021558) and that update required for .NET 4.7 (4019990), though I’m not installing .NET 4.7 itself yet. So far so good, not spotting anything obvious. Just that Comodo logs seem to indicate that regsvr32.exe did something with the startup folder (nothing there now though).

Regarding the mentioned IE printing issue, don’t have a printer, so no clue.

Reply | Quote

James Bond 007 wrote:

The article Peter Bright wrote that Woody mentioned was written more than 3 years ago when Windows XP just went off support. It is just a rerun with minor updates for the just released XP patches. Anyway, I agree with Woody that Peter Bright is dead wrong on this issue. He said in one of the recent comments that “Nobody should be using Windows XP today. At all.” I say that he obviously has no or little understanding why so many people still stick with Windows XP today. Perhaps he should ask those users before making such a sweeping statement? Peter Bright also said that “It isn’t exceptional. There are lots of unpatched and exploitable Windows XP flaws now. The release of the patch this week doesn’t alter that.” Oh, but it is exceptional. The vulnerabilities probably can be adapted for use by a computer worm that propagates without user action, like WannaCrypt, which can potentially affect a large number of users. I believe that’s why Microsoft decided to release the corresponding patches for Windows XP / Vista / Server 2003.

Peter Bright and the others need to educate themselves before making “dummer than a rock” statements like they did.

The only thing for XP that changed April 2014 was security patch release to the GENERAL PUBLIC ceased.  XP security patches  became a “pay for service” where you could pay MS “your two first born children” for XP Sec Updates every month.  I get/have gotten them every month since “XP support ended” and it averages about 4-5 Sec patches per month.

What MS did this, and last, month was to release SELECT security patchs to the general public for Uber Bad Exploits developed by our very own US NSA (and were hacked into and stolen from those very same US NSA idiots), that were made for paying business/enterprise customers.  There is little doubt that was all about MS liability CYA.

The simple fact is WinXP still is the OS (embedded version) used in miilions of POS terminals and ATM’s in the US and around the world.  It is also still used in a hugh numbers (one could almost say it is still the primary OS in some areas) that runs the propriatary software used on 1000’s of SCADA Command and Control systems used to control power generation on the US Grid as well as other utilities like Water, Sewage Treatment, HVAC systems, etc, etc, etc……….

Viper

2 users thanked author for this post.

jelson, PKCano

Reply | Quote

Should we consider “DEFCON 2” for Windows XP as well or those systems should be patched right away?

Any know problems on the XP patch?

Reply | Quote

Yes, go ahead and patch. The supported versions of Windows were patched last month. Microsoft is late with this. It’s important to get protected.

I patched mine yesterday with no problem.

Edit to add info

Reply | Quote

I’m not quite sure which updates I should be installing… The MS page on https://support.microsoft.com/en-us/help/4025687/microsoft-security-advisory-4025685-guidance-for-older-platforms is a little confusing…

Which of those KBs should I be applying on my XP SP3 system?

Also, since I’ll be installing them manually, should I reboot upon each install, or install them all then reboot?

Reply | Quote

There are three tables for XP SP3
Table 1: 988644, 2347290, 4012598, 4012583
Table 2: 4022747, 4018271 (for IE8), 4018446, 3197835, 4024343
Table 3: 4025218, 4024402, 4019204

Check my numbers, I can mistype.
Just to be safe, back up your data before you start.
It would be a lot easier if you could use Windows Update to do the installation for you.

Reply | Quote

Thanks a lot mate…

I’ll be doing things manually, so would it be necessary a reboot at every single update?

Reply | Quote

You can try to install without reboot. If the next patch won’t install, reboot. Then wait 10 minutes after logging in to give the install time to complete before trying to install again.

Reply | Quote

I couldn’t get the first two to install, apparently. They appeared to install with no problems, but when I went looking for them in Add or Remove Programs, they were nowhere to be found. Interestingly, if it weren’t for Ask Woody, I wouldn’t even have known about these additional patches. What I did receive today, unasked, was a security update for my Office 2003 which is on the same machine. This whole issue of remote access and control seems to be a major problem for MS.

Reply | Quote

PKCano wrote:

It would be a lot easier if you could use Windows Update to do the installation for you.

Well actually you can with a registry edit but beware once done you can’t undo it.  It’s also technically cheating but no worse than MS’s highway robbery IMO.

 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]
“Installed”=dword:00000001

Viper

 

Reply | Quote

Did that one a long time ago. Updates are important (even cheating).

Reply | Quote

anonymous wrote:

So they released updates for XP and Vista long after support for them has ended? Why do I feel like this sets a dangerous precedence for Windows 10? We all know that Microsoft wants everybody on Windows 10, but by releasing updates for XP and Vista after support has ended it’ll make people less likely to upgrade won’t it? Because they see Microsoft is still patching the older operating systems.

Only free security updates to the general public ended for XP 04/2014.  Dearly paid for security updates never stopped and come the 2nd Tuesday of every month like clock work.  That included Feb 2017 when W7 thru W10 patch Tuesday was  canceled.

As for not upgrading (oximoron) to W10.  Most people seem tp be doing all they can to not get roped into “downgrading” their good OS’s to that steaming brown pile of spyware known as Windows 10.  That’s one of the reasons W10 uptake has fallen off the table since MS stopped trying to force W10 down users throats in every under handed way imaginable (and you can still “upgrade” for free to this day).

1 user thanked author for this post.

Cybertooth

Reply | Quote

Table 1 in https://support.microsoft.com/en-us/help/4025687/microsoft-security-advisory-4025685-guidance-for-older-platforms omits the 32-bit version of Windows Server 2003, for all patches including MS17-010 and MS17-013. Is this an error?

Reply | Quote

If you click on MS17-010 at the top or the table (it’s a link), it takes you to the bulletin. Scroll down and you will find the 32-bit version. Click on its name on the left and it takes you to the MS Catalog to download.
I didn’t check out the other, but I suspect it’s the same

Reply | Quote

Thank You, found it after selecting Server 2008 32-bit in the manner you suggest.  Selecting an “older” out-of-extended-support 32-bit system {Server 2008, 8, Vista} shows the set for all of the older 32-bit systems MS has this patch for.  Selecting one currently under support (7, and using their newer patch bundling style) does not for Server 2003.

Reply | Quote

I updated my Win XP Service Pack 3 today with 12 updates found here.

https://support.microsoft.com/en-us/help/4025687/microsoft-security-advisory-4025685-guidance-for-older-platforms

 

Windows 10 Pro 22H2

Reply | Quote

June 13, 2017
Microsoft Releases Additional Updates to Protect Against Potential Nation-state Activity
By Adrienne Hall | General Manager, Cyber Defense Operations Center

On May 12, 2017, the WannaCrypt ransomware served as an all too real example of the danger of cyber attacks to individuals and businesses globally.

In reviewing the updates for this month, some vulnerabilities were identified that pose elevated risk of cyber attacks by government organizations, sometimes referred to as nation-state actors or other copycat organizations. To address this risk, today we are providing additional security updates along with our regular Update Tuesday service. These security updates are being made available to all customers, including those using older versions of Windows. Due to the elevated risk for destructive cyber attacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt. For more technical information and links to related articles, visit our Microsoft Security Response Center blog.

 
Read the full post here

Reply | Quote

A data point:

I have virtual machines I pre-test updates on. They are not critical and are easily restored to prior states if something goes wrong.

I’ve just updated my Win 7 test VM with June security-only updates per: This AskWoody page

Specifically, I downloaded the .msu files for these updates and installed them in the following order, rebooting after each:

1. KB4022722 (Security Only Quality Update for Windows 7 x64)
2. KB4021558 (Cumulative Security Update for Internet Explorer 11 for Windows 7 x64)

The updates went in smoothly and initial testing seems to imply they have not caused new problems.

-Noel

3 users thanked author for this post.

MrBrian, samak, AJNorth

Reply | Quote

I’m using SCCM 2012 to deploy updates and wanted to make sure I distributed these packages to the very small number of XP machines we have.  However, I cannot find the updates themselves in the SCCM database although they appear on the WSUS.  These aren’t all bundled together somewhere?

Brad

Reply | Quote

Seff wrote:

I also find it interesting that Windows 10 has pretty much as many security fixes as the older systems, despite being said to be so much safer!

That one is really an interesting observation. It is the nature of the industry I suppose and the fixes may not be the same for different operating systems, unless they have the same KB number, which seems common in many instances for Windows 7 and 8.1 (and their server equivalent 2008 R2 & 2012 R2).

Reply | Quote

So Microsoft is patching old OSes out of support (although security updates is always a good thing), while not supporting Windows 7 (ok, under extended support only) and specially 8.1 (under full support and development) for new CPU architectures. MMMmmmm… Right………

Reply | Quote

@woody:

A total non-sequitur: was the title of this post in any way influenced by the scene in Alfred Hitchcock’s classic film of murder, mayhem, mistaken identity and screwball comedy, “North By Northwest” (1959), where Roger O. Thornhill (Cary Grant) walks into the Plaza Hotel with “A Most Unusual Day” heard playing in the background in the lobby?

1 user thanked author for this post.

Cascadian

Reply | Quote

Niche reference these days, but very cool. I like how you make connections. Worth another viewing now.

1 user thanked author for this post.

AJNorth

Reply | Quote

More data points:

For my Win 8.1 Pro/MCE x64 systems, managed in an “almost group A” fashion…

On my test system, I installed all updates except optional KB2976978 (which I always hide) via Windows Update, including Office 2010 updates.

• The updates went in easily and quickly.
  
• All my software that I tested appears to be working. No new error messages or failures are noted.

My verdict: “Group A with exceptions” June Win 8.1 x64 updates are OK from my perspective.

—

For my heavily tweaked Win 10 Pro v1703 test system, I installed the latest cumulative update from the Windows catalog to bring it up to build 15063.413. I’ve also done some brief testing on this system and found it to be functional.

This Win 10 setup does NOT make any unexpected/unsolicited online connections, and has been trimmed to optimize for “legacy Win32-only” operation – i.e., no Apps, no cloud integration, compatibility with desktop software such as Visual Studio, Photoshop, etc. It settles to 66 processes and 1.3 GB of RAM usage to support an idle desktop.

The only minor instability I’ve seen on this test setup so far is some minor issues with the program I use to resurrect Aero Glass and facilitate re-theming – something I could do without in a pinch, though it’s still being actively developed and I suspect there will be a new version before long. I’ll drop it back to an unthemed, ugly Win 10 desktop if I must.

My verdict: “Group A” June Win 10 v1703 x64 updates are OK from my perspective.

—

At this point I’ve tested the June Win 7, 8.1, and 10 updates to my own satisfaction using virtual machines.

I still recommend waiting for Woody to raise the MS-DEFCON level unless you have your own test methodology as I do, and/or you feel particularly vulnerable to current security threats.

-Noel

1 user thanked author for this post.

AJNorth

Reply | Quote

Hello,
W10 Home 1607 (14393.1198) waiting for DEFCON to change.

I have 4022715 Cumulative 1607, 4022730 Flash Player, 3150513 compatibility, 4023834 Servicing Stack & 3186568 NET Framework 4.7 hidden thru wushowhide tool.

I’ll keep 3150513 hidden…..wondering about 4023834 Servicing Stack & 3186568 Framework 4.7 ?

Reply | Quote

You definitely need the Servicing Stack, and I think .NET 4.7 is OK for Win10 – when the DEFCON number is 3-5

1 user thanked author for this post.

bjm

Reply | Quote

PKCano wrote:

You definitely need the Servicing Stack, and I think .NET 4.7 is OK for Win10 – when the DEFCON number is 3-5

Okay, @DEFCON 3:  just installed 4023834 Servicing Stack, 3186568 NET 4.7, 4022715 Cumulative 1607 & 4022730 Flash Player.
> Care to comment re hidden updates
W10 Home 1607 (14393.1358)

Reply | Quote

An issue has been added to the knowledge base article for June 2017 Windows 7 security-only update:

‘After you install this update, you may experience behavior that resembles that of Microsoft Security Bulletin MS16-087. For more information, see the “Known issues” section of the following Microsoft Knowledge Base article:

3170005 MS16-087: Security update for Windows print spooler components: July 12, 2016’

1 user thanked author for this post.

AJNorth

Reply | Quote