MS-DEFCON 1: Patches failing at a phenomenal rate

Topic

New Reply

Blue screens, bungled releases, stealthy NET upgrades, CRM blocks and complex manual fixes. It’s shaping up to be one hell of a patch-encumbered month
[See the full post at: MS-DEFCON 1: Patches failing at a phenomenal rate]

8 users thanked author for this post.

fk5353, Ascaris, Noel Carboni, NetDef, JDeC, Elly, AJNorth, FakeNinja

Reply | Quote

Replies

? says:

I hear the sound of Nero fiddling

Reply | Quote

I think the blue screens are related to the delta update package that was mistakenly published to WSUS on Tuesday. It’s gone now as far as I can tell.

Reply | Quote

It’s only gone in the sense that machines updated with the latest WSUS/SCCM fodder won’t bluescreen. Other than that, it’s the blues.

Reply | Quote

Well, I’m a life-long Cubs fan, so I am a certified masochist.  Still, I haven’t applied the patches.  More to the point, it seems very clear that, in particular, Win 10 is actually a Rube Goldberg machine, which MS seems to then apply a new Rube Goldberg machine to when the previous Rube Goldberg machine doesn’t work.  I think it was either Ch100 or Noel, who once commented that, in the past, it has taken a while for a new MS OS to stabilize.  I think that observation is true, although I didn’t have the problems with Vista others did and I found Win 7 stable from the get-go.  In any event, we’re deep enough into this to see there is likely no way out for MS and Win 10 now.  Again, Ch100 and Noel know more about this stuff than I, but with this track record of not fixing things, and often times making matters worse, to ultimately really fix this seems to me to be nearly impossible.

What’s next for MS is unclear, but they’d be completely shortsighted, at this point, to end support for Win 7 in 2020.

 

8 users thanked author for this post.

flackcatcher, johnf, Canadian Tech, fk5353, lurks about, Elly, AJNorth

Reply | Quote

Group A Win 7X64, Home Prenium,  Office 10.  I installed the following.  KB4043766,KB404681,MSRTx64: Kb890830,Office 10: KB2553338.   So far no problems.

Reply | Quote

Geo wrote:

Group A Win 7X64, Home Prenium, Office 10. I installed the following. KB4043766,KB404681,MSRTx64: Kb890830,Office 10: KB2553338. So far no problems.

Almost the same – Grp A W7-64 – as Geo: (6) Importants: KB4041681 Rollup; MSRT;  (2) ’10 OFCE;  ’10 Outlook (Not Inst’d);  (1) ’10 WORD;  (1) ’10 EXCEL;

(1) Recommended: KB4043766 Net Framewk

W10 Pro 22H2 / Hm-Stdnt Ofce '16 C2R / Macrium Pd vX / GP=2 + FtrU=Semi-Annual + Feature Defer = 1 + QU = 0

Reply | Quote

Group B, win7Pro-64_SP1.  I installed all of the MSOffice 2010 patches, the MSRT, and the October .NET rollup.  No issues on either the Lenovo laptop or the Intel i7 desktop.  All went well and no issues after testing.  In my WU, the Outlook 2010 patch was checked this month, unlike the past months.

I did NOT try importing an XLS file into another document.  That was forbidden at work and I never did it at home either (have no need).  I will try it after  I do the group B patches.  I have not yet installed the October Group B Security only IE or Security Only Win7-64 patches.

I have said never Win10, but this month has solidified it unlike any past months.  I was going to update the organizational Win10 laptop, but I will just create my own LTSC (LTSB) by never connecting to the web.  There is no need for that device to connect, and it is still working well.  Maybe that strategy will be Long Term Servicing Celibacy… 🙂  No catching any patch sicknesses.

2 users thanked author for this post.

SueW, AJNorth

Reply | Quote

You’d have to be a certified masochist to install this month’s patches.

… or Equifax.

7 users thanked author for this post.

NetDef, AJNorth, johnf, walker, Elly, woody, BobbyB

Reply | Quote

I thought Equifax didn’t bother patching? Well the Apache critical ones least ways lol 😉

Reply | Quote

Add one more problem patch (possibly).

I have Office 2007 and the final patches for it came out this week. They installed fine on my Vista computer, but KB3213648 is failing on my Windows 7 machine with a Code 57E. Some sort of permissions-related issue; this had never happened before with any Office updates on that PC. Nice parting present for Office 2007. Thanks, MS experts!

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

Reply | Quote

Did you resolve the problem? Perhaps a renamed folder????

Reply | Quote

I had to resort to rebooting the computer, and then the patch installed properly. Good thing I have some experience with this kind of situation; I can only wonder what sorts of contortions I would have gone into (fiddling with permissions, etc.) if I didn’t.

“When in doubt, first reboot and see what happens.”  [grin]

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

Reply | Quote

So there we have it, Microsoft tells the world about six critical security vulnerabilities in Windows then promptly bungles the patch release that is supposed to fix them. Oh how very nice indeed! Another parachute jump with a moth ridden patched parachute. I guess I’ll just stick with the known bug set for now. Perhaps it’ll make more sense to jump to FCU a few weeks after it comes out rather than staying with the leaky CU ship.

HP Compaq 6000 Pro SFF PC / Windows 10 Pro / 22H2
Intel®Core™2 “Wolfdale” E8400 3.0 GHz / 8.00 GB
HP ProDesk 400 G5 SFF PC / Windows 11 Pro / 23H2
Intel®Core™ “Coffee Lake” i3-8100 3.6 GHz / 16.00 GB

Reply | Quote

Well this is the first Anniversary of the Win7-8.1 Cummulative/roll up updates.

Congratulations it M$ it seems your celebrating in style, with a “bang” so to speak.  😉

5 users thanked author for this post.

AJNorth, GoneToPlaid, SueW, radosuaf, Elly

Reply | Quote

There are strange occurrences. We installed Office 2013 security patches and MSRT on a Windows 8.1 computer and the “Home Group” icon appeared on the desktop. This is not a new problem but is mentioned that it did happen today.  A google search of the problem lead to an answer (from the windowsclub).  Going to control panel, folder options, view, and uncheck and apply sharing Wizard, then re-checking Sharing Wizard and apply, made it go away.

http://www.thewindowsclub.com/remove-homegroup-icon-windows-8-desktop

Reply | Quote

Windows updates is like playing Russian Roulette.  Never know when that bullet will strike your PC down.

Reply | Quote

In regards to patching M$ appears to have adopted literally, that famous saying in the movie Forrest Gump.

“Life is like a box of chocolates YOU NEVER KNOW WHAT YOU ARE GONNA GET”

lol.

 

1 user thanked author for this post.

AJNorth

Reply | Quote

Alas, with M$, we know that it won’t be chocolate (nor anything even remotely like it). Sigh.

Reply | Quote

I have KB4041678 and KB4040685 (security only and IE11) patches installed on one Windows 7 Pro x64 machine for the past 3 days with no problems so far.  Group B: P8P67 Pro, I7-2600K, Radeon HD 6850.

Edit to remove HTML
Please convert to plain text (.txt) before copy/paste

3 users thanked author for this post.

AJNorth, SueW, JDeC

Reply | Quote

Copy/paste was in plain text which is why I was surprised at text info (HTML code appearing) in the comment.

2 users thanked author for this post.

SueW, Sparky

Reply | Quote

Reply not working? I tried to submit a reply but it did not show in the thread. I tried twice, this will be #4 with no success. “Houston, We have a problem”

Dell, W10 Professional, 64-bit, Intel Core i7 Quad, Group A

HP, W7 Home Premium, 64-bit, AMD Phenom II, Group A

Reply | Quote

Your replies got in the spamfilter. I retrieved them

2 users thanked author for this post.

AJNorth, walker

Reply | Quote

This is not directly related to this topic but I think it is important.

Equifax has announced that due to another hack, tyeir web site has put onto visitors computers a bogus Adobe Flash update download screen. I can verify this. I have encountered this repeatedly. Anyone know how to delete this?

= Ax Kramer

Reply | Quote

I don’t trust it either when a adobe update pop’s up on my screen. I don’t click on it, I go direct to adobe and check to see if it’s real.  I got the pop up screen yesterday  the 12th. Went to Adobe and they had an update.

3 users thanked author for this post.

AJNorth, derzeitgeist, SueW

Reply | Quote

It appears that TransUnion is also redirecting visitors to fake Adobe Flash updates (though in Central America).

Ars Technica Article: https://arstechnica.com/information-technology/2017/10/equifax-rival-transunion-also-sends-site-visitors-to-malicious-pages/

3 users thanked author for this post.

AJNorth, derzeitgeist, woody

Reply | Quote

Even the app stores aren’t immune from fake issues, such as the Edge app found in Google Play recently:

WARNING!!! There's a fake/scam Edge app in the Google Play Store. This is NOT from Microsoft.
Use this direct link: https://t.co/pYecSTdzyj pic.twitter.com/hKqcHQgaiM

— Nick Landry (@ActiveNick) 12 October 2017

 
And on the subject of fake Flash Player installations:

Equifax rival TransUnion also sends site visitors to malicious pages
People visiting TransUnion’s Central American site redirected to potpourri of badness.
Dan Goodin | October 13, 2017

Equifax isn’t the only credit-reporting behemoth with a website redirecting visitors to fake Adobe Flash updates. A security researcher from AV provider Malwarebytes said transunioncentroamerica.com, a TransUnion site serving people in Central America, is also sending visitors to the fraudulent updates and other types of malicious pages.
Read the full article here

4 users thanked author for this post.

walker, AJNorth, derzeitgeist, woody

Reply | Quote

Well, its good for business if consumer’s computers get hacked by third party advertisements which serve up malware. Consumer identities get stolen, then the consumers end up paying for the credit monitoring services which are offered by all of the big three credit reporting agencies.

Reply | Quote

Hello @ax kramer,

For those who may have inadvertently been infected with the adware contained in that hijack (known as Adware.EoRezo) the easiest approach for the non-technical would be to install, update and run a scan with Malwarebytes (installing it as the free version); links for the application’s download and a tutorial at site (from BLEEPINGCOMPUTER).

If that does not thoroughly clean the system, then try the Norton Power Eraser (read through the page fully before starting, and keep in mind that this utility tends to be rather aggressive; that is, it may generate false positives).

(For a more technical and detailed set of procedures, please see Remove “Update Flash Player” or “Update Java” fake alerts (Help Guide) (from MALWARETIPS); again, several of the other applications mentioned can be quite aggressive.)

Hope this is useful.

AJN

2 users thanked author for this post.

SueW, Kirsty

Reply | Quote

It’s probably worth mentioning that if you are just seeing the popup, you are most likely not infected.  Just don’t click on it.  That is just the Javascript from the 3rd party connection working as it should.  Unless you disable Javascript completely (not recommended), or use a script blocking plugin, you are at the mercy of the website.

But if you have already clicked on it… yup, follow the advice given above…

Windows 10 Pro 22H2

1 user thanked author for this post.

AJNorth

Reply | Quote

Patch Tuesday needs a new baby brother… 3 1/2 weeks later, “Safe patch Monday” has a nice ring to it.

12 users thanked author for this post.

GoneToPlaid, JDeC, flackcatcher, AJNorth, BobbyB, johnf, derzeitgeist, SueW, dononline, JohnW, woody, Cybertooth

Reply | Quote

Hello 02-. Good point! We all look to Woody for help and it is great to have Him and many here to help.  My rule is to wait a week minimum. If Woody thinks it is OK then I will update. Usually it is longer.  If several are yelling, and Woody still says wait, then I will wait another few days. It is hard to go 3 1/2 weeks before updating because it or we may become a target.

Reply | Quote

Patching early is always an option, but…

Recommended process:

Take a current system disk image first, to a secondary drive location.

Patch.

Test.

If problems with patches, restore image, wait 3.5 more weeks.

Else keep on running and wait for the fun to begin again the following month.

Repeat.

Windows 10 Pro 22H2

Reply | Quote

I’m Win7 Group B. With all the .Net information this month, I finally verified that I have version .Net 4.6   Per your Computerworld Woody on Windows article, you recommend either installing version 4.7 itself or installing .Net 4.5.2   Could you please give instructions (Novice version) on how to do this & which version might be best?  I think I recall reading that different versions can co-exist , so would I need to delete .Net 4.6 only if I choose to install 4.5.2?  Thx

Reply | Quote

I am in the same postion and wanted to ask this very question. Which would be the lesser evil: to upgrade to .Net 4.7 or downgrade to .Net 4.5? If the latter, how do I go about it? Many thanks!

Reply | Quote

As far as I can see the updates for NET 4.5.2. and NET 4.7 are in the same rollup. See KB4043766 and KB4043767.

So what’s the point in up- or downgrading from NET 4.6?

Reply | Quote

Because Woody explains in his Computerworld article that if you install the rollup, you will be effectively upgrading to .Net 4.7, and .Net 4.7 causes problems on Windows 7 machines – or so we have been advised on this site. That’s the point.

3 users thanked author for this post.

JDeC, walker, AJNorth

Reply | Quote

Not just the patches failing at a phenomenal rate Woody..Confidence, Integrity and Trust are just a few things….

I’ve found in GNU Linux after 5 years of use.

Windows - commercial by definition and now function...

1 user thanked author for this post.

johnf

Reply | Quote

I have a friend that lives linux and hates MS. I ALWAYS hear him (actually there were 2 linux users) complain about having a problems with their computers. One said more than once, a linux (mint) update ruined his Home Directory and he had to reinstall. I feel there are bugs and problems with all OSs. Whatever OS you use, keep it updated to stay safe, or use a very good 3rd party firewall that show OUTBOUND connections.

2 users thanked author for this post.

AJNorth, Microfix

Reply | Quote

Reply:

Linux Mint Update has 5 Levels, ie Level 1 to 5. The default setting only installs Level 1 to 3 updates.

Smart users will choose to only install Level 1 & 2 updates and then peruse Level 3 updates before installing them because a certain few Level 3 updates may be problematic.
… Some Level 4 & 5 updates will often bork the Linux system, especially Linux kernel updates on older computers.

I have been updating my LM 17.3 Cinnamon computer for more than a year without any problem. If done properly, updating LM is like drinking Cinnamon Tea = calming effects, unlike Windows Update post-Oct 2016 = difficult, confusing and stressful.

2 users thanked author for this post.

johnf, AJNorth

Reply | Quote

The good thing about Linux Mint is that they don’t automatically force updates. They also rank the updates from 1 (safe) to 5 (do at your own risk), unlike Ubuntu, which wants you to install all their updates.

What’s not mentioned here is if the affected computers above were running dual boot (which may or may not be stable, based on what MS does), or if they were running PPA’s (software installed outside of the repositories). Usually, the software in the repositories are vetted by the developers, while PPA’s tend to be less stable.

As always, backups are vital, and good sense (turning on firewalls, doing updates) is good practice. Even in Linux, though, it’s always good to wait a bit to see if the updates are stable.

 

1 user thanked author for this post.

AJNorth

Reply | Quote

I used to think a firewall with outbound connection control was important.  I still use one, but I realize it is not really going to stop smart malware.  Just use it to keep a few things from phoning home.

Too much stuff can just hop onto Windows Service Host today, and you can’t block that in your firewall that without breaking a lot.

It’s better to know every executable that you have running on your PC is signed and trusted.  If not, why are you running it?  If it’s trusted, is it really going to matter if it uses the network?

Windows 10 Pro 22H2

1 user thanked author for this post.

AlexEiffel

Reply | Quote

It is going to matter if you just don’t want it to call home. Or you want to monitor active connections, no matter how trusted.

And firewalls are seriously lacking on Linux. (Going the way of the dodo on Windows too, sadly.)

But yep, liked Mint’s updating system when I used it for a couple of weeks last year.

Reply | Quote

If it’s security or privacy that is the concern, then they are two separate issues.  Don’t conflate the two.  Each one requires a different approach.

Windows 10 Pro 22H2

1 user thanked author for this post.

AlexEiffel

Reply | Quote

Hello,  JohnW has a good point. I have seen adobe reader updated via the SVhost when the abobe updater was blocked in the firewall. So yes it can happen. But so can getting a virus even though one has an antivirus. Should one stop using the AV?  No. The 3rd party firewall will show outbound connections for far more things that most people do not know about. I have seen “signed approved products” try to go out, even though “check for updates” was not checked. So it is a good idea to have a 3rd party firewall as an added protection. We have “Little Snitch” on our MAC as well as our Windows PCs. It works very well and is an eye opener for outbound connections. People here at woody’s are a little more technical, and I assure you that the average user does not even know what a signed exe file is. We must do the best we can to protect ourselves and others (clients, relatives, etc) with the tools out there and with Woody’s (and other vetted peoples here) advice.

1 user thanked author for this post.

AlexEiffel

Reply | Quote

I want to confirm johnf’s points.

And as long as we’re being anecdotal <g>, I switched an XP system to Ubuntu in Oct 2010, decided I didn’t like the direction Canonical was going and switched to (and have stayed with) Linux Mint since Oct 2010. There is an emphasis on usability and stability that is refreshing. When a new version is released, they will caution against upgrading (if it ain’t broke…) and that the previous version is still supported. I have found the patching system rock solid; so much so that I will install updates the day they are released and — real shocker — not bother to back up first (as long as I have backed up in the past 2 weeks).

(versus waiting 3-4 weeks on MS patches and never, ever, installing a MS patch unless I have created a system image first)

as always YMMV,

anon

3 users thanked author for this post.

AlexEiffel, johnf, Jan K.

Reply | Quote

Perhaps we Windows 7 users should just jump forward to January 2020 and put our Windows Update days well and truly behind us. Personally, I can’t wait!

Thanks as always, Woody and friends.

Reply | Quote

Unfortunately, you can’t. There are key security patches, such as MS17-010, that you absolutely have to install.

5 users thanked author for this post.

Elly, SueW, walker, AJNorth

Reply | Quote

Oh I know, I was just dreaming. Meanwhile the threat from MS is very likely much greater in practice than from anyone else, but so be it!

As for what to do come 2020, there’s still no indication that upgrading to Windows 10 will be any wiser than continuing with Windows 7 beyond that point given the present mess with that system’s vulnerabilities and updates. Unfortunately, Linux isn’t a viable alternative for many of us. All we can hope is that somehow against all the odds MS get their house in order over the next couple of years.

8 users thanked author for this post.

ryegrass, JDeC, flackcatcher, Elly, JohnW, AJNorth, SueW, Raptor007

Reply | Quote

Hopefully Linux distro developers are aware that they could easily gain massive marketshare in the coming years if they take advantage of the upcoming opportunity when the coming Windows exodus occurs (Looking at you Mint and Ubuntu).

3 users thanked author for this post.

flackcatcher, Elly, AJNorth

Reply | Quote

To echo — and build upon — your hope (which, it should be safe to say, is shared by countless millions around the world), let us also hope that the software vendors are paying attention, and have the forward thinking to create Linux versions their products, both popular home (such as for multimedia) and professional applications (accounting, law and medicine, to mention but three areas).

To quote [what is often cited as] an ancient Chinese curse, May you live in interesting times.  (Not to digress, but it is neither ancient nor Chinese: https://quoteinvestigator.com/2015/12/18/live/ .)

As I have muttered before, on more than one occasion, Who’s on first? (http://www.baseball-almanac.com/humor4.shtml).

3 users thanked author for this post.

Seff, flackcatcher, Elly

Reply | Quote

Hear hear!

Reply | Quote

Your hopes are good ones, but as AJ’s comments reflect, it is really up to the application developers to make this happen.  Lately I have become aware of a few small multimedia companies releasing cross platform versions of their applications.  Here is one example:  https://www.tracktion.com/products/t6-daw and the latest version even runs on a Raspberry Pi!

The Linux distro creators do not control what applications are written as cross platform.  They have merely provided the OS and tools to enable it.

Anyway, there is not really any revenue to be made in releasing a Linux distro, since it is free and open source.  There are a few commercial companies that have been successful with monetizing Linux, by packaging a free OS with some value adds, and selling support contracts to businesses.

Windows 10 Pro 22H2

1 user thanked author for this post.

AJNorth

Reply | Quote

Group C, Anyone?? It sure looks like a safer place.

CT

3 users thanked author for this post.

walker, JDeC, AJNorth

Reply | Quote

@Canadian Tech:  Agree, however isn’t the Group C, the one that doesn’t do “any” updates, or does it only do those which are “critical” to securing your computer.   It’s been a while since we’ve seen you here.    Welcome back!   🙂

1 user thanked author for this post.

AJNorth

Reply | Quote

I can’t begin to describe how happy I am since I put Windows in the rear-view mirror and installed Linux.

I no longer have to wend my way through a minefield of defective updates every month while hoping that MS will eventually get it right.

Clearly the inmates are running the asylum in Redmond.

5 users thanked author for this post.

Bill C., Elly, johnf, Microfix, AJNorth

Reply | Quote

I’m glad that is an option for some.  I use both, because I need Windows applications that only run on real Windows.

If I could run everything on Linux, I would, but that is not possible or practical for me yet.  I would like to see the day that everything runs native on Linux.  I have tried Wine, but have only had luck with a few apps, and that is always with a lot of fiddling and crashes.  Not wasting my time with that stuff anymore.  Native Linux only!

If I only used web, email, office, and development apps, the solution would be easy.  Linux has great replacement apps for those use cases.

But commercial applications for content creators seem to only support Windows and/or Mac.  I use Photoshop, so don’t even get me started on Gimp, LOL!

Windows 10 Pro 22H2

3 users thanked author for this post.

Bill C., AJNorth, ryegrass

Reply | Quote

Anyone at MS know what they are doing?

Reply | Quote

Ah, today’s Trick Question.

3 users thanked author for this post.

Elly, johnf, Kirsty

Reply | Quote

I’ve read extensively on this site and the articles on Computerworld about holding off on patching.

On Win 1703 here. Both feature and quality updates are deferred for at least 30 days. Group Policy set to advise of available downloads but not to download them and certainly not install them automatically.

I know about and have used wushowhide

With quality/feature updates turned off in settings wushowhide returns no results for pending updates so I can’t hide them. I have to enable updates in settings before running wushowhide.

Not that long ago after enabling updates but before running wushowhide to hide an update for office, I hit “check for updates”. Once you do this, your goose is cooked as any pending updates will be downloaded and then installed with no further user action required. I tried to stop this from happening by rebooting…didn’t work, just kept coming, by turning off the update service, fine but windows eventually turns it back on and the updates keep coming. There seems to be no way to tell Windows to “just stop and forget I ever asked.”

I have seen reference in some articles of being able to select the wanted updates to be installed from some sort of a displayed list of available updates, I haven’t seen that since like windows 7 I think.

I’m pretty on the ball if I choose to accept nothing, or the reverse, if I choose to get everything, but I am still confused and struggling to manage installing selective patches.

Another issue, at some point in the past I turned off getting drivers automatically from update. Now I can’t remember how I turned that off in case I want to turn it on again. wushowhide shows several available drivers that do not show in windows update.

I’ve played with Linux and I don’t like it. But I may just give up on the dream of a familiar environment that I delude myself into thinking I understand and just jump ship altogether.

Would some kind soul offer some assistance in clarifying where I am going wrong when trying to manage windows updates? Specifically, how to I select only one of several pending updates to be installed and the rest ignored. Every time I toggle updates back on prior to running wushowhide, I swear windows picks up on the change and it is race against the clock to see whether I or the computer will finish searching for updates first. Once windows identifies and available update and queues it, it seems d***** near impossible to get it ignored again

Thx.

Reply | Quote

“wushowhide shows several available drivers that do not show in windows update.”

Windows 10 doesn’t show updates of type Recommended or Optional

Windows 10 driver management

1 user thanked author for this post.

woody

Reply | Quote

None-the-less wushowhide displays what are clearly 5 drivers, one for my printer, 2 Android ADB interface, 1 kdb composite interface and 1 qualcomm incorporated usb

Another windows mystery.

Reply | Quote

Those drivers are apparently Optional updates. Windows Update in Window 10 doesn’t show Optional updates, but wushowhide does. It is confusing indeed :(.

3 users thanked author for this post.

dph853, JohnW, woody

Reply | Quote

I’ve mentioned this before here, but this is why my clients use modified WSUS settings and sync schedules.  Not sure what group this places us in though . . .

After WSUS has been configured via the Wizards (recommended) we go in and turn off the nightly sync.  We set automatic rules to approve only critical patches.

A scheduled sync is set for Friday night at 9 PM.  This way Critical patches get installed typically 3 days after patches are posted by MS to WSUS.  We find that problematic patches almost always get pulled by MS from WSUS within this time frame – and this has saved us much grief.

The following week after the next Friday sync (10 days after patches are published) we review the remaining patches requiring acceptance – the non-critical Important and Rollup plus optional etc.  By now some will have been pulled by MS, some have been re-released/superseded, the rest we review for approval at that time, or we may wait based on what others have been sharing about the patch quality that month . . . (thanks Woody!)

Keep in mind that WSUS allows you to UNinstall and block a patch across your organization – which happens a couple of times a year for us.

My stance with all this remains:  I would rather take the pain of removing/revoking an installed patch, than skipping them all and getting ransomed.

~ Group "Weekend" ~

2 users thanked author for this post.

AJNorth, MrBrian

Reply | Quote

We auto-release to our alpha group. Our Alpha group is comprised of half VM’s and the other half is random people in IT, in this building, where the users can easily receive help. A week later we release to beta, which is a cross section of random people from different departments, although it’s still weighted heavily on IT. Then we have a Level 1, Level 2, Level 3, and Level 4 group. Depending on how alpha and beta went we may released to 1-4 on alternating business days or it could be 1 level per week.

Servers are handled by a different WSUS and they also auto-release to an alpha group. General deployment doesn’t take place until about a month after Microsoft releases patches, unless there is an active threat like WannaCry. Each server is put in a AD security group that determines the patching cycle. The requirements vary so much from server to server that we have about 20 different schedules.

Now we are also on migrating away from WSUS and towards an SCCM SUP, which still utilizes WSUS on the back-end. The goal is eventually to get to the point where we do montly patching of 3rd party products and get to the point where we have automated patch compliance reporting. Unfortunately we’re not quite at the same level of sophistication as we were at my last job, but there is a lot of support for the direction we are going in.

2 users thanked author for this post.

flackcatcher, Jan K.

Reply | Quote

It is becoming more and more evident as time goes by, that the biggest security threat to your operating system is Micro$oft. I worry more about what they’re going to do my system month to month more than any other threat out there. That’s a sad state of affairs. Just my opinion.

8 users thanked author for this post.

Seff, JDeC, Elly, ryegrass, johnf, AJNorth, Canadian Tech, Cybertooth

Reply | Quote

Image.  Image. Image.

Preferably that is daily, weekly, monthly…

Windows 10 Pro 22H2

Reply | Quote

Both my systems were updated without issue.

However, I manually downloaded them from the MS Update Catalog.

Whether that had anything to do with it, I don’t know.

Whatever, I’m grateful that I have two working systems, as I speak.

Fingers AND toes are crossed !

Reply | Quote

Hello Geoff King.  What OS was it your updated and is it still performing OK?

Reply | Quote

Well, I was a bit terrified when 2 machines were updated today, one w10 pro (desktop) and the other MSI gamer laptop, w10 family. Via MS update.   Everything went quickly, no problem. I was so relieved!

Those 2 machines, owned by my daughter, are essential to work,  3d artist course,  all loaded with fancy 3d softwares.  No backup for now… she lives dangerously…  Still need to update 2  w7 laptop  but I don’t use them so much, so I don’t bother about any crash.  My personal computer is a iMac… I started to hate w10 when the fury began on w7… It was so agressive. I had nightmares for week LOL.  But this site gave me the strength and the tools to avoid w10…

Thanks Woody for the good work!  Good luck all for your updates!

 

Fingers crossed as well!!!

Reply | Quote

anonymous wrote:

Hello Geoff King. What OS was it your updated and is it still performing OK?

Hi, anon. Win 10 Home 64 bit, and working fine on 15063.674

Reply | Quote

That’s the first time in months I haven’t touched my personal PC (too busy at work) for a week or so , so didn’t patch it. Lucky me :).

Fractal Design Pop Air * Thermaltake Toughpower GF3 750W * ASUS TUF GAMING B560M-PLUS * Intel Core i9-11900K * 4 x 8 GB G.Skill Aegis DDR4 3600 MHz CL16 * ASRock RX 6800 XT Phantom Gaming 16GB OC * XPG GAMMIX S70 BLADE 1TB * SanDisk Ultra 3D 1TB * Samsung EVO 840 250GB * DVD RW Lite-ON iHAS 124 * Windows 10 Pro 22H2 64-bit Insider * Windows 11 Pro Beta Insider

Reply | Quote

Unfortunately, I didn’t see the defcon in time, and strangely, Windows update turned itself back on, so I ended up getting the updates. Thankfully, I’ve had none of the problems anyone else got. Guess I got extremely lucky!

Reply | Quote

The “Inaccessible boot device” (blue screen) issue was bad enough. Thankfully our testing process worked as intended and it didn’t make it into the full production environment.

However, I must say that I’m SUPER UPSET about this CRM thing. The bug they caused a couple of months ago affected over 3,000 systems here and it was just after Microsoft [mess]ed up the previous month of patching (in a year where basically every month has been filled with missteps). Now I’m reluctant to push any patches this month.

Our main response to the lack of a proper Microsoft QA process has been to drastically extend our roll-out cycle. It’s a fine line though because you don’t want the next WannaCry malware to be the one that finally takes down the entire environment.

Even when Microsoft had a proper QA process, bugs would slip through. Yet generally if you followed best practices you wouldn’t be burned too badly. Unfortunately, since they disposed of their QA team and especially since they’ve started transitioning to this cumulative approach to patching, the act of patching has become more like a game of Russian roulette.

What I’m most afraid of is that Microsoft doesn’t understand that business and government only moves so quick. All the wishing, pushing, and prodding that Microsoft can do will NOT change that. A lot of organizations have spent serious amounts of money to get their software capabilities and business processes to align – therefore it becomes extremely frustrating for their largest customers when they break things without understanding the real world ramifications of their decision making process.

It’s fine and dandy that they want to evolve. What they have is a failure to communicate.

Using the example of their last CRM fiasco:

If there are serious problems in CRM and the fixes that they want to do to CSS in IE will break customization’s that organizations have made then the solution shouldn’t be to break everything and ask for forgiveness latter. They should offer the patch as optional instead of critical or a security update. Then communicate about the types of things that will need to be addressed before the patch can be rolled out everywhere. Even if they don’t want to do it exactly that way, there is some variation that could work.

When Microsoft becomes more of a problem than a solution, that’s when people start to look for other solutions. Maybe they can’t be replaced on the desktop OS level yet, but there are plenty of areas where we can kick Microsoft out the door and adjust (down) our licensing with them.

8 users thanked author for this post.

JDeC, walker, flackcatcher, Elly, ryegrass, AJNorth, woody, MrBrian

Reply | Quote

In the words of David das Neve, the WaaS evangelist “We are the last ones to move onto this kind of model”.

The assumption here is that this kind of model is suitable for every scenario. Microsoft doesn’t compete on innovation on the OS level, at least not anymore. They need rock solid stability, support, good performance, not VR and ads for businesses. One could argue they add more security, but the OS itself hasn’t been built for security from the start so great to have tools to catch up to a less risky OS. Anyone would dare say Windows is more secure than IOS or MacOS, built on one of the most secure Unix, BSD?

And for people at home, although Windows can be tweaked pretty good, most do not know how to do it and they end up with a horrible user experience with unwanted software on their system, things they don’t know if they should remove or not, productivity hindering things all over the place, viruses. So, guess what, when faced with other options, it might suit them better and it is fine. Some might buy the marketing gimmicks. I know people who wants the latest OS because they can talk about having it, but they don’t have a clue about the differences. It is getting less common today, but it still exists, this inflatable neighbor syndrome with computers, although they are getting so common it is less palpable.

So, when you still own 90%+ of the desktop market and everybody supposedly have moved to a different development model, you think you are wrong and should do like others? Then, you better be sure what you want to do won’t break what has worked and still works for you to have that much exceptional presence in the market. If you don’t understand that, and you insist on pushing valueless upgrades with added costs to own, you are just opening the door for a smart company to step in and kick you out of the business market.

Who in their right mind would use Microsoft everywhere to manage server farms of web sites instead of Linux ? Microsoft have shown its incompetence with their IIS solution a long time ago. I guess they really try hard to convince businesses that they can’t be trusted for business no more too by blaming the users for not wanting their unwanted product, regardless of how they develop it. Basic strategic mistake: if you have the wrong product-market fit, it doens’t matter how you execute it. When you fail, I already hear you saying it is all your clients fault for not doing what you wanted them to do.

 

4 users thanked author for this post.

flackcatcher, Elly, Cybertooth, derzeitgeist

Reply | Quote

Hello, derzeitgeist. Well put. Businesses must have stability to keep their computers running. When computers go down, money is lost. This is a fine line to patching. There is a responsibility to the customer and even world that patches be applied, or a business could be hacked. But technicians also need to slowly push patches out after they have been tested on a few computers to see if anything breaks. It sounds like you have a handle on the situation. These common sense posts, and Woody’s advice are much needed and welcomed.

Reply | Quote

I’ve noticed Wifi losing internet connection but still connected locally. Never had issues until update. Checked my network and is still connected to internet every time. Also noticed after my wife’s laptop updated she lost IPv6 internet but not Ipv4. Reboot always fixed it though.  My Ubuntu desktop never loses any connection and neither does my iPhone’s or iPad.

Reply | Quote

Ironically, before I accidentally updated I was losing my wifi every morning at 11 am, but since I accidentally updated, it works again. Just hoping I don’t get any BSODs.

Reply | Quote

Ok, now I have another Win Server that behaves badly since the automatic patching. Same version, Windows Server 2012 R2.

Now what happens is we can’t remote desktop on it no more, nor can we ping it. However, when I look at it, I can ping the stations that can’t ping it from it just fine. It looks like a Windows Firewall issue, like if the network was assigned to Public instead of Domain, similar to the other issue I had with the other server. Unfortunately, disabling then reenabling the network card doesn’t fix it this time. Plus, it is written the network card is assigned to the domain, not like the other issue where it had become public. I tried rebooting, doing the diagnose option on the network card. Nothing works.

Those servers do not do anything on the Internet except patching. I renewed them last year. Prior to that, I had the accounting package and Windows server completely off the grid for 6 years with no issue at all. This time, I thought, well, I will let them patch only, because there’s a lot of more scary things out there like the SMB vulnerability. Well, now I loose time managing uselessly those things that should just provide access to the accounting package and do backups. I’m about to pull the plug on the patches. I wouldn’t have expected that on a static Windows Server 2012 like that. We are not talking about an OS that keeps changing like Windows 10 here!

Reply | Quote

Canadian Tech wrote:

Group C, Anyone?? It sure looks like a safer place.

Canadian Tech
I just posted in the Windows 7 forum what happened with me.
2 weeks after I applied the Sept. patches (group b), my computer had huge problems.
After a lot of attempts at everything, (read my post in Windows 7 forum) I deceided to try one more thing.  I removed Sept. IE11 patch kb4036586.  That’s when the computer turned the corner.
So, almost 2 weeks before it was a problem.
The security patch was not removed.

5 users thanked author for this post.

JDeC, SueW, walker, AJNorth, Elly

Reply | Quote

Talk about total BAD Luck for Updates this month-Friday the 13th’s bad luck curse is spreading to even Windows updates.

Once the chaos settles I’ll update my computer when it’s back to level 3. Which won’t be til the first week or before the next patch tuesday.

Reply | Quote

First take, it appears many of the issues are related to W7 and W10 although I am aware of known bugs in the October W8.1 Cumulative Update. We all know that the MS pre-release QA testing for updates is less than robust but this monthly fusillade of update issues is exacting reputational damage to MS and its products. I view W10 as little more than a slow moving train wreck and will resists using that OS until all viable options become exhausted. That’s a pity as I had high hopes for W10 until MS ingested all of the crazy pills.

1 user thanked author for this post.

AJNorth

Reply | Quote

Group B: KB4041678 and KB4040685 patches installed on Windows 7 Ultimate x64 with no earthquakes or aftershocks after 2 days of fairly heavy use.

3 users thanked author for this post.

JDeC, glnz, AJNorth

Reply | Quote

Woody, it is interesting to learn that installing the .Net Rollups starting from July 2017 will “transform” .Net 4.6.x to 4.7 under the hood.

I don’t install any of these rollups. Instead I adopt the “Full” Group B approach by installing only the Security Only .Net Updates, the last of which was in May 2017. I am aware that there is a Security Only .Net Update released in September, but I have not installed it yet on my systems running Windows 7 and 8.1. I have .Net 4.6.2 installed on Windows 8.1.

Will installing only these Security Only Updates now and in the future still “convert” .Net 4.6.x into 4.7?

Hope for the best. Prepare for the worst.

2 users thanked author for this post.

SueW, AJNorth

Reply | Quote

“I don’t install any of these rollups. Instead I adopt the “Full” Group B approach by installing only the Security Only .Net Updates…”

I also employ the Group B approach.  And though “rollup” is a dirty word for us, it has an entirely different meaning in .Net Framework, as explained here:

https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/

Security and Quality Rollup
The Security and Quality Rollup is recommended for consumer and developer machines. It includes both security and quality improvements and is cumulative, meaning that it contains all of the updates from previous rollups. This makes it easy to catch up if you have missed any of the previous updates. The Security and Quality Rollup update will be made available on Windows Update and Windows Update Catalog.

Security Only Update
The Security Only Update is recommended for production machines. It contains only the security updates that are new for that month. This enables you to fine-tune the security updates that are applied. If you have installed the Security and Quality Rollup for the month, then you are up to date and do not need to install the Security Only Update. The Security Only Update will be made available on Windows Server Update Services and Microsoft Update Catalog.

So although I wasn’t initially sure which mode of .Net Framework to install, I’ve been installing the cumulative ‘Security and Quality Rollup’ mode (I have both 3.5.1 and 4.6.1 on my system).  So far, so good . . .

Now, as far as “transforming” .Net 4.6.x to 4.7 under the hood, I’ll also be interested in knowing the answer.

Win 7 SP1 Home Premium 64-bit; Office 2010; Group B (SaS); Former 'Tech Weenie'

1 user thanked author for this post.

AJNorth

Reply | Quote

Microsoft Dynamics 365 for Outlook is unable to render webpages after installing the October 2017 Microsoft Outlook security update (found this article via these Microsoft Excel macros)

Reply | Quote

I have installed, same as others posting here, this month’s Windows 7 Security only and IE11 Cumulative updates, so far with nothing going amiss (that I have noticed). If something nasty turns up, I shall post a note describing the problem.

On the other hand, I am, for now, holding off on installing the MS Office patches in both my Windows PC and my Mac, as well as the .Net one in the former,  until some time goes by, in case several users, somewhere online, e.g. in “Ask Woody”, start reporting, consistently, on some awful things that happened to them as a result of doing that.

Since I’ve never have used, nor I see any reason why I’ll ever use, Outlook, I am excluding that piece of MS Office from this comment.

P.S.: I am posting anonymously here because, once upon a time, I subscribed to “Woody”, and got instantly flooded with emails with postings that I can just as well read online by visiting this site, so I cancelled my subscription.

If there were a way to post here without that (to me) undesirable side effect, I’d love then to subscribe and post as a user (and be able, among other things, to “thank” others for postings that I see as particularly useful and informative.)

 

1 user thanked author for this post.

AJNorth

Reply | Quote

There is a difference between “Register” and “Subscribe.”

You can register – create an ID and password, receive a confirmation email, and you’re in.

If you “Subscribe” to a topic by clicking the link on the right side of the gray bar at the top of the topic, or checking the box  ” Notify me of follow-up replies via email” at the bottom of a post/reply, you are requesting emails when people reply to the topic or post. So if you stay away from those two things, you should be fine as a registered member.

3 users thanked author for this post.

SueW, JDeC, AJNorth

Reply | Quote

JohnW wrote:

Patching early is always an option, but… Recommended process: Take a current system disk image first, to a secondary drive location. Patch. Test. If problems with patches, restore image, wait 3.5 more weeks. Else keep on running and wait for the fun to begin again the following month. Repeat.

Yep, that pretty much sums up my pre-patch procedure. Nearly a year ago, I learned to quickly perform an incremental backup of the Windows OS partitions on my computers before installing Windows Updates. Why? Because I have encountered a couple of them which either can not be uninstalled, or which do not properly uninstall — no matter what.

1 user thanked author for this post.

JohnW

Reply | Quote

Hello to everyone,

Piriform’s Speccy utility does correctly show what versions of .Net are installed on your computer, including the latest installed service pack for the given installed .Net version.

Yes, .Net 4.6.2 and above does indeed remove the 260 character path limit under Windows 7, and this is indeed a nice feature to have on your Windows 7 computers. On the other hand and with only .Net 4.5.X installed, I have occasionally encountered issues with path limits which have more than 240 characters. Why is that? Because it depends on how long your computer name is, when syncing files across your local network.

Note that since .Net 4.6.2 and above must inherently have direct low level access to the NTFS on every hard drive within your computer via the Windows kernel, in order to implement the removal of the 260 character path limit, all versions of .Net higher than 4.5.X represent an obvious additional direct attack vector on your computer.

One has to ask, why did Microsoft decide to “fix” the 260 character path limit issue via .Net, instead of fixing Windows itself?

All .Net Framework versions above .Net 4.5.X also include baked in telemetry capabilities for installed programs which are written to explicitly gather such telemetry, and also may be required to be installed if you want to run programs which were designed to run under Win8 or Win10.

Rule 1: If a program, which you install on your Windows 7 computer, also installs a .Net version which is greater than .Net 4.5.X, then most likely the program author desires to gather telemetry regarding the use of said program, and more.

Rule 2: All versions of .Net above 4.5.X, for Windows 7 computers, include baked in telemetry capabilities.

Rule 3: If you want to uninstall, on your Windows 7 computer, versions of .Net which are greater than 4.5.X, then the uninstall utility will show you a list of what installed programs “could” potentially be affected, since there is a difference between “desired” and “required”.

Rule 4: If you uninstall .Net Framework versions on your Windows 7 computers which are greater than .Net version 4.5.X, and if you subsequently encounter an issue with an installed program which does not start correctly, then the installed program, upon startup, will  show an error message which indicates that you must install a later version of .Net Framework.

The upshot is that .Net version 4.5.X is the last baseline requirement for programs which were designed to inherently run on Windows 7 computers, and I might add — without gathering any telemetry.

All versions of .Net above 4.5.X have baked in capabilities, should the program author with to use such capabilities, to gather telemetry with regards to their program, and more.

So, hopefully now you all will now see WHY the latest .Net updates specifically split out how the update is applied. Yes, this is related to CONSENT. The latest .Net updates, if only .Net 4.5.X and no higher is installed, will merely update .Net 4.5.X. The latest .Net updates, if .Net versions are installed which are greater than .Net 4.5.X, WILL upgrade the .Net 4.6.X branch to the latest .Net 4.7.X branch.

Oh, did you expect to get any sort of popup message about the revised .Net EULAs which could and should inform you about the gathering of telemetry? Uh, no, because you unknowingly CONSENTED to the .Net update when you ALLOWED Windows Update to download and install it. You can imagine how it would take YEARS for this to wrangle through the US court system — and Microsoft knows this. Microsoft has its legal bean counters, just like pharmaceutical companies.

Similar issues apply to the VisualC++ redistributables as well, but that would be an entirely separate topic. For example, the VisualC++ 2013 and above redistributables install telemetry. The VisualC++ 2015 also installs KB2999226 which is a known update that installs deep telemetry.

Microsoft = NSA

Many years ago, Microsoft jumped onto the bandwagon, in cahoots with the NSA, to gather all possible telemetry. It started with PRISM. The NSA wins since this is what the NSA wants. Microsoft perceives that it will also win since Microsoft had, and still has, the delusional idea of overthrowing Google’s reign of being the most powerful advertiser on the Internet. Ask yourself, has Microsoft ever published a “canary” on any of its web domains? Of course not. Windows 8 and Windows 10 are in fact based on Microsoft’s delusional idea that Microsoft could, years late, force their way into the mobile marketplace. It is what it is.

Do you ever check to see what goes out of your computer, and to what IP addresses? Most likely, you do not. Backdoors. IP connections which, under Windows and using various utilities, you might not know about. Yet your home router’s logs will show you what actually went out, and to where.

Best regards to all,

GoneToPlaid

 

4 users thanked author for this post.

Elly, SueW, AJNorth, ryegrass

Reply | Quote

From What we’ve learned from .NET Core SDK Telemetry: “.NET Core has two primary distributions: the .NET Core SDK for development and build scenarios and the .NET Core Runtime for running apps in production. The .NET Core SDK collects usage data while the .NET Core Runtime does not.”

.NET Core is different from .NET Framework.

Reply | Quote

GoneToPlaid,

Thank you again for your post. KB2999226 had indeed insidiously snuck on to several of my computers. I guess I’ll have to check my entire list of telemetry/tracking updates once again to see if any others got by.

Reply | Quote

KB2999226 had indeed insidiously snuck on to several of my computers. I guess I’ll have to check my entire list of telemetry/tracking updates once again to see if any others got by. – ryegrass.

I checked and KB2999226 was installed on my Win 7 x64 computer on 9/24/2016. So it’s been on my computer for over a year now. Should I uninstall it? And if so, will any issues/problems be created in the process?

Reply | Quote

Each system is different, but I uninstalled KB2999226 last night (along with Microsoft Visual C++ 2013 and Microsoft Visual C++ 2015) and have had no problems so far. Be sure and make a backup before proceeding, if for some reason things don’t go well.

1 user thanked author for this post.

AJNorth

Reply | Quote

Each system is different, but I uninstalled KB2999226 last night (along with Microsoft Visual C++ 2013 and Microsoft Visual C++ 2015) and have had no problems so far. Be sure and make a backup before proceeding, if for some reason things don’t go well. – ryegrass

I don’t have the comfort level to start uninstalling things indiscriminately without a better understanding of the benefits and risks. I did install and run TCPView – for some reason I had downloaded it years ago, but never installed it on this computer until now.

I see that a connection is established from Avast service which doesn’t surprise me. I also see that Dell’s Backup and Recovery Toaster has a connection established which does surprise me. But I don’t see any other surprises going on.

Reply | Quote

Hi alpha128,

I may have made it seem as though I’m a bit cavalier in removing updates, but I rarely change any software on this Windows 7 Professional installation so it is essentially the same system as it has been over the past several years with the exception of Windows security updates and I felt quite confident that in my case at least that since it worked well prior to KB999226 , it would work equally as well once the update was removed. On the outside chance that there were unforeseen interactions, I had a current system backup ready. Of course in the case of your installation, I can see having an abundance of caution so as to not unnecessarily change a working installation.

Reply | Quote

Hi everyone,

Note that you can not get rid of KB2999226 if you also have Office 365 installed. It also depends on how KB2999226 got installed in the first place — either via Windows Update or via Office 365.

I am knee deep in alligators at work. Thus I won’t be able to provide the full details until this weekend. For the time being, people should not uninstall KB2999226 since it could result, for virtually program which you launch and including Office 365, the following error message:

“The program can’t start because api-ms-win-crt-runtime-l1-1-0.dll is missing from your computer.”

Yet there is a way to rip KB299226 from monitoring every program which you run on your computer. I will post this weekend about how to deal with this nasty update.

2 users thanked author for this post.

alpha128, ryegrass

Reply | Quote

Note that you can not get rid of KB2999226 if you also have Office 365 installed. It also depends on how KB2999226 got installed in the first place — either via Windows Update or via Office 365.

I am knee deep in alligators at work. Thus I won’t be able to provide the full details until this weekend. For the time being, people should not uninstall KB2999226 since it could result, for virtually program which you launch and including Office 365, the following error message:

“The program can’t start because api-ms-win-crt-runtime-l1-1-0.dll is missing from your computer.”

Yet there is a way to rip KB299226 from monitoring every program which you run on your computer. I will post this weekend about how to deal with this nasty update. – GoneToPlaid

I’m glad I wasn’t hasty about removing KB2999226. When I read your post, I remembered how KB2999226 got on my system – I installed it myself!

I remember now there was a time when that exact error message was being displayed by Paint.NET, and there was a post by Rick Brewster to install KB2999226 to fix the issue. The KB2999226 standalone installer is still sitting in my Downloads folder.

So I will be very interested in reading your instructions on how to stop the monitoring.

Thanks!

Reply | Quote

Yes, it is true that NET has “telemetry”, but not in the way depicted here. NET 4.6+ has a telemetry API that programmers can choose to use in their applications. The framework by itself does not collect telemetry, nor does it send stuff to Microsoft.

I’m a real tin-foil guy and the presence of the telemetry API doesn’t concern me. Even if the API didn’t exist, it’s trivial to collect anyway. Of course, before installing a 3rd party NET application, I check the privacy statement and EULA. After install, I monitor the system in real time for awhile to make sure their are no hidden surprises.

Reply | Quote

Adobe have issued another update for their Flash Player, version 27.0.0.170.  As they have not yet released a changelog nor Security Bulletin, it is unclear whether this is a security update; however, since this follows so closely on the heel of 27.0.0.159, it is not unlikely.

For those who manually update it, here are the direct download links for the off-line (full) installers for version 27.0.0.170, as well as the Uninstaller, all “clean” — (right-click; select Save Link As):

NPAPI for Firefox, Safari, Opera: https://fpdownload.macromedia.com/pub/flashplayer/latest/help/install_flash_player.exe | 19.8 MB
AX for Internet Explorer: https://fpdownload.macromedia.com/pub/flashplayer/latest/help/install_flash_player_ax.exe | 19.3 MB
PPAPI for Opera and Chromium-based browsers: https://fpdownload.macromedia.com/pub/flashplayer/latest/help/install_flash_player_ppapi.exe | 19.7 MB
Adobe Flash Player Uninstaller: http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe | 1.25 MB

1 user thanked author for this post.

SueW

Reply | Quote

Adobe have released the Security Bulletin for their out-of-band patch for Flash Player (see post above):

APSB17-32 Security updates available for Adobe Flash Player – 10/16/2017

 

Vulnerability:  Remote Code Execution

Severity:  Critical

CVE Number:  CVE-2017-11292

2 users thanked author for this post.

NetDef, MrBrian

Reply | Quote

My Google Chrome says that it is up to date, and checking the Flash version shows it at 27.0.0.170.  Autopilot update!  🙂

It’s at times like this that I am glad I do not have Flash installed in any other browsers…

Windows 10 Pro 22H2

Reply | Quote

JohnW  hear, hear!!  I have been “flash free” for a year and a half. If the site won’t play I move on to another site or read the article instead of watch it. The world should be using HTML5 by now. Flash is too dangerous.

Reply | Quote

Totally agree!!!  I have banished web plugins or extensions for Flash (except for the Chrome browser), Java, Silverlight, Quicktime, etc.

Chrome is not my default browser, so I only use Chrome to open Flash based sites if absolutely necessary, and only if Chrome is up to date (with Flash).

HTML5 is the future, and if site admins are too lazy to update, then sorry…  🙁

Windows 10 Pro 22H2

Reply | Quote

Today Microsoft added issues to many Windows knowledge base articles. Here are some involving recent Windows updates:

https://support.microsoft.com/en-us/help/4041681/windows-7-update-kb4041681

https://support.microsoft.com/en-us/help/4041678/windows-7-update-kb4041678

https://support.microsoft.com/en-us/help/4041693/windows-81-update-kb4041693

https://support.microsoft.com/en-us/help/4041687/windows-81-update-kb4041687

https://support.microsoft.com/en-us/help/4042895

https://support.microsoft.com/en-us/help/4041689/windows-10-update-kb4041689

https://support.microsoft.com/en-us/help/4041691/windows-10-update-kb4041691

https://support.microsoft.com/en-us/help/4041676/windows-10-update-kb4041676

4 users thanked author for this post.

HiFlyer, alpha128, AJNorth, Woody posting as an MVP

Reply | Quote

Holy cow!

Reply | Quote

For those who still require the Jave Runtime Environment (JRE), Oracle have issued an update, version 8u151: “This Critical Patch Update contains 22 new security fixes for Oracle Java SE.  20 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.”

The full 2017.10 Critical Patch Update Advisory is at http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html . Java can be manually updated through its Control Panel (if not set to do so automatically) or the off-line (full) installer may be downloaded at http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html (enterprise version; clean).

Reply | Quote

I have noticed that Java is a topic that confuses many casual users.  Many think that just having the JRE installed leaves them open to security issues.  But that issue is actually all about the browser plugin.  There is no good reason to still be running the Java browser plugin in 2017.  Oracle has deprecated that with Java JDK and JRE v9.

The plugin is what exposes you to exploits in the wild.

I use a couple of local applications that require Java (JRE) to be installed.  That just enables the runtime that allows Java programs (that you trust) to execute on the local PC.  It really has nothing specifically to do with the web.  It would be recommended to run the latest patched JRE if you can.  Browser plugins are another story entirely, and I got rid of mine a long time ago… So your best bet is to remove it from your browsers, if you still have it.

See this article: Oracle’s finally killing its terrible Java browser plugin

https://www.theverge.com/2016/1/28/10858250/oracle-java-plugin-deprecation-jdk-9

And this from Krebs: Good Riddance to Oracle’s Java Plugin

https://krebsonsecurity.com/2016/02/good-riddance-to-oracles-java-plugin/

Windows 10 Pro 22H2

2 users thanked author for this post.

Kirsty, MrBrian

Reply | Quote

I think it’s a good idea to update Java even if one has disabled it in browsers. Example: Researchers: Serious flaw in Java Runtime Environment for desktops, servers.

Reply | Quote

I agree regarding Java updates, and even said so in my post.

That said, JRE is probably not normally an issue for the end user if you only run signed code from a trusted vendor.   Such as with a commercial or enterprise application.

But running random stuff you downloaded from the web is always risky, Java or not.

Windows 10 Pro 22H2

Reply | Quote

You did say that indeed :). (I missed it the first time I read your post.)

Reply | Quote

SueW wrote:

“I don’t install any of these rollups. Instead I adopt the “Full” Group B approach by installing only the Security Only .Net Updates…” . So although

I wasn’t initially sure which mode of .Net Framework to install, I’ve been installing the cumulative ‘Security and Quality Rollup’ mode (I have both 3.5.1 and 4.6.1 on my system). So far, so good . . .

Now, as far as “transforming” .Net 4.6.x to 4.7 under the hood, I’ll also be interested in knowing the answer.

https://www.ghacks.net/2017/10/18/microsoft-releases-net-framework-4-7-1/

ghacks.net has revealed Net Frmwk 4.7.1 Released TODAY (10/18)

Woody (PKC, etc.)…… when able please address (here OR separate Thread) the Logic of going from 4.6 to 4.7.1   ( for Sue W ) – AND – to continue the trend IF you updated to 4.7 ALREADY without Issues.

W10 Pro 22H2 / Hm-Stdnt Ofce '16 C2R / Macrium Pd vX / GP=2 + FtrU=Semi-Annual + Feature Defer = 1 + QU = 0

Reply | Quote

Yes, this is my quandary too, running a Windows 7 SP1 PC – I have to date avoided upgrading from .Net 4.6.1 to 4.7 for fear of issues, but it is clearly becoming more difficult to duck the step. Does anyone know whether it is likely to be safe to for Win. 7 users to upgrade to .Net 4.7.1 and (the key question) how long should one wait to find out? With many thanks for any advice.

Reply | Quote

I have installed .NET4.7 on my Win7 without any problems.

You will need the D3D Compiler KB4019990 first.
I you are in Group A, you already have it.
If you are in Group B, you will have to download and install it manually.

Reply | Quote

Thanks so much. Have downloaded and saved the compiler. I have a nasty feeling I hid the update for .Net 4.7, so I shall have to go in and un-hide it next time I turn my Windows Update on. But I’ll take the plunge now.

Reply | Quote

It seems that a Microsoft patch for the WPA-2 WiFi KRACK vulnerability is buried in the October updates…

CVE-2017-13080 | Windows Wireless WPA Group Key Reinstallation Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-13080

Windows 10 Pro 22H2

Reply | Quote

PKCano wrote:

I have installed .NET4.7 on my Win7 without any problems. You will need the D3D Compiler KB4019990 first. I you are in Group A, you already have it. If you are in Group B, you will have to download and install it manually.

4.7.1 NOW a separate Thread per …….

https://askwoody.com/forums/topic/now-available-net-4-7-1/

I think I will Install it today (after lengthy prayer, meditation, and 4 yoga positions) and Report Back here & There since 4.7 for me has produced No Issue.

W10 Pro 22H2 / Hm-Stdnt Ofce '16 C2R / Macrium Pd vX / GP=2 + FtrU=Semi-Annual + Feature Defer = 1 + QU = 0

Reply | Quote

I know nothing of .NET4.7.1 – would avoid it until it has time to shake out.

Reply | Quote

PKCano wrote:

I know nothing of .NET4.7.1 – would avoid it until it has time to shake out.

PKC, Always appreciate your guidance – BUT – with nothing but time and multi-Macrium Images I just Installed 4.7.1 with no issues yet via Browsing & Office use.

Being Win7-64 does limit the magnitude of this experience, but it’s a start for other W7 users.

W10 Pro 22H2 / Hm-Stdnt Ofce '16 C2R / Macrium Pd vX / GP=2 + FtrU=Semi-Annual + Feature Defer = 1 + QU = 0

Reply | Quote