Details about new cumulative update model for Win7 and 8.1

Topic

New Reply

I don’t like it. You don’t like it. But that’s what we get. From MSFT Field Engineer (and highly regarded former MVP) Paul Bergson. TechNet
[See the full post at: Details about new cumulative update model for Win7 and 8.1]

Reply | Quote

Replies

Looks like just another reason for me to get another computer JUST for use on the internet and keep the one I’m using now completely OFF the internet. At least I will have 1 that will never be monitored or hacked.

Dave

Reply | Quote

Well, if MS manage to make a complete mess of this like they’ve been doing with Windows 10 updates lately I’ll be disconnecting Windows 7 permanently from the Internet.

Same applies if they try sneaking in telemetry or other unwanted patches. I have a dual boot with Linux Mint 17.3 anyway so it’s no big deal for me to keep W7 offline after October.

So, it looks like we’ll be waiting at least a week or two after Patch Tuesday from October onwards to see what happens with these monthly rollups.

And, I’ll be keeping an eye on the monthly Simplix update pack to see if they find a way to incorporate security and important updates only. If not, then, as I’ve said, W7 will stay offline for good.

Reply | Quote

Typically I run a 2-4 weeks behind at home, just like we do in our domain; I let the dust settle on patch Tuesday.

The way I look at this is, we have a new place we have to get the updates from (Update Catalog), and there’s just 1 update. Yes we cannot pick and choose, but by the time I apply updates, the good ones are all that’s left anyway and any bad ones have been pulled or fixed.

Of course this is all likely to change when they start putting in more GWX type stuff but if that happens, I’ll just stay updated to that point. MS has incinerated every shred of trust that I have in them, so there’s nowhere to go from here but ‘up’. If we don’t go ‘up’, I’m comfortable enough staying unpatched and would probably at that point switch over to a full time guest VM of Ubuntu for anything that isn’t Steam/DirectX required and leave my 7 machines like they are with no direct web traffic other than Steam.

Eventually when more games are ported to Ubuntu/SteamOS, I can get rid of Windows completely. The only thing keeping me, really, is DX11.

Reply | Quote

FWIW, I (aka Linus) left Mr Bergson the following comment:
This may make sense huddled over your Surfaces in Redmond, but how does this new Windows-as-a-service/cumulative-update approach do anything but put pre-W10 users at risk of partial or complete bricking of their systems if they can’t delay/uninstall individual KBs if they are proven to cause widespread problems? Seriously, do you guys not monitor the impact your botched updates are having on us your customers/clients/guinea pigs/muppets (delete as appropriate)?
I would expect that those who purchased W7, like me, were hoping they had bought an OS that would remain as safe and stable as possible until the stated contractual end-of-support deadline, however, this new approach is steamrollering us into owning a pseudo-W10 OS. I didn’t want it when it was free during your GWX blitzkreig campaign, and I don’t want it now. Please leave me with the system I bought!!

PS. I’m going to leave the undesired telemetry/spyware/bloatware implications of this to someone else to explain, but I expect you know this already, right?

–A purely cathartic exercise on my part, but what the hey

Reply | Quote

I really have to thank Microsoft for it’s efforts. Windows 10 itself, and the new patching schemes have really motivated me.

I now have a copy of Linus Mint running at home, and over time will be converting three other machines to Linux. At work, I have my first RedHat workstation set up, along with a server that will probably end up as a repo server. Eventually, my whole infrastructure will be changed over.

Without Microsoft, all this would have been in a planning stage yet, with no plans for a permanent changeover.

Reply | Quote

At least they are offering a Security-Only Update. That seems the minimum one can get away with. How often do security updates break Windows 7?
If that isn’t viable, it is dual boot Linux, with Windows offline for me.

Win7 Pro x64, Office 2007. Been with MS all the way from DOS3.

Reply | Quote

I have a question/concern that I haven’t seen addressed. If these cumulative updates include all previous update, won’t they, over time, grow to be large, voracious bandwidth consuming hogs that take a long time to download and install?

This may be a dumb question but could become a major concern with metered connections. And if you’re using the metered connection trick to block updates, will they eventually be forced through or will you remain unpatched forever, thus defeating the entire purpose of the cumulative updates?

Reply | Quote

Just another reason to work out moving from Windows to Mac/Linux

Reply | Quote

Unless your needs require specialized third party software, seems like there has never been a better time to try to get familiar with Linux and/or Chrome OS/Android options. Apple too.
All this may not have been too bad if Microsoft’s updates were reasonably reliable, but as things are its not worth the risk.

Reply | Quote

For me, I will probably download from the Catalog and install the security rollup each month.

But the question arises:
Suppose a security patch (like 3177725) breaks something (like printing) and the only fix is a non-security patch (like KB3187022). I assume the fix will not be offered/available as a stand-alone patch, but will be included in the next rollup.
THEN what do you do?

Since GWX has been over, I have (guiltily) been putting my “technically challenged” clients back on Automatic Windows Updates – basically putting them at the mercy of Microsoft – because they are not capable of handling manual updates much less culling patches. Now, there is no culling to be done, and there is no difference between recommended and important updates for the average User. ONE doesn’t give you many choices, does it?
So maybe I wasn’t so far off base after all.

Reply | Quote

“Since both the security-only update and the monthly rollup will contain the same new security fixes each month they will both also have the same security ratings each month. The customer can choose whichever one they prefer to deploy to stay compliant.”

COMPLIANT = Sit! Stay! Silence!

Reply | Quote

The big question for all of us is whether the risk of installing these blanket/concealed updates will pose a greater or lesser risk than forgoing the security updates altogether and leaving our machines as they are for the next 3 or 4 years? It’s increasingly tempting to have nothing more to do with Windows Updates.

Reply | Quote

+1

Reply | Quote

Fortunately, cumulative updates in Win10 (and likely in Win7 and 8.1) are “push the delta” updates. Only the new stuff gets sent to your PC.

Reply | Quote

Windows security updates frequently break Windows.

Reply | Quote

“Hopefully this information has helped and we encourage you to read all the linked documentation and share it with your staff as you prepare for the upcoming changes.”

Yes, it has helped. It has helped me to decide to begin the process of moving away from Windows and to Linux.

I like the two graphics they put — the “fragmented OS” and the “Fully patched” OS. It’s so nice to know that Microsoft knows better than me which of their patches I need.

A little history: In 2004 there was a Windows patch which broke the accounting program in my company. I blocked that patch, and there were no further problems with our accounting program. Blocking the offending patch was the only option; there was no way to quickly move to another accounting program.

Now that we will be force-fed all-or-nothing patches, I wonder how many companies will have critical programs broken by a Windows rollup patch? And I wonder how many of them will abandon Windows in favor of some other OS?

Mark this date on your calendar: I, Jim, predict that within a couple of years, Microsoft will lose their absolute dominance on the corporate desktop, and it will be because of the force-fed patches.

Ubuntu? Red Hat? Are you listening? Here is your chance to get onto the corporate desktop.

Reply | Quote

I wonder if all 4 of the categories (Security-Only Update, Cumulative Update, .Net Framework Security-Only and .Net Framework Rollup) will appear in Windows Update, or if they will appear only in the MS Catalog. In WU would be nicer, but I doubt MS want to do anything except discourage (read break) Win7/8.1 usage, so they will make informed users work a bit harder.

Time will tell. I have reverted to Never Update on my Win7 game rig and my primary laptop. I will handle updates manually (and check here in advance – Thanks for all you do!) with the MS catalog to preserve my must work PCs and peripherals. The rest (3 laptops, one desktop) are all now Ubuntu Linux 16.04 LTS or it’s derivatives which work with existing printers, NAS and scanners.

Just last night I installed Ubuntu 16.04 LTS for my wife (she hates Windows since Vista) on a refurbished laptop using a new SSD, after updating the OEM Windows 7 Pro-64 on the original spinning HDD. From start to finish the software install (including all updates and setting up the Thunderbird and transferring user profiles) took under an hour.

Reply | Quote

The TechNet article isn’t clear to me on whether there will be one update per month covering all categories or potentially four updates in these categories:
. Security-Only Update
. Cumulative Update
. Net Framework Security-Only Update
. Net Framework Rollup *1
Woody, I guess we will still wait for a Defcon rating on these updates as well? If one or more prove to harm a Win 7 machine, the alternative is to go unpatched? Isn’t that just great.

iPhone 13, 2019 iMac(SSD)

Reply | Quote

I’ve long said it’s the Aching Achilles’ Heel of Windows 10. Microsoft insists on patching Windows 10 like a phone. Ain’t gonna work.

Reply | Quote

> But the question
> arises: Suppose a
> security patch (like
> 3177725) breaks
> something (like
> printing) and the only
> fix is a non-security
> patch (like B3187022).
> I assume the fix will
> not be offered/available
> as a stand-alone patch,
> but will be included in
> the next rollup.
> THEN what do you do?

Just speaking for myself, and YMMV, I’m going to keep on treating updates the same way I have for 15-odd years, namely by making “before” images of my C: drives before making any changes, then apply the updates and look carefully for anything that broke, as well as keeping the ear to the grapevine. If there does turn out to be some screaming need to wish I had never applied the updates I can just restore the “before” image and poof, updates gone. It does seem as if they’re taking away my ability to cherry-pick the updates I want from the ones I don’t. But as for the ability to drop my machines back to their pre-update state, as the old song says, they can’t take that away from me. -Jim

Reply | Quote

The result of this for most common folk who are not corporate or IT people will be that Windows Update gets turned off and never used. All things considered, that may not be so bad.

I expect that for most of my clients, the September Windows Update will be their last.

The bottom line for most people who think about it, is that this is more pain than they want to contemplate. Essentially, it means ceding your data and hardware investment over to MS, and its “partners.”

That is more of a threat than most of the bad stuff on the web, which most people believe they are well protected from by their antivirus software — even though they may not be.

Doing a Windows Update will mean an uncertain future every month. Who knows what won’t work afterwards? When it will get fixed and even whether it gets fixed?

We bought computers with software (OS) that we could control and keep private. That was the “contract” so to speak. In effect, MS has unilaterally changed the contract to — we will change your OS in ways we deem to suit our and your needs, and will not cede any control over this to you.

It is the unilaterally changing the contract that has so many people so angry.

There is huge opportunity out there for someone to offer an alternative.

CT

Reply | Quote

Yep, that’s my intent. I have no idea how this will really shake out.

Reply | Quote

So if i choose ‘never check for updates’ , have a decent AV , Malwarebytes Pro , a two-way firewall , WOT , and updated browser etc , and think before I ‘Click’ , I would be pretty safe for the next couple of years , right ?

Reply | Quote

Security-Only will be available only through MU Catalog
it’s state clearly in this article and the annoucement before

Reply | Quote

1 update for each category
Cumulative Update + Net Framework Rollup -> WU, WSUS, Catalog
Security-Only Update + Net Framework Security-Only Update -> Catalog

Reply | Quote

If you find that a cumulative update broke your machine, and you then restore your last image, that will be the point in time you will need to stop doing updates, in order to not get broken each time.

Reply | Quote

Yeah, I agree with Seff, at this point, and with M$’s track record of ‘pointless’ updates that don’t work right, the one that screwed up printers being a prime example, It’s getting to be the point in time where we HAVE to rely on av and firewalls instead of M$’s patches, because it’s only a matter of time till they put a borked patch in the ‘rollup’ that results in bricked computers, all because we have no ‘choice’ which patches in the ‘rollup’ we want or don’t want, which will result in those with bricked computers having to wait till M$ gets around to fixing it… Oh wait, what am I saying, it’s impossible to fix a bricked laptop, well it is possible, but you’d have to replace the hard drive & start all over, for businesses that’s a major blow, and even then, there’s no guarantee that the new hard drive will not install the ‘borked rollup’ patch when first starting up…

Reply | Quote

Nope, the IE cumulative security patches would have to be applied, supposedly.

Reply | Quote

You’d think they would have learned from the ‘win8/8.1 our computers are not smartphones/touchscreen phones’ debacle.

Reply | Quote

@PKCano Don’t feel guilty, you have done the right thing for your clients given the practical conditions. If they are not able to select among patches, then they are exactly the target audience for Microsoft’s new approach started with Windows 10 and very likely not to realise even when minor problems like the one related to printing arise. Let’s not forget that the recent printing issue affects a very limited number of users in very specific conditions and it is extremely likely that the developers of the affected software missed the fine print in using Microsoft’s prescribed practices. Like Intel reluctantly admitting that their Bluetooth driver was not written according to the specification and now fixing it.
This leaves the end users with 2 choices:
1. Staying unpatched – how risky it really is for regular users in the short term? Woody says that there is no urgency to patch July and August until further details are made available and I completely agree (this is for end-users).
2. Patching while taking a reasonable risk that either Microsoft or another company has developed buggy software. In general people affected by the last are those who know what to do (although still wasting time which ideally should not be required) and are users of more evolved software. Most of the people in this category are aware of delaying patch installation techniques.

Reply | Quote

Woody, I think this was the main problem with Windows 8 and higher. Treating desktops like phones. I still don’t see Windows 7 in the same class with roll-ups or without and it will not be, unless a “Feature Pack” completely changes Windows 7. My prediction is that soon we will see the Convenience Update https://support.microsoft.com/en-au/kb/3125574 on Windows Update.

Reply | Quote

Easy solution — Google Chrome

CT

Reply | Quote

+1!

I have had separate Internet and off-web desktop computers for over twenty years, so it’s not a big leap **conceptually** to convert the Internet to as a specialized machine running Linux. Just a lot of unnecessary work.

I am so retro that I think MS Office 2003 was the best version (for getting work done with minimum distraction) and that everything since has been bells and whistles, if that. Even some of my relatives differ on that.

I’ll try the Update Catalog for the security updates first, to see if I can make that work. Woody: We need your detailed advice on this as the situation evolves. I note that Bergson said nothing new on how it would be accessed or who could access it.

I was struck by the 98% similarity between the reasons offered by Bergson for the rollup and the reasoning offered by our colleague @ch100. Which should not be surprising in that the latter has expressed his enthusiasm for the rollup approach.

Reply | Quote

I actually believe that several investment analysts have been floating the idea that Apple should consider opening up OSX through licensing the OS to system builders. I also suspect there is concern about Windows at Intel as they are licensing the IP to produce ARM based chips. In many ways, the signs are suggesting that MS’s, our way or the highway, approach is stressing out the old Windows ecosystem. MS has become a “hedge fund” stock and Nadella is doing anything needed to keep the balls in the air.

Reply | Quote

well it is as i,and one or two others in here, have feared one bad update and thats it “game over.” I am sitting here with my laptop at my side downloading another huge windows 10 1607 update (kb3176938) which made me laugh as he mentions sites with limited bandwidth right at the end well i make that about 3/4gb in updates for the 1607 update this month. so when ever those systems ever get good bandwidth or get back to civilisation they are going to be mightly busy (as we do deploy to remote locations this may mean using courier services with USBs or DVDs should the need arise) so much for progress. luckily we havent any short to medium term plans to deploy 1607 out there yet. on a lighter note i loved the web page it really has ramped up the “fear factor” for those of us who subscribe to conspiracy theories, i immediatly saw the diagram and thought “oh oh heavily redacted!” the truth is out there and all that nonsense. or another school of thought “nice picture shame about the message” or even “look at the image ignore the important stuff” but my own favourite is Paul is pining for the days when he used to watch the old style defrag do its thing on windoze 9x. dark days ahead i fear.

Reply | Quote

Did I miss something? As far as I can tell, none of the MS articles on the subject address the question, what happens if I miss one or more months of security-only updates from the catalog? Can you skip months and then resume leaving a gap, or will you first have to go back and install security-only updates for the missed months?

Gaps would mean MS fails to reach the stated goal of eliminating patch fragmentation. Forced updates mean that I might have to accept something obnoxious (telemetry, gwx, …) that they push out in a security-only update if I want future security updates.

Reply | Quote

Approximately six hundred and fifty million users (46% on W7 and 15% on W8) will be affected by this change. Not all are aware of it and not all care about it. However, those who have chosen to use the ancient, poorly maintained MS Update Catalog site and not Windows Update for their patch Tuesday fix, may not be happy with the quality of service after October 2016. MS has probably not anticipated or planned for any significant increase in traffic and service requests for that site, so who knows what they will do if it grinds to a halt.

Reply | Quote

It’s an excellent question – and another one with no answers!

Reply | Quote

It may well be rolled into a “non-security” cumulative update.

Reply | Quote

I thank Paul Bergson for his detailed explanation of what MS is planning to do.

I have been with MS through dozens of computers from the early PC with twin 5 1/4″ floppies through Win 7. One of my computers (Win 7 Ult 64 bit) updated itself to WX (no action on my part except allowing WU to work) which messed up the log in and gave me multiple BSODs over several weeks. I decided the Win 7 Ult, but Win 7 refused to boot. After many attempts, I swapped the HD for a new V-NAND SSD and loaded Win 7 Ult from scratch. This literally took a week to finish the updates. I my registry set up on all the computers to not allow WX in again.

Needless to say, at this point I, like so many other posters, have lost all (100+%) trust in MS. Since I will need to move to a new OS in the next few years, it is going to be Linux or the Mac OS. I have not decided which, however I can say with certainty, it will NOT be a MS OS. Microsoft has obliterated my 35 year long PC loyalty.

Reply | Quote

Another thought just occurred to me. The only reason I would stop using Windows 7 come January 2020 would be that there would be no more security updates.

If I opt to ignore all future security updates, Jan 2020 becomes a meaningless date. At that point, the only thing that would force me to give it up would be issues around machine longevity.

CT

Reply | Quote

Security-only updates are not cumulative, you need each month’s update, unless it’s superseded later

https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/#comment-11955

Reply | Quote

Yes, but ie is needed to even access the internet.

Reply | Quote

That doesn’t answer my question.

It’s clear that each monthly security-only update will contain patches for that month only. What isn’t clear is what happens if you skip one or more months. Will you be able to resume with a gap, or not?

Reply | Quote

Unlikely, but we won’t know for sure unless Microsoft says something — and right now, they’re full of theory, very short on hard details.

Reply | Quote

Cool. Thanks Woody.

Reply | Quote

> If you find that a cumulative update broke your machine,
> and you then restore your last image, that will be the
> point in time you will need to stop doing updates, in
> order to not get broken each time.

You’re right, that may be the way this all works out. But there are some mighty smart people out there and I don’t at all think it’s unrealistic to hope that one of these will find a way to unpack the monthly rollups so we can have our update cherry-picking back.

Just to tempt the devil, though, I’ve still got an XP box running. It has the RyanVM homebuilt “XP SP4” rollup. It has the registry hack that causes it to report itself to MS Update as XP Embedded for point of sale systems, which is still supported. It has up-to-date AV, intrusion protection, ad blocker and firewall, all of which you can still get for XP. It gets frequent manual scans by Malwarebytes for a second opinion. Firefox has the NoScript and HTTPSeverywhere plugins. The whole box runs behind a NAT router. Network traffic gets inspected regularly using Wireshark to see if there’s any conversation going on that I don’t recognize. Etc. etc.

I remember very well when official XP support was about to run out in April of 2014 and Redmond was saying “Don’t dare run XP after this date, the damage will be instant and terrible!” Well, um, nope. If there’s really bad aliens out there who want to do terrible damage to my XP honeypot they better get a move on. It’s way too late for “instant.”

The moral I take from this is, updates or no updates, they’ll take my Win7 when they pry it from my cold dead fingers.

Reply | Quote

Heh heh heh. That’s the American way, dammit!

Reply | Quote

Seems more folks considering Linux to escape the M$FT spying and update-torture chambers.

Here’s a couple of worthwhile articles.

Ubuntu ‘Spyware’ Will Be Disabled In Ubuntu 16.04 LTS Controversial feature scaled back to help boost Ubuntu’s privacy credentials

“Boiling over since 2012, the open-source community was quick to express concerns about user privacy in the wake of Ubuntu Amazon integration. Concerns continued with the rollout of the comprehensive ‘Smart Scopes Service’ a year later.

The furore was so big it led free software stalwart Richard Stallman to call Ubuntu ‘spyware’.

The Electronic Frontier Foundation also shared its concerns in a series of blog posts and suggested that Canonical make the feature opt-in. Privacy International went further than most by awarding Ubuntu’s makers a ‘Big Brother award‘ for work on, quote: “invading personal privacy”.

http://www.omgubuntu.co.uk/2016/01/ubuntu-online-search-feature-disabled-16-04

=============================================

The Ubuntu Conspiracy

” recent rumor has sparked waves of fear and outrage throughout the Linux community. The word is that Microsoft is in secret negotiations to purchase Canonical, the Ubuntu company.”

“…Microsoft makes more money from Android today than it does from Windows. It gets an average of $15 in license fees for each Android device sold, thanks to its portfolio of software patents.”

https://www.linuxjournal.com/content/ubuntu-conspiracy

“A citizenry that is aware of always being watched quickly becomes a compliant and fearful one” Glenn Greenwald in his book ‘No place to Hide.’

Reply | Quote

I stand in admiration of your achievement but have no desire to attempt to climb the learning curve that I would need to climb to duplicate it. I too have an XP machine, completely off-web, assigned to run a scanner.

Reply | Quote

Hi Woody,

Just wanted to get clarification, this doesn’t start until the October updates, is that correct?

After you give the okay to install the August patches, will September work the same way with individual patches offered?

To address the long scan times for updates, I have just been using the method of manually downloading/installing the monthly kernal whatchamacallit update each month that seems to fix that slow scan, high CPU issue. In theory, if individual patches are still going to be offered for September, should that usual update/fix be offered for September?

Thanks, Woody!

Reply | Quote

That’s correct, the big change is coming in October. But it has ramifications now – our future is murky indeed.

Very likely September will be a rerun of August – but we won’t know until Patch Tuesday.

Reply | Quote

Nathan Mercer’s reply to my query indicates that you’ll be able to skip months:

https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/#comment-12155

Reply | Quote

Yeah, I’ve been trying to read between the lines on that one. Good question. I’m not quite sure of the answer.

Reply | Quote

What worries me is the size of these rollups, if what Mr Bergson says is true, that each rollup will contain everything from the previous rollups in it.
“Each month’s rollup will supersede the previous month’s rollup, so there will always be only one update required for your Windows PCs to get current”
This could very quickly blow out into a gigabyte update every month (similar to the Windows 10 Updates), making life for home users (and anyone on a metered connection) very difficult.

Reply | Quote

“This could very quickly blow out into a gigabyte update every month (similar to the Windows 10 Updates), making life for home users (and anyone on a metered connection) very difficult.”

Not if you use Windows Update which installs based on the Express method (using “delta” updates).

Reply | Quote

I was just read Woody’s Infoworld article on the decline (I’m tempted to say ‘demise’ of Microsoft browsers) and wouldn’t be surprised if this new one-size-fits-all update policy is going to cause Microsoft stock to plummet especially if it can be shown that the first rollup contains a large batch of telemetry updates.

Microsoft may well run roughshod over consumers without a too much hue and cry, but businesses aren’t going to be dictated to so easily especially if an update causes company wide crashes and uninstalling it puts a business at risk by introducing security vulnerabilities.

Let’s hope the security-only rollups remain that way and won’t contain a mix of other dubious patches which nobody except Microsoft wants you to have.

Reply | Quote

Here, here. Detailed post on this topic coming up momentarily, on InfoWorld.

Reply | Quote

I find it absolutely hilarious how M$ thinks our ‘fragmented’ hard disk drives are the result of us missing patches… No M$ it’s not cause we are missing patches, it’s because those patches we skip, either don’t work, are useless, or are so freaking buggy an e-flyswatter won’t even work.

Seriously, M$ needs a wake-up call. I see why people are going to linux & Mac, it’s because M$ is getting senile, that or demented.

Reply | Quote

Excellent timing. I just posted this:

http://www.infoworld.com/article/3115766/microsoft-windows/blame-microsoft-not-users-for-fragmented-patching-in-windows-7-and-81.html

“So go ahead, Microsoft, bring on the new world of Win7 and 8.1 cumulative updates. But don’t blame it on fragmentation. Don’t blame it on folks who were trying to protect themselves from the likes of Get Windows 10 and the Diagnostic and Telemetry tracking service.”

Reply | Quote

Okey-doke. Will you or someone be able to post to direct link to the monthly kernal update that seems to take care of the high CPU lengthy checking for updates issue for many of us? (I can’t remember the name of the poster who usually does that.)

And I guess sometime before the October change happens (after September patches are given the all clear by you to install), it would be good to switch from “check for updates but let me choose what to install” to “never check for updates”?

Thanks again!

Reply | Quote

I’ll have all those instructions and much more when I post the MS-DEFCON 3 notes. Should be this weekend.

Reply | Quote

Very well done Woody. But in all honesty, if M$ keeps this up, we may have to go with the ‘Avoid all updates’ path. Sure we would be ‘vulnerable’ but then again, with decent av and firewall that is kept up to date, along with a little ol’ common sense, the updates M$ throws at us can, pardon the language, go rot in heck.

I mean sure, keeping IE patched is all well and good, but come on, a majority of the intrusions these days are gotten from hacked websites, which nowadays most browsers detect problems with sites, like say a site gets hijacked, the browser stops the page from loading or blocks the user from going to the site. And if that fails, if the av, is set right, which doesn’t take rocket science to do, would block anything coming from the site.

Besides, in this day and age, most people using the internet have an av, firewall, as well as a malware detector, in short, most people have their computers locked down like fort knox when it comes to letting stuff through.

Reply | Quote

Excellent article Woody.

I must admit I’m rather amused by the term “Net Framework reliability updates”. After all, Microsoft still maintains the Microsoft .NET Framework Repair Tool with the description: “This tool detects and tries to fix some frequently occurring issues with the setup of Microsoft .NET Framework or with updates to the Microsoft .NET Framework.” https://www.microsoft.com/en-gb/download/details.aspx?id=30135

Wot? Frequently occurring issues? Why are they occurring frequently? They shouldn’t be occurring at all I would have thought. And will we still need the repair tool after installing a Net Framework reliability update I wonder.

I really don’t like Microsoft’s patronizing attitude. I paid for an OS software licence as part of the deal when I bought my laptop. I expect Microsoft to stick to their side of the bargain by providing security patches to address vulnerabilities which arise, but I don’t want to have to install software to introduce ‘new features’. What new features? What do they do? What do they look like? Where can I find information about them so that I can decide whether to install them or not?

It’s my equipment and I decide what gets installed on it, not the arrogant little cretins in Redmond.

Reply | Quote

@ Frahaleah,

The only problem there is that the browser won’t block the user from going to a compromised site if the digital certificate has been revoked, but the user hasn’t installed the update which includes the revocation. Here’s a typical example: https://nakedsecurity.sophos.com/2013/01/04/turkish-certificate-authority-screwup-leads-to-attempted-google-impersonation/

Theoretically, this would fall under the heading of a security update which we can install instead of the full rollup, but you never know with Microsoft.

As a precaution, I’d advise you to switch to either Firefox or Google Chrome rather than sticking with IE.

Reply | Quote

Wow. When someone with the expertise, longstanding Windows-related career, and optimistic attitude that Woody has
signals agreement with a statement like that, it’s confirmation that we are in a new, sad, dark era.

Reply | Quote

Don’t worry, I use Chrome. That was my fault, when I meant browsers blocking bad sites, I was referring to chrome and similar browsers, not IE.

Reply | Quote

For the last few months, the image that I have seen in my mind’s eye of the near-term future for us Windows 7/8 folks
is akin to the situation that the residents of Cuba have had with their ‘antique’ American cars they acquired in the time period prior to the US embargo — still running them decades later as best as they could, fashioning unorthodox fixes/parts for them out of creativity and desperation.

—–
Way less knowledgeable than many participants here, I have already reached the limits of my ability and of my interest for tinkering with this computer %$*&^# (malarkey).

There is no less-than-really-difficult, less-than-quite-expensive, less-than-awfully-time-consuming alternative path that I can go down now for my personal computing/paperwork files/working setup/routine. I am just so aggrieved by all this.

For those of us who have been dragged into handling this nasty situation only for ourselves and our families, it’s hard because many of us don’t have the technical background, the ready funds, or the free time to make sudden changes to our computer setup/routine/equipment.

On the wider scale, I can’t imagine what it must be like for decent, diligent, clear-minded IT professionals who manage organizations’ computer networks, whose jobs, budgets, reputations, etc. are on the line over this crazy stuff that couldn’t have been foreseen, can’t be ignored, and doesn’t have an easy solution.

It’s not like MS is offering a future that is terribly unpleasant and not what anyone would wish for, but is AT LEAST SECURE and CAN BE COUNTED ON: the future they are consigning everyone to seems to be risky, untested, littered with pitfalls (even if you do everything they want you to do).

They are destabilizing everyone, changing the ‘contracts’ they have agreed to, forcing us to make big changes (no matter if you have chosen to fight them or to acquiece/comply) at an unexpected time.

As Noel (Carboni, I presume) wrote on the discussion Woody linked to in his blogpost, “It’s surprisingly difficult to leave behind an entire lifetime of trusting Microsoft to take care of you… but think critically, folks. These are not the same people.”
What a shame.

Reply | Quote

@Michael,
the way I understand it, when one connects one’s computer to the Windows Update service, Microsoft will be able to see what your computer has and doesn’t have, and they will only install the missing stuff at that time.

The stuff your computer doesn’t yet have is what people here are calling the “delta” stuff. The word “delta” has several complex meanings – https://en.wikipedia.org/wiki/Delta – but it appears that in I.T. terms, it can be thought of in this situation as “change” or “difference” — they will only install from the huge monthly rollup the little sections of that rollup that your particular computer is not yet up-to-date with… any changes or differences that the Microsoft server sees that your computer is out-of-step/out-of-date on.

Reply | Quote

I don’t often muse about computery topics because I’m not very interested (though I’m respectful and grateful for the technology, and I can see why other people find it compelling and fascinating),

but this incredible, unpredicted, unprecedented, accelerating destruction

of a brand,
of customer trust,
of people’s and organizations’ countless investments and plans,
of a string of operating systems,
of what is almost a life “given” — a basic, fundamental technology and infrastructure for the business world, academia, government, personal lives (so much so that it’s really a kind of “utility” like electricity, water, gas, sewage, or a required pillar for our “way of life” like fire department, police, ambulance, hospital emergency treatment, etc.)

leads me to contemplate how really awesome, mindboggling and fantastic Microsoft’s accomplishments up to the present time have been. How they were able to change so much of our world, create terms and concepts and pathways of thinking and ways of working that billions of people adopted… How they kept everything straight as well as they did, how they coped with the complexity and mountains of data and millions of small things they had to manage… coming from so little a few decades ago, just 2 young guys in a garage (I think it was) — well, how brilliant was that.

I appreciate all they’ve done up to now, they certainly helped my life in many ways.

I wish they weren’t imploding now, and screwing around so much with my time, hardware/software investment, future, etc., but I did want to take a step back and salute the ones who constructed such an elaborate, beautiful technological structure/system, who seemed to be doing it with relatively good intentions and a modicum of responsibility.

Reply | Quote

I say this because of this claim:
“Over time, Windows will also proactively add patches to the Monthly Rollup that have been released in the past. Our goal is eventually to include all of the patches we have shipped in the past since the last baseline, so that the Monthly Rollup becomes fully cumulative and you need only to install the latest single rollup to be up to date.”
https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/

Now the 1 million dollar question is: what determines the baseline? Is it the latest Service Pack, the latest Convenience Update or what else?

Reply | Quote

Sorry to disagree with Chrome. It may be an easy and convenient to use browser, but this is exactly due to it being less secure than any other browser.
There is a good reason why Firefox ESR with few add-ons is the baseline for TOR browser.

Reply | Quote

I could not agree more. I posit that M$ should not be legally able to use this basic human utility as a means towards improving profits and strategic position, in a way that is totally self-controlled by M$, regardless of the implications on world-wide society.

CT

Reply | Quote

New and useful features:

KB2852386 – Disk Cleanup Wizard addon lets users delete outdated Windows updates on Windows 7 SP1 or Windows Server 2008 R2 SP1

These 3 are somehow related (first is pre-requisite to the other 2):
KB2574819 – An update is available that adds support for DTLS in Windows 7 SP1 and Windows Server 2008 R2 SP1
KB2592687 – Remote Desktop Protocol (RDP) 8.0 update for Windows 7 and Windows Server 2008 R2
KB2830477 – Remote Desktop Connection 8.1 client update

KB2901907 – .NET Framework 4.5.2

Reply | Quote

I don’t think they are imploding. They are going through a major transition with inherent hiccups. Windows Desktop OS as we know it may be imploding, but there is more to Microsoft than Windows 3.1/95/98/Me/2000/XP/7/8/8.1/10.
They recently released SQL Server 2016 which has a buggy setup due to another Microsoft component which is buggy, i.e. Visual C++ Runtime 2013. They keep releasing dynamic updates for the SQL Server 2016 Setup to fix it. Most recent was on 31/08/2016. You don’t hear much about it. Same thing with Exchange 2013 which was buggy from the very beginning, 3 years ago, causing a lot of trouble in Enterprises until it was incrementally fixed. You don’t hear much about this either. Their UAG acquisition was a failure and subsequently discontinued. A good product in the series, Microsoft TMG (formerly ISA Server) was discontinued as it did not bring enough revenue. This fact alone causes issues in Enterprise as it was widely implemented when it was in fashion.
Has Microsoft stopped selling to large Enterprises due to those failures?
I suspect that Windows Desktop OS is more or less neglected/not prioritised internally at Microsoft for the same very reason and may eventually get discontinued if it will not prove profitable any longer.
Times are changing…

Reply | Quote

It does now, but we still don’t have the full detail. What are the odds there won’t be an “anniversary”-like mega update to get everyone onto a single baseline? Until we see the new regime in action, we can’t be sure what we’ll be presented with.
And if Windows Update DOES check what your computer does and doesn’t have, how will that improve the checking/patching time from the old method?
I wait to be surprised, but my home computer will be set to no updates for a while after September until it becomes clear what we are facing.

Reply | Quote

Hi Woody,

Is now a good time to remind EVERYONE to create/maintain System Images prior to the October Update Big Bang.

MS History tells us that NO major new change rolls out smoothly. Ok – many will just switch off WU, but for those who don’t what will happen if? should? when? their system implodes?

If planning for a clean install, keep a list of all your current installed updates & download them now via MS Catalogue. That’s if you don’t know how to take control and copy the Cat/MuM files from WindowsServicingPackages

Be quick – I notice some of the earlier SP1 pre-requisite Updates have disappeared from MS Catalogue, so future clean installs may be difficult. My advice – Daily System Images.

Thanks Woody for your continuing support

Reply | Quote

Good advice, as always!

Reply | Quote

You may be correct in regards to the catch-up mega-update, before reverting to the deltas.
The improvement from the old method is supposed to happen because there will be no supersedence of patches to be calculated (after the full catch-up).
Right now, there is no reason other than a broken system for those who are fully patched (and I mean it literally, everything except for Drivers updates and Language Packs) to experience more than 5-10 minutes for a scan, depending on the CPU performance of the PC and less important, the network performance.
Most people who experience scanning delays have systems who are not fully patched for various reasons and in such a case the results are difficult to predict. I am only replying to your question here, not discussing if the new method serves an alternative hidden purpose, which seems to be suggested by a large number of those posting here.

Reply | Quote

It is correct, by “delta” in this case, the meaning is the difference between what exists and what is available. It can be named “differential” update, as this term has a well-known meaning when it is related to backup procedures. In fact not all updates are designed to provide deltas and sometimes when the procedure is not reliable, the updates are designed to fall back to full install of the update. This was common few years ago with Office Updates, I don’t know if still happens because I haven’t noticed this behaviour recently.

Reply | Quote

For Windows 7, that’s likely to be SP1 I would imagine.

For 8.1, probably KB2919355 a.k.a. Windows 8.1 Update.

And “all of the patches we have shipped in the past” is obviously going to include all the telemetry updates. So both OS’s are beginning to look like Windows 10 in all but name.

I shall just download the security-only update every month after Woody has dissected it and recommended whatever he thinks is appropriate.

Reply | Quote

Hi,

Here is Nathan Mercer reply:

August 26, 2016 at 8:37 am

“for Windows 7, once the Monthly Rollup goes cumulative, the baseline will be SP1”

and from me – I notice that the timescale to cumulatively apply ALL updates back to this baseline is now 6 to 7 months as per Paul Bergson, and not the “within a year” earlier quote from Nathan.

Reply | Quote

Re: ch100

https://www.askwoody.com/2016/details-about-new-cumulative-update-model-for-win7-and-8-1/comment-page-2/#comment-97325

“I suspect that Windows Desktop OS is more or less neglected/not prioritised internally at Microsoft for the same very reason and may eventually get discontinued if it will not prove profitable any longer.
Times are changing…”

Windows doesn’t pay them enough anymore. They’ve got their money upfront from Win7/8/8.1 buyers. Now they’re weaseling out of their support commitments.

Reply | Quote

But I’m running Win 8.1

Disk Cleanup Wizard has been around since Win XP days though. Just type: CLEANMGR in the Run command and it’ll popup straight away. No need for additional software.

I’m still running NET Framework 4.5 and haven’t come across any issues which would be solved by upgrading to 4.6.1 or 2.

Reply | Quote

We do indeed live in turbulent times.

But France has taken the first steps to bring about a change in Microsoft’s unilateral behaviour concerning data collection without user permission. I’m deadly curious to see what the outcome of that is going to be come October: https://www.theguardian.com/technology/2016/jul/20/france-microsoft-user-data-collection-privacy

Reply | Quote

He either mis-understood your query is he’s mistaken
if a Security-only for certain month is not superseded, you can’t skip it

Reply | Quote

It would appear that you can according to a later post on September 6, quote: “Security-only are just that months patches, not prior months like Monthly rollup”. You can read it here: https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/#comment-12575

So I assume that if you skipped a month or two, you’d just be missing out on that month’s upates. Presumably those will remain available for download from the MUC site should you wish to install them at a later date.

Reply | Quote

That’s what it looks like… but it makes me wonder about precedence.

Reply | Quote

What @aboddi86 says is that you can’t skip it not in the literal sense, you can actually skip it, but you would not be protected from the security hole which that security update which was skipped is trying to protect you.

Reply | Quote

@poohsticks:

Thank you for all of the very knowledgeable comments you have made. I wonder how many of us realize that the regular user (not networked, etc). will not have the ability to use WSUS as the IT people can. Therefore we have no choice but to opt for Group A, which I detest doing.

I’ve read and re-read so much information, and this is the conclusion I have reached. If I must bite the bullet I start immediately to work on the hidden updates. I can’t waste anymore time trying to make sense out of it all.

Thank you once again for everything you have shared with us all.

Reply | Quote

As far as I could make out what he was saying in his Q&A, Mercer appeared to say a bit about precedence —
He wrote that the new rollup system will not serve a computer any patch in a rollup that requires a pre-req, but instead the rollup will skip that patch and just install the other patches the rollup contains that the computer is fully ready for.
He said that customers should read the written documentation that will come with each rollup to see if their computer has all the pre-reqs the rollup would require to give it its full whack of patches.

My interpretation is that people choosing to use one or both of the two non-cumulative rollups each month, the 2nd Tuesday non-cumulative security rollup and/or the 3rd Tuesday non-cumulative non-security rollup, will be allowed to skip various months as they see fit,
but, over time, as more and more patches start to have pre-reqs and to have have new versions issued, the new rollups will contain more and more updates that they won’t be able to apply to a computer that has only sporadically received non-cumulative rollups in prior months.
And in order to get those pre-reqs installed on the computer, the customer will have to go back and install one or more prior months’ rollups (if the previous non-cumulative monthly rollups will remain available to be installed separately in the future) or perhaps the customer will not have a choice of installing prior months’ standalone rollups and will be forced to install the current cumulative Monthly Rollup in order to grab a pre-req that their computer needs (if Microsoft wants to make life extra hard for Group B followers, and that does seem to be one of their top goals).
=Fragmentation City.

Reply | Quote

I see that there’s now a different type of update which will be released on the 3rd Tuesday of every month and will be known as the Monthly Rollup Preview.

It’s mentioned in a question to Nathan Mercer by a user called Old Dog here: https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/#comment-12285

I can’t quite imagine how that will work. I mean surely M$ will publish details somewhere concerning what a Rollup is going to contain so why would users have to install a Preview in order to get that same info?

Reply | Quote

My understanding of it after delving into it a little deeper is that the 3rd Tuesday update is just a preview of the forthcoming monthly rollup containing both security and non-security i.e. reliability updates.

Whether you would need to uninstall it afterwards is as clear as mud at the moment.

All we do know is that the monthly full blown rollups are cumulative. So if the user skips one or two months rollups because he’s not experiencing any issues the non-security patches address, he’ll still get them anyway at a later date.

This is the Windows 10 module in all but name. Microsoft is forcing users to swallow everything they dish out in order to get just the one patch that they need to fix a problem.

Reply | Quote

@ Frahaleah,

I don’t understand why you think you need IE to access the Internet?

I haven’t used it this year yet even and I’m the Web every day of the week. Firefox delivers everything I need in a browser and there are a myriad of free extensions to add to your piece of mind: https://www.mozilla.org/en-GB/firefox/desktop/trust/

Extensions can be found here: https://addons.mozilla.org/en-US/firefox/

Firefox doesn’t support Microsoft’s ActiveX controls which are a major attack vector making it an extremely safe browser to use.

Firefox also has its own support forum at: https://support.mozilla.org/en-US/products/firefox

The browser also supports other devices such as iOS and Android: https://support.mozilla.org/en-US/

What more could you want?

Reply | Quote

@ ch100,

Well there’s one good piece of news on the horizon as far as ‘new features’ are concerned. Neither Window 7 or 8.1 will be getting any according to Nathan Mercer.

The question was posed by a user called Marc St-Georges: https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/#comment-10835

Reply | Quote

@ Anonymous,

We’ll have to wait and see if Microsoft sneeks a non-security patch into the mix which enables Windows update to employ the torrent model like Windows 10 does. That uses your spare upload bandwith to provide WU patches on your machine to other users located close to you.

Reply | Quote

> Whether you would need to uninstall it afterwards is as clear as mud at the moment.

Yep. That’s precisely the problem.

Reply | Quote

I think this was expected because Windows 7 is in the Extended Support phase. However, you could count .NET Framework 4.6.1 as a new feature and it is possible that you may see .NET Framework 4.6.2 pushed on Windows Update at some stage.
I actually did a test in a VM with Windows 7 Pro SP1 64-bit, where I installed only the patches until the official end of mainstream support, which was January 13, 2015. The last major feature until that date was .NET Framework 4.5.2 released on Windows Update on January 14, 2015, Australian Eastern Time, the timing is debatable as it may have been 1 day before in US, which is January 13, 2015.

The servicing stack patch KB3020369 which is a hugely important patch was released in April 2015 and IE11 was made mandatory later, although it was originally released in 2014.
This is an inconsistent approach with the timeline published for Windows 7 support, so you may always expect few changes at any time.

Reply | Quote

Which means I should be offered a job with Microsoft I am actually comfortable where I am and I don’t need it, although it is within reach.

Reply | Quote

“MS History tells us that NO major new change rolls out smoothly”

Only look at how easy ride is implementing Windows 10, which otherwise is not so bad, if they filter out the major annoyances of which we are all aware.

Reply | Quote

@Xircal I think you are missing few details, discussing only about Windows 7.
– Disk Cleanup Wizard was available before, but the cleanup functionality for Windows Update which is the one of interest to us was not available until KB2852386 in Windows 7. That one alone is extremely useful and I realised it only after reading a post here few months ago and testing. Windows 8.1 has a disk cleanup task although somehow incomplete and light (but good enough) as a scheduled task during maintenance, so this may not affect you. As a side note, the full functionality for disk cleanup in Windows 8.1 is achieved by running dism.exe from the command line.
– The .NET Framework version required for an application is the one set by the developer when writing the application and has nothing to do with the end-user. There are not many applications yet being locked down to .NET Framework 4.6.x, but this will happen eventually.

Reply | Quote

This looks more like a religion – do not use IE, do not use Flash, do not use Java. While none of them should be preferred in 2016, there is a use case for all of them. Common sense has to be applied though when browsing while not taking unnecessary risks.
Few examples. IE works better in general on Microsoft sites and Active X is required still for browsing Microsoft Catalog. The other method of browsing the Catalog by using RSS is just a hack, is not guaranteed to last and creates too much overhead for the regular user who only wants to use their computer. What is the security risk involved in using a Microsoft Active X Control on a Microsoft site? That Active X Control does not even work on other sites than the Catalog in the default configuration.
Flash is still in wide use on mainstream sites like http://www.bbc.com. Not using Flash on such sites just based on principle, limits the user in browsing the web and having access to information without good reason. Even InfoWorld http://www.infoworld.com/author/Woody-Leonhard/ where Woody published very useful and interesting articles uses Flash.
Java is still in use and only few days ago I encountered such an instance on one of the sites of the Western Australian Government https://www.wa.gov.au/. There are many people who use that site for business related tasks.

Reply | Quote

I absolutely agree with “plenty of system images” as the best fall-back position.

May I remark that, in my experience (with a controlled experiment to verify): placing system images from two or more different Win7 machines onto the same external HD seems to be safe (touch wood) and they can be retrieved separately; but placing system images from a Win7 and a Win10 machine onto the same HD is disastrous — both backups say “Completed successfully”, but neither backup can be restored onto their original machines.

Reply | Quote

Exactly
thanks @ch100

Reply | Quote

I spent the day yesterday creating Windows 7 install disks for 32 and 64 bit Home and Pro installs. They are SP1 + April 2016 rollups slip streamed in. So, I can now re-install Win7 with all updates to 4-16 and quite possibly never use WU again.

I read a report that listed the specific KBs included in the rollup. The preparer of that report said there were no GWX or telemetry KBs in the roll-up.

The future for WU is bleak and quite unknown to me at this point. To me, it is clear that I do not want Win10 and what goes with it. I am quite uncertain what the future holds.

However, I can now rest assured that I can protect my clients from it quite well.

My expectation is that the danger to systems that run well is greater from M$ attempts to take over systems or make them unstable or even unusable, than hackers who might be thwarted by the patches that M$ has to offer.

Not patching assures that updates will not make drivers unusable causing unstable systems. A situation that could get impossible if we are to keep our Win7 systems running soundly. It is quite possible that patching could lead to needs for driver updates that are not available.

Our Win7 systems run very well and we depend on them. We want to keep it that way.

CT

Reply | Quote

I’m embarrassed that InfoWorld has (had?) Flash.

Reply | Quote

@ Canadian Tech,

Sincerely hope that the April Rollup you talk of is NOT KB3125574, although this is the patch number given by MS to the April Rollup.

The following Patches inside KB3125574 are all Telemetry:

KB2882822, KB3068708, KB3075249, KB3080149, KB3081954,

Additionally, you might reconsider using the following patches also inside KB3125574

KB2999226 – Enables Win 10 CRT apps on Win 7
KB3118401 – Lets Win 10 Universal Time apps run on Win 7
KB3138378 – Replaces Win 7 Journal app with Win 10 version

If I then include the 50 other patches inside the Rollup which have in the main been superceded (mainly by Security updates) or never offered to MY machine (Win 7 SP1 64bit Home Premium), you can understand why I chose not to install KB3125574.

I should add that I have only added 8 non-security patches since 2014 – always having first endeavoured to satisfy myself that they are “friendly” – up to the end 2014, patches were usually “well meant).

Finally, I checked out the list of minimal updates for Win 7 proposed by ch100. I cannot disagree, – as long as you stop installing other updates AFTER installing Disk Cleanup Patch KB2852386

https://www.askwoody.com/2016/a-new-list-of-minimal-updates-for-windows-7/

Reply | Quote

It was indeed that patch. Thank you for that information. I will make note to remove those updates after any install, along with a longer list of others that I always remove.

CT

Reply | Quote

It seems to me that I will just need the security-only updates come October and beyond. I will not let Microsoft install “all the previous updates” from Windows Update.

Meaning that Windows Update is no longer useful after September and I will probably disable it then.

I will just get the updates from the Catalog and install them myself once it is clear the updates won’t cause problems.

Hope for the best. Prepare for the worst.

Reply | Quote

@Walker,

Please don’t give up yet and decide to be in Group A (if you’d rather be in Group B)!

As far as it looks, we “normal” folks WILL have an option to be in Group B.

The non-techie people in Group B (who will not have access to WSUS) will be using something called the Microsoft ***Update Catalog***.

Woody will explain in October to the Group B crowd how to use the Update Catalog, step-by-step.

This is the plan, at least for now. Microsoft seems to be putting this whole program together on the fly, so nothing is guaranteed!

But this is what Woody is planning on, for anyone who wants to be in Group B to use the Update Catalog. So don’t give up now, wait and see how that works out for you.

Here is a statement that Woody made today to another forum contributor on this issue:
“The Update Catalog is a pain in the neck, but accessible from IE and any other browser ifyou know the tricks.
Right now, don’t worry about it.
When the time comes and we have some information, I’ll get very straightforward instructions out….”
https://www.askwoody.com/2016/ms-defcon-3-get-windows-patched-gingerly/comment-page-4/#comment-98103

Reply | Quote

@Xircal,

I’ve seen numerous times on Woody’s forum here where people (including Woody) have said that even if you don’t use Internet Explorer as your internet browser, if you have Windows 7 or 8, you must keep your Windows version of IE updated, because the entire operating system somehow needs to have the latest updates to IE patched, even if you personally use a non-Microsoft browser and never open up the I.E. program itself on your computer.

That requirement for everyone who has Windows 7/8 to have IE continuously patched is probably what Frahaleah was talking about above.

Reply | Quote

@Xircal,

2 questions:

1. Where have you seen the information that “the 3rd Tuesday update is just a preview of the forthcoming monthly rollup containing both security and non-security i.e. reliability updates”?

As far as I know, Microsoft’s Nathan Mercer made it pretty clear (saying it several times) in his Q&A that the 3rd Tuesday update rollup is going to be a preview of non-security patches _only_.

On Woody’s site here, I quoted what Mercer said about this topic a few days ago, and I could grab those quotes for you.

—-
2. Why would you think that the non-cumulative, non-security-only 3rd Tuesday’s Preview rollup might need to be uninstalled before the three-weeks-later 2nd Tuesday’s cumulative, security-and-non-security Monthly rollup is installed?

Is that how Windows 10 updating currently works? (I have never used Windows 10.)

Reply | Quote

I’m so utterly confused by Mercer’s comments that I’m just going to wait and see what happens on the third Tuesday in October.

I bet we’re all underwhelmed….

Reply | Quote

@ ch100,

How many times a day d’you have to go to a Microsoft site? In any event Firefox can handle anything which appears on there.

Same goes for Java. I haven’t used that for ages, but it didn’t prevent me from browsing the wa.gov.au site you mentioned. I even took a screenshot of the page to prove it! https://postimg.org/image/6yxeyx4lh/

As for Flash, there’s nothing to prevent users from installing the plugin.

Reply | Quote

@ poohsticks,

I think you’ve misinterpreted what I was referring to. I meant the monthly all in one rollup containing both flavours of updates. I worded it the way I did to make it clearer, but it seems to have had the opposite affect

@ Woody, the “Reply” button seems to be up to its old tricks again and seems to be missing below poohstick’s post.

Reply | Quote

@ poohsticks,

No offence intended but I consider that observation to be a load of old codswallop.

My own installation of IE is missing one security patch which is the one which included the Update to Windows 10 nagware on a new tab which I first learned about from Woody on Infoworld.com

That in itself is reason enough for me not to use it anymore. Regardless of that fact though I don’t have a problem loading any sites with Firefox.

Reply | Quote

@ James Bond 007,

Yes, that’s my thinking too.

I simply don’t trust Microsoft anymore. I chose not to sign up to the Customer Experience Program when I installed 8.1 and assumed M$ would respect my wishes.

But from reading a number of blogs around the Web it quickly became obvious that my wishes were being ignored and my personal data was being collected surreptitiously and uploaded to Microsoft without my consent.

And then we had to contend with the Windows 10 fiasco which put the final nail in the coffin for me. Once the wheels fall off my current laptop, I won’t be buying another Windows machine ever again.

Reply | Quote

I’ve maxed out – WordPress can’t go any higher than a 10-deep reply chain….

Reply | Quote

I understand that your reference is made about Windows System Images. But there are other third-party tools which can be safely used and in most cases are more intuitive than Microsoft’s own tool.

Reply | Quote

Just for advertisements and they are those which seem to cause very slow loading of the pages.

Reply | Quote

Try this one
https://www0.landgate.wa.gov.au/maps-and-imagery/interactive-maps/map-viewer

Reply | Quote

I think you are right about Frahaleah’s post. In addition, as I mentioned in my post, there are few situations in which the user is better off by using IE instead of a different browser.
Avoiding software for no good reason is only limiting that user from having a better experience.

Reply | Quote

Well, that’s one agency’s lookup tool within the govt…
I’m more worried about the main site’s openssl vulnerability.

Reply | Quote

@ ch100,

But there are reasons not to use IE and good ones too: http://www.makeuseof.com/tag/6-reasons-why-firefox-is-safer-than-internet-explorer/

It’s a fairly old assessment admittedly, but still valid today in my opinion. Microsoft seldom patches IE out of band. That means that if a vulnerability in IE arises a couple of days after the last Patch Tuesday, users will have to wait until the following month for an update since all updates are released on a schedule.

Since Microsoft wants to push Edge forward as the default browser (for which you need Win 10 of course) it’s likely they will spend even less time to address vulnerabilities discovered in IE.

Firefox and Google Chrome for that matter are patched within 24 hours. Mozilla also publishes a list of vulnerabilities which were fixed unlike M$: https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/

There are hundreds of free extensions which can be installed on Firefox like Adblockers for example. Users who use IE just don’t seem to realise that when the browser is having to pull in ads from different servers scattered all over the Web it’s going to contribute to your data usage. Users on metered plans are wasting their data allowance just to download ads. It also slows down page loading.

Similarly, Firefox users can block trackers with extensions such as Privacy Badger https://www.eff.org/privacybadger

IE offers none of these things.

Reply | Quote

@ ch100,

That map viewer requires Java.

In order to view the map in IE users will have to install the Java plugin: https://techhelpkb.com/disable-java-in-internet-explorer/

Since Java isn’t integrated in IE, it doesn’t provide a good reason to stick with Internet Explorer.

Reply | Quote

Open Office Writer 4.0 requires a Java Runtime Environment (whatever that is — but I don’t have it) to provide some Help facilities.

Reply | Quote

@Xircal I use Firefox as my prefered browser. The second preferred one is by far IE as I don’t rate Chrome as high. Another good one and possible the best of all is Opera which unfortunately has a very low rate of adoption.
Your analysis is correct entirely and the links provided are as relevant today as they were in the past.
Edge apparently is the same Trident engine like IE only pretending to be a different thing. Being less bloated, makes Edge at the same time non-functional and not a serious contender, at least not at the moment.
What I actually say is that computers are made to be used and not to be kept somewhere locked and secure and non-functional at the same time. The zero day attacks are of concern mostly to high-profile targets and less to regular users. There are millions of users not using antivirus products, firewalls or UAC enabled and not patching who were never infected. It is certainly not good practice, but a fact of life.
Now to claim that because a certain zero-day attack not published widely exists and IE is patched after one month instead of every 24 hours makes it non-secure, I think this is an exaggeration seen in the context.
In addition, how many normal end-users do you think are interested in all the add-ons for Firefox which are available mostly for the geeks use?

Reply | Quote

@Xircal,

“@poohsticks… I consider that observation to be a load of old codswallop.”

Which observation are you talking about?

My pointing out that Woody’s advice has been that we should keep IE updated, as patches are released for it by Microsoft, because that is integral to having a properly-protected Windows 7/8, whether or not the customer uses IE as an internet browser?

I don’t claim to be a technical expert — I was just parroting the real experts on that, so if you have an argument about the importance to Win 7/8 of keeping IE patched even if IE is not deliberately used by the computer operator as an internet browser, it’s with them, not me —

Or my pointing out what contributor @Frahaleah had meant in his/her posts, and that you had misunderstood what he/she was saying?

Reply | Quote

Yes, it is disconcerting when the reply button stops being offered at a certain extended point in the posting hierarchy… but honestly that constraint probably helps Woody keep his discussions trimmer than they would otherwise be, if some of us (including myself) could ramble on unimpeded, ha ha.

Reply | Quote

@ Hugh McFarlane,

Open Office Writer doesn’t appear to be a Firefox extension so I don’t understand the point you’re trying to make.

Reply | Quote

@ ch100,

The reply button is missing below your post so I can’t insert this response in the correct place I’m afraid.

Anyway, in what way are you required to be a geek in order to install any Firefox extension? All you have to do is to click Install after which you’re required to approve the installation and then Firefox does it’s thing.

In some cases a Firefox restart is required to complete the installation, but it NEVER requires the whole computer to be rebooted.

If what I’ve written here still isn’t enough for you, there are plenty of illustrated guides available on the web such as this one: https://www.accessfirefox.org/Addons_Installation_Guide.php

As regards the subject of zero-days I really can’t believe that you’re actually asserting that IE is still safe to use after a vulnerability has been discovered. What usually happens is that IE users have to hang around twiddling their thumbs while M$ takes its time to fix it: http://blog.vectranetworks.com/blog/microsoft-internet-explorer-11-zero-day

At least Firefox and Google Chrome can be relied upon to patch vulnerabilities within 24 hours.

Reply | Quote

@ ch100,

Here’s a nice juicy IE vulnerability: http://www.securitytracker.com/id/1036743

As you can see it was discovered on September 8. We’re now on September 13. Let’s see how long it takes Microsoft to fix it. Don’t be surprised if IE users have to wait until October 16.

Reply | Quote

It’ll also be interesting to see which versions of Windows get the fix and when.

Wonder which versions of IE are vulnerable?

Reply | Quote

WordPress only allows nesting up to 10 deep. Don’t know why there’s a limitation but, yes, it definitely helps keep the conversations trimmed.

Reply | Quote

My point is only that an otherwise well-respected third-party software product (OOW) still needs Java for my use of its help system. Perhaps I have attached my reply to the wrong sub-sub-sub-thread.

Reply | Quote

I would imagine all of them. To be fair though Firefox is also vulnerable and Mozilla hasn’t patch the browser yet either.

But the big advantage with Firefox and Google Chrome is that users can block ads using an extension like Adblock Plus or uBlock. The exploit uses a Javascript file hidden in an ad to trigger its payload.

Arstechnica has an article on the subject: http://arstechnica.com/security/2016/08/new-attack-steals-ssns-e-mail-addresses-and-more-from-https-pages/

Reply | Quote

@ poohsticks,

Dear oh dear, users who can’t recall what they’ve written and then complain they don’t understand the criticism they receive.

I refuse point blank to install a security patch for IE if it includes something which going to used to display ads. Since I didn’t, using IE now would make my system vulnerable to whatever exploit that security patch was intended to address.

But not having it installed doesn’t in my opinion make my system any more vulnerable to attack since I don’t use IE. Hence the ‘codswallop’.

Got it now?

Reply | Quote

Of course Adblock Plus is about to make themselves redundant when they start serving their own ads.

Reply | Quote

@poohsticks:

Please accept my sincere apology for being so far behind in reading all of the information. Being “under the weather” has caused me to just now have the opportunity to read the excellent information you posted. You possess a wealth of knowledge, and your empathy and understanding towards others is deeply appreciated.

I always read all of your comments, and you provide outstanding guidance and advice. I now feel much more comfortable opting for Group B. I hope and pray that we, who wish to be in this group, will be successful in becoming members without any problems.

Thank you once again for your many contributions to the discussions.

Reply | Quote