• We’re still at MS-DEFCON 2: Don’t install any patches just yet

    #42250

    For those of you who are asking: It’s much, much too early to tell if all of the patches that have come out since Patch Tuesday are worthy. At least o
    [See the full post at: We’re still at MS-DEFCON 2: Don’t install any patches just yet]

    • #42251

      @woody:

      I am wondering about KB3156418. Have you heard anything, or do you want to give a recommendation?

      It’s the roll-up, and I don’t know if I need it or not.

      Thanks.

      Windows 8.1

    • #42252

      Don’t install anything just yet.

    • #42253

      Woody.
      To make sure I have it straight, is it ok to install the following updates, or should they be on the wait list each month with the rest of them?
      I don’t remember any of these types causing problems?

      Cumulative Security Update for Internet Explorer 11 for Windows 7 for x64-based Systems (KB3154070)

      Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 SP1 for x64 (KB3142024)

      Security Update for Microsoft .NET Framework 4.6.1 on Windows 7 and Windows Server 2008 R2 for x64 (KB3136000)

      The monthly Malicious Software removal tool

      Thanks.

    • #42254

      There’s no pressing reason to install any of them, unless you actively use Internet Explorer to visit web sites.

      Patience.

    • #42255

      @Woody, when you write, “At least one is causing problems”,
      is that the IE update problem (which sounded pretty limited in scope, fortunately) that you pointed out a couple of days ago to the contributor “Walker”?

    • #42256

      If I recall – and my head’s buried in other stuff at the moment – there was a minor patch that got pulled.

    • #42257

      This is for JC. Your post may have been right, but you sure were a bit rude. Woody does a lot for us and he deserves our respect.

    • #42258

      Woody, I think you are right, just trying to give you some help here. KB3139923 was pulled on May 16 and reissued this Patch Tuesday for unknown reasons. It is optional affecting very few users and those are mostly in enterprise and there is no need to install it now.

    • #42259

      What flash issue?

    • #42260

      Agreed. Way too dictatorial, but not unusual with IT folks in my experience. Time to brush up on those social skills JC, even if you spend all day looking at a screen instead of talking to people.

    • #42261

      Mr. Deus Ex aficionado,

      Thanks for info, please point us to your web page of information and tips.

    • #42262

      Hear, hear…… been mulling over this all day.
      Found it a bit uncalled for to say the least!
      Glad others felt that too. Woody like everyone else
      on this planet is only human…. and to err is human!
      Besides he works his butt off for us……and the
      fact that he even published it shows his strong qualities!
      Just my 2 bits – again!!! LT

    • #42263

      Yes, I was wondering the same thing

    • #42264

      Walter Bear,

      Woody suggested I post this from an email I sent to him yesterday.

      I installed 3154070 (CSU for IE), 3142024, 3136000, and 890830 (MSRT) among the 24 from four days ago (Win7 x64). [This was on a laptop that hadn’t been updated in over two months.]

      I have had cause to use IE since then and encountered no problems (or advertising). I agree with your advice to hold off [even though I went ahead]. The updates that people really need eventually will be identified, as will those to discard.

      Jim in Yakima

      ps – Just fired up the 6-core, which I knew didn’t need (security) updating. Found the three updates I posted about (two days ago) in less than two minutes.

    • #42265

      (Thanks for posting it over here, Jim.)

    • #42266

      I was about to say as much, so here. The message is already out in the open. As a matter of fact, I’m surprised Woody didn’t sanitize JC’s comment before posting it. I know I would have.

      For the record, I appreciate the advice about Flash. I can certainly make use of it.

    • #42267

      Hi Woody/All,

      Thanks for the insight on these Microsoft updates however I still have non-security updates hanging from Patch Tuesday in April and we’re edging towards June… yikes!

      I appreciate leaving May updates to hang, but should we still be leaving April to hang? Very shortly I’ll have 3 months’ worth of updates hanging, and it’s all becoming a blur and more of an administrative nightmare as we progress.

      Prior to April I was vetting KB numbers and installing a week or two later if nothing obvious seemed to be causing problems, but I have adopted extra caution through the Defcon system; however, it’s snowballing!

      Any input would be gratefully received thanks Brett

    • #42268

      Sure, my general recommendation for non-security updates for Win7 is… don’t install them. Don’t bother. For April or May, none are really necessary.

      I’m still trying to wrap my head around the SP2 package.

    • #42269

      Ya gotta have a thick skin (or thick head) to be in this business. 🙂

    • #42270

      You might want to install only MSRT just to get it out of the way. It is just an anti-malware scanner updated every month which normally does not require a reboot, but runs for a while and takes few resources while running. For this reason I prefer to install MSRT separately from any other update. It is not known to cause any problems historically.
      For those highly sensitive to this sort of issues, you should be aware that MSRT sends a report at the end of the scan back to Microsoft. It is nothing hidden and well documented by Microsoft. Blocking the report to be sent over the Internet can be configured in the registry, but I think it is too much trouble for no real benefit which is not worth it.

    • #42271

      About the PPAPI flash: Can it actually be run without Chrome?

      The way I read Adobe’s descriptions:

      ActiveX – For IE, Edge and derivatives, on Windows 8+ only Microsoft can install updates. On Windows 7- just get your updates from Adobe.

      NPAPI – For Mozilla, Pale Moon, Opera and other traditional browsers.

      PPAPI – For Chrome and derivatives.

      ActiveX Flash is run in the IE sandbox on Vista+ (“Low Integrity Level” in its process token).

      NPAPI Flash is run with little or no sandboxing unless the Browser does some special trickery to sandbox its plug in container process at the OS level.

      PPAPI runs in a Google Salt/Pepper sandbox via CPU instruction stream filtering on first run and unusual register settings to contain it, presuming the instruction stream filter didn’t miss something.

      That pretty much leaves us to choose between Google spyware (Chrome, portable or not), Microsoft spyware (IE with SmartScreen and other Telemetry), or hoping that the sites we allow flash on (thanks to the Eolas patent lawsuit forcing a prompt to run) won’t exploit any zero-days in Flash.

    • #42272

      No need to install any non-security updates from April. None at all.

      https://www.askwoody.com/tag/april-2016-black-tuesday/

    • #42273

      Thank you very much Woody, I do appreciate your guidance and it must be a colossal effort to maintain these pages while kindly replying to every message.

      Just one question please – for the non security Microsoft updates for Windows 7, I understand, but would it be acceptable to just hide the non-security updates so that they are just gone period, rather than have them hanging? I am revisiting your link for the process to follow (thank you) but as many windows 7 non-security updates are considered mainly around telemetry & windows 10 can we just consign these to the waste bin?

      Thank you again, Brett

    • #42274

      You can hide them if you want to, but Microsoft may bring them back.

    • #42275

      In Ubuntu Linux, we can run the FreshPlayer wrapper, which allows running the PepperFlash plugin in the Firefox browser without using anything from Google.

      http://www.webupd8.org/2014/05/fresh-player-plugin-pepper-flash.html

      Windows users are pretty much stuck, as Chrome for Windows doesn’t have an open-source version, and hence no PepperFlash plugin independent of the Chrome Browser. At least that’s the latest I’ve read.

      We in Ubuntu also have Chromium Browser, which is open-source, runs Pepper plugins, and does not have the Google spyware included.

    • #42276

      This brings me to the observation of hidden updates being restored. Now that this is happening, why even “bother” hiding updates if they can so easily return? Used to be a solid practice, not so much anymore. What say you chief? Anyone? Is hiding a thing of the past?

    • #42277

      Muchas gracias, Woody
      Sometimes they come back 🙂

    • #42278

      If they make any change of any kind (a revision, precheck it, pulling them for 2 weeks and re-adding them) then they will become un-hidden.

    • #42279

      I don’t bother to hide. But I’m lazy. 🙂

    • #42280

      For a PPAPI Flash from Firefox. Just disable Flash in Firefox, and install the Flash extension “Open in Chrome”.

      https://addons.mozilla.org/en-US/firefox/addon/open-in-chrome/

      Install Chrome if you do not have it yet.

      When using Firefox, if you run across a web page that says you need Flash, or a blank Flash placeholder, just click this “Open in Chrome” icon in Firefox. The current Firefox tab is then opened in Chrome using the Flash PPAPI plugin.

      Very, very cool!

    • #42281

      Fascinating.

    • #42282

      As Spock would say … 😀

    • #42283

      John W: I use Firefox, and the Flash reflects that it is the “safe version”. I don’t have Chrome, so I’m not quite certain what I should do to provide more protection. My FF Shockwave Flash reflects:

      Shockwave Flash 21.0 r0
      Up to Date
      21.0.0.242
      (and that it was updated Thursday, May 12th). Is this version not “safe”?

      Would appreciate some details about this since I’ve not heard of it previously. Thank you for any additional information you may be able to provide. 🙂

    • #42284

      And besides it all, even if Woody admits “guilt”, I think like many others pointed out on this site and this goes against Woody’s general advice, that there is still a place for IE and still a place for Flash as it is for other legacy technologies which are still in use like Java or QuickTime.
      I wouldn’t even say that OP’s post is right or wrong. There are arguments going both ways.

    • #42285

      PPAPI was the old implementation in Chrome. Now that Chrome has evolved, it implements Flash differently, natively, without a need to download from Adobe. I don’t know where else it is needed.
      NPAPI on the other hand is the old implementation since Netscape times which seems to be still in use but on the way out due to security concerns around this sort of implementation for plugins and not only for Flash.

    • #42286

      They are not restored, just re-released and old ones expired after a while. If you read some of my replies on this site, you will find that I am against hiding updates which I think can cause technical issues with the re-released and/or expired updates. There is no definitive answer to this question, but I would say the best outcome is to ignore those updates which you do not wish to install and let Microsoft manage the re-release and their retiring as it is intended and is by design. Otherwise you may encounter slow scanning when trying to run Windows Update.

    • #42287

      Not true, see my reply to Render. They are NEW updates (not new revisions) released under the same number which creates the confusion. Their function is the same though and thus keeping the same KB number.

    • #42288

      For those who do actively use IE11 to visit Web sites and who might need Flash, would it be possible please to be a little more explicit on what might be advisable to install now? Are they just the cumulative security update for IE11 for May 2016 and the latest Flash Player update (ActiveX version) from Adobe?

    • #42289

      I just can’t bring myself to recommend running IE with Flash – under any circumstances. Every month we see dozens of new security exposures.

      Turn Flash off in IE. (In IE, click the gear icon in the upper right, then Manage add-ons. Choose Shockwave Flash and choose Disable.) Avoid going to sites that use Flash.

      Use a different browser – probably Chrome – if you absolutely MUST visit a site with Flash.

      In response to a different thread, JC Denton says “The best possible way to handle mandatory-flash websites is to download and use a PORTABLE browser such as Portable Firefox or Portable Chrome. Run the website in that browser and when you are done, just delete that entire browser folder and extract yourself a new/virgin copy of it whenever you need to access it.” You can get Portable Firefox here: http://portableapps.com/apps/internet/firefox_portable

    • #42290

      Point taken about using Flash, although I would rather uninstall Adobe Flash Player 21 ActiveX from Control Panel > Programs and Features than simply disable the Shockwave Flash Object in Manage add-ons.

      However, I would prefer to continue using IE11. So the question is, assuming Flash is uninstalled, is it currently better to run with the cumulative security update for IE11 for May 2016 or without it?

    • #42291

      I’m not yet convinced any of the May updates are ready. But, yes, at some point you need to apply security updates to IE 11.

      After you update, if you insist on using IE 11 and going to Flash-encrusted sites, uninstalling the ActiveX control as you describe is a good approach. Or you can use the method I described to turn off Flash inside IE.

      But you’re far better off using portable Firefox or Chrome.

    • #42292

      John W: Apologies. I missed your post(#11) with all of the detailed instructions. Thank you very much for that information. It is most appreciated! 🙂

    • #42293

      @Walker – Glad that it helped. But I did make a typo in post #11 that could be confusing.

      In regard to the extension “Open in Chrome”, I originally said “install the Flash extension”, but it should have read, “install the Firefox extension”.

      This extension is useful for any page or content that does not behave or display correctly in Firefox. It’s not just for Flash content.

      Having a button on the Firefox toolbar to just launch the current tab over to Chrome is awesome.

      I really do prefer to use Firefox as my main browser, but some things just work better in Chrome … and the Chrome version of Flash is more secure, as are most plugins …

    • #42294

      This is my original comment; preserved in an image:
      https://anony.ws/i/2016/05/26/PortableBrowserComment.png

      I stated that I was deeply disappointed and that Woody ‘fumbled and dropped the ball’. At no point did I directly insult Woody or resort to personal attacks/insults.

      I merely criticized their lack of providing useful information in their multitude of posts complaining about Flash and how people should stop using Flash.

      Thankfully, Woody shows a professional demeanor and doesn’t take things personally.

      “Let me never fall into the vulgar mistake of dreaming that I am persecuted whenever I am contradicted.”
      – Ralph Waldo Emerson

      Now if YOU feel that I was ‘too rude’ to Woody or somehow disrespectful merely because I share criticism, then that is something YOU should deal with on YOUR end.

      Woody is ok with it. I am ok with it. And the end result is some fantastically-useful information was spread to a much wider audience than otherwise.

      Third parties like yourself and other pundits are not required or desired to ‘defend’ Woody against perceived insults. Woody is a grown adult and can handle themselves, thanks.

    • #42295

      I’d love to do so, but I don’t work for free 😉

      Woody is not doing this for charity, they run advertisements, sell books, and do whatever they need to do to make money off of the information provided.

      Good information is always appreciated, but incomplete information can be dangerous. Always consult more than one source when possible; be it from Woody or Steve Gibson or any other IT person.

      When the market shifts to allow me to make a living from this kind of stuff without having to put it behind a paywall or filling my sites with advertising then I shall be happy to do so.

      But until then, remember to maintain the Laputan Machine 🙂

    • #42296

      I’d be very careful giving out potentially dangerous advice to those who may not have the technical aptitude to resolve any problems that may arise from following your suggestion.

      Go to the GitHub and read this under ‘Security Note’:

      “This particular implementation doesn’t implement any sandbox. That means if any malicious code breaks through plugin security, there is no additional barriers. This is the same level of security as NPAPI Flash have.”

      As of April 12th, the plugin is v0.3.5 (not even a stable v1.0 yet)
      https://github.com/i-rinat/freshplayerplugin/releases

      So you want to recommend a buggy alpha-quality wrapper for Pepper Flash that provides none of the benefits of a sandbox like the actual Pepper Flash AND has the potential to cause other issues and bugs on top of the inherent issues with Flash itself?

      Do you see how absurd this all sounds? Why would you do that?

      If you’re on Windows you can get stable releases of Chromium from here:
      http://chromium.woolyss.com/

      Linux distros should install from their official repositories. On Ubuntu & Linux Mint the package names are ‘chromium-browser’ and ‘pepperflashplugin-nonfree’ and there are little to no benefits in using a ‘wrapper’ for Pepper Flash that provides none of the security advantages or sandboxing benefits of Pepper Flash.

    • #42297

      Hello Woody, this comment is directed at you since you seem like a reasonable person.

      I’m glad that you were able and willing to communicate crucial information to a wider audience (many of whom aren’t as tech-savvy) in order to educate them on a safer alternative to running flash natively on their computers.

      Cheers to you, here’s hoping that you will continue to improve and do research into things when writing about Flash in the future.

    • #42298

      It’s a personal goal – but understand that I field responses in hundreds of areas… and I’m writing another 1,000-page book! I rely on people hanging around here to join in with comments and corrections. Each of you has an area of expertise, and I’m grateful for it.

    • #42299

      Alas, AskWoody is all free, all the time. No ads. I pay the rent and keep it going because it’s an important resource for my book and InfoWorld readers…

    • #42300

      For April or May, none are really necessary.

      … and none of them really problematic or damaging 🙂
      Hope this trend will last.

    • #42301

      So which May 2016 updates can we install? Or it’s still DEFCON 2?

    • #42302

      It’s still MS-DEFCON 2. There aren’t any patches that absolutely have to be installed, as long as you aren’t using IE.

    • #42303

      Just got a note from bertp on AskWoody.com: 3146706 changes the BuildLab & BuildLabEx entries in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion from GDR to LDR. Uninstalling 3146706 reverts the entries back to GDR.

      btw what does that mean ?
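
To see which value a machine currently carries, the sketch below reads BuildLab and BuildLabEx from the key named in the post above and reports whether the branch field says GDR or LDR (Microsoft's general and limited distribution release servicing branches). It is an added example, not part of the thread; the five-field BuildLabEx layout and the sample strings are assumptions, and `Get-ServicingBranch` is a hypothetical helper name.

```powershell
# Added example, not from the thread. Written to run on PowerShell 2.0 (Windows 7).
$CurrentVersionKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

function Get-ServicingBranch {
    param([Parameter(Mandatory = $true)][string]$BuildLabEx)

    # Assumed layout: <build>.<revision>.<platform>.<branch>.<yymmdd-hhmm>
    $parts = $BuildLabEx.Split('.')
    if ($parts.Count -ne 5) {
        throw "Unexpected BuildLabEx layout: '$BuildLabEx'"
    }

    # The branch field carries the servicing branch name, e.g. win7sp1_gdr.
    $branch = $parts[3]
    if     ($branch -match '_ldr') { $kind = 'LDR' }
    elseif ($branch -match '_gdr') { $kind = 'GDR' }
    else                           { $kind = 'other' }

    New-Object PSObject -Property @{
        Build    = $parts[0]
        Revision = $parts[1]
        Platform = $parts[2]
        Branch   = $branch
        Kind     = $kind
        Stamp    = $parts[4]
    } | Select-Object Build, Revision, Platform, Branch, Kind, Stamp
}

# Constructed sample values (not taken from any real machine or from the thread).
$samples = @(
    '7601.00000.amd64fre.win7sp1_gdr.000000-0000',
    '7601.00000.amd64fre.win7sp1_ldr.000000-0000'
)
$samples | ForEach-Object { Get-ServicingBranch -BuildLabEx $_ } | Format-Table -AutoSize

# Live check: only runs where the registry key exists (i.e. on Windows).
if (Test-Path $CurrentVersionKey) {
    $cv = Get-ItemProperty -Path $CurrentVersionKey
    "BuildLab   : $($cv.BuildLab)"
    "BuildLabEx : $($cv.BuildLabEx)"
    Get-ServicingBranch -BuildLabEx $cv.BuildLabEx | Format-List
}
```

Running it before and after installing or uninstalling an update shows whether the recorded branch changed.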

    • #42304

      What about KB2881030 MS Office update?

    • #42305

      It was just released. Far, far too early to tell if it’s going to cause problems.

    • #42306

      Thank you. I’ll keep checking back.
