Newsletter Archives
-
MS-DEFCON 4: Watch out for .NET and Office patches, but get caught up
Get patched up, but be aware of lingering bugs.
Computerworld Woody on Windows.
-
MS-DEFCON 2, October Windows updates, and KRACK
I’m moving us down to MS-DEFCON 2. No, installing this month’s patches isn’t a good idea. But the situation that caused me to run up to MS-DEFCON 1 has been fixed.
Microsoft fed the wrong updates to Windows Update servers (WSUS and SCCM) for four hours on Tuesday. Those bad updates – actually, a combination of updates – caused many machines to throw blue screens. All of the affected machines were on Update servers. And by now all of those Update servers have been cleaned up. I hope.
Still, the enormous number of problems with this month’s patches looms, with some new bugs just now coming to light.
Many of you have written, asking if you need to apply the October Windows patches to protect against the KRACK Wi-Fi WPA2 security hole.
Microsoft released a Security Alert yesterday that says, in effect, not to worry about KRACK because the hole was plugged in last week’s patches. Which is fine. But that’s no reason to run out and install the October Patch Tuesday patches right away. As of this moment, there are no known active breaches using KRACK, and there aren’t likely to be any anytime soon.
KRACK is a real, significant threat, but it isn’t something you have to fix right away. Somebody may figure out a way to insert themselves into your Wi-Fi conversations using the KRACK approach, but “general availability” of that kind of exploit is a long way off — certainly months, possibly years.
Stay cool. Keep calm. And let’s see if Microsoft fixes any more of the October bugs.
-
MS-DEFCON 1: Patches failing at a phenomenal rate
Blue screens, bungled releases, stealthy .NET upgrades, CRM blocks and complex manual fixes. It’s shaping up to be one hell of a patch-encumbered month, with KB 4041676 and KB 4041691 and the error INACCESSIBLE BOOT DEVICE leading the downward spiral.
Computerworld Woody on Windows.
Oh, and I switched over to MS-DEFCON 1. You’d have to be a certified masochist to install this month’s patches.
-
Patch Tuesday patches are out
Two detailed reports: Tuesday’s report on Computerworld Woody on Windows, and a Wednesday morning update. There’s a whole lot going on.
Of course, we’re at MS-DEFCON 2, so you shouldn’t install any of these.
I count 151 separate security patches, and 48 Knowledge Base articles. Nothing unexpected.
The Release Notes point to four known bugs:
The cumulative update for Win10 Creators Update, version 1703, which sports dozens of fixes, has a couple of problems: systems with support enabled for USB Type-C Connector System Software Interface (UCSI) may experience a blue screen, or stop responding with a black screen, when a system shutdown is initiated; and it may change the Czech and Arabic languages to English for Microsoft Edge and other applications.
The cumulative update for Win10 Anniversary Update, version 1607, has a handful of problems: downloading updates using express installation files may fail; after installing a delta update package, the KB numbers appear twice under Installed Updates; and users may see an error dialog indicating that an application exception has occurred when closing some applications.
The cumulative update for the original version of Win10, usually called 1507, has a similar problem: users may see an error dialog indicating that an application exception has occurred when closing some applications. Apparently this fix is only for the LTSC version.
The Monthly Rollup for Win7 also has an acknowledged bug: users may see an error dialog indicating that an application exception has occurred when closing some applications.
Anybody see any other bugs?
NOTE: There may be a big flaw in the Windows DNS client being patched this month, CVE-2017-11779. Kelly Jackson Higgins on the DarkReading site has some details. From the definitive post by Nick Freeman at Bishop Fox:
“if an attacker controls your DNS server (e.g., through a man-in-the-middle attack or a malicious coffee-shop hotspot) – they can gain access to your system. This doesn’t only affect web browsers – your computer makes DNS queries in the background all the time, and any query can be responded to in order to trigger this issue.”
With all that doom and gloom, Microsoft says the flaw hasn’t been exploited, and rates it as “Exploitation Less Likely.”
UPDATE: Martin Brinkmann has his usual exhaustive list on ghacks:
- Windows 7: 20 vulnerabilities of which 5 are rated critical, 15 important
- Windows 8.1: 23 vulnerabilities of which 6 are rated critical, 17 important
- Windows 10 version 1607: 29 vulnerabilities of which 6 are rated critical, 23 important
- Windows 10 version 1703: 29 vulnerabilities of which 6 are rated critical, 23 important
I stand in awe of Brinkmann’s ability to turn this around so quickly!
ANOTHER UPDATE: Looks like several of the Office patches are to fix CVE-2017-11826, a bug in Word discovered by Qihoo 360. Catalin Cimpanu at Bleeping Computer has details. Apparently there’s an exploit already in the wild, dating back to August.
There’s a long list of related fixes in KB 4011217, “Description of the security update for SharePoint Enterprise Server 2016: October 10, 2017.”
The Office update list is out: 27 non-security patches, 26 security patches, including key end-of-life patches for Word 2007, Word Viewer, and the Office Compatibility Pack.
Adobe has told Brian Krebs that they have no security updates today.
-
MS-DEFCON 2: Check to see that Auto Update is turned off
Looks like there’s a slew of patches waiting, for a dozen different platforms, including all versions of Windows (even RT 8.1!), Office, IE, Skype and more.
So much fun.
Computerworld Woody on Windows.
-
Office non-security patches for October 2017 are available
These are October patches. They are NOT covered under the current MS-DEFCON 3 umbrella for September patches. You do NOT want to install them yet (unless you want to be an unpaid Beta tester).
Office 2013
Update for Microsoft Access 2013 (KB3172543)
Update for Microsoft Excel 2013 (KB4011181)
Update for Microsoft Office 2013 (KB4011148)
Update for Microsoft Office 2013 (KB4011169)
Update for Microsoft Project 2013 (KB4011156)
Update for Microsoft Visio 2013 (KB4011149)
Update for Microsoft Word 2013 (KB4011150)
Office 2016
Update for Microsoft Access 2016 (KB4011142)
Update for Microsoft Excel 2016 (KB4011166)
Update for Microsoft Office 2016 (KB4011036)
Update for Microsoft Office 2016 (KB4011135)
Update for Microsoft Office 2016 (KB4011139)
Update for Microsoft Office 2016 (KB4011144)
Update for Microsoft Office 2016 (KB4011158)
Update for Microsoft Office 2016 (KB4011167)
Update for Microsoft PowerPoint 2016 (KB4011164)
Update for Microsoft Project 2016 (KB4011141)
Update for Microsoft Visio 2016 (KB4011136)
Update for Microsoft Word 2016 (KB4011140)
Office 2007 is on extended support. It no longer receives non-security updates. There were no updates listed for Office 2010. Security patches for all currently supported versions of Microsoft Office are released on the second Tuesday of the month (Patch Tuesday).
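If you want to confirm that none of the October Office non-security KBs above slipped onto a machine, and that Automatic Updates really is turned off as the MS-DEFCON 2 entry asks, the following PowerShell script does both. It is an added example, not part of the AskWoody newsletter or anything Microsoft ships. The KB numbers are copied from the list above; the use of the Windows Update Agent COM objects (Microsoft.Update.Session, Microsoft.Update.AutoUpdate) and the Group Policy registry key are assumptions about a stock Windows 7/8.1/10 machine with Windows PowerShell 3 or later.

```powershell
# Added example (not from the AskWoody post): report which of the October 2017
# Office non-security KBs listed above are already in this machine's Windows
# Update history, then show the Automatic Updates setting.
# KB numbers are copied from the list above; everything else is an assumption
# about the local machine (WUA COM API present, PowerShell 3+).

$OctoberOfficeKBs = @(
    # Office 2013
    'KB3172543','KB4011181','KB4011148','KB4011169','KB4011156','KB4011149','KB4011150',
    # Office 2016
    'KB4011142','KB4011166','KB4011036','KB4011135','KB4011139','KB4011144',
    'KB4011158','KB4011167','KB4011164','KB4011141','KB4011136','KB4011140'
)

# Windows Update history via the WUA COM API. Unlike Get-HotFix, which only
# knows about OS hotfixes, this history includes Office updates delivered
# through Windows Update / Microsoft Update.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()
$history  = if ($count -gt 0) { $searcher.QueryHistory(0, $count) } else { @() }

# IUpdateHistoryEntry.ResultCode: 2 = Succeeded, 3 = SucceededWithErrors
$installed = $history | Where-Object { $_.ResultCode -in 2,3 }

# WU titles look like "Update for Microsoft Word 2013 (KB4011150) 32-Bit Edition",
# so match the parenthesised KB number exactly.
$found = foreach ($kb in $OctoberOfficeKBs) {
    $hit = $installed | Where-Object { $_.Title -match "\($kb\)" } | Select-Object -First 1
    if ($hit) {
        [pscustomobject]@{ KB = $kb; Installed = $hit.Date; Title = $hit.Title }
    }
}

if ($found) {
    Write-Warning 'October Office non-security updates already installed:'
    $found | Format-Table -AutoSize
} else {
    'None of the listed October Office non-security KBs are in the update history.'
}

# Automatic Updates setting (IAutomaticUpdatesSettings.NotificationLevel):
#   1 = Disabled ("Never check for updates"), 2 = notify before download,
#   3 = notify before install, 4 = scheduled install.
# Reliable on Win7/8.1; on Win10 the real behaviour is governed by policy.
$au = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
"Automatic Updates NotificationLevel: $($au.NotificationLevel) (ReadOnly = $($au.ReadOnly))"

# Group Policy overrides, if any. NoAutoUpdate = 1 disables Automatic Updates;
# AUOptions 2 = notify for download and notify for install.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
if (Test-Path $pol) {
    Get-ItemProperty -Path $pol | Select-Object NoAutoUpdate, AUOptions
} else {
    'No WindowsUpdate\AU policy key present; the setting above is what applies.'
}
```

Run it from an elevated Windows PowerShell prompt. A NotificationLevel of 1 (or NoAutoUpdate = 1 in policy) is the "turned off" state the MS-DEFCON 2 entry is after; anything else means the October patches can arrive on their own. On Windows 10 Home there is no supported "never check" setting, so the NotificationLevel line is informational only.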