December 2021 Patch Tuesday arrives – say goodbye to 2004

Topic

New Reply

It’s that day of the month again when we turn and look (northward in my case, your location may vary) to Redmond and see what Holiday helpings they ar
[See the full post at: December 2021 Patch Tuesday arrives – say goodbye to 2004]

Susan Bradley Patch Lady/Prudent patcher

3 users thanked author for this post.

jburk07, lmacri, abbodi86

Reply | Quote

Replies

AKB 2000003 has been updated for Group B Win7 (ESU) and Win8.1 on Dec 14, 2021.

There is a Security-only Update for those with Win7 ESU subscriptions.
There was no Dec. IE11 CU  for Win7.

December Rollup KB5008244 Download 32-bit or 64-bit for those with Win7 ESU subscriptions.

You must have at least the August 2020 Servicing Stack KB4570673 previously installed to receive these updates).

There is a October 2021 Servicing Stack KB5006749 – Download 32-bit or 64-bit for those with Win7 ESU subscriptions.

There is a revised Licensing Preparation Package KB4575903 dated 7/29/2020 for Win7 ESU subscriptions, if you need it.

There are no new .NET updates listed for Win7. See #2406293

5 users thanked author for this post.

Steve, jburk07, abbodi86, Alex5723, Microfix

Reply | Quote

KB5001969 resulted in OFS 2016 and 2019 being unable to open shared mdb or accdb files this was confirmed by MS yesterday (22/Dec/2021) … the issue I am having is although my 3 2019 licenses were patched via the link below, I have been unable to patch 7 2016 licenses  because they are missing the Update Button on the Account Screen … the Manual Update location only contains the offending KB without the patch

https://support.microsoft.com/en-us/office/error-in-access-when-opening-a-database-on-a-network-file-share-6cbc1560-62c2-46e7-9980-d079a46f5acc

Can anyone offer a link or a way to turn on the update button in OFS Pro 2016 … the windows 10 group policy and or regedit references I found on the web appear to be for a different version of Windows … the missing button may be because these 7 licenses were purchased under a Volume License 5+2 … can’t understand why this should stop updates from being available

Reply | Quote

Updates are only available for click to run, not for machines that get individual updates. Your only option is to remove the office update.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Databases on network share can’t be accessed by multiple users in Office 2016 (KB4484211) (microsoft.com)

My bad, they just released the fixes.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

W10 21H2 kb5008212 installed on test m/c bringing OS build to 19044.1415 No problems reported via event viewer and system SFC all good. O&Oshutup++ remained the same, no re-introduction of config settings required.

Windows - commercial by definition and now function...

3 users thanked author for this post.

deuxbits, jburk07, Alex5723

Reply | Quote

December 2021 Security Updates
Updates this Month
This release consists of security updates for the following products, features and roles.

Apps
ASP.NET Core & Visual Studio
Azure Bot Framework SDK
BizTalk ESB Toolkit
Internet Storage Name Service
Microsoft Defender for IoT
Microsoft Devices
Microsoft Edge (Chromium-based)
Microsoft Local Security Authority Server (lsasrv)
Microsoft Message Queuing
Microsoft Office
Microsoft Office Access
Microsoft Office Excel
Microsoft Office SharePoint
Microsoft PowerShell
Microsoft Windows Codecs Library
Office Developer Platform
Remote Desktop Client
Role: Windows Fax Service
Role: Windows Hyper-V
Visual Studio Code
Visual Studio Code – WSL Extension
Windows Common Log File System Driver
Windows Digital TV Tuner
Windows DirectX
Windows Encrypting File System (EFS)
Windows Event Tracing
Windows Installer
Windows Kernel
Windows Media
Windows Mobile Device Management
Windows NTFS
Windows Print Spooler Components
Windows Remote Access Connection Manager
Windows Storage
Windows Storage Spaces Controller
Windows SymCrypt
Windows TCP/IP
Windows Update Stack

2 users thanked author for this post.

fk5353, Microfix

Reply | Quote

“Windows Print Spooler Components”

Susan translation:  Ugh we have to keep an eye out for side effects again.

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

jburk07

Reply | Quote

Microsoft December 2021 Patch Tuesday fixes 6 zero-days, 67 flaws

Today is Microsoft’s December 2021 Patch Tuesday, and with it comes fixes for six zero-day vulnerabilities and a total of 67 flaws. These updates include a fix for an actively exploited Windows Installer vulnerability used in malware distribution campaigns.

Microsoft has fixed 55 vulnerabilities (not including Microsoft Edge) with today’s update, with seven classified as Critical and 60 as Important.

The number of each type of vulnerability is listed below:

21 Elevation of Privilege Vulnerabilities
26 Remote Code Execution Vulnerabilities
10 Information Disclosure Vulnerabilities
3 Denial of Service Vulnerabilities
7 Spoofing Vulnerabilities..

Reply | Quote

On my dual boot daily driver,

Windows 10
KB5008212 Cumulative Update for Windows 10 Version 21H2 for x64-based Systems

Windows 11
KB5008215 Cumulative Update for Windows 11 for x64-based Systems

Microsoft still hasn’t stopped updating my unsupported Windows 11, and there are no hiccups on either side.

Always create a fresh drive image before making system changes/Windows updates; you may need to start over!

We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.

We were all once "Average Users".

Computer Specs

1 user thanked author for this post.

deuxbits

Reply | Quote

PC #2 updated with no problems so far. Macrium Reflect images made before updating, of course.

I’ll connect up PC #1 in the next day or two and update that.

Reply | Quote

PC #1 updated with no problems.

Also updated my little Lenovo laptop with Windows 10 Home. No problems there so far as well.

Macrium images were made before updating, of course.

1 user thanked author for this post.

deuxbits

Reply | Quote

Updated Win11 on ARM Insider Beta from Build 22000.348 to Build 22000.376
Upgraded x4 Win10 from 21H1 Build 19043.1348 to 21H2 Build 19044.1415
Updated x3 Win8.1 from Nov Rollup KB5007236 to Dec Rollup KB5008244

All up and running with no problems.
See #2406425 for list of Apple/Mac updates

Remaining: one Win7 Home and one Win7 Pro

Reply | Quote

December Office Updates: beware!
Office 2016 kb5002099 causing Access dbase editing issues
Office 2013 kb5002104 MAY also be affected? – unconfirmed –
more info over on:
https://borncity.com/win/2021/12/15/patchday-microsoft-office-dezember-2021-updates-14-12-2021-verursacht-access-probleme/

Windows - commercial by definition and now function...

2 users thanked author for this post.

blackbox, deuxbits

Reply | Quote

2021-12 Cumulative Update for Windows 11 for x64-based Systems (KB5008215)

2021-12 .NET 5.0.13 Security Update for x64 Client (KB5009194)

2021-12 .NET Core 3.1.22 Security Update for x64 Client (KB5009193)

Windows Malicious Software Removal Tool x64 – v5.96 (KB890830)

All installed without incident. Windows 11 Pro now 22000.376

--Joe

Reply | Quote

Windows 10 21H2 pro.

KB890830 Windows Malicious Software Removal Tool x64

KB5008212 Cumulative Update for Windows 10 Version 21H2 for x64-based Systems.

Wonder why KB890830 running service takes up to 20% GPU.

All is well.

Reply | Quote

I’m pending reboot on my 20h2 machine.

 

But, let me get this straight.  MS still hasn’t fully patched the vulnerability in the MSI installer system, CVE-2021-41379?

Reply | Quote

That’s only needed (as I understand it) if you did sideloading deployments.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

So CVE-2021-43890 is supposedly a big deal. Problem is that it appears to just offer a manual patch, which does not help business users. The December 2021 monthly does not seem to address it in any way. Am I just blind and missing something?

Reply | Quote

Will Dormann on Twitter: “Note that as of today’s updates (CVE-2021-43890), the ms-appinstaller: URI has been disabled. https://t.co/tk9KpmHCy8” / Twitter

I’m checking to see if we only need to worry about this if we’ve ‘sideloaded’ apps.  Hang loose while I understand more.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

FYI

1) Side Effects from the CVE-2021-43890 – The ms-appinstaller: URI been disabled have been reported:

Tech Community – The ms-appinstaller protocol has been disabled
———————————————–
https://techcommunity.microsoft.com/t5/msix-deployment/the-ms-appinstaller-protocol-has-been-disabled/m-p/3038361

2) For both my Windows 10 21H2 system, the App Installer (Microsoft Corporation) :

https://www.microsoft.com/en-us/p/app-installer/9nblggh4nns1?activetab=pivot:overviewtab

were updated to Version 1.16.13405.0 (same version as the Microsoft Desktop Installer 1.16 listed in https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43890) on 14 Dec 2021 after manually running “Get Update” in Microsoft Store App.

This happened before I patched both systems with 2021-12 patches to OS Build
19044.1415.

HTH

Cheers

Reply | Quote

My installed version :

Windows 10 Pro 21H2 with Dec. updates.

Reply | Quote

Fixed. https://www.helpnetsecurity.com/2021/12/14/cve-2021-43890/

Reply | Quote

It’s not clear how to “patch” this on our own local machines.  It’s not a patch, it’s an installer file.

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

Alex5723

Reply | Quote

I believe this is one of those “they push it silently via the store” and there’s no “patch”.  Now if you block store updating you’ll need to use the group policy.  Now trying to confirm this independently.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

I think the fix ‘Windows Installer’ is the one fixing CVE-2021-43890

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-43890

..Workarounds

Customers who are unable to install the updates for the Microsoft Desktop Installer can apply the following workarounds to be protected from the vulnerability:..

Reply | Quote

I saw that but it was not clear. So the standalone patch updates the appinstaller.exe which works.

The monthly patch does not immediately patch it after watching the install and reboot on my test machine.

However I noticed my test machine had updated the appinstaller.exe on it’s own when I checked back in a couple of hours. I need to re-test and check the logs to see how fast it does but I believe Susan is correct that it updates itself when the monthly patch is installed.

Reply | Quote

Win 10 21H1 64 bit.  The December CU KB5008212 downloaded and installed by WuMgr OK, and machine is stable for 2 days.

Reply | Quote

I thought I had my pause on longer is my excuse for being hijacked by update. I had just done a thorough clean-up, DISM and all using a fairly robust cleaner. It was after the clean I noticed the ‘update and restart’.   Restore points had been cleaned. Its too late to clone the disk. Click restart and hope.

Update while shutting down seemed on par with normal monthly updates.

When it restarted, it took me a long time to realise the inordinate delay was due to Hello Face not switching on. Windows had the we’re getting things ready screen showing (my guess is a glitch there). Eventually I swapped to PIN and signed in without an issue.

The first task was to check sign-in options. Settings opened and its search box gave me enough focus to type ‘sign’. I saw ‘change the sign in requirements’ and touched it. Nothing happened. I was unable to write anything else in the text box. The settings window would not close. Restart seemed to fix the issue. No other problems experienced so far.

I don’t print from this machine and cannot comment on print spooler.

Group A (but Telemetry disabled Tasks and Registry)
1) Dell Inspiron with Win 11 64 Home permanently in dock due to "sorry spares no longer made".
2) Dell Inspiron with Win 11 64 Home (substantial discount with Pro version available only at full price)

Reply | Quote

Will doing a System Restore in Windows 10 revert your Update Pause status back to what it was on the restore-point date (which in my case was December 9)?  Because today Win10 updated despite the Pause I set a few days ago.

I don’t know if it’s Update related, but after the reboot I had no audio.  When I clicked on the audio icon the system assistant asked if it should look into the no-audio situation for me, and I said OK.  After its initial try at a fix failed, it asked if it could try updating the audio driver.  My thought was, “yeah, sure, then I’ll end up with a generic Windows audio driver instead of the correct Synaptics driver.”  Or worse.  So I thought, “how about we just try a reboot.”

So I rebooted, and the audio did come back.  Sheesh, can’t the assistant suggest a simple reboot for something like this before it wants to try a new driver??  I wonder how many people get led astray from the simple solution, and maybe even end up with a more challenging problem.

Anyway, everything seems OK so far.

Does anyone have any thoughts regarding whether System Restore can undo an Update Pause?

Reply | Quote

I have not looked at Windows Update in a while, but had some time this afternoon to think about updates on this old Thinkpad.

WU offers me the following

1. 2012-12 Cumulative Update for 20H2  KB 5008212
2. 2021-10   Update for 20H2  KB 5005463
3. 2021-09   Update for 20H2  KB 4023057

Should I be surprised to see those last two entries?  Would they be included automatically in the 2012-12 Cumulative Update ?  Any risk to just letting WU run as offered ?

(Of course I will back up to external HD before doing anything.)

Thank you.

Happy Holidays and Good Health to All.

 

Reply | Quote

Read Microsoft docs about what KB4023057 does and decide if you want it.
I have never installed it on my computers.

Read Bleepingcomputer about what KB5005463 does and decide if you want it.
Microsoft docs for KB5005463 say this (I didn’t install it either):

Important By default, when you open the PC Health Check application, it will automatically install important application updates when they become available. PC Health Check users will not be able to turn off automatic updates.

You can uninstall PC Health Check by going to Apps > Apps & Features > App list (Windows PC Health Check) > Uninstall.

1 user thanked author for this post.

AlphaCharlie

Reply | Quote