Newsletter Archives

• MS-DEFCON 3: Get patched, but watch out

  Posted on May 30, 2016 at 06:16 CDT by woody • Comment in the Forums

  It’s been almost a week since Microsoft re-issued the famed, feared “Get Windows 10” patch, KB 3035583. I still don’t see what’s different about it, but at least those of you with “Give me recommended updates the same way I receive important updates” turned off won’t see a check mark on the patch in Windows Update – so it won’t install.

  There have been problems with this month’s patches, but most of them are reasonably well understood. A bug in the Office 2010 patch MS16-039/KB 3158453, for example, triggered “The Windows installer service could not be accessed. ” errors and a re-release of KB 3144432. Windows 10 got a new “Update Assistant” KB 3159635 to help Win10 users still on the RTM version to upgrade to build 1511.

  I found the new Windows 7 “SP2” to be frustrating and painfully slow, but it’s only intended for folks with Win7 systems that haven’t been updated in years, or for those who are building new Win7 systems from scratch. See the comments in this AskWoody post from Noel Carboni.

  With Office non-security patches just around the corner, it’s a good idea to get your system patched. I’m going to stick with my three-month-old advice: Skip all non-security patches; only install security patches. Here’s how to do that:

  Vista: If you haven’t yet followed the trick for speeding up Windows Update scans, use the methoddescribed in this InfoWorld article to first grease the skids. Start Internet Explorer and verify (Help > About) that you’re running Internet Explorer 9. Go into Windows Update (see the Windows Update tab on this page), make sure security patches are checked and non-security patches are unchecked, then run the update.

  Windows 7: If you haven’t yet followed the trick for speeding up Windows Update scans, use the method described in this InfoWorld article to first grease the skids. Yes, that means you should install KB 3153199 manually. [Information updated, thanks to owburp and EP.]

  Also, note that the Windows 7 “SP2” convenience update rollup, KB 3125574, is NOT intended for people who’ve been keeping their Win7 systems up to date. It’s only really useful for people who are building new systems, or those who haven’t applied updates for many, many months.

  Step 1. If you haven’t checked recently, crank up Internet Explorer. Don’t use it to go to any sites, but click the gear icon in the upper right corner, choose About Internet Explorer, and verify that you’re on IE 11. If you aren’t yet on IE 11, make sure the box marked “Install new versions automatically” is checked, then click Close. That’s the easiest way to upgrade to IE 11. There may be an IE 11 upgrade sitting in Windows Update (Start > Control Panel > System and Security > under Windows Update, click Check for updates). If so, keep it checked.

  I don’t recommend that you use IE. But you need to update it, and keep it patched, because Windows still uses bits and pieces of IE in various places.

  Step 2. Run GWX Control Panel and set it to block OS upgrades.

  Step 3. Go into Windows Update (Start > Control Panel > System and Security > under Windows Update, click Check for updates). Click the link that says “XX important updates are available.” Check the boxes next to items that say “Security Update.” Last month I warned about KB 3146706, but it’s been reissued and appears to be OK. UNCHECK the boxes next to any items that aren’t specifically marked as “Security Update.” All of them.

  Be aware of the fact that one of the security patches, KB 3154070, also includes non-security patches. Microsoft did the same thing in March. It’s an IE 11 patch, so you need it, even if Microsoft is sneaking in non-security stuff.

  As noted below, if you see Windows Defender listed or the Malicious Software Removal Tool, keep it checked, too. Those are security patches, whether they’re identified that way or not.

  Step 4. On the left, click the link that says Optional. Uncheck every box that you see. Yes, I’m saying that if a box is checked, uncheck it. If you uncheck the box next to “Upgrade to Windows 10 Pro, Version 1511, 10586 box.” Windows Update will check it again for you. Don’t be alarmed. GWX Control Panel will protect you.

  Step 5. Click OK, then Install updates.

  Step 6. Back in Windows Update, on the left, click the link to Change settings. Make sure “Important Updates” is set to “Check for updates but let me choose whether to download and install them,” and uncheck the box next to “Give me recommended updates the same way I receive important ones.”

  Step 7. Click OK and reboot.

  Step 8. Run GWX Control Panel again, just for good luck. (Note: GWX Control Panel has a “Monitor Mode” option. If you choose to use that option, you won’t need to run GWX Control Panel again – it’s already running. Personally, I don’t use Monitor Mode. I don’t like to leave anything running if I don’t have to. So I run GWX Control Panel manually, twice.)

  Windows 8.1: I haven’t heard of any appreciable Windows Update speed-up by using the KB3138612 and KB3145739 trick. Follow the instructions for Windows 7, but in Step 3 go into Windows Update by right-clicking on the Start icon and choosing Control Panel.

  Windows 10: If you’re using the metered connection trick to block updates, unblock the metered connection long enough to get caught up. If you hit a problem, be sure to drop John Wink a line. The twelfth Win10 cumulative update should bring your version of Windows up to build 1511 OS version 10586.318 – what I like to call Windows 10.1.12.

  You may get a couple of stragglers — little patches that aren’t cumulative updates — KB 3147062 and KB 3152599. Those are OK to install, too. I still wish Microsoft would release individual patches like these, instead of massive cumulative updates, but…

  Office Click-to-Run: Thanks to reader Eric for an update – there was a Windows Installer issue in the April 2016 update, MS16-039. I see references to May 10 and May 25 fixes, with the latest build at 15.0.4823.1004. If you have details, I’d sure like to hear about it!

  Everybody: Either watch here on AskWoody.com, or follow me on Twitter (@woodyleonhard) or Facebook to keep up on the latest. Microsoft’s releasing patches at a breathtaking rate. It’s a jungle out there. And if you catch something, shoot me email (click on the mail icon in the upper right corner of this page), or post a reply to this blog.

  I’m putting us at MS-DEFCON 3: Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems.

  My usual boilerplate advice:

  For those of you who are new to this game, keep in mind that… You should always use Windows Update to install patches; downloading and installing individual patches is a clear sign of impending insanity. I always install Windows Defender/Microsoft Security Essentials updates as soon as they’re available – same with spam filter updates. I never install drivers from Windows Update (in the rare case where I can actually see a problem with a driver, I go to the manufacturer’s web site and download it from the original source). If Windows Update has a patch but the box isn’t checked, DON’T CHECK THE BOX. It’s like spitting in the wind. I use Chrome and Firefox, and only pull out IE when I feel very inclined — but even if you don’t use IE, you need to keep up with its patches.

  Thanks, as always, to Susan Bradley and her in-depth work in Windows Secrets Newsletter.

  Windows Patches/Security May 2016 Black Tuesday

• We’re still at MS-DEFCON 2: Don’t install any patches just yet

  Posted on May 18, 2016 at 16:17 CDT by woody • Comment in the Forums

  For those of you who are asking: It’s much, much too early to tell if all of the patches that have come out since Patch Tuesday are worthy. At least one is causing problems.

  Hold off. There’s nothing on offer that you need – providing you don’t use Internet Explorer, and don’t use Flash.

  Also, note this comment from JC Denton – which is absolutely spot-on:

  Woody, I am deeply disappointed in how you have fumbled and dropped the ball on this Flash issue.

  1 – People who need to use Flash should only ever use PPAPI flash (aka the Pepper Flash included with Chrome/Chromium).

  2 – Some people are still using the unsandboxed NPAPI version and that is dangerous. No mention of this in your posts even though you have a responsibility to inform your audience.

  3 – The best possible way to handle mandatory-flash websites is to download and use a PORTABLE browser such as Portable Firefox or Portable Chrome. Run the website in that browser and when you are done, just delete that entire browser folder and extract yourself a new/virgin copy of it whenever you need to access it. This method minimizes your attack surface and is a good computing practice. Once again ZERO mention of portable browsers being a thing or where to download them on your end.

  http://portableapps.com/apps/internet/firefox_portable
  http://portableapps.com/apps/internet/google_chrome_portable
  http://crportable.sourceforge.net/

  What a shame. I asked for orange security and got nothing but lemon-lime fumbles.

  You can do better than this. So do it!

  Windows Patches/Security May 2016 Black Tuesday

• Two new zero-days lead me to the same, old recommendations

  Posted on May 10, 2016 at 20:19 CDT by woody • Comment in the Forums

  Just a quick note. Dan Goodin at Ars Technica has an overview of two separate zero-day attacks that were just plugged, one from Microsoft, one from Adobe.

  The Microsoft zero-day has only been implemented in Internet Explorer. Lesson: Don’t use Internet Explorer. (Sound familiar?)

  The Adobe zero-day is with Flash. Lesson: Don’t use Flash. (Does that sound familiar, too?)

  Other than that, I’m looking for telltale signs of patches that should be installed immediately, and don’t see any. But I’ll look again early in the morning, and write up the results for InfoWorld.

  Windows Patches/Security May 2016 Black Tuesday

• MS-DEFCON 2: New “checked” KB3146706 leads me to turn the rating up

  Posted on May 3, 2016 at 15:45 CDT by woody • Comment in the Forums

  Microsoft has just changed KB3146706 into an important, checked, security update.

  As you may recall, people in China were having problems with the patch blowing away pirated Windows 7 machines.

  It’s much too early to tell if the patch is going to cause other problems. Thus, I’m recommending that you NOT install any patches just yet.

  There’s no documentation anywhere about today’s patches.

  We’re headed to MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

  As I mutter under my breath.

  UPDATE: There’s a new note in the KB 3146706 article:

  Known issues in this security update

  • After you install this security update on a Windows 7 SP1-based system, you may experience any of the following problems:
    • The system slows down
    • You cannot access folders under the Documents and Settings folder.
    • You cannot modify permissions on the Security tab in a the Properties dialog box
    • You may receive a disk write failure error message

    This problem may occur when certain third-party DRM software is installed. The problem is known to occur with certain DRM software from Fasoo.com.

    Contact the manufacturer of your software for more information about how to resolve this problem.

    The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

  Windows Patches/Security KB3146706, May 2016 Black Tuesday