Patch Tuesday patches are up

Topic

New Reply

There’s a massive list of updates to Vista, Win7 and 8.1 on the Windows Update page. I don’t see any mention of Security Bulletins, but the Security U
[See the full post at: Patch Tuesday patches are up]

Reply | Quote

Replies

You should make a mention that these are the last updates for Vista. R.I.P. Windows Vista. 2006-2017.

Reply | Quote

Installed, no problems with searching for updates after this (I have a Skylake processor). Interestingly, under knows issues there’s:

“If the PC uses an AMD Carrizo DDR4 processor, installing this update will block downloading and installing future Windows updates.”

Seems the same info is stated under “Security-only”, so there will be no way to avoid CPU block, even when installing security-only updates…

Fractal Design Pop Air * Thermaltake Toughpower GF3 750W * ASUS TUF GAMING B560M-PLUS * Intel Core i9-11900K * 4 x 8 GB G.Skill Aegis DDR4 3600 MHz CL16 * ASRock RX 6800 XT Phantom Gaming 16GB OC * XPG GAMMIX S70 BLADE 1TB * SanDisk Ultra 3D 1TB * Samsung EVO 840 250GB * DVD RW Lite-ON iHAS 124 * Windows 10 Pro 22H2 64-bit Insider * Windows 11 Pro Beta Insider

Reply | Quote

About the

If the PC uses an AMD Carrizo DDR4 processor, installing this update will block downloading and installing future Windows updates.

from

https://support.microsoft.com/en-us/help/4015546

it also quotes

Microsoft is working on a resolution and will provide an update in an upcoming release.

So what should be their official position on this one? They say they won’t support it anymore, they claim it will not work, after all in the end it ends up working but they say they will fix it…

Is this some quantum computing under psychedelic drugs? Gosh, what Microsoft has turned itself into…

Reply | Quote

Yes, Security Only updates for Win 7 / 8.1 contain the CPU generation detection = WU block for new processors

1 user thanked author for this post.

woody

Reply | Quote

And somebody blew the detection, finding that a Carrizo DDR4 machine is “7th generation” when it fact it’s sixth.

https://www.askwoody.com/2017/conflict-between-win10-patches-and-carrizo-ddr4-machines/

Reply | Quote

Don’t forget radosuaf’s method!

Reply | Quote

I wonder if that still works?

Reply | Quote

I’m not sure if anybody has posted about trying it, but I believe it should work.

Reply | Quote

Win 10 is now up to 15063.138…

-Noel

Reply | Quote

138? Looks like a MASSIVE update :).

Fractal Design Pop Air * Thermaltake Toughpower GF3 750W * ASUS TUF GAMING B560M-PLUS * Intel Core i9-11900K * 4 x 8 GB G.Skill Aegis DDR4 3600 MHz CL16 * ASRock RX 6800 XT Phantom Gaming 16GB OC * XPG GAMMIX S70 BLADE 1TB * SanDisk Ultra 3D 1TB * Samsung EVO 840 250GB * DVD RW Lite-ON iHAS 124 * Windows 10 Pro 22H2 64-bit Insider * Windows 11 Pro Beta Insider

Reply | Quote

Lots of electrons, maybe, but it still doesn’t weigh very much. 🙂

-Noel

1 user thanked author for this post.

BobbyB

Reply | Quote

I for some reason can’t install KB4015550 on my laptop.

Reply | Quote

One thing I’ve concluded after reading the ghacks link: The younger and more modern a Windows system is, the more vulnerabilities it has.

So much for that Microsoft propaganda about newer operating systems being more secure.

Too bad Windows XP updates’ info is not public anymore, I’m dead curious to know how well should it’s security been ironed out for those top notch platinum premium users. Anyone out there spending those gazillions per machine with information to leak out about this? 😉

Reply | Quote

I would argue that it doesn’t matter if Windows 8.1 and Windows 10 have more vulnerabilities as long as they still get updates. If they weren’t supported anymore then yes it would be a problem. But they’re still getting updated and these vulnerabilities are getting fixed. Also keep in mind that Windows 7 has been around longer so it’s had more time for vulnerabilities to be discovered.

Reply | Quote

I’m not sure I understand this argument at all.

“it doesn’t matter if Windows 8.1 and Windows 10 have more vulnerabilities as long as they still get updates.”

So if Windows 10 has 5 critical vulnerabilities and W7 has only 1 and that’s OK because eventually those 5 will get patched? I think I prefer my 1 vulnerability, thanks.

Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

Reply | Quote

Agreed. Glad I’m using W7…

Windows Vista: 9 vulnerabilities, 1 critical, 8 important
Windows 7: 9 vulnerabilities, 1 critical, 8 important.

Windows 8.1: 23 vulnerabilities, 4 critical, 19 important.
Windows RT 8.1: 11 vulnerabilities, 1 critical, 10 important.
Windows 10 version 1703: 21 vulnerabilities, 5 critical, 16 important.

Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

2 users thanked author for this post.

JDeC, radosuaf

Reply | Quote

Please convert to text before posting. Thanks

Reply | Quote

I thought I had, having first copied and pasted the text into a Word doc using the Paste option “Keep text only” and then copied that to the post. Is that not sufficient?

Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

Reply | Quote

You have to make the Word .doc or .docx a text (.txt) document. Anything else carries HTML code

Reply | Quote

Thanks for explaining. The last hyphenated word in my signature applies!

Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

Reply | Quote

Just use Notepad instead of Wordpad. Notepad saves in .txt format, so try typing out your message there instead of using Wordpad.  It’ll never put HTML in there.

2 users thanked author for this post.

samak, SueW

Reply | Quote

Like I said. Windows 7 is older, so more vulnerabilities have had the opportunity to be patched, I don’t think that makes newer versions of Windows bad.

Reply | Quote

What a b***** mess the “Security Updates Guide” is!  Now that Microsoft has decided, in their infinite wisdom, to get rid of MSSB numbers, it has become even more confusing to search for any/all applicable updates for a given operating system or other software product, much less multiples if you are a Systems Administrator type, like me.

Good thing others are taking more time than I have available to flesh these out.  It was bad enough when Microsoft started rolling multiple updates up into one set six months ago, but this is far, far worse, IMHO.

1 user thanked author for this post.

Microfix

Reply | Quote

I entirely agree, it’s an absolute headache to navigate now. How can this possibly be better? I couldn’t find the page for the security only .net framework update, surely it should be linked to on the security and quality rollup page? But no, that would be too easy so i found it on that ghacks page.  The update pages are now also awful, with no links to the individual KB articles, just everything crammed into the opening paragraph. Oh and why do the security only pages list internet explorer yet you have to install the cumulative update anyway?

-T

Reply | Quote

I am having major issues with these patches. I load onto multiple Win 7 Pro machines. On reboot around 50% are hanging at “30% installed”.

It is fixed by switching off machine manually and restarting. Not very useful for remote action

It does not seem to be hardware dependent

Can anyone help with which patch is causing the issue?

Reply | Quote

We’re at Defcon 2.  I don’t see where Woody gave a go ahead to install these.

Being 20 something in the 70's was far more fun than being 70 something in the insane 20's

1 user thanked author for this post.

JDeC

Reply | Quote

Hm…

From this page we see that there is a Cumulative Security Update for Internet Explorer (KB4014661).

Reading carefully, I found that the description of KB4014661 on this page states (once the “Nonsecurity-related fixes…” section is expanded):

Note You must install this Security Update for Internet Explorer 4014661 to have the option to disable VBScript as document in 4012494 on a computer that does not have Windows 10 Creators Update installed.

I just went through the settings and didn’t find a VBScript as document option in the GUI that I could change. That option sounds like it might be a response to that zero day Office glitch uncovered a few days ago, and the text implies KB4012494 is contained as part of this update, yet there is no visible option.

I followed the instructions in KB4012494 and made the registry change, but I expected to find a GUI option. Am I misinterpreting what it says?

Anyone know more?

-Noel

Reply | Quote

I interpret it that VBScript can be disabled but it has to be the more difficult way via registry for home users or easy with a “fix it” pack, as we don’t have a Group Policy Editor.

Reply | Quote

@Noel:  I think the word “document” should probably be “documented” which would change the context of the whole statement to make a lot more sense.  “You must install this update (4014661) to be able to make the ‘disable VBSript process’ (adding the new URL action into the registry) take full effect.”

 

Leave it to Microsoft to confuse us all further.

Reply | Quote

interesting after installing KB4015217 for anni win10 windows searches for updates after each restart, thats new

Reply | Quote

AKB2000003 Ongoing list of “Group B” monthly updates for Win7/8.1 has been updated.
https://www.askwoody.com/forums/topic/2000003-ongoing-list-of-group-b-monthly-updates-for-win7-and-8-1/

3 users thanked author for this post.

MrBrian, JDeC, samak

Reply | Quote

I’m more concerned with the Office patches at the moment than anything! My clients aren’t what’s considered “high risk” for that Zero Day Word vulnerability but nonetheless I’d feel better if they were patched.

Does anybody know if this vulnerability in particular was patched with these Office updates?

Reply | Quote

See https://www.askwoody.com/forums/topic/booby-trapped-word-documents-in-the-wild-exploit-critical-microsoft-0day/#post-107627.

Reply | Quote

April 2017 Office Update Release

Reply | Quote

https://www.catalog.update.microsoft.com/Search.aspx?q=.NET%20April%202017

KB4014985 – April, 2017 Security Only Update for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 on Windows 7, Windows 7 and Windows Server 2008 R2 for x64 (KB4014985)

KB4014987 – April, 2017 Security Only Update for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2 on Windows 8.1,  Windows 8.1 and Windows Server 2012 R2 for x64 (KB4014987)

and more…..

 

Reply | Quote

I saw the ‘show me how to get the creators update’ text after downloading and installing the flash update and the malware scanner in Settings.

Reply | Quote

abbodi86 wrote:

Yes, Security Only updates for Win 7 / 8.1 contain the CPU generation detection = WU block for new processors

Yes the Windows 7 & 8.1 Rollups and Security Only Updates now include processor detection to prevent updates for machines running Gen 7 processors but the block only applies to using Windows/Microsoft Update to search for and install as follows:

(Enabled detection of processor generation and hardware support when PC tries to scan or download updates THROUGH WINDOWS UPDATE)

You cab still search for, download and install updates using the stand alone packages available via the Windows Update Catalog…which you have to use for Security Only Updates anyway.

Reply | Quote

Only question is, how will this work via WSUS? Same detection for processors as via Windows Updates, or will corporates who use WSUS be able to bypass this without the need to patch manually?

 

No matter where you go, there you are.

Reply | Quote

ViperJohn wrote:

You cab still search for, download and install updates using the stand alone packages available via the Windows Update Catalog…which you have to use for Security Only Updates anyway.

I wouldn’t be so sure, see:

“If the PC uses an AMD Carrizo DDR4 processor, installing this update will block downloading and installing future Windows updates.”

It may mean that even if you download from the Catalog, you won’t be able to install.

Fractal Design Pop Air * Thermaltake Toughpower GF3 750W * ASUS TUF GAMING B560M-PLUS * Intel Core i9-11900K * 4 x 8 GB G.Skill Aegis DDR4 3600 MHz CL16 * ASRock RX 6800 XT Phantom Gaming 16GB OC * XPG GAMMIX S70 BLADE 1TB * SanDisk Ultra 3D 1TB * Samsung EVO 840 250GB * DVD RW Lite-ON iHAS 124 * Windows 10 Pro 22H2 64-bit Insider * Windows 11 Pro Beta Insider

Reply | Quote

Unfortunately that is incorrect from my testing. (I have figured out how to spoof a Kaby Lake cpu in a virtual machine.) One cannot install a standalone .MSU update when the latest Windows Update client is installed.

Reply | Quote

The fixes in March 2017’s hotfix KB4016446 for Internet Explorer (https://support.microsoft.com/en-us/help/4016446/forms-in-dynamics-crm-2011-are-not-displayed-correctly-after-kb-401307) have been included in the April 2017 monthly rollups and cumulative update for Internet Explorer.

Source: From https://support.microsoft.com/en-us/help/894199/description-of-software-update-services-and-windows-server-update-services-changes-in-content-for-2017:

“Cumulative Security Update for Internet Explorer (KB4014661)

[…]

Supersedes:

• KB4016446 on Windows 8.1, Windows Server 2012 R2, Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2″

2 users thanked author for this post.

samak, PKCano

Reply | Quote

In the past it had been asked if the code in a given month’s preview monthly rollup could be changed in the next month’s monthly rollup, if there wasn’t a security-related change involved in the given code. We have a possible example that the answer could be “yes”: file wuaueng.dll (associated with the Windows Update client) in the Windows 7 March 2017 preview monthly rollup has version 7.6.7601.23714, while file wuaueng.dll in the Windows 7 April 2017 monthly rollup has version 7.6.7601.23735.

Reply | Quote

I would hardly call that a change

besides, i could argue that there it is a security-related change, since the same WUA is included in Security-Only update 😀

Reply | Quote

Critical Word 0-day is only 1 of 3 Microsoft bugs under attack

Reply | Quote

Tip: When browsing Security Update Guide, make sure that you at least once try the checkboxes “Details,” “Severity,” “Impact,” and “Security Only.”

1 user thanked author for this post.

PKCano

Reply | Quote

Another tip: Also try the filter textbox. It’s handy to filter by operating system.

Reply | Quote

Tip: Combine “Details”=checked with filtering by operating system, and you get a list of vulnerabilities fixed for that operating system, each of which you can click on for more info.

Reply | Quote

What is the recommended action for .NET Framework updates for Group B users? Is there anything undesirable in the “quality” portion of the updates?

Reply | Quote

The .NET patches are considered safe for Group B. This may give you a better idea about other Microsoft software like .NET.
https://www.askwoody.com/forums/topic/group-b-and-patch-blocklists/#post-106970

Reply | Quote

There are reports of WSUS servers failing to synchronise with the Microsoft servers (can see it on my own server as well).

Reported here https://community.spiceworks.com/topic/1983454-wsus-synchronization-failures

Workaround is to untick the UPGRADES category. Could be the Creator’s Update/Upgrade causing havoc.

(Sorry, posted this to the wrong thread before…)

No matter where you go, there you are.

1 user thanked author for this post.

woody

Reply | Quote

It seems that both the Windows and an Office update are needed to make Office invulnerable to CVE-2017-0199. See https://www.askwoody.com/forums/topic/booby-trapped-word-documents-in-the-wild-exploit-critical-microsoft-0day/#post-107712 for more details.

1 user thanked author for this post.

woody

Reply | Quote

radosuaf wrote:

138? Looks like a MASSIVE update :).

For x64 systems it’s only 114 mb  🙂

 

Reply | Quote

What about those who do not have IE11 installed?

I want nothing to do with IE. In fact, I’ve searched everything I could related to it, including in the WindowsSxS folder, selected them all and pressed shift + nom nom nom. There!

Question is: even without having IE11 not installed (on Windows 7 it should default back to IE8) and even with (some?) of the left-overs deleted, since IE is so cancered down into the OS, shouldn’t there be some indirect vectors for attack?

I haven’t seen any security updates for IE8, lately. Are there some around I might have missed / hidden by mistake?

Any recommendations for keeping this kind of Windows 7 installations secure? Should I install IE11 and keep it updated or instead try to eradicate every sign of it? Thanks.

Reply | Quote

Install IE11, and keep it up to date.

Reply | Quote

I agree with MrBrian.

IE has a bad reputation but it has a pretty good security model, actually. The rep is because it’s just not configured to be very secure out of the box for some reason.

-Noel

Reply | Quote

I have an Intel processor so I should be able to download the security-only update just fine right?

Reply | Quote

Trying to manually install or find the following lead me down an empty rabbit hole. What am I missing?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security and Quality Rollup for the .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, and 4.6.2 updates for Windows 8.1 and Windows Server 2012 R2: April 11, 2017

Additional information about this security update
The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information.

4014567 Description of the Security and Quality Rollup for the .NET Framework 3.5 for Windows 8.1 and Windows Server 2012 R2: April 11, 2017
4014555 Description of the Security and Quality Rollup for the .NET Framework 4.5.2 for Windows 8.1 and Windows Server 2012 R2: April 11, 2017
4014551 Description of the Security and Quality Rollup for the .NET Framework 4.6 and 4.6.1 for Windows 8.1 and Windows Server 2012 R2: April 11, 2017
4014546 Description of the Security and Quality Rollup for the .NET Framework 4.6.2 for Windows 8.1 and Windows Server 2012 R2: April 11, 2017

Description of the Security and Quality Rollup for the .NET Framework 3.5 for Windows 8.1 and Windows Server 2012 R2: April 11, 2017

We did not find any results for “4014567”

Description of the Security and Quality Rollup for the .NET Framework 4.5.2 for Windows 8.1 and Windows Server 2012 R2: April 11, 2017

We did not find any results for “4014555”

Description of the Security and Quality Rollup for the .NET Framework 4.6 and 4.6.1 for Windows 8.1 and Windows Server 2012 R2: April 11, 2017

We did not find any results for “4014551”

Description of the Security and Quality Rollup for the .NET Framework 4.6.2 for Windows 8.1 and Windows Server 2012 R2: April 11, 2017

We did not find any results for “4014546”

Microsoft Update Catalog

Reply | Quote

Aaaargh, I just got utterly lost!

This update was slipping under Windows Update’s radar, it was never presented to me, but installed when manually downloaded:

Security Update for Windows (KB4014573)
Security update for the .NET Framework 3.5.1 for Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1: April 11, 2017

Update type: Important
Fix for KB4014573
More information: http://support.microsoft.com/?kbid=4014573

BTW, under April, 2017 Security Only Update for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 on Windows 7 and Windows Server 2008 R2 for x64 (KB4014985), there were also these updates:

ndp45-kb4014566-x64_95b57712424a36cac3fc2f27fcc12e4555a80afd.exe

ndp46-kb4014552-x64_32e1c3af9a27962c93682fc66584803baa729782.exe

ndp46-kb4014558-x64_900b63e9c928af1224ba91e4a0d0a14cceee92f6.exe

that refused to install – non applicable or locked (two different separate things that can lead you to confusion, as you might dump an important applicable update that refused to install because it might be permanently locked)

.NET: another thing cancered down into Windows.

Reply | Quote

Lot more detail on April updates: https://www.theregister.co.uk/2017/04/11/patch_tuesday_mess/

Reply | Quote

After todays Windows Updates Microsoft blocks security updates on Windows 7 Pro with Intel Celeron Dual-Core CPU T3000  ….

Reply | Quote

Nice, another one to your list, Woody :).

Fractal Design Pop Air * Thermaltake Toughpower GF3 750W * ASUS TUF GAMING B560M-PLUS * Intel Core i9-11900K * 4 x 8 GB G.Skill Aegis DDR4 3600 MHz CL16 * ASRock RX 6800 XT Phantom Gaming 16GB OC * XPG GAMMIX S70 BLADE 1TB * SanDisk Ultra 3D 1TB * Samsung EVO 840 250GB * DVD RW Lite-ON iHAS 124 * Windows 10 Pro 22H2 64-bit Insider * Windows 11 Pro Beta Insider

Reply | Quote

And this is picture from accident place
https://www.facebook.com/talivaldis.ortlovs/posts/823556334465360

Reply | Quote

Lithuania? 🙂

Fractal Design Pop Air * Thermaltake Toughpower GF3 750W * ASUS TUF GAMING B560M-PLUS * Intel Core i9-11900K * 4 x 8 GB G.Skill Aegis DDR4 3600 MHz CL16 * ASRock RX 6800 XT Phantom Gaming 16GB OC * XPG GAMMIX S70 BLADE 1TB * SanDisk Ultra 3D 1TB * Samsung EVO 840 250GB * DVD RW Lite-ON iHAS 124 * Windows 10 Pro 22H2 64-bit Insider * Windows 11 Pro Beta Insider

Reply | Quote

Nope. Latvia. 🙂

Reply | Quote

I’m looking for confirmation on that right now. Thanks for the heads-up!

OK. I see the Intel Celeron 3965U listed as a 7th generation chip. That means you’ll only be protected from the update block if you have a machine that’s been explicitly whitelisted by the manufacturer. What machine are you using?

Reply | Quote

I’m confused. Where is the Celeron 3965U mentioned?

Original poster mentioned issues with a Celeron T3000 (screenshot confirms it), which is a Penryn chip released Q2 2009. Intel ARK page: http://ark.intel.com/products/40738/Intel-Celeron-Processor-T3000-1M-Cache-1_80-GHz-800-MHz-FSB

The false positives from this new processor detection code are mounting. How many average Joes will be screwed from an incorrectly detected processor and be unable to get updates on a previously-working install of Win 7/8.1?

Oh wait, let me guess–the solution to fix the issue will be a free upgrade to Windows 10! /cynical

I’m not touching April’s updates with a 10-foot pole until these issues get fixed.

Reply | Quote

I am one of those kludges that bough a windows phone about 2 years ago. It ran Win 8.1.

This week I noticed I could not access my gmail as I was being  looped into entering my Google PW, then an MS PW, with MS requiring blanket authority to access my gmail.

From the blogs it seems the only solution was a full reset, which I did. Doesn’t MS specify that a reset will restore your phone/system OS back to the time of the original purchase?

Now, however, rather than re-installing the original Win 8.1 Mobile [where I had benn able to install Opera & Firefox and other things], the reset has produced Windows 8.1 Update 2.

One is now obliged to use IE, cannot install any other browser, and have Cortana.

There are a bunch of other changes limiting options. The phone now stinks more that it ever did, and I am having a heck of a time trying to get gmail re-installed.

Is this what MS is planning for upcoming  Windows 7 & 8.1 updates….Frankensteinisation?

No more MS and Windows for this just retired victim. Chrome/Android will replace  everything, if, I can get still get some unwitting  MS fan to buy my work systems.

Will be dropping out Woody! Thank much for all your help over the years.

2 users thanked author for this post.

Noel Carboni, woody

Reply | Quote

Woody and fans – Sorry, but I’m confused now.

The first two weeks after Patch Tuesday, I like to install the Security Only updates to my Win 76 Pro 64-bit machines, all of which have IE and some of which have Office.  Then, two weeks later, come back here and see if it’s safe to go back and install all the patches.

This is the place to come for info, but it’s not clear to a non-tech such as myself.

Today, April 12, what exactly ARE the security-only patches for my Win 76 Pro 64-bit machines, IE and Office?  (with links, if possible).

Many thanks!

Reply | Quote

Here is information about Windows patches and updates for other Microsoft software
https://www.askwoody.com/forums/topic/group-b-and-patch-blocklists/#post-106970

And the information about Security-only patches for Windows
https://www.askwoody.com/forums/topic/2000003-ongoing-list-of-group-b-monthly-updates-for-win7-and-8-1/

Reply | Quote

PKCano – Thanks for prompt response.  But your links don’t go to specific links for this week’s security-only updates, at least not that I saw.

Suggestion – this is a great forum for exactly this topic.  May I ask Woody and you to set up a specific forum folder with each month’s new links for Plan B security-only updates for the various OSes, IE, Offices, etc.?

Unless, of course, you’ve already done that and I’m too dumb to find it, which is indeed possible.

Thanks for your patience.

Reply | Quote

The second link goes to the security-only links for WINDOWS. There aren’t security-only links for other MS products. You can get any update for anything else from the MS Update Catalog if you don’t want to use Windows Update, but the rest come through WU by default.

Here is the link for Microsoft Update Catalog http://www.catalog.update.microsoft.com/Home.aspx

Reply | Quote