The full story on the Nov 23 re-issue of KB 3197873, 3197874, 3197876, 3197877, 3193479, 3200970

Topic

New Reply

Looks like they were all pulled, then re-issued, to minimize the impact on Lenovo servers. If you got yours installed, no need to do anything. InfoWor
[See the full post at: The full story on the Nov 23 re-issue of KB 3197873, 3197874, 3197876, 3197877, 3193479, 3200970]

Reply | Quote

Replies

Thanks Woody. Does this also include KB 3197868? Or was that pulled for a different reason?

Reply | Quote

Abbodi conjectures that one was replaced accidentally. Go figure.

Bottom line is the same – no need to do anything, unless you missed it on the afternoon of Nov. 23. If you did, just install it the same way you install anything else.

Reply | Quote

I wasn’t planning on doing anything thanks Woody, the original version of KB 3197868 installed ok and I’ve had no problems since. Nothing else is being offered at the moment so Microsoft and I are at peace with one another until next patch day :)!

Reply | Quote

Woody, sorry for my ignorance, but I am not sure I understand what happens if a patch gets pulled then reissued. If I installed a patch like 3197867 then it got pulled then reissued, do I need to reinstall it again because it changed?

And how can you know if that happened at all? It is not like you go to the Microsoft Update Catalog and find there is a new version of the patch announced to you like you do on your site? So what, are we forced to read your blog forever, then? Not that I don’t like it, but it is a bit scary to run an OS for which you can’t easily know what is patched properly and what is missing. Fragmentation seems much more easy to happen for group B than in the era before this new way of patching.

Reply | Quote

In this case, no, the re-issued patch is identical to the original patch. All that changed (we subsequently found out) is the installation detection logic.

Yep, this site keeps on top of the details. If you don’t want to deal with the details, just watch for the MS-DEFCON rating and follow the instructions.

You’re right. All sorts of things were easier before the patchocalypse.

Reply | Quote

@AlexEiffel,

Re: “what happens if a patch gets pulled then reissued. …do I need to reinstall it again because it changed?”

It is my understanding that yes, sometimes you will want to uninstall a patch that has been pulled after you had initially installed it, and then install the reissued version of the patch.

In this particular case, the old patch is not different to new patch, so the old patch can stay on the system and you don’t have to take any action. I am not an expert, but I am guessing that this will not always be the way it works, unfortunately.

I think that I am correct in saying that even with the former Windows 7/8 updating system, sometimes, rarely, there was a patch or a hotfix that required some manual intervention on the part of the computer owner to get *exactly right*, despite all the automatic patching that the computer owner was allowing MS to do on his/her computer.

And Microsoft’s announcements of this kind of thing were not widespread and often would not be known about by most ordinary computer owners. There were times I stumbled across such advice when I was looking up an unrelated computer question online. (This was before I was forced to become a regular visitor to sites such as Wilders Security Forum, SevenForums, GHacks, Susan Bradley’s, Woody’s, others.)

—
Re: “And how can you know if that happened at all? …are we forced to read your blog forever, then? […] Fragmentation seems much more easy to happen for group B….”

I don’t think that ordinary computer owners are going to know that this sort of thing has happened, unless they keep abreast of Windows news in general, or regularly follow at least one good, focused website, like AskWoody.com is.

The Group B path is quite risky in some ways. It’s only “meant” for IT professionals to follow on behalf of their firms.
And even for those seasoned people, they probably are pretty nervous about it because it’s an unknown, untested path and Microsoft is sometimes so slap-dash about things, especially things that they wish didn’t exist in the first place.

Path A is pushed so, so strongly by AskWoody.com contributor CH100 in part because he is understandably really worried about people getting locked into a continuous (checking in every few weeks, at a minimum) reliance on Woody’s voluntary help in guiding them precisely in how to navigate path B.

If, for any reason, the Group B people who are ordinary home computer owners reached a point where they were no longer able to get careful, constant, high-quality help from Woody (or someone similar – and there isn’t anyone similar!), they are going to have to know what to do on their own, and they might wish at that time to move to Group A or C rather than deal with the complications.

This is such a tough decision to make, because every conceivable path forward has some big downsides and risks.

The fact that some IT-industry people (current and retired) are choosing Path C
(= to accept no Windows updates at all, despite the many security dangers there are out in the world… just read a week’s worth of a site like krebsonsecurity.com and it will be clear what sort of dangers that good people are up against, and it’s getting worse all the time)
for themselves and the people they care about indicates how bad some aspects of Path A and B must be.

The fact that some individuals, including IT experts, who are seriously privacy-conscious and anti-Microsoft’s-heavyhandedness are choosing Path A because everything else is so darn complicated and risky indicates how bad Path B and C could get.

Path A is no walk in the park — it is going to have problems itself, just like regular Windows patching did in the past, and probably moreso, because of the unwieldy nature of the cumulative Rollup concept.
And just due to the MS slap-dash approach to some of these things.

If you go with Path A, you won’t have to follow Woody’s posts as closely as you will have to if you choose Path B, but you will still need to follow Windows news and at least one good blogger/journalist such as Woody.

If you go with Path C, you will be more independent (and more vulnerable), but if you are going to operate a computer that is connected to the internet, you’ll still need to be aware of the major happenings in the Windows world as relates to security threats, and you’ll need to be extra careful about your internet activities, your ad and tracker blocking, your computer defense systems, etc.

Every path is probably going to be a time-consuming, somewhat-risky proposition. And that is really annoying, because this is not how it should be for ordinary home computer owners.

Reply | Quote

I did my usual System Image, then ran Windows Update. Next reboot, and every second or third boot, I got a bsod.
Every time, a different driver caused the crash. I had gotten to the point that it HAD to be hardware…bad news for a laptop…when I saw the news here about the updated patch.
I put the last image back on, re- Windows Updated, and everything has been flawless since.

This wasn’t just a Lenovo problem.

Reply | Quote

Fascinating. What hardware are you using?

Reply | Quote

Thanks poohsticks.

So for now, if I am in group B, I just need to have applied the October and November security updates?

Office and .Net updates are still pushed through Windows update?

Someone should write a little software to verify your patching status when you run group B.

I think I went group C for a month to decide if I would be B or A, but then I applied the November security only patch thinking I already applied the October one. I am glad those seems to be independent and you don’t need one before the other. That could not always be the case.

Reply | Quote

@AlexEiffel,

Yes, to be in Group B,
1. install the Oct and Nov security-only updates from the Update Catalog
2. install the .NET and Office updates that show up in your Windows Update

Woody’s steps for Group B: http://www.infoworld.com/article/3136173/microsoft-windows/how-to-cautiously-update-windows-7-and-81-machines.html

The security-only updates are said to be independent of each other, and while everyone here has said that it would be better to install them in date order, I would expect that it would be fine for you to add your October after your November, if November is already on your computer.

Reply | Quote

HP HDX Pavilion from 2008.
HP never issued Win7 drivers for it, so I try not to complain.

Reply | Quote

Hmm, yesterday I have just encountered a problem with KB3197868 breaking certain Microsoft business applications over which I have little control. It is only an obscure functionality in those systems which is broken and this is why it took so long to be reported in the first place. The access to those systems is done in IE11 configured in IE8 Document Mode compatibility and I give Microsoft the benefit of doubt as they cannot test against every combination available in the wild and more than likely their answer would be that updated products which are not affected are available.
I had to uninstall KB3197868 and rollback to the October 2016 monthly update for the affected systems. I suspect the NTLM change of behaviour to be the more likely culprit rather than the IE security component, but this is only of academic interest while they come as a bundle and can normally be installed or uninstalled only as whole. Our good friend abbodi86 may contradict me, but we are talking about supported enterprise configurations here.
Home users or the smallest businesses have nothing to worry about, as those products are certainly not in use by those users.

Reply | Quote

Interesting. Have you reported this to patchmanagement.org? Some people there may be tearing their hair out….

Reply | Quote

Scary. I wonder what else may have been affected…?

Reply | Quote

So if you have the outdated UEFI firmware and missed the bad patch and now the detection logic isn’t giving you the patch until you update your firmware, how do you even know you NEED to update your firmware so you can get this security update?

Reply | Quote

The ball is in the Lenovo’s court now.
Lenovo has to inform the systems administrator somehow.
Don’t forget that this is about servers and if professional/power user end-users install and use servers, they should now how to manage them.

Reply | Quote

“Only the detection mechanism — the “metadata’ — was changed”

as in an “if Lenovo, do not install” rule?

Yes = MS issues a security-only patch that clobbers Lenovo laptops (for example)… I read about it and refrain from installing the patch. MS re-issues the patch with a rule that prevents it from installing on a Lenovo laptop.

Now I am missing a security patch, unless they later re-issue the patch in a form that works for Lenovo laptops. Right?

Reply | Quote

Right.

Presumably, in this case, Lenovo will fix their machines….

Reply | Quote