Installing Win10 1607 proves to be a mixed bag

Microsoft adds complications to August patching

Windows 10 Version 1607 gets a cumulative update right out of the gate, and Win7 gets a slight reprieve from its issue with slow update scanning.

Plus: Just when you had the nonsecurity Office-update schedule down, Microsoft changes it up — temporarily.

MS16-095 (3177356)

August’s Internet Explorer patch is incomplete

The August surprise is a cumulative Internet Explorer update that doesn’t include the usual Adobe Flash fix. If you haven’t done so already, I urge you to go into your browser settings and disable automatic Flash loading. A How-To Geek article gives instructions for Chrome, Firefox, IE, Opera, and Safari. This is important: A recent webcast I watched notes that preventing Flash media from automatically running is a key part of preventing browser-based ransomware attacks.

To make the change in Edge, go into Settings, scroll down to the bottom, and click View Advanced Settings; then set “Use Adobe Flash Player” to off. Note, however, that this setting doesn’t give you the “click-to-play” option you have in, say, Foxfire — with Edge, Flash is all or nothing. Given the risk of ransomware attacks via this media player, I’m more comfortable viewing Flash-based video in a browser other than Edge.

This cumulative IE update does remove RC4 ciphers (more info), a technology that’s no longer cryptographically secure. This update brings both Edge and IE 11 up to the same cipher level as the most recent versions of Chrome and Firefox. With the RC4 ciphers removed, you shouldn’t see any change in your browser experience.

What to do: Install KB 3177356 (MS16-095) as soon as it’s offered. (The patch is included in the Aug. 9, Win10 cumulative updates.)

MS16-096 (3176492, 3176493, 3176495) and MS16-103

The three patching faces of Windows 10

As promised, on August 2, Microsoft began rolling out Win10 Anniversary Upgrade — aka Version 1607. If you’ve installed the new version, you should have already received a cumulative update, in the form of KB 3176495.

According to a MS Support page, the cumulative fixes for the three versions of Win10 include:

Windows 10 1607

• Improved IE 11 reliability
• Retain pen-click settings after Win10 1607 update
• Mobile devices hang after quickly turning Bluetooth on/off
• Security updates to Kernel-Mode Drivers, Graphics Component, Edge, IE 11, and Windows Authentication

Windows 10 1511

• Improved reliability when coming out of standby mode
• Failure to start up in the BitLocker password-entry screen
• MouseUp/MouseDown failures with scroll bars in IFrame
• Slow content display after resizing in IE 11
• Special-key/mouse-click failures with Remote Assistance sessions
• Multi-pixel points rendering in Web Graphics Library
• Problems with standby-to-sleep transitions mode
• Updates not installing and IE 11 issues
• Security updates to IE 11, Edge, Kernel-Mode Drivers, Windows Authentication, Graphics Component, and Kernel-Mode Blacklist

Windows 10 RTM

• Improved IE 11 and WebDAV-shares reliability
• Failure to start up in the BitLocker password-entry screen
• MouseUp/MouseDown failures with scroll bars in IFrame
• Slow content display after resizing in IE 11
• DNS Subnet Prioritization impacting networking
• OLE drag and drop allowing download of only one item per operation
• Problems with revised daylight-saving time, updating, IE 11, and the Windows kernel
• Security updates to Kernel-Mode Blacklist, Edge, IE 11, Graphics Component, Windows Authentication, the lock screen, Kernel-Mode Drivers, and Secure Boot.

If you’re still running the original Windows 10 release, plan to upgrade soon to Version 1511 or 1607; it’s likely that Microsoft will continue supporting it for only four more months.

Another Win10 patch, described in Security Bulletin MS16-103, fixes a flaw in the Win10 Universal Outlook app. The vulnerability could lead to information disclosures, when the app fails to make a secure connection.

What to do: Install cumulative-updates KB 3176492 (Win10 RTM), KB 3176493 (Win10 1511), and KB 3176495 (Win10 1607) as soon as possible. See MS16-096 for more information.

Ways to push off Win10 Anniversary Update

If you’re running the business versions of Win10 (Professional or Enterprise), you can easily push off the upgrade to Version 1607 for up to four months. To do so, select Settings/Update & security, then click the Advanced options link. Next, check (enable) the Defer upgrades box.

If you aren’t running Win10 Pro/Enterprise, your options are more limited. You can use the Metered connection tricks, described in a How-To Geek article and a Windows Central story. Setting Metered connections in Win10 is designed for wireless networking, but the Windows Central piece shows how to set it up with Ethernet connections. And in an Infoworld article, Woody Leonard describes a third way to push off Version 1607.

Note that enabling Metered connection blocks all security updates as well.

The Anniversary Update issues that concern me most are potential compatibility problems third-party anti-malware apps. Posted warnings from McAfee, Kaspersky, Avast suggest that AV vendors are struggling to release editions of their products that are Win10 1607 compatible.

What to do: The Anniversary Update could show up in your Windows Update anytime in the next few weeks. Use the above techniques to give you control over when it’s installed.

MS16-097(3178034)

Graphics vulnerability impacts many platforms

The Microsoft Graphics Component code seems to be a popular target for hackers — we’ve had to patch it several times this year. The various patches in MS16-097 impact not just Windows (Vista through Win10), but also Office 2007/2010 plus Skype for Business and Lync.

Rated critical, the update changes how Windows handles embedded fonts. Viewing compromised Web content or opening a malicious document could let an attacker take remote control of a system. Note that users running Standard accounts are somewhat less vulnerable than those running in an admin-level account.

Expect to see KB 3178034 for Vista, Win7, and Win8.1. On Win10 systems, the patch is included in the cumulative updates. You might also see KB 3115109 for Office 2007, KB 3115131 for Office 2010, KB 3115481 for Word Viewer, KB 3115408 for Skype for Business 2016, and KB 3115431 for Lync 2013.

As usual, don’t be surprised to see patches for multiple Office versions.

What to do: Install any of the aforementioned patches if and when offered. See MS16-097 for details.

MS16-098 (3177725)

Kernel fix not needed for Win7 update-scan issues

Another month, another patch for the Windows kernel. However, unlike previous releases, this kernel update doesn’t seem to be needed for fixing slow Windows 7-update scanning. That problem seems to be cured with July’s nonsecurity, cumulative update KB 3172605 and the steps detailed by Woody Leonhard in an Infoworld article.

That said, we need this most-recent kernel update to protect ourselves from an important elevation-of-privilege vulnerability.

What to do: Install KB 3177725 (MS16-098).

MS16-099

Heaping helping of Office security fixes

As usual, Office gets the majority of security patches. The updates in MS16-099 fix five vulnerabilities, one for information disclosure and four for memory corruption. Most are rated important, but a MS Word fix is rated critical. The specific patches include:

• 3114340 — Office 2013 SP1
• 3114400 — Office 2010 SP2
• 3114442 — Office 2007 SP3
• 3114456 — OneNote 2007
• 3114869 — Office 2010 SP2
• 3114885 — One Note 2010 SP2
• 3114893 — Office 2007 SP3
• 3115256 — One Note 2013 SP1
• 3115415 — Office 2016
• 3115419 — One Note 2016
• 3115427 — Office 2013 SP1
• 3115439 — Word 2016
• 3115449 — Word 2013 SP1
• 3115465 — Word 2007 SP3
• 3115468 — Office 2010 SP2
• 3115471 — Word 2010 SP2
• 3115479 — Word Viewer
• 3115480 — Word Viewer
• 3179162 — Word for Mac 2011
• 3179163 — OneNote 2016 and Word 2016 for Mac — Mac

What to do: Install any of the above updates when and if offered. See MS16-099 for more information.

MS16-088

Redo update for a July MS Excel patch

July’s MS16-088 included important security fixes for Excel. But as noted in an Excel Support Team Blog post, after installing the patches, users could no longer open their workbooks. Ouch!

The fix will be released automatically next week via Windows Update, but in the meantime, you can download and install these updates manually — see the links below (and in the aforementioned post). Click-to-Run editions of Office will receive this fix automatically.

• Office 2016
• Office 2013
• Office 2010

What to do: Wait for the automatic update or use the above links to install the fix manually, if it’s needed immediately.

MS16-100 (3172729), MS16-102 (3175887)

Fixing features unique to Win8.1 and Win10

Windows 8.1 and Windows 10 introduced many new features, including Secure Boot and native viewing of PDF files. Given the history of Windows, we should not be surprised that these new capabilities need patching.

For example, a Secure Boot vulnerability gets a separate and important update, KB 3179577. The flaw could give an attacker access to a system if he installs a bogus boot manager. A servicing-stack update is also included in this patch; if you use Windows Update, you should get the needed prerequisites. If you receive an error message stating that the update isn’t applicable to your machine, ensure that KB 3173424 is already installed (another service-stack update).

PDFs have a long history as attack vectors. Microsoft’s move to include PDF readers in its browsers might make us even more vulnerable to attacks — especially when the PDF viewer contains a critical vulnerability. Without KB 3175887, attackers can use bogus PDF files to take over systems. This patch is included in the cumulative updates for Windows 10.

What to do: Install KB 3172729 (MS16-100) and KB 3175887 (MS16-102) when offered.

MS16-101 (3167679, 3177108)

Authentication Method issue for admins

Our final security update impacts networks that have domain-authenticated computers. The patch, rated important, fixes two elevation-of-privilege vulnerabilities that could be used in blended attacks. Note: Systems that don’t use domain authentication should still receive this update.

Admins should be aware that the update might have some unwanted network side effects.

For example, the update could prevent the Negotiate process from falling back to NTLM, when Kerberos authentication fails on a password change. See the support bulletin for the details.

Even with side effects, I recommend that administrators should install this important update.

What to do: Install KB 3167679 and/or KB 3177108 if and when offered. See MS16-101 for more information.

3161102

Finally killing off Windows Journal

You might see KB 3161102 offered. Typically, I recommend delaying nonessential updates, but not this time. The patch lets you remove the Windows Journal component — an app that’s rarely used and that has had numerous vulnerabilities.

What to do: If you never use Windows Journal, install KB 3161102.

Aug. nonsecurity fixes to arrive two weeks late

Microsoft must have been overwhelmed with getting Win10 1607 out the door. It effectively delayed the August release of nonsecurity updates until the third Tuesday rather than the first Tuesday, as reported in a TechNet blog post.

To add to the confusion, these updates were posted online on the usual first-Tuesday schedule (Aug. 2), but they won’t show up in Windows Update until Aug. 16. This is apparently a one-time-only change in the release schedule.

For the full list of nonsecurity Office updates, including SharePoint fixes, see the related TechNet blog post.

Office 2007/2010

• 3115461 – Outlook 2007 junk-mail filter
• 3115475 – Outlook 2010 junk-mail filter

Office 2013

• 3101491 – Outlook; errors on attachment download
• 3114721 – SharePoint Designer; exception error with “SPFile.SendToOfficeFile”
• 3115404 – Outlook junk-mail filter
• 3115425 – PowerPoint; slow printing
• 3115430 – SharePoint Server client; “SPFile.SendToOfficeFile” error
• 3115433 – OneDrive for Business; various fixes
• 3115434 – Project; faulty error message, language translations
• 3115444 – PowerPoint (in Home and Student RT); various fixes

Office 2016

• 3115141 – Office; crash on data import with ACEOLEDB
• 3115142 – Access; “Field Size” error in Table Design
• 3115270 – Excel (Power Pivot add-in); various fixes
• 3115405 – Visio; (no description)
• 3115406 – PowerPoint; indent errors
• 3115407 – Outlook junk-mail filter
• 3115409 – PowerPoint; language translations, crash on recovered-file save
• 3115410 – Outlook; Web Add-ins requirement set change
• 3115411 – Office; (no description)
• 3115413 – Office; (no description)
• 3115414 – Office Language Interface Pack; translation accuracy
• 3115416 – Office; (no description)
• 3115417 – Office (no description)
• 3115421 – Office (no description)
• 3115423 – OneDrive for Business; language translations and other fixes
• 3115424 – Project; numerous fixes and enhancements

What to do:I’ll report back on these updates in the next Patch Watch column.

Regularly updated problem-patch chart

This table provides the status of recent Windows and Microsoft application security updates. Patches listed below as safe to install will typically be removed from the table about two months after they appear. Status changes are highlighted in bold.

For Microsoft’s list of recently released patches, go to the MS Security TechCenter page.

Patch	Released	Description	Status
3168965	07-12	Windows kernel-mode drivers	Install
3169659	07-12	JScript/VBScript; Vista and Server 2008	Install
3170008	07-12	Office; see MS16-088 for complete list	Install
3170048	07-12	.NET Framework; see MS16-091 for complete list	Install
3170050	07-12	Windows Kernel Mode; Win10 only	Install
3170106	07-12	Cumulative Internet Explorer update	Install
3170377	07-12	Windows kernel	Install
3170455	07-12	Windows Print Spooler	Install
3172727	07-12	Secure Boot	Install
3172985	07-12	Cumulative Win10 1511 update; KB 3163912 for Win10	Install
3174060	07-12	Adobe Flash Player; Win8.1/Win10	Install
3167679	08-09	Windows Authentication	Install
3172729	08-09	Secure Boot	Install
3175443	08-09	Internet Explorer cumulative update	Install
3175887	08-09	Windows PDF library	Install
3176492	08-09	Win10 RTM and Edge	Install
3176493	08-09	Win10 1511 and Edge	Install
3176495	08-09	Win10 1607 and Edge	Install
3177451	08-09	Office; see MS16-099 for complete list	Install
3177725	08-09	Kernel-mode drivers	Install
3178034	08-09	Windows Graphic Component	Install
3182332	08-09	Universal Outlook; Win10 RTM and Win10 1511	Install

Status recommendations: Skip — patch not needed; Hold — do not install until its problems are resolved; Wait — hold off temporarily while the patch is tested; Optional — not critical, use if wanted; Install — okay to apply.

Feedback welcome: Have a question or comment about this story? Post your thoughts, praise, or constructive criticisms in the WS Columns forum.

 

Installing Win10 1607 proves to be a mixed bag

In my Aug. 4 Field Notes column, I stated that it was good that the Windows 10 Anniversary Update was rolling out over several weeks.

Based on feedback from readers in the Windows Secrets Lounge, the update went well for some but certainly not all. If you like the latest thing, upgrading to Win10 1607 right now might be a case of “Be careful what you wish for.”

As I noted in that previous column, the update to Version 1607 hasn’t shown up in Windows Update on any of my standard systems. So I forced the update on a virtual-machine–based PC. That process went smoothly, with only a few settings resets.

That wasn’t the case for many upgraders who posted their experience in the Windows Secrets Lounge (see, for example, “Windows 10 Anniversary Update arrives — slowly” thread and “‘Anniversary Update’ installed OK” thread). There were numerous laments of installation issues with Version 1607 — and driver problems after the update completed.

Perhaps the wisest plan came from on Lounge member who received a notification that drivers for USB-connected Brother printers needed to be reinstalled after upgrading to Win10 1607. Resisting temptation, the Lounger has decided not to force the upgrade and practice patience. That’s a good plan for many — the more we delay the move to Version 1607, the more likely peripheral vendors will have checked and, if needed, upgraded their device drivers.

The reasons for a failed upgrade can be baffling. For example, Windows Secrets contributor Doug Spindler reported that the migration to Version 1607 went well on several machines, but one stubbornly refused to be upgraded. All the machines were the same make, model, and configuration. The updates were all clean installs, so there could not be an issue with installed drivers or software. Others reported a similar experience in the Lounge.

One Lounge post reported a common problem — and a solution. The upgrade download completely, but the actual installation repeatedly stalled. The solution was to disconnect the machine from the Internet the moment the download verification reached 100 percent. The installation process then completed, as expected. He then reconnected the machine to the Net to allow the installation of any needed updates.

Most the Lounge reports, the migration to Win10 1607 was forced, suggesting that Microsoft is being rather slow — and, we hope, careful— about sending out the upgrade via Windows Update. The manual installs usually used the Upgrade Assistant (site) or the Media Creation Tool (download page). The former is a small app that downloads onto your PC and lets you initiate the full upgrade process; the MCT is typically downloaded and installed on a thumb drive that can be used to upgrade multiple machines.

(For more on both installation options, see the March 12, 2015, Top Story, “New ways to get free Windows-installation media.” It focuses on Win8.1, but the concepts also apply to Windows 10.)

Recently, we received a reader question about using older copies of the Media Creation Tool. Would it automatically revert to the latest version? From my experience, it’s always best to download the latest version from Microsoft and install it on a thumb drive.

Back in the Lounge, there was some discussion about whether Version 1607 was a full OS install or an upgrade of the existing OS. Based on the installation experience — the size of the download, the number of reboots, and the introduction screens at the end of the process — this looks like a full OS install, though one that keeps your data, applications, and most of your settings intact. (That said, we must put in a reminder to make a full image backup of your system before any major upgrade.)

Reviewing post-installation changes: Many of the comments in the Lounge centered on changes found after the Win10 1607 upgrade completed. For example, there were numerous reports that the Windows Restore system was turned off. Also, there were cases where the security settings were reset to the defaults.

But there were also some odd side effects. In one instance, desktop and Start icons showed up in a generic style. The solution was to copy the original files in the Installer folder from C:\Windows.old and past them into the new folder.

Other reported changes include re-enabling HomeGroup, resetting default apps to Win10-native applications, and the removal of ClassicShell.

Bottom line: Do a careful review of all your systems settings soon after upgrading to Version 1607.

DisplayLink troubles: DisplayLink is used with mobile devices to connect to docking stations and displays with just one cable. But, as reported by Susan Bradley, posts in the Plugable.com forum warn that DisplayLink breaks after users install Win10 1607.

A DisplayLink support page states that the Anniversary Update edition requires new drivers, which should show up in Windows Update. The support information describes how to check that you have the correct drivers installed.

Pushing off the Win10 Anniversary Update

If Version 1607 arrives sooner than you’d like, there are ways to delay it. Susan discusses them in this week’s Patch Watch column. But for those who missed that column, here’s a quick summary.

• Win10 Pro and Enterprise: Use the Defer updates option under Windows Update/Advanced Options. That typically puts off nonsecurity updates for about four weeks.
• All versions: Set the Metered connection option under Network & Internet/Wi-Fi/Advanced options. Keep in mind, however, that this option is designed for wireless setups, it will delay security updates, and it can cause Internet-connected apps to not work properly.
• Use Microsoft’s Wushowhide application, as described in a Infoworld article.

For more information, check out this week’s Patch Watch.

Note for procrastinators: We have not verified this, but there are reports that Win7 users have upgraded to a free copy of Win10, after July 29, simply by entering a valid key.

Feedback welcome: Have a question or comment about this story? Post your thoughts, praise, or constructive criticisms in the WS Columns forum.