April Patch Tuesday Windows and Office patches are out

Topic

New Reply

Stay tuned while we pull in the pieces….
[See the full post at: April Patch Tuesday Windows and Office patches are out]

7 users thanked author for this post.

deanwmn, abbodi86, Myst, GreatAndPowerfulTech, Elly, seamonkey420, Microfix

Reply | Quote

Replies

Group B Security-only patches and the IE11 Cumulative Update have been updated AKB2000003 on 4/9/2019.

11 users thanked author for this post.

LH, deanwmn, David F, SueW, abbodi86, lanceboil, GoneToPlaid, samak, Elly, woody, Microfix

Reply | Quote

Martin Brinkmann has his links updated, wow that was quick..ghacks.net
Taken from Ghacks:

Windows 8.1
Monthly rollups won’t include PciClearStaleCache.exe anymore starting with this update

Sounds like W8.1 may encounter similar NIC issues as Win7 has from march 2018..
Think I’ll hang off updating for a while

Windows - commercial by definition and now function...

Reply | Quote

It’s applies only to: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1. Windows 8.1 and Server 2012R2 free from NIC issues.

Reply | Quote

The blog correction has been made
Still not updating

Windows - commercial by definition and now function...

Reply | Quote

The pciclear executable has only been bundled with the Win7 Rollups in the past, not the Win8.1.

1 user thanked author for this post.

ch100

Reply | Quote

400 bad request when clicking on the Zero Day Initiative link, due to a trailing apostrophe in the link.

1 user thanked author for this post.

woody

Reply | Quote

Sorry about that. Link fixed.

1 user thanked author for this post.

GoneToPlaid

Reply | Quote

Thanks for the  Adobe flash mention.  It was faster to manual download then waiting for the auto-update.

1 user thanked author for this post.

GoneToPlaid

Reply | Quote

I have had auto update issues for Adobe Flash on two different occasions. In both cases, I had to uninstall Flash and then install the latest manually downloaded update. One has to wonder if Adobe now is also using artificial intelligence, like Microsoft, to see if their updates “appear” to be good to go.

Reply | Quote

Hmm, and you all do know that flashplayer32_xa_install.exe version 2.0.0.332, which was released in around the middle of March 2019, may have been infected? I got several hits for it on VirusTotal, and the intermediate release after it inexplicably would not install on a couple of my computers. I had to uninstall Flash, and then install the subsequently released version.

So to anyone who can’t get a Flash update to install, uninstall Flash, reboot, and then download and install the latest version.

Final note: I just downloaded and successfully installed the latest Flash version via the Flash update utility on two of my computers. No issues.

1 user thanked author for this post.

SueW

Reply | Quote

Interestingly, for the first time ever as far as I can recall, Comodo failed to recognize the Flash updater when it triggered today, said unrecognized and on top of asking whether I wanted to allow it to connect, which always happens since I have it set to always prompt on new connection attempts, the HIPS also asked whether I wanted to allow it to do what it wanted to.
It’s like the file wasn’t signed. And not like I could check it after it was done, since it gets deleted. The actual files seem signed just fine though.

Reply | Quote

(Instead of editing) Ah, just checked again, seems like Adobe changed the name for the certificate and it’s just Adobe Inc. now? That probably confused it, and I see that 1h after the update it filed some other Flash files as untrusted, then added Adobe Inc. as trusted vendor and reassessed one more hour later.

I see that the company name had been changed back in October, but maybe it took this long for them to change it in file signatures too?

1 user thanked author for this post.

woody

Reply | Quote

We just noticed a newly published Feature Update to Windows 10 in WSUS from 3/28/19.

• Feature update to Windows 10 (business editions), verison 1809 x64 2019-03B, en-us
• Feature update to Windows 10 (business editions), verison 1809 x86 2019-03B, en-u

If you click link in WSUS for info, it will bring you to the 1803 update history page of course.  Is this an updated 1809 feature update or a possibly mislabed update? We have declined in our WSUS since we are in the middle of rolling out 1809 feature updatse to all of our 1607 clients and don’t want to change the criteria that we have tested with.

Anyone else noticing this or know what this is?  TIA!

Reply | Quote

1809 was recently declared ready for business (SAC that is not SAC anymore ) Perhaps that is why you are seeing it.

As to the labeling mixup, who knows. The Windows Software Distribution Update History page shows the CU for 1607 KB4493470 as being for 1803. MS documentation is not necessarily the best.

3 users thanked author for this post.

ch100, abbodi86, seamonkey420

Reply | Quote

we have been using the 1809 update in wsus that did have the same name except the ending 2019-03B since early Jan (after they re-released it after issues w/user profile and data deletion).  Nonetheless, will wait to hear from others but until then we are declining it and using the one we’ve been using the last two months

thanks for the reply!

Reply | Quote

It’s just refreshed installation media with March 2019 updates, B stands for second update tuesday (aka patch tuesday)

4 users thanked author for this post.

ch100, seamonkey420, Microfix, woody

Reply | Quote

Successful Install of KB4493509 Cum Update 1809 / KB4493478 Adobe Flash/ KB890839 MSRT + C2R Std-Hm Office ’16.

Although a willing early Update Test-er, with a new HP W10 desktop using mostly Firefox & Office ( & Macrium) I’m too simple a setup to be a real test for many of your multi-layered systems. Loving the speed of SSD + HDD and haven’t missed Win 7 at all.

W10 Pro 22H2 / Hm-Stdnt Ofce '16 C2R / Macrium Pd vX / GP=2 + FtrU=Semi-Annual + Feature Defer = 1 + QU = 0

Reply | Quote

I’ve seem somewhere in this website that Group B’s patches should be installed in chronological order because they are not cumulative.

Question: What happens if you install them randomly? Will they fail to install? Will they BSOD your system? Will they need the other patches as a base for installing? (shouldn’t supercedence take care of this mess?)

Thanks.

Reply | Quote

Supercedence should work.

But there is that word “should” again.

Reply | Quote

PKCano is correct that supersedence should work (it always has for me, so far). On the other hand, there are a few circumstances in which you will want to install some Group B updates out of order, and specifically in order to allow supersedence to get around issues which were present in one or more earlier updates which could block updates for specific CPUs. The latter is a really fun thing to try to resolve since performing a System Restore won’t fix the issue.

In the two attached GIF images, I have renamed the downloaded Windows Updates for Group B such that each update’s name starts with the desired installation order, followed by the date of the updates’ release by Microsoft, and followed by the update’s description and KB number to which I added info about the update. All of the Reboot.txt listings are zero length text files which simply tell you when you need to reboot after installing either an individual update or after having installed several updates listed after the previous Reboot.txt file entry.

Yeah, the above (and as shown in the two attached GIF images) would be a pain to manually perform. This is why I would like to call upon the expertise of any an all here to create a script which does the following for a given flavor of Windows 7:

1. Download all Group B Windows Updates for a given flavor of Windows 7, as described above, and and save the updates to a given folder.

2. The script should then appropriately rename the updates using the nomenclature which I described in the second paragraph, above, and similarly as shown in my two attached GIF images.

The slick thing about renaming the downloaded updates, similar to what is shown in my attached GIF images, is that one could rename each update to start with an underscore character after the user has installed each update. In this way, the user can keep track of their progress in terms of installing all Group B updates in the proper order.

The upshot is that all of this is “food for thought” in terms of how I have successfully remained on Group B, and in terms of how I have avoided various pitfalls by using supersedence when updating.

 

Reply | Quote

Interesting….. many of the vulnerabilities that were fixed are all in the same component — the filesystem driver for UAC File Virtualization.  All those vulnerabilities would’ve been introduced when Vista was being developed — and this is a security component!

Just goes to show that even with the best of intentions, writing secure code is hard.

There’s a whole bunch of new Jet Database Engine remote code execution vulnerabilities too.  Hopefully they won’t cause a lot of disruption like the last time around.

1 user thanked author for this post.

woody

Reply | Quote

Microsoft fully intended to lock down Vista Unix style. Yet the AV software vendors threatened to sue since Microsoft wanted to remove all hooks into the kernel. And thus secret deals were made.

2 users thanked author for this post.

woody, abbodi86

Reply | Quote

My machine succesfully feature updated to Win 10 x64 H 1809 17763.437 on 3 Oct 2018.

Then cumulatively updated to KB4490481 on 4 Apr 2019

At my request, 30 min. ago (10 Apr 2019), Windows cumulatively updated to KB4493509.

I then ran CCleaner (v5.56.7144).

So far I found no issues. Everything works fine.

Clevo portable, motherboard 32 GB RAM, dual monitor
Intel(R) Core(TM) i7-4810MQ
NVIDIA GeForce GTX 970M
500 GB SSD
1 TB HDD
7 external USB 3.0 HDDs, 17 TB in total
Windows 10 x64 Home (configured to look like Windows 95)

1 Desktop Win 11
1 Laptop Win 10
Both tweaked to look, behave and feel like Windows 95
(except for the marine blue desktop, rgb(0, 3, 98)

Reply | Quote

I cannot update my phone with the latest update, first I got the 0x80070002 error, now downloading is stuck at 0%…

Fractal Design Pop Air * Thermaltake Toughpower GF3 750W * ASUS TUF GAMING B560M-PLUS * Intel Core i9-11900K * 4 x 8 GB G.Skill Aegis DDR4 3600 MHz CL16 * ASRock RX 6800 XT Phantom Gaming 16GB OC * XPG GAMMIX S70 BLADE 1TB * SanDisk Ultra 3D 1TB * Samsung EVO 840 250GB * DVD RW Lite-ON iHAS 124 * Windows 10 Pro 22H2 64-bit Insider * Windows 11 Pro Beta Insider

Reply | Quote

W7 – 64. 2 Updates. Grp – B. Downloaded / Installed. Apparently. OK.

Reply | Quote

I just installed the two updates to Windows Defender and another monthly one.  But in addition to those I unchecked and hid (the Win 7 Preview rollups of Security, etc) there was one I hadn’t seen before – a Win 7 Service Stack Update. I hid it too – but what is it?

Reply | Quote

You need to install the Servicing Stack. It is the update for the Windows Update mechanism.

1 user thanked author for this post.

deanwmn

Reply | Quote

As @PKCano has posted, you NEED the Servicing Stack KB4490628 and the SHA-2 update KB4474419.
These will be required for use with WU insothat WU works as intended in the future.

Windows - commercial by definition and now function...

2 users thanked author for this post.

Morty, deanwmn

Reply | Quote

Just got this from a reader:

I think I mistakenly clicked checked updates and I can’t enable the pause button. Now they want to update to April. I’d prefer to wait until you give the all clear; anything I can do other than keep setting specific times a few days ahead? My restart only has restart with update options.

You’ve mentioned before that clicking to update windows is a bad thing within the current scheme of things so once having done that is there a way to get the pause button back and running without doing the current patch? and will that revert once I do the latest patch? My scheduled update is now set to April 16 but the restarts stills include updates.

1 user thanked author for this post.

dmbyer

Reply | Quote

You should be able to delete all the downloaded update files. See Martin’s explanation:

https://www.ghacks.net/2017/11/16/how-to-delete-downloaded-windows-update-files/

Once deleted, you should be able to reboot and go back to avoiding “Check for updates”!

2 users thanked author for this post.

Elly, Lars220

Reply | Quote

Sharing two more links concerning deleting Windows 10 updates cache que folder, it may be a good idea to just re-name the folder ‘SoftwareDistributionOLD’ as mentioned at the Major Geeks link. A while back I deleted the cache, and it removes your history from the Settings app, but Control Panel Installed Updates still showed some, but not all. Anyway, 2 links may be helpful for others, the intowindows com link has lots of pictures for more hand holding how to, and the Major Geeks link has a video for  more information. HTH

https://www.intowindows.com/how-to-clear-windows-update-cache-in-windows-10/

https://www.majorgeeks.com/content/page/how_to_delete_pending_windows_updates.html

 

1 user thanked author for this post.

Elly

Reply | Quote

I found new retro-numbered “important” 2010 Excel and 2010 Office (32-bit) security patches waiting for me in Windows Update on my Windows 7 rig. Couldn’t find them on this website or in the downloadable Excel file of patches:

Excel 2010 KB4462230

Office 2010 KB4462223

Office 2010 KB4464520

Safe to install?

1 user thanked author for this post.

dmbyer

Reply | Quote

KB4462230 Security Update for Excel 2010
KB4462223 Security Update for Office 2010
KB4464520 Security Update for Office 2010

These are all April updates for Office 2010 released on 4/9. We are on DEFCON-2 for April patching. Hold for a while until DEFCON 3 or above.

2 users thanked author for this post.

AlphaCharlie, woody

Reply | Quote

Thank you, will do.

Reply | Quote

Win 10 1709 64 bit.  Installed April delta update, stable for 3 days.  Blocked KB4346085 Intel microcode and 1809 upgrades.

Reply | Quote

v1709 just went EOL (aka “out of support) on April 9, 2019. you need to upgrade to at least v1803

1 user thanked author for this post.

Microfix

Reply | Quote

Correct – this is the last month of supported 1709.  Next month, we’ll upgrade from 1709 to 1803 by installation from previously obtained 1803 optical media, and then apply May 1803 cumulative update if it appears to be stable.

Reply | Quote

Since I have my Quality Updates deferred for 5 days, I just got the Windows 10 Pro v1803 Updates for April KB4493464, Adobe, and MSRT.

I also checked wushowhide and have re-issue KB4346084 awaiting download.  A seach indicates that this is a Micosoft Microcode Update. It apparently also replaces KB4100347 which I had previously hidden and is now gone.

I’m going to hide this pending more information, but per Born City this now covers: Spectre Variant 2, 3a, 4, and L1TF.

At what point should we take these Microcode updates seriously and install?

Windows 11 Pro v24H2 and Windows 10 Pro x64 v22H2

2 users thanked author for this post.

Bob Blumenfeld, Lars220

Reply | Quote

As yet, there are no exploits in the wild. Personally, I would hold off on the microcode updates

2 users thanked author for this post.

Bob Blumenfeld, Lars220

Reply | Quote

I had hidden KB4100347 after updating from v1709 to v1803 (Home). It was staying hidden up until yesterday (hide/metered connection as per PK instructions). Today, I get a notification that it is ready to install! I’ve stopped it by delaying the restart, but it is already downloaded and shows up as an update in Settings>Windows Update>View Update History. I went to the Control Panel>Programs>…>Installed Updates to see when it was ‘installed’ and there is no date. I assume that is because the restart is what really ‘installs’ it.
Question 1: I notice in the above thread that there is another KB (KB4346084) that replaced it. So why isn’t that one being installed?
Question 2: Should I remove it? If so can I remove it before the restart, or do I have to let it install and then remove it?

Reply | Quote

the KB4346084 update for v1803 is a Catalog only update – only obtainable thru the MS Update Catalog; usually never pushed thru Windows Update

you can just manually download & install KB4346084 on top of KB4100347 as it is not necessary to remove that one. be sure to restart the computer after installing the KB4346084 update

Reply | Quote

Thanks for clarifying my first question about the difference between the two KBs. My 2nd question was whether to remove KB 4100347 and before or after restart? I get the impression
that it should NOT be installed given comments from PKCano and others.

Reply | Quote

EP wrote:

the KB4346084 update for v1803 is a Catalog only update – only obtainable thru the MS Update Catalog; usually never pushed thru Windows Update

Unless I’m the exception, per my post, KB4346084 was in my Windows Update queue to be downloaded. I caught it and it is currently hidden via my wushowhide.

PKCano currently does not recommend installing either of these KB’s. Others who know more than me can chime in, but from what you are saying, it seems you are beyond being able to stop the installation of KB4100347. If it installs, check to see if it can be uninstalled then make your decision. You do not have to seek out or accept KB4346084 regardless.

Windows 11 Pro v24H2 and Windows 10 Pro x64 v22H2

Reply | Quote

Sorry – missed your second paragraph. I was hoping to find out IF I really should be installing either of them at all, and if not, do I have to let the restart finish the install and then remove?

Reply | Quote

Thanks for clarifying. And yes, the KB 4100347 already installed. Things seem to be working fine, but I’ll see if I can remove it using the Control Panel Uninstall, since it is showing up there. Although I’m not really sure why people are objecting to it, maybe that was in another post?

Reply | Quote