MS-DEFCON 2 for Feb 2018: Make sure Automatic Update is turned off

Topic

New Reply

Last month’s Patch Tuesday (and Monday, Wednesday, Thursday, Friday, Saturday and Sunday) should prove, once again, that knowledgeable Windows users n
[See the full post at: MS-DEFCON 2 for Feb 2018: Make sure Automatic Update is turned off]

5 users thanked author for this post.

Fred, Cascadian, JDeC, Elly, SueW

Reply | Quote

Replies

A mistaken double post? From Da Boss?! Or a not-so-subtle message about MS-DEFCON 2 & to DANG IT, Turn off Automatic Update!? BTW, love this Keystone Kops pic, especially the cross-eyed Chief.

Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
Wild Bill Rides Again...

1 user thanked author for this post.

Cascadian

Reply | Quote

WildBill wrote:

A mistaken double post? From Da Boss?!

My bad. WordPress/bbPress has a weird bug that kicks in if you make two main blog posts with the exact same title. In this case, I posted the MS-DEFCON 2 warning this morning, using exactly the same title as a similar post in June 2015.

As a result of the WordPress/bbPress bug, when you clicked on the link to “Comment on the AskWoody Lounge,” you were sent to the tail end of the June 2015 discussion.

Anyway, I think everything’s OK now. The chief in the Keystone Kops pic? That’s me, right now.

3 users thanked author for this post.

Cascadian, WildBill, Elly

Reply | Quote

Great picture, Woody!

All I can say is, Whew! I got all of my Windows machines and virtual machines updated while we were still at MS-Defcon 3!

Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server

Reply | Quote

woody wrote:

… The chief in the Keystone Kops pic? That’s me, right now.

Well, if you choose to run both WordPress and Windows, that’s only a logical consequence!

1 user thanked author for this post.

woody

Reply | Quote

Has anyone tried this tool? https://www.sordum.org/9470/windows-update-blocker-v1-0/comment-page-1/#comments  Any thoughts?

Reply | Quote

anonymous wrote:

Has anyone tried this tool? https://www.sordum.org/9470/windows-update-blocker-v1-0/comment-page-1/#comments Any thoughts?

I mentioned this program at Methods for stopping Windows 10 updates that work on all editions and builds.

Reply | Quote

I have Windows 7 64 bit and am still in Group B.  Can you please tell me how important are .NET Framework updates?  You warned in a recent article about possible problems with them and fortunately for me up until the recent updates I did not have any problems until the last .NET Framework update I did on 2-6-18.  In fact both on my laptop and desktop pc some things went a little haywire although the laptop straightened out somehow and starting working correctly.  However on my desktop pc I had to rollback back to a few days before that .NET Framework update (I think it was KB4033342 that has reappeared) and then it seemed to work OK after that.  As soon as I got through that I ran Windows updates again and had a whole lot more updates to do all published 1-18-18 including a few more .NET Framework updates and a whole bunch more security updates for Microsoft Office only I still have 2007.  Truthfully I’m afraid to download any more .NET Framework updates because I don’t want to go through what I just did last week and cause even more problems on my pc.  Any advice please?

Reply | Quote

Sweety407 wrote:

owever on my desktop pc I had to rollback back to a few days before that .NET Framework update (I think it was KB4033342 that has reappeared) and then it seemed to work OK after that

KB4033342 is the installer for a different version of .NET (to v4.7.1) not a update to one that you had on your computer. It is relatively recent, and it is a good idea to let new versions sit for a while and have the bugs (if any) worked out.

In general, the .NET ROLLUPS are OK to install. They contain updates.

2 users thanked author for this post.

walker, JDeC

Reply | Quote

When you say let the new versions sit for a while are you talking a few weeks, the next month or a few months.  After I did the updates when Woody said it was time, my monitor went completely blank (the pc was still on) and I had to go into safe mode to roll it back a little so I don’t really know what caused that.  I thought it was the .NET Framework update for some reason and maybe it was something else.

Reply | Quote

Thank You

Reply | Quote

Sweety407 said:
I did not have any problems until the last .NET Framework update I did on 2-6-18.  In fact both on my laptop and desktop pc some things went a little haywire. […] However on my desktop pc I had to rollback back to a few days before that .NET Framework update (I think it was KB4033342 that has reappeared)

What issues did you encounter ? Does your PC have the below registry key as required by Jan 2018’s .NET updates ? (The same registry key is still required for the just-released Feb 2018’s .NET updates.)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat
=> cadca5fe-87d3-4b96-b7fb-a231484277cc = 0x00000000  [REG_DWORD]

On 07 Feb 2018, a Microsoft Answers forum user reported the following issues after installing Jan 2018’s .NET Security & Quality Rollup (KB 4055532) on Win 7 x64:

several functions are not working, an empty network in explorer is the most glaring, homegroup is now present and cannot be removed.

The best diagnostic information I can find is from a SQL Server plugin that has been installed for about a year. Note the error says “assembly is built by a runtime newer than the currently loaded runtime “. It appears that an obsolete .NET Framework 3.5.1 component made it into this rollup.

Another user reported the below issue at MS Developer Network forum on 16 Jan 2018:

After installing KB4055532, my computer [Win7 Pro] took 30 minutes to start an/or restart (I timed it). I uninstalled this update and my computer now starts/restarts normally.

 

Reply | Quote

I’m no security expert, but in all fairness to them, my experience with my small break and fix shop is that I found the majority of my clients couldn’t grasp the concept of delaying updates for a couple weeks or more. I’ve spent hours explaining how and why, but it just doesn’t click in my average users – young and old.

Just last week I remoted into a client (for another issue) that we had setup to check for updates and notify over a year ago and not 1 update has been applied.

When I asked her why she hadn’t updated she stated she was afraid to. She might be forced into Windows 10 again, she didn’t know when was a good time, it was never convenient.

Found the same thing years ago with XP. At that time I put everyone on automatic until the Win10 fiasco. Now I’m back to setting them up for automatic with the deferral dates set in Win10.

Reply | Quote

Sweety407 wrote:

When you say let the new versions sit for a while are you talking a few weeks, the next month or a few months. After I did the updates when Woody said it was time, my monitor went completely blank (the pc was still on) and I had to go into safe mode to roll it back a little so I don’t really know what caused that. I thought it was the .NET Framework update for some reason and maybe it was something else.

There were a lot of problems with this month’s patches. It may not have been the .NET that got you – more probably the Win Monthly Rollup. Just sit thight and don’t install the Feb patches till DEFCON-3. There may be more problems ahead.

As for new versions – I like to let them sit for several months. .NET is not something most people have to rush. There were problems with Win7 when v4.7 first came out. Let someone else be the Guinea Pig!

4 users thanked author for this post.

walker, SueW, Cascadian, JDeC

Reply | Quote

RE: ” If there’s anybody in the industry who’s still spreading that kind of hooey, I want to know who and why.”
Back on 1/9, no less than Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute, posts, “So better get patching.”
https://isc.sans.edu/forums/diary/Microsoft+January+2018+Patch+Tuesday/23217/

Reply | Quote

I get my FlashPlayer updates at this site, Security Garden, But don’t agree with the Comment #3 at the bottom of this particular page “No, do NOT disable Windows Update as missing critical security updates could indeed have serious repercussions. ” Corrine is a Windows Insider/ MVP so…

https://securitygarden.blogspot.com/search/label/Windows%207

Group B HP Pavilion-dv6 Win7x64 Home Premium-Intel Core i5-3210M CPU

Reply | Quote

Sweety407 wrote:

… Any advice please?

Do not check any boxes that are not preselected by WU, unless you have a specific reason for doing so. Or, do not get items from the catalog that you do not specifically want.

In shorter, older words, do not fix what is not broken.

3 users thanked author for this post.

walker, Elly, JDeC

Reply | Quote

better add: Windows Update is turned off ALL the time on my win7 😉

 

Group B HP Pavilion-dv6 Win7x64 Home Premium-Intel Core i5-3210M CPU

Reply | Quote

Just asking for a quick clarification, since I guess I’ll have to install the January patches this week at least, along with this month’s, since they include RCEs: Is it all right to set the registry entries to disable the Meltdown and Spectre fixes before installing that patch? And will that make those parts of the patch never trigger in the first place, to be sure I won’t have to worry about either conflicts/bugs or slowdown until I see a serious reason to apply them but get the benefit of any other patches in that bundle and avoid issues possibly caused by installing that after some later Group B patches?

Reply | Quote

anonymous wrote:

Is it all right to set the registry entries to disable the Meltdown and Spectre fixes before installing that patch?

Yes. See Q10 at https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution.

Reply | Quote

Are the January patches ever likely to reach defcon 5?

Reply | Quote

anonymous wrote:

Are the January patches ever likely to reach defcon 5?

The DEFCON rating is about whether it is safe to patch and what precautions need to be taken. It is about waiting to see where the problems are with each patch. The DEFCON rating for January was raised to 3 as an indication that the problems with each patch were, for the most part, known and patching could be done considering the cautions and precautions.

The individual patches do not have a DEFCON rating. Once the January DEFCON goes to three, those patches problems are known and they can be always be installed (or not installed) with the known caveats.

1 user thanked author for this post.

Cascadian

Reply | Quote

PKCano, I know that you are very good at repeatably explaining this concept. And I cannot be sure of how many different anonymous voices read your correct answer for the first time.

I hope my contribution may be helpful. As I understand it, the MS-DEFCON # identification system is a playful abbreviation for MicroSoft – DEFenseCONdition followed by a value. My attempt to help is to remind readers that this describes the environment that exists all around us, on the day we view the placard. It attempts to combine into a single value all the environmental conditions of the world-wide-web, wherever you may browse, the current health of an up to date Windows System, and Microsoft’s current offerings to adapt the second to the first.

I am trying to say in a different way, the same as PKCano. The MSDefcon# right now describes now-now, not any one update item. And when it changes in either direction, it is a report on the change in conditions as they exist now.

If the update were a football game (I don’t care what kind), and the conditions are Sunny with a light breeze; you might enjoy either playing or attending the match. If you learned the conditions were Cold with Heavy Rain; you might enjoy it even more, or you might decide to wait until another day more to your liking. MSDefcon is the weather report, not a report on the health of the team. Or any specific KBitem from Microsoft.

If MVP consensus says I’m wide of the mark here, fell free to dispose of this comment.

Reply | Quote

MS patch Tuesday list over at Martin Brinkmanns Ghacks..wow he is quick!

https://www.ghacks.net/2018/02/13/microsoft-security-updates-february-2018-release/

 

Windows - commercial by definition and now function...

2 users thanked author for this post.

AJNorth, MrBrian

Reply | Quote

Microfix wrote:

MS patch Tuesday list over at Martin Brinkmanns Ghacks..wow he is quick!

Perhaps he has a program that does this. There is programmatic access to this info.

1 user thanked author for this post.

AJNorth

Reply | Quote

Regarding recommendations: Swedish cert.se recommends updating “vulnerable systems” ASAP.

Link in swedish but Google translate seems to work fine for this:
https://www.cert.se/2018/02/microsofts-sakerhetsuppdateringar-februari-2018

/D

Reply | Quote

Swedish cert.se recommends updating “vulnerable systems” ASAP.

I didn’t know this, but then again…
I don’t know Didley.
😉

Reply | Quote

All of the operating system patches on Window 7 SP1 64bit for me appear to have been pulled, except for Office 2010 patches, nothing shows up at all.

Reply | Quote

The Patches for Win7 have not been pulled. There are some things you need to check.

Has your anti-virus program set the ALLOW RegKey? It is necessary or you won’t see OS or .NET patches in Windows Update. Here are the instructions to check. If this does not exisst, you may need to update to AV program.

Check your processor. Microsoft was blocking certain AMD processors because of a conflict with the patches. Most have been unblocked, but some may still be.

1 user thanked author for this post.

JDeC

Reply | Quote

@PKCano My antivirus is set and REGKEY is set.  I already have the Meltdown and Spectre patches from January applied, and the February patches showed up initially.  However, they no longer showed up for a period of a day or so.  They are showing up again on my HP machine tonight, when I checked this morning they were not being offered. 

Likewise, with my Dell, Updates were checked at 7AM this morning, and no Window updates were offered, though they had been offered earlier in the week.  Tonight I checked for updates again and they have reappeared. Only Office 2010 updates were showing.  It may have been a temporary thing. 

I have over 35 years experience in IT; I follow everything closely here, and my post about them not showing up was just to provide some data in case others were seeing the same thing.

@PKCano, also, my processors are all Intel.

Reply | Quote

Regarding experts still recommending leaving Windows 10 Automatic Updates turned on:
There are quite a few experts who do recommend this, and they are not all “security experts”:

Don’t tell people to turn off Windows Update, just don’t
https://www.troyhunt.com/dont-tell-people-to-turn-off-windows-update-just-dont/
15 MAY 2017

Should Windows 10 Power Users Shut Off Windows Update?
https://www.extremetech.com/computing/255686-windows-10-power-users-shut-off-windows-update
September 13, 2017
“Let me be clear: It is *generally* a bad idea to turn off security updates.”

How to Turn Off Automatic Windows 10 Updates?
https://ugetfix.com/ask/how-to-turn-off-automatic-windows-10-updates/
2017-04-17 (April 17, 2017)
“…IT specialists highly recommend keeping automatic Windows Update service enabled,…”

Windows 10: The Missing Manual
By David Pogue
p. 498:
“But there’s a pursuasive argument for leaving automatic updates turned on. Microsoft and other security researchers constantly find new security holes — and as soon as they’re found, Microsoft rushes a new patch out the door to fix it.” (He goes on to warn that when Microsoft issues a patch, it alerts hackers to a security flaw, and then the hackers begin to exploit it on unpatched PCs.)

How to use Automatic Updates in Windows 10
http://www.diamondbyte.co.uk/Blogs/files/fa117ef40cbe115972f0b33fd9dfdf6e-47.html
Sept. 14, 2017

For the vast majority of home users, this type of advice is good. They don’t want to or can’t be trusted to keep watching out for when it’s safe to patch, and most would mess up their systems fiercely if they so much as opened Regedit or Group Policies (which they as Home Users don’t have anyway). We are not talking about power users or advanced hobbyists like those of us who frequent this blog/forum. Just average Joes and Janes who want to turn on the PC and get on with their work or play.

On the other hand, I would recommend to anyone who wants to just get on with our play to use a Chromebook, and those with serious work to do, get into Linux ASAP, as in yesterday.

-- rc primak

Reply | Quote