MS-DEFCON 1: Don’t patch, don’t use Internet Explorer, and set up an alternate default browser

Topic

New Reply

Microsoft (finally!) divulged some details about that CVE-2019-1367 patch (actually, three bumbling, successive patches, for all versions of Windows).
[See the full post at: MS-DEFCON 1: Don’t patch, don’t use Internet Explorer, and set up an alternate default browser]

2 users thanked author for this post.

abbodi86, fernlady

Reply | Quote

Replies

I am really confused now. I received an email from the AskWoody Plus: ” Prioritize installation of the security update for CVE-2019-1367. The update is automatically deployed as a required update through Microsoft Update and the WSUS catalog. Customers with automatic updates turned on don’t need to take additional action”.

Per the previous advice, I had already paused all automatic updates on my computer. Therefore I went to the “CVE-2019-1367” link to download the file kb452417. However, in the meantime, the AskWoody home page states “Don’t patch, don’t use Internet Explorer, and set up an alternate default browser”.

Should I install Kb452417 or not??

Thank you.

Reply | Quote

If you look at the email, the language you cite is a quote from the Microsoft Windows Defender site, perhaps a rather self serving one. Woody’s advice is quite clear at the moment – Dont patch.

Chris
Win 10 Pro x64 Group A

2 users thanked author for this post.

woody, HE48AEEXX77WEN4Edbtm

Reply | Quote

Believe me, I know it’s confusing.

For folks who have to support IE, it’s both confusing and overwhelming.

Bottom line, though: Delay updates, don’t patch anything until we get to MS-DEFCON 3 or 4, don’t use IE and remove it as the default browser.

I’m really steamed that MS put its real IE zero-day warning behind a $690 paywall.

4 users thanked author for this post.

Lori, rexr, WildBill, Microfix

Reply | Quote

Hey Woody,  I missed the brief Defcon 3 window so have not installed ANY September patches.  If October’s patches are a hot mess I’m guessing the green light may not be until early November,  am i safe to wait it out  or is there any patch from Sept/early Oct that’s o.k or really needed?  Thanks for all you do it’s much appreciated.

Reply | Quote

DEFCON-1 = DON’T PATCH

1 user thanked author for this post.

woody

Reply | Quote

You’re safe. And should feel lucky, actually.

See the Computerworld article.

Reply | Quote

That E5 seat at $690 is per year, after discount for paying an annual commitment.  Not a one time license cost.

~ Group "Weekend" ~

1 user thanked author for this post.

woody

Reply | Quote

I’m just glad that Susan shells out the bucks to keep the E5 subscription.

It’s just unfathomable to me why MS would put detailed exploit information behind a paywall. Unconscionable.

5 users thanked author for this post.

wavy, CADesertRat, SueW, AJNorth, LHiggins

Reply | Quote

I use Quicken 2019 which downloads my financial information via Internet Explorer, only. That is the only time I use IE. My default browser is Firefox but it will not work with Quicken. MS Edge has been disabled and I do not use any of the Apps supported by Win 10.

My current OS is Win 10 1803 and my computer has been patched through September based on the master patch list. Windows update is off. When the October patches come out I intend to hide them utilizing wushowhide. I checked today and the IE patch does not appear.

My computer is running without any problems. I log into Win 10 locally and do not have a MS login account. What risk(s), if any, do I face if I continue to use Quicken?

Reply | Quote

I use Firefox and it is set as the default browser on my computer but some programs default to IE anyway. IIRC Windows Update doesn’t use IE to retrieve updates – and I have noticed WU uses my default browser – so I was wondering if I should set my firewall to block IE from accessing the Internet. Any thoughts?

-firemind.

Reply | Quote

I have on Win8.1 with no ill effects as I use firefox ESR and WU works as intended when/if I need it. You would need to test it, easily undone when/if required anyway. I’m not saying it’s completely blocked off but, I certainly feel better about it as I don’t use it period. YMMV

If debian is good enough for NASA...

Reply | Quote

Minor question: When I finally apply most of the M$ patches, I’m still leaning toward following AKB 2000012 to turn off telemetry at bootup & moving back to Group A. I’ve already turned it off according to AKB 2000007. I won’t ready that until I get ready to apply October patches in November. The only patches that seem basically independent of the rest are the Servicing Stack update & the Security Update for Adobe Flash Player. Should I backup my system & apply those, or just wait until November? BTW, even if I don’t apply any patches this month, I’m going to backup today. My system with all the Defender updates & the new Windows Update pipe will be there if I have to restore between now & November.

Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
Wild Bill Rides Again...

Reply | Quote

Well, I can backup today or tomorrow. Tomorrow if I want to backup the new Windows Updates that drop. BTW, @pkcano keeps saying “FOLLOW MS-DEFCON 1!” Guess I’ll heed his wise advice & leave the Servicing Stack & Flash updates until November too.

Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
Wild Bill Rides Again...

1 user thanked author for this post.

woody

Reply | Quote

“Batten Down the Hatches” sounds like its going to be another rough one, as for IE11, well its been relegated, for some time now, just to a Shortcuts creator on the Desktop as the other Browsers seem to want to put you through hoops to create a simple Desktop Shortcut, whereas IE11 does the same with a single click.
Long since really abandoned IE11 in favour of FireFox Quantum and the occasional use of Edge, well there had to be at least one user out there; 😉
Hopefully “Credge” or “Edgium” may be better although no high hopes here, preferring to wait until “Credge” becomes more main stream and hopefully better integrated, although not holding my breath.

1 user thanked author for this post.

Microfix

Reply | Quote

I’ve long wondered why Ask Woody doesn’t have an OS specific DEFCON, say top row with the Windows OS versions and row underneath with the DEFCON for each version.

Right now, I think that the highest DEFCON is for 1903 (buggiest updates) while 1809 seems a little better off (hard to believe it’s possible). This is important to me as I need to upgrade from 1803 to either 1903 or 1809 before I get stuck with 1903 and the hairiest updates yet. A separate DEFCON might help me. As it is I will take a chance with 1809.

I am definitely confused more and more as the time goes on about all this, despite Woody’s team’s best efforts and me being somewhat of a geek and able to wade through most problems. But I’m getting older, and simpler always seems better now. I suspect like many of you, I only hang onto Windows now because of Stockholm Syndrome.

Reply | Quote

This time, all of the versions from Win7 onward got bit. DEFCON-1 applies to all of them.

Otherwise, Win10 v.1809 has stabilized – that would be the way to go when things settle down. You have 2 months to make the move.

Reply | Quote

DEFCON-1 loud & clear, and I’m happy to continue to wait without installing any of the Win7x64 security monthly rollups for September.

My only confusion is from today’s ComputerWorld article (Woody On Windows): If you followed my instructions about installing last month’s updates as soon as they appeared, you got the first set of September patches installed, and you defended your machine against Microsoft’s second, third and fourth volleys. That, and ensuring IE isn’t your default browser (see preceding section), is the best of all possible worlds.

I have not installed any of the Win7x64 security monthly rollups for September. After WU removed KB 4524157, I have been offered (with checks) security monthly rollup for Win7x64 KB 4516065 and security update for Win7x64 KB 4474419, both of which are dated 9/10/2019. Are these the “first set of September patches” to which Woody refers and, if so, is he recommending they be installed now if all the other conditions in the above statement are met?

Reply | Quote

Right now, the MS-DEFCON 1 applies across the board.

All of my production machines use 1809. But the mess this month clobbered 1809, too.

The problem with individual MS-DEFCON ratings for each version of Windows is… man alive, do you know how many versions of Windows are out there?

2 users thanked author for this post.

JimmyJames, RamRod

Reply | Quote

Five (four soon).

1 user thanked author for this post.

woody

Reply | Quote

Let’s see….

Normal people/client only: Win7, 8.1, Win10 1803, 1809, 1903 and soon 1909 (dropping Win7 and Win10 1803 in the next three months)

Abnormal people: Those five-or-so plus 1507, 1607

Server: 2008, 2008 R2, 2012, 2012 R2, 2016, 2019

Arguably, the Security-only Win7 and 8.1 patches, various .NET versions and IE could have their own DEFCON ratings, too. Each has specific considerations.

Oh, and then there’s the Servicing Stack Updates. Did I miss anything significant?

It’s a jungle out there. 🙂

Reply | Quote

I can’t remember the last time I’ve used IE.  It’s become obsolete like Adobe Flash imo

Reply | Quote

Today I received the following Patch information from Susan Bradley:
Windows 7/Server 2008 R2 SP1 (Install only one of these updates.

4524157 – Monthly rollup
4524135 – Internet Explorer cumulative security update

I looked at Windows Update on my computer, and I’m being offered 4524157–BUT it’s not checkmarked. Should I hold off installing it until Microsoft sees fit to checkmark it?

Thank you,

Jo-Anne

Reply | Quote

Microsoft leaves updates unchecked for a reason – so they don’t get installed automatically.
We don’t recommend installing unchecked patches.
Wait till it’s checked.

BTW, the Monthly Rollup contains the IE CU – that’s why you don’t install both

2 users thanked author for this post.

woody, Jo-Anne

Reply | Quote

A few days ago I received KB4524157 (2019-10 Security Monthly Quality Rollup for Windows 7 for x64-based Systems), which Microsoft had not checkmarked. On the advice of PKCano and Woody, I didn’t install that update, waiting instead for Microsoft to checkmark it. Today I got the October Patch Tuesday updates from Microsoft. KB4524157 is no longer listed; in its place is KB4519976, with the same label (other than the KB number). This one is checkmarked. I usually don’t install the monthly patches until the end of the month. Should I hold off on this one too?

Thank you,

Jo-Anne

Reply | Quote

We’re at DEFCON-1, which means WAIT to install. Read Woody’s articles about waiting to patch. including the ones linked on ComputerWorld.

Reply | Quote

So, I’m wondering, o any of the IE 11 patches actually fix the security hole? I installed KB4522007 on 3 Win 7 machines with no problems of any kind, and I’m wondering if I’m safe if I actually need to use IE 11 for something.

Reply | Quote

Presumably they do fix the security hole. If you aren’t seeing any side effects, there’s no pressing need to uninstall them.

1 user thanked author for this post.

DrBonzo

Reply | Quote

[DrBonzo]

For whatever this is worth to anybody, I described the installation of KB4522007 here:

https://www.askwoody.com/forums/topic/ms-defcon-3-get-your-september-patches-installed-but-stick-to-the-mainstream-patches/#post-1971810

At the time, there were no known printer issues so I didn’t comment on printing. But I can report now that printing on all 3 machines is just fine with a Canon MX860 connected with USB cable.

All three machines are working as normal (Dell Inspiron 5th gen core i3 and Dell OptiPlex 9010 3rd gen core i5, both running Win 7 Pro SP1, and my test machine, an old Gateway laptop with an Intel Atom and Win 7 Starter)

Hope this helps somebody.

Edit: well the link above doesn’t go to my post although it goes to the right thread. The post is #1971810

• This reply was modified 5 years, 5 months ago by DrBonzo.

1 user thanked author for this post.

woody

Reply | Quote

Fixed that for you.

1 user thanked author for this post.

DrBonzo

Reply | Quote

Speaking of Chrome browser- funny – today I used the “Youtube” app in the Chrome browser. When the site loaded I received a notification on the “suspicious site reporter” flag. So I clicked it – the report was that “youtube” was a suspicious site that needed to be reported! So I obediently clicked the send report with a screen shot & URL info! Googles gotta keep us safe! 😛

Reply | Quote

Oh my, now I have a notification on the “askwoody” address! woo-hoo, Google has our back when it comes to nefarious and shady websites…

1 user thanked author for this post.

woody

Reply | Quote

IE-related Question:

One of the banks that a client uses requires the Java RTE, which only functions in IE.  With an IE emulator add-on available for Chrome, IE Tab, Java functions and allows full online access with the bank.

Is this IE emulator considered safe?  (Win 7 Pro x64 with KB4522007 and uBlock Origin, NoScript, Privacy Badger & HTTPS Everywhere installed.)

Thank you,

AJN

Reply | Quote

Yeah, Java plugins really got dropped too quickly, they’re still needed in all too many places…

I understand the IE Emulator really pulls the IE rendering engine and uses it, so might have many of its problems too?

Somehow I expect something like Pale Moon – or even Midori 0.5.11 – might well be safer. Then again they probably just won’t do many of the other IE-specific things at all.

1 user thanked author for this post.

AJNorth

Reply | Quote

Thanks for the suggestion.

Pale Moon states that their browser still supports NPAPI plug-ins, specifically listing Java (https://www.palemoon.org/technical.shtml), so I shall test it on that banking site.

Regards,

AJN

Reply | Quote

Have you checked with the bank that it’s really still required?

There used to be a couple of banks in Ireland and Luxembourg that required Java, but that was seven years ago.

In recent years I’ve only found it to be needed for a local land registry legacy system.

Reply | Quote

Yes, I had spoken with their online services last year about the Java RTE being deprecated from virtually every browser except IE and suggested that perhaps they might look into changing to another platform, such as the Adobe AIR (or .NET Framework).  They replied that that was something they were considering, but that there was no timeline (and that .NET was not an option, as it was Windows-specific).

1 user thanked author for this post.

b

Reply | Quote

Just a parenthetic note…

The official Servicing Stack Update list, Software Advisory ADV990001, has been down all weekend.

1 user thanked author for this post.

b

Reply | Quote

well woody it seems Liam Tung of ZDNet has also written a recent article on the recent Windows patches causing “more pain”

https://www.zdnet.com/article/windows-patch-causes-more-pain-start-menu-boot-and-printer-problems-surface/

the recent out-of-band patches that were also supposed to fix the printing problems seem to be doing the opposite – causing them rather than fixing them

1 user thanked author for this post.

woody

Reply | Quote

Just reading through all the comments – no outrage concerning the $690 paywall. I was expecting more angst. We all have a duty (to each other) to not become complacent over this attempt at a ‘new normal’ that Microsoft has embraced. The ‘new normal’ is not normal at all.

So here it is … I see the use of a paywall in this situation as blatant elitism.

1 user thanked author for this post.

woody

Reply | Quote

I wouldn’t call it elitism. I’d call it a stupid, stupid mistake.

Limiting information about security holes to paying Enterprise “E5” level customers must’ve been a mistake. Must have.

Worth nothing: As of this moment, four-or-so days after the details were posted on the paywalled site, Microsoft still hasn’t said anything on the CVE-2019-1367 page.

1 user thanked author for this post.

AJNorth

Reply | Quote

From GW:

I just checked my Notebook and the version is 1809 Build 17763.775. Several times in the last week when I shut it off it said it was updating. However the version is still the same. A bit weird I think. I downloaded the update to 1903 file, Windows10Upgrade9252.exe. but did not run that. Should I? My desk top says it is Version 1903 Build 18362.356. Is that up to date? This is really confusing stuff. Any help will be appreciated.

Reply | Quote