• Where we stand with the December patches

    #241739

    Things were looking pretty good for This Month in Patches — until two days ago. Now, it’s anybody’s guess. But I continue to recommend that you hold
    [See the full post at: Where we stand with the December patches]

    6 users thanked author for this post.
    • #241750

      I received a notification of this update on Windows 8.1 which is set for manual updates. I will be ignoring this update. Will it go away when the January cumulative update is released?

      I am no longer an active member of the forums.

      • #241751

        The fix for IE will be rolled into the Jan. Rollups and IE CUs.

        9 users thanked author for this post.
        • #241772

          And in January 2019 upon patch release, we will probably be under DEFCON-Wait-to-Patch.

          On permanent hiatus {with backup and coffee}
          offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
          offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
          online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
          1 user thanked author for this post.
          • #241784

            But apparently we now have less than a week to wait to install Patch Tuesday updates. We no longer have the luxury of waiting two weeks since Microsoft now apparently releases buggy quality updates every few f******’ days. Our peace of mind is going away.

            I am no longer an active member of the forums.

            • #241786

              The next Patch Tuesday is January 8, 2019, the second Tuesday of each month.

              On permanent hiatus {with backup and coffee}
              offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
              offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
              online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
              1 user thanked author for this post.
    • #241787

      Really basic users of W7 Group A  never had a problem except we don’t need the previews.  Enterprise  is another story.  I use Firefox.

      1 user thanked author for this post.
      • #241790

        There have been some real howlers with Windows 7 updates. One recent problem update that comes to mind is SSU KB3177467 related. “Here be dragons” holds true.

        On permanent hiatus {with backup and coffee}
        offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
        offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
        online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
      • #241946

        @geo Actually Enterprise users have never had much of a problem.
        It is a common misconception that somehow businesses are impacted by the quality of the Microsoft patches. This is an extremely rare occurrence, but it certainly happens now and then.
        I am aware of businesses with 100k + users installing patches less than 48 hours after their release for compliance reasons and which almost never experience an issue with the official patches. I am currently working for one of those businesses and it is not an easy job.
        Congrats for being in Group A, the Group B style of patching is a fake.

        • #242231

          It’s “fake” only until you’ve had users complaining that Outlook isn’t working or their documents have disappeared, road warriors call in tears, telling you that their Surface laptops are bricked, and banks of servers have lost their IP addresses.

          Group K(ill me now)
          1 user thanked author for this post.
        • #242270

          Thanks for enlightening me about Group B patching being fake.

          I did not know that and, in my blind ignorance, am sorry to admit that I have been patching as “Group B” from way before it was given this name, for some 20 years by now, and have had not a single problem because of an installed bad patch: never, ever. And in recent years, as things have become more complicated, I have been able to continue without problems in good part thanks to the advice and information provided by other loungers and by MVPs here, at Woody’s.

          But now your comment has opened my eyes and am ready to start patching in whatever way you might kindly suggest that one should do this. I am always ready to learn at the feet of true masters.

           

          Group B, Windows 7 Pro, SP1 x64.

          Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

          MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
          Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
          macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

          2 users thanked author for this post.
    • #241795

      I installed the IE updates and have not seen side effects.  December updates have been installed as well.

      Susan Bradley Patch Lady/Prudent patcher

      14 users thanked author for this post.
      • #241797

        Susan,
        Are you going to add the new KB’s (for IE patch) for Windows 10 versions to the Patch List? And are there also new SSU’s?

    • #241812

      Thanks for the Computerworld article, Boss. Unless you say “The Sky Is Falling!”, I can wait. Not in a hurry to patch until you move us to MS-DEFCON 3 or above.

      Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
      Wild Bill Rides Again...

      1 user thanked author for this post.
    • #241814

      This fix for IE11 will probably be included in the upcoming “Preview of Monthly Rollup” release, right?

    • #241838

      Thank you Woody for keeping us abreast of the bleeding edge Chicken Little Headlines, I appreciate your ‘cool headed’ response and will wait for your reasoned advice. It is those “poison frog darts” that really scare me.

    • #241856

      Looks like I just got another brand new KB 4023057 waiting for a restart while I was away.

      Don't take yourself so seriously, no one else does 🙂
      All W10 Pro at 22H2,(2 Desktops, 1 Laptop).

    • #241867

      As far as I can remember from reading, over  a number of years, what has been reported here and elsewhere, nothing really bad has come to Windows 7 users (Group B in particular, I am glad to add) for looking (and waiting) before jumping, no matter how much in need of urgent action, and how scary, things might be made to look. To me, that’s the real trick.

      And thanks to Woody and Co. for always helping to lower the temperature from “overheated” to “moderate” in situations such as this…

      (“Meteor Crater News”? A really terrific choice of cover picture; is it a still from some movie?)

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

      1 user thanked author for this post.
    • #241870

      Rashly installed the December updates yesterday, and immediately began having problems loading Outlook 2010.  Later in the day, had a spontaneous shutdown:  *click* and a black screen.  Attempted to reboot, had another shutdown mid-boot.  Next reboot attempt, I was prompted to boot in repair mode.  Did that, rolled system back to pre-December updates, and all seems back to normal.  Waiting now for clarity on which updates are suspect.

      • #241874

        Could you please give us some information about your computer hardware?
        What version of Windows are you running?
        What updates were installed? For Windows? For Office 2010?

        This information will help pinpoint the problem and help others avoid the problem.
        Thanks.

    • #241877

      Windows 7/x64

      Office 2010 updates:

      Security Update for Microsoft Excel 2010 (KB4461577) 32-Bit Edition
      Security Update for Microsoft Office 2010 (KB4461570) 32-Bit Edition
      Security Update for Microsoft Outlook 2010 (KB4461576) 32-Bit Edition
      Security Update for Microsoft PowerPoint 2010 (KB4461521) 32-Bit Edition
      Update for Microsoft Office 2010 (KB4227172) 32-Bit Edition
      Update for Microsoft Office 2010 (KB4461579) 32-Bit Edition

      Windows 7 Updates

      2018-12 Cumulative Security Update for Internet Explorer 11 for Windows 7 for x64-based systems (KB4483187)
      2018-12 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows 7 and Server 2008 R2 for x64 (KB4471987)
      2018-12 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4471318)
      Windows Malicious Software Removal Tool x64 – December 2018 (KB890830)

       

      • #241880

        Thanks for the information.

        The Dec patches for Windows have generally been OK. We have had a couple of reports of problems with Outlook and the Dec patches. They have issued a bug fix for Office 2013, and there may be ones for the other Office products in the offing.

        We are still on DEFCON2. Give it a little more time to let the problems shake out before trying to update again. Come back and check on the status here.

        BTW, did you check out Woody’s ComputerWorld article linked on the main blog article?

        • #241888

          Yes, thanks.  I notice others have reported problems with Win 7 and KB4483187.   Think I’ll just wait a little and see what else turns up; then try installing the other updates one at a time.

        • #241939

          Is the Outlook patch mainstream, which means on Windows Microsoft Update, or only a hotfix with limited release in the Catalog?
          We should not be concerned with commenting about Catalog only releases, although mentioning them is useful for those few who may need to try them to fix specific issues.

    • #241896

      If I understand the information correctly, mainly on the CVE page, that IE patch is really a patch for jscript.dll, which IE9 and newer don’t even use by default, but may be used under special circumstances (compatibility mode?) and by other applications, right?

      Then again, just a bit ago when I checked the CVE page, there was mitigation information listing that by default IE has measures reducing the risks of such exploits, a way to restrict access to jscript.dll and a notice that doing so shouldn’t normally affect IE9+ since it uses jscript9.dll, but now when I looked again while writing this it says there are no mitigating measures. Weird.

      • #241903

        Yes, I saw the same thing…a couple of hours ago there were instructions on how to mitigate the vulnerability via restricting access to jscript.dll, and now the instructions are gone.

        However, the instructions were mostly for those running server versions of Windows, as I noticed in the details. Also, the article made mention (under the “Workarounds” heading) of running IE in an Enhanced Security “Environment” (my word, as I don’t recall the exact one) as well for those running servers, complete with a link to instructions on implementing said environment/settings from within IE’s (or the Control Panel’s) Internet Options dialog box.

        Makes me wonder why MS took down the instructions: They weren’t that overly complex or technical in nature. They involved two very infrequently used commands used at an administrator-level command prompt to first take ownership of jscript.dll and next to modify its access control list to restrict what a certain group of users on the given computer is allowed to do with the file.

        • #241965
          • #242001

            But the workaround has since been modified with additional takeown commands (before and after disappearing several times).

            2 users thanked author for this post.
        • #242012

          Ok, as of yesterday’s posting above, the instructions in the article had been removed, that I know for sure. BUT, as of THIS writing, they’re back. As I said above, who knows why MS pulled them, as right now, they’re exactly the same as they were yesterday before being removed from the article. This problem (being there and gone again) has been noted on the other thread related to this issue by other AskWoody readers/members.

          Good thing for all of us, @Woody ‘s posted (via copy/paste) the instructions here for us to attempt at our leisure should we choose to do so.

      • #242004

        Here is the current version of the Workaround per MS (12/22/2018):

        Workarounds

        Restrict access to JScript.dll

        For 32-bit systems, enter the following command at an administrative command prompt:

        	takeown /f %windir%\system32\jscript.dll
        	cacls %windir%\system32\jscript.dll /E /P everyone:N
        

        For 64-bit systems, enter the following command at an administrative command prompt:

        	takeown /f %windir%\syswow64\jscript.dll
        	cacls %windir%\syswow64\jscript.dll /E /P everyone:N
        	takeown /f %windir%\system32\jscript.dll
        	cacls %windir%\system32\jscript.dll /E /P everyone:N
        

        Impact of Workaround. By default, IE11, IE10, and IE9 uses Jscript9.dll which is not impacted by this vulnerability. This vulnerability only affects certain websites that utilizes jscript as the scripting engine.

        How to undo the workaround. For 32-bit systems, enter the following command at an administrative command prompt:

        	cacls %windir%\system32\jscript.dll /E /R everyone
        

        For 64-bit systems, enter the following command at an administrative command prompt:

        	cacls %windir%\syswow64\jscript.dll /E /R everyone
        
        1 user thanked author for this post.
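
Added example, not part of the original post or of Microsoft's advisory: a PowerShell audit that reports, for each jscript.dll copy named in the workaround above, whether Everyone carries a Deny entry. It assumes the cacls `everyone:N` setting appears as a Deny ACE for SID S-1-1-0, and the function name `Get-JScriptAclState` is hypothetical. Because the 64-bit undo quoted above names only the syswow64 copy, the script also warns when the two copies are in different states.

```powershell
#requires -Version 3
# Added example (not from the original post): audit the jscript.dll workaround.
# Run from an elevated 64-bit PowerShell on 64-bit Windows; a 32-bit process has
# System32 redirected to SysWOW64 and would inspect the same file twice.
# Assumption: cacls "everyone:N" shows up as a Deny ACE for Everyone (S-1-1-0).

$EveryoneSid = 'S-1-1-0'

function Get-JScriptAclState {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    $state = [ordered]@{ Path = $Path; Status = 'Missing'; Owner = $null; EveryoneAces = ''; Detail = '' }
    if (-not (Test-Path -LiteralPath $Path)) { return [pscustomobject]$state }

    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # Once Everyone is denied, only the file's owner is guaranteed to read the ACL.
        $state.Status = 'AclUnreadable'
        $state.Detail = $_.Exception.Message
        return [pscustomobject]$state
    }

    # Request SIDs so the check does not depend on the localized name of "Everyone".
    $rules    = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $everyone = @($rules | Where-Object { $_.IdentityReference.Value -eq $EveryoneSid })
    $denied   = @($everyone | Where-Object { $_.AccessControlType -eq 'Deny' })

    $state.Owner        = $acl.Owner
    $state.Status       = if ($denied.Count -gt 0) { 'Restricted' } else { 'NotRestricted' }
    $state.EveryoneAces = ($everyone | ForEach-Object { "$($_.AccessControlType):$($_.FileSystemRights)" }) -join '; '
    [pscustomobject]$state
}

if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    Write-Warning '32-bit PowerShell on 64-bit Windows: System32 is redirected to SysWOW64.'
}

# The workaround names System32 on every system and SysWOW64 on 64-bit systems.
$targets = @("$env:windir\System32\jscript.dll")
if ([Environment]::Is64BitOperatingSystem) {
    $targets += "$env:windir\SysWOW64\jscript.dll"
}

$results = @($targets | ForEach-Object { Get-JScriptAclState -Path $_ })
$results | Format-Table -AutoSize Path, Status, Owner, EveryoneAces

# A mixed result means the workaround was applied or undone on only one copy.
$statuses = @($results | Where-Object { $_.Status -ne 'Missing' } |
    Select-Object -ExpandProperty Status -Unique)
if ($statuses.Count -gt 1) {
    Write-Warning 'jscript.dll copies are in different states; re-check both paths.'
}
```
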
        • #242025

          ALL of the steps mentioned by MS with the command line can also be performed via the GUI, no need for the command line.
          HOWEVER, they must be performed as an administrator, just like the command line options.

    • #241902

      Hello anonymous, When you said you “Next reboot attempt, I was prompted to boot in repair mode.  Did that, rolled system back to pre-December updates, and all seems back to normal.” Anon, what recovery option did you choose that helped you roll-back? Was it the “Last Known Good Configuration” option? Thanks, in advance.

    • #241920

      Uh, how is it possible to wait to install patches when Microsoft is just going to keep replacing them with out-of-band updates every few days? We have no choice but to install the Patch Tuesday updates immediately. Therefore, the MS-DEFCON data means nothing anymore. 🙁

      I am no longer an active member of the forums.

      • #241921

        @bangzaigtv- I hear your frustration… but there are definitely choices to be made. Relatively few people here are willing to act as beta-testers for Microsoft…

        Non-techy Win 10 Pro and Linux Mint experimenter

        2 users thanked author for this post.
        • #241938

          Or putting it differently, few people who have a better understanding, just take a calculated risk… and everything is OK.
          No beta-testing at all, just following the manufacturer’s instructions like for any other product.
          Someone who says that they dual-boot Win 81 and Win 10 and makes claims of potential (not experienced) problems does really contribute in a positive sense?
          Why not following Susan’s lead on this matter?

    • #242009

      If I decide to keep Windows 10 for a bit longer, are there going to be any problems turning off Windows Update in services.msc, then manually downloading and installing the Patch Tuesday cumulative update released on 12/11/18? I have updates set to manual on the Group Policy Editor settings and Windows will display this week’s update as the one it will be set to download. What is that patch number I should be looking for? It’s for Windows 10 Pro version 1803. Also, should I manually download and install the latest version of the Windows Malicious Software Removal Tool?

      I am no longer an active member of the forums.

      • #242014

        The latest CU for 1803 is KB4483234 (12/19/2018). Be sure you have the SSU KB4477137 installed before. And yes, to MSRT.

        1 user thanked author for this post.
        • #242018

          No, not the 12/19 update. I need the one for 12/11. So when I download the updates manually each month, then how do I find out the numbers for both the SSU and CU patches for Patch Tuesday each time?

          I am no longer an active member of the forums.

    • #242108

      Report from the field:

      Five Win 7 Pro and three Win 8.1 Pro (all x64) were patched with the Dec 2018 “Group B” patches (KB4471328 & KB4483187 and KB4471322 & KB4483187, respectively) about forty hours ago; none of their users have experienced any issues as of a couple of hours ago (the Dec .NET has not yet been installed).

      1 user thanked author for this post.
    • #242248

      This may be a cross-post, as I may have done it on some other forum…but I installed KB 4483317 without incident.

      I did have some trouble with my Bluetooth CSR software stack and drivers around the same time, but nobody exists who doesn’t have trouble with Bluetooth at some time, so I’m thinking it was a quinky-dink.

       

      Win7 Pro SP1 64-bit, Dell Latitude E6330 ("The Tank"), Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Newbie
      --
      "The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

    • #242282

      @woody

      As requested via email, pls help with these:

      Win 8.1 x86 & x64:
      List installed KB4052978 & KB4054522 – Dec 2017 Security Only Updates. Help with the list of security only updates incl. .net updates from MS catalog to be installed and to be avoided for telemetry/botched. In Jan 2018 we have AMD boot issue updates and worried/stuck since the device is AMD.

      FYI: Not interested in Group A/combined/rollups updates even-though u moved to Group A . No MS Office installed.

      Unable to follow with the updates and update list here – confused with searching for details/issue details posted by you. Please help with KB list and the threads regards to it.

      Also, provide Win 7 x86 & x64 – Security only updates incl. .net updates from Jan 2018 if possible.

      Thanks…..

      Merry X’mas n New Year!

      • #242377

        The Security-only patches for Win7/8.1 and IE11 Cumulative Updates (both 32-bit and 64-bit) are listed in AKB2000003 from October 2016 to the current December 2018 updates. The link is a direct download from the MS Update Catalog.

        For January 2017, KB4073578 released for AMD is marked.

        When a patch shows that it replaces another patch, you do not need both. You do not need the replaced (superseded) patch.

        If there is a .exe file included with the .msu update when you download it, simply put the .exe file in the same location as the KB numbered .msu update. You do not need to click on it. It will be executed automatically during the install process of the .msu update.

        The .NET patches are bundled. There are individual patches within the bundle for each of the different version of .NET you have installed on your computer. Because it is difficult to determine what you need within the bundle, Group B recommends that you do the .NET patching through Windows Update because that mechanism will install the updates correctly. .NET is not included for the Group B telemetry avoidance.

        4 users thanked author for this post.
    • #314423

      The .NET patches are bundled. There are individual patches within the bundle for each of the different version of .NET you have installed on your computer. Because it is difficult to determine what you need within the bundle, Group B recommends that you do the .NET patching through Windows Update because that mechanism will install the updates correctly. .NET is not included for the Group B telemetry avoidance.

      Thanks for the detailed clarification.
      However, for Win 7, the .Net framework security only patches are available in update catalog. Why? Can we use it instead of .net rollup patches for win 7?

      • #314442

        You will find that the .NET Security-only patch is bundled as well.
        If you click on the SO patch download button in the catalog, you will find the download to be multiple patches for the different versions.
        If you click on the name of the update (instead of the “download” button), then click on “More information” in the box that pops up, you will find that each of the SO patches has a different KB number. This will tell you which of the patches is for which version of .NET, but then you need to know what version(s) is/are installed on your computer as well.
