• Lots and lots of patches

    #128433

    Martin Brinkmann at gHacks just posted his usual comprehensive list: Windows 7:  9 vulnerabilities of which 2 are rated critical, 7 important Windows
    [See the full post at: Lots and lots of patches]

    6 users thanked author for this post.
    • #128435

      The SANS ISC InfoSec Forums have revamped their MS Patch Tuesday reference system; here is an excerpt from the introduction to today’s posting:

      “When Microsoft changed its update process a few months ago, we were initially no longer able to quickly produce our usual assessment of Microsoft’s patches. Finally, I think we have a way to get at least some of it back, and this is our first take on it. Please let me know if I should change anything.”

      August 2017 post: https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+August+2017/22694

      2 users thanked author for this post.
    • #128438

      As usual – most secure Windows ever has most vulnerabilities.

      Fractal Design Pop Air * Thermaltake Toughpower GF3 750W * ASUS TUF GAMING B560M-PLUS * Intel Core i9-11900K * 4 x 8 GB G.Skill Aegis DDR4 3600 MHz CL16 * ASRock RX 6800 XT Phantom Gaming 16GB OC * XPG GAMMIX S70 BLADE 1TB * SanDisk Ultra 3D 1TB * Samsung EVO 840 250GB * DVD RW Lite-ON iHAS 124 * Windows 10 Pro 22H2 64-bit Insider * Windows 11 Pro Beta Insider
      6 users thanked author for this post.
      • #128446

        Well keep in mind you’re comparing the number of vulnerabilities of Windows 10 to 7 and 8.1 both of which are older so they’ve had more time to have their exploits patched. People seem to forget that. I don’t think you should be comparing the number of exploits of a 2 year old piece of software to a piece of software that’s been getting updates for 8 years.

        • #128454

          Or, the marketing slogan wasn’t quite appropriate for the continual beta OS? 🙂

          If debian is good enough for NASA...
          4 users thanked author for this post.
        • #128457

          What I and probably most people expect is that the “state of the art”, “most secure” new O.S. to have the previous six years of updates and patches built in.  Why bother with all the hassle if you’re starting out six years behind?  Doesn’t make sense to me.

          Being 20 something in the 70's was far more fun than being 70 something in the insane 20's
          8 users thanked author for this post.
        • #128469

          Surely the point is that if you’re going to release a new OS version and claim as a major selling point over the existing versions that it is more secure, then it shouldn’t have more vulnerabilities than the existing versions it’s supposed to be a more secure replacement for!

          8 users thanked author for this post.
          • #128470

            True enough.

            But this is MICROSOFT, the Not Quite Ready for Prime Time Company, whose corporate motto is effectively, “We truly value our customers’ opinions. If we wish to know them, we will tell you what they are.”

            3 users thanked author for this post.
        • #128531

          I don’t think you should be comparing the number of exploits of a 2 year old piece of software to a piece of software that’s been getting updates for 8 years.

          Then I don’t think you should call a 2 year old piece of software “most secure Windows ever” :).

          Fractal Design Pop Air * Thermaltake Toughpower GF3 750W * ASUS TUF GAMING B560M-PLUS * Intel Core i9-11900K * 4 x 8 GB G.Skill Aegis DDR4 3600 MHz CL16 * ASRock RX 6800 XT Phantom Gaming 16GB OC * XPG GAMMIX S70 BLADE 1TB * SanDisk Ultra 3D 1TB * Samsung EVO 840 250GB * DVD RW Lite-ON iHAS 124 * Windows 10 Pro 22H2 64-bit Insider * Windows 11 Pro Beta Insider
          3 users thanked author for this post.
          • #128704

            I agree with all of above as well as all the other pointed critical comments made about the way Win10 is being shoveled out to the general user public.

            I am going to compare what I think is M$ Win10 strategy with the like of that they had this self interest thought bubble and we will call it the GREATEST EVER O/S rocket ship, christened Win10.

            They have managed to get it up in the air and it is sort of flying as close as they can control, straight and level in a somewhat expected direction. However, when it took off it left a few things behind on the launchpad that were not supposed to be forgotten.

            Also overlooking that it might have been a good idea to work out how they can get it to land WITHOUT going in headfirst into the ground BEFORE they pushed the launch button.

            My money is on that they have lost (trashed) the experienced personnel to be able to do this, as the lunatics (money motivated executives)  have taken over the asylum, and the inevitable is just a matter of time.

            1 user thanked author for this post.
    • #128441

      Group B Security-only patches have been updated Aug 8 on AKB2000003

      Cumulative updates for IE11 have been updated Aug 8 on AKB2000003.

      13 users thanked author for this post.
    • #128444

      Updated 1607 to build 1593, noticed that update history shows no updates installed. Updates are listed in control panel under uninstall updates, but only go back to September 2016, when I installed the anniversary update. Anyone else experiencing this?

      • #128571

        Yes, your installation is as clean as it is supposed to be.
        The history was reset probably by the Servicing Stack Update KB4035631, while the installed updates show only the current ones, not the superseded updates.
        The superseded updates are replaced “in place” in most cases in Windows 10, while an inbox/built-in Scheduled Task runs and uninstalls the remaining superseded updates behind the scenes, which is the same action known from Windows 8/8.1 and their server equivalents 2012/2012R2. This is equivalent to running Disk Cleanup manually for Windows Update.
        You will still see in the list of installed updates all the Servicing Stack Updates installed on the machine, as they cannot be uninstalled, even if the old ones are inactivated by the more recent SSUs installed.

      • #128567

        Same here! Happened after I installed kb4034658.

        • #128570

          And now I know why… WinShowHide shows my hidden updates are all unhidden.

          So if you’ve hidden the upgrade (1703), it will appear again. Be careful!

        • #128587

          After this  happened, all of my hidden updates (Wushowhide) turned out to be unhidden. So if you had hidden the upgrade (1703), it will appear again. So be careful!

    • #128460

      Which Office list was wrong?

      For regular users, just 4 new updates for Office 2016 today, in addition to 9 updates from August 1

      Office 2013 still has the same 7 updates from August 1

      Office 2010/2007 got zero updates

      • #128462

        What was originally posted on MS Technet Aug 1 was wrong. See TenForums list – it was original on MS. See ours – I corrected it this morning to match MS listing NOW

        2 users thanked author for this post.
      • #128498

        No kidding. When I checked Windows Update I haven’t seen any security updates for Microsoft Office 2007.

        1 user thanked author for this post.
        • #128532

          I’ve received the August updates and the 2007 updates for Office are still listed. These were there from last month (July) and because of reports of ‘bugs’ I haven’t updated as yet. Probably will get round to them shortly or when we’re given the go ahead from Woody. Just mentioning them because some have said they haven’t seen any. Enclosing a screen capture – there are 8 specifically for 2007 and are in Important updates and ticked. My computer is set to “Check for updates but let me decide when to download and install” LT

          “Why do we Rest in Peace – why don’t we Live in Peace too?” Anon

          Office-updates

        • #128511

          It’s me again. Never mind. I saw the post on non-security updates for Microsoft Office. -_-; No more updates for MS Office 2007…

      • #128573

        I don’t see any new updates for Office 2016. Where are they? 🙂

        • #128585
          1 user thanked author for this post.
          • #128588

            Those released on August 8 are not mainstream patches, which means they are hotfixes for limited release. They are available only for manual download in which case I think they should not even get a mention here.
            The updates released on August 1 are the real regular updates and should be installed at some stage, for most users when MS-DEFCON changes to 3 or above.

            3 users thanked author for this post.
            • #128590

              Corrected list for Aug 1 Office updates is here

              3 users thanked author for this post.
            • #128618

              They probably will hit MU next week

              i actually never use/care/check MU for Office updates, i get them from Download Center as released 😀

              1 user thanked author for this post.
            • #128643

              They probably will hit MU next week i actually never use/care/check MU for Office updates, i get them from Download Center as released 🙂

              MU?

            • #128651

              Microsoft Update (as opposed to Windows Update).

            • #128682

              i actually never use/care/check MU for Office updates, i get them from Download Center as released

              Here is not MDL, different target audience ?

              1 user thanked author for this post.
    • #128461

      Group A, Win 7, SP1, X64 Home Premium installed KB4034664. No problems so far. I only use this computer for print, email, internet.

    • #128473

      I don’t understand, how the most secure browser ever can have 28 vulnerabilities while the old one has “only” 8?

      2 users thanked author for this post.
      • #128487

        Because it’s the most secure browser ever, done by Micro$oft.

      • #128546

        Perhaps it’s the new inclusion of ‘new secure technology’ for the purpose of MS and not the end-user which MS is protecting? Who knows, I don’t use it so, cannot say for sure.

        If debian is good enough for NASA...
    • #128478

      Another month where I thank my lucky stars that I’m using Windows 7:  9 vulnerabilities of which 2 are rated critical, 7 important and no Office updates.

      If I was running Windows 10 with Edge I would have 42 vulnerabilities of which 26 are rated critical, and 16 important.

      2 critical vs 26 critical. I know which I prefer.

      Flash is already updated so I shall sit here smugly until Defcon goes up 🙂

      Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

      1 user thanked author for this post.
    • #128490

      Maybe they should sell the rights to their old OS to the employees they laid off who worked on XP & 7; since they insist on violating  KISS.  Keep it simple stupid.

      2 users thanked author for this post.
    • #128492

      From .NET Framework August 2017 Security and Quality Rollup: “Today, we are releasing the August 2017 Security and Quality Rollup Update. This update applies to Windows 10 and Windows Server 2016.”

      From Welcome to the .NET Framework 4.7.1 Early Access!: “Today, we are happy to announce an early access build of .NET Framework 4.7.1.”

      1 user thanked author for this post.
      • #128500

        So the .Net Framework 4.7 thing is the reason why I haven’t seen any security/monthly quality rollup for .Net Framework lately?

        I’m not here often so I don’t hear much.

    • #128493

      I will guess that the Windows 7 LDAP referral chasing issue exists in the Windows 7 August 2017 updates since file WLDAP32.DLL is unchanged from the July 2017 updates.

    • #128496

      Hopefully those of you who experienced blue screen of death problems with the July 2017 updates will report your experiences with the August 2017 updates (when the time is right to install them).

      1 user thanked author for this post.
      • #128501

        Forgive my dumb question here, MrBrian… guess you are referring to those who finally got their updates successfully installed in July, as I was under the impression that those of us who were installing the Security updates only, would have to install the month’s before update before being able to install the next month’s. And so if the previous month (July) Security update created a BSOD and one had to uninstall it to recover, then one would not be able to go ahead with the following months update. Is this right – or have I misjudged? LT

        “When you make a commitment you build hope, when you keep it you build trust.” Anon

        1 user thanked author for this post.
        • #128503

          You’re right indeed, with regards to the security-only updates. However, maybe somebody who had BSOD issues with the July monthly rollup could report how well the August monthly rollup is working.

          2 users thanked author for this post.
          • #128508

            Thank you for replying so quickly! I have been mulling over reinstalling that offending update when I have a bit of quiet time….. as I would like to keep this machine updated until I have time (and money) to transition to another OS and finally bid farewell to MS! LT

            “In a world where you can be anything – be kind!” – Anon

            2 users thanked author for this post.
        • #128526

          On second thought, those who had BSOD problems with the July security-only update might wish to (when the time is right) install the August security-only update, and then the July security-only update. The August security-only update might have newer versions of files that don’t cause the BSOD issue anymore.

          1 user thanked author for this post.
    • #128504
      3 users thanked author for this post.
    • #128516

      Windows 8.1 Patch Observations

      Enabled and Started the Windows Update service on my Win 8.1 virtual machine and instructed it to check for updates… Windows Update ran for a couple of minutes then reported 3 Important updates detected (total 296.3 MB):

      ScreenGrab_W81EVM_2017_08_09_000205

      What’s funny is that even though the Windows Update panel shows a percentage rising, the actual network traffic always looks bursty, like this:

      ScreenGrab_W81EVM_2017_08_09_000459

      Updates went in smoothly, reboot was okay. No new errors or warnings are shown in the System Event Log.

      A quick check for system settings changes revealed:

      • A new scheduled task: “\Microsoft\Windows\Shell\CreateObjectTask”
      • Scheduled task “\Microsoft\Windows\TaskScheduler\Idle Maintenance” changed from Disabled to Ready.

      I plan to subject this non-critical test system to system tests over the coming days to determine if any functionality I rely upon has been impaired. So far at first glance it seems to have survived the update at least.

      -Noel

      5 users thanked author for this post.
      • #129279

        FYI, all went well with the Win 8.1 testing and because I’m at a good breakpoint with my work I chose to move my Win 8.1 hardware up to the August patches, Group A style, this morning. Benchmarks showed nominal values and so far working with it all day I’ve found nothing wrong. It’s a multi-monitor system by the way.

        -Noel

        1 user thanked author for this post.
    • #128522

      Windows 7 Patch Observations:

      Enabled and started Windows Update on my Win 7 virtual machine. It ran a couple of minutes and reported 2 important and 2 optional updates available. I chose to hide the recurring optional KB2952664 “telemetry” update again.

      ScreenGrab_W7VM_2017_08_09_003712

      ScreenGrab_W7VM_2017_08_09_003845

      The updates went in smoothly, the reboot was clean, no new errors or warnings in the System Event Log.

      A check for changes:

      • BITS service was changed from DEMAND_START to AUTO_START

      Further testing is planned.

      -Noel

      9 users thanked author for this post.
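
An added example, not part of either of Noel's posts: one way to automate the before/after settings check described in the Windows 8.1 and Windows 7 observations above. It diffs saved `sc qc` and `schtasks /query /fo csv` output; the snapshot text is constructed sample data modelled on those posts, and the function names are hypothetical.

```python
"""Diff pre/post-patch snapshots of service start types and scheduled tasks."""
import csv
import io
import re

# Constructed sample snapshots (not captured from a real machine), modelled on
# the changes reported in the two posts. Trimmed `sc qc <service>` output:
SC_BEFORE = r"""
SERVICE_NAME: BITS
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START

SERVICE_NAME: wuauserv
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
"""
SC_AFTER = SC_BEFORE.replace("3   DEMAND_START", "2   AUTO_START", 1)

# Trimmed `schtasks /query /fo csv` output; the header row can repeat.
TASKS_BEFORE = r"""
"TaskName","Next Run Time","Status"
"\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","Ready"
"\Microsoft\Windows\TaskScheduler\Idle Maintenance","N/A","Disabled"
"""
TASKS_AFTER = r"""
"TaskName","Next Run Time","Status"
"\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","Ready"
"TaskName","Next Run Time","Status"
"\Microsoft\Windows\Shell\CreateObjectTask","N/A","Ready"
"\Microsoft\Windows\TaskScheduler\Idle Maintenance","N/A","Ready"
"""


def parse_sc_qc(text):
    """Map service name -> start type from concatenated `sc qc` output."""
    services, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*SERVICE_NAME:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*START_TYPE\s*:\s*\d+\s+(.+)", line)
        if m and current:
            # Collapse padding so "AUTO_START  (DELAYED)" compares cleanly.
            services[current] = " ".join(m.group(1).split())
    return services


def parse_schtasks_csv(text):
    """Map task path -> status, skipping blank lines and repeated headers."""
    tasks = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 3 or row[0] == "TaskName":
            continue
        tasks[row[0]] = row[2]
    return tasks


def diff_snapshots(before, after):
    """Return sorted (name, ADDED|REMOVED|CHANGED, detail) tuples."""
    changes = []
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name), after.get(name)
        if old is None:
            changes.append((name, "ADDED", new))
        elif new is None:
            changes.append((name, "REMOVED", old))
        elif old != new:
            changes.append((name, "CHANGED", f"{old} -> {new}"))
    return changes


def patch_changes():
    """Return (service_changes, task_changes) for the sample snapshots."""
    services = diff_snapshots(parse_sc_qc(SC_BEFORE), parse_sc_qc(SC_AFTER))
    tasks = diff_snapshots(parse_schtasks_csv(TASKS_BEFORE),
                           parse_schtasks_csv(TASKS_AFTER))
    return services, tasks


if __name__ == "__main__":
    for kind, changes in zip(("service", "task"), patch_changes()):
        for name, what, detail in changes:
            print(f"{kind:8} {what:8} {name}: {detail}")
```

On a real host, save the two commands' output to files before and after patching and pass the file contents to the parsers in place of the sample strings.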
      • #128582

        Is that BITS change any reason for concern, perhaps in terms of what it may mean down the line?

        2 users thanked author for this post.
        • #128619

          No, it’s system behavior when installing updates from WU, even if you disabled BITS, WU would re-enable it

          anyway, BITS status should not be a concern on Windows 7/8.1

          4 users thanked author for this post.
      • #128765

        Windows 7 Patch Observations: Enabled and started Windows Update on my Win 7 virtual machine. It ran a couple of minutes and reported 2 important and 2 optional updates available. I chose to hide the recurring optional KB2952664 “telemetry” update again. ScreenGrab_W7VM_2017_08_09_003712 ScreenGrab_W7VM_2017_08_09_003845 The updates went in smoothly, the reboot was clean, no new errors or warnings in the System Event Log. A check for changes:

        • BITS service was changed from DEMAND_START to AUTO_START

        Further testing is planned. -Noel

         

        Noel,

        I got stuff like that the other day also.

        KB4034679 – Security Update
        KB4034733 – IE 11 Update
        KB4034664 – Monthly Rollup
        KB4035510 – .NET Framework Update
        KB4019990 – .NET Framework Update
        KB2952664 – Win 7 Update

        Of these, I am NOT going to get 2952664 and will hide it AGAIN. I MIGHT get 4035510, but probably will not. The others will get installed when Defcon changes to higher number.

        Sorry, no screen shots at this time.

        Any thoughts on WHY 2952664 showed up again? Any advice is appreciated.
        Thanks, in advance.

        Dave

      • #129278

        FYI, all went well with the testing of the August patches here – for my needs – and I chose to move my Win 7 hardware to the latest, Group A style. So far that’s gone well also.

        -Noel

        2 users thanked author for this post.
    • #128657

      Hi. I have Windows 7 x64 and heard something about the .Net Framework security and monthly quality update. For Windows 7 I don’t see any update for x64 version. Is it something that would be placed into Windows Update on its own?

       

      Thanks.

    • #128703

      Thanks. I wasn’t aware that it was only a bugfix and not a security issue.

      Got coffee?

    • #128790

      Issue and workaround documented for Windows 8.1 August 2017 monthly rollup: “NPS authentication may break, and wireless clients may fail to connect.” The same issue was documented in the Windows 8.1 July 2017 preview monthly rollup.

    • #128923

      In her Patch Watch column for Windows Secrets (2017.08.10), Susan Bradley has this entry for Windows 7:

      “The Windows 7 updates released this month in the form of KB4034664 include security updates for Microsoft JET Database Engine, Common Log File System Driver, Microsoft Windows Search Component, Volume Manager Driver, Internet Explorer, Windows Server, and Windows kernel-mode drivers. No non security updates were released with this update.

      At this time I am not tracking any major side effects.”

      Can one then infer that KB4034664 is simply a combination of KB4034679 & KB4034733?

      (Which is what Martin Brinkmann explicitly states in his column, “Microsoft Security Updates August 2017 release” (though both articles fail to mention KB4034733, which is obviously included in KB4034664):

      “KB4034679 — August 8, 2017 Security only update for Windows 7 SP1 and Windows Server 2008 R2 SP1

      Security updates to Windows Server, Microsoft JET Database Engine, Windows kernel-mode drivers, Common Log File System Driver, Microsoft Windows Search Component, and Volume Manager Driver.

      KB4034664 — August 8, 2017 Monthly Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1

      Same as KB4034679”

      https://www.ghacks.net/2017/08/08/microsoft-security-updates-august-2017-release/ .)

      • #128943

        August 2017 Windows 7 or 8.1 monthly Windows rollup = August 2017 Windows 7 or 8.1 Windows security-only update + August 2017 Internet Explorer cumulative update + other files.

        1 user thanked author for this post.
      • #129105

        Whenever no Preview Rollup precedes the respective Monthly Rollup, no new reliability (non-security) component gets added to the Security Monthly Quality Rollup.

        August 2017 Monthly Rollup = July 2017 Monthly Rollup + August 2017 Security Only Quality Update + August 2017 Cumulative Security Update for IE11.

        1 user thanked author for this post.
    • #129064

      I have been noticing something unusual about this month’s Windows 7 x64 updates:

      I have Win 7 Pro, and on Tuesday I got a Preview Rollout (which I hid, in case I might need it later), and the “Malicious Software” eliminator, that I installed, as it seems innocuous enough.

      And, so far, that has been that. It is late Friday night, close to four days have gone by, and nothing else has showed up here from MS since Tuesday. I have run Windows Update, twice, two days apart, the last time today, an hour ago, and each time it has come up with “Windows is up to date; no updates are available” for my machine.

      Occasionally, in the past, it has been one or two days later that I got a “Tuesday” update, but this time it seems to be taking unusually long, thus my posting this message here.

      I do know that there are updates, Windows Update notwithstanding, and already have downloaded manually, directly from MS, the security one for Windows 7 and the Cumulative one for Explorer 11, both now sitting on my desktop until I figure out that it is OK to install them. So I am not worried about not being able to update and, by so doing, cover the latest holes discovered in the OS. Not so much worried, as puzzled.

      Is anyone else having the same experience?
      Thanks.

      • #129106

        Mind posting a screengrab of the “Preview Rollout” hidden last Tuesday?

        2 users thanked author for this post.
    • #129088
    • #129150

      Volume Z has asked for a “screen grab” of the “Preview Rollout” update I did receive on Tuesday and then hid, in case it might be needed later. (I was just following my usual practice with things dubious, but not obviously evil.)

      Not sure what VZ means by that.

      In any case: it was the “Preview Quality Rollout for .NET Framework.”

      Hard to see what that may have to do with my lack of updates received (and still the case as I write this, Saturday afternoon), but one never knows, does one?

      1 user thanked author for this post.
      • #129154

        By “screen grab” he meant screen shot (picture) of the Rollup.
        He was probably trying to determine the full name of the patch, which includes the month, the .NET versions, and the KB number.

        FYI: Preview patches are generally unchecked optional updates which will not be installed (since they are unchecked and in the “Optional updates” list) and do not need to be hidden for that reason.

        1 user thanked author for this post.
    • #129959

      From .NET Framework Update for AppContext (August 18, 2017):

      “A new update for .NET Framework is now available for the AppContext class. The behavior of the AppContext class was recently regressed. The update returns the class to the correct behavior. This update affects the .NET Framework 4.6 and later. The update is not required on Windows 10.

      The AppContext class was introduced in the .NET Framework 4.6. Its primary use is to enable developers to opt into new behavior in the .NET Framework that is not enabled by default. The regression prevents developers from opting into new behavior.

      You are only encouraged to install this update if you have used the AppContext class directly and are experiencing problems. Otherwise, you will get this update in one of the regular broader releases over the next one to two months.
