MS-DEFCON 4: Patch, but watch out for KB 3101488, and clean up afterwards

I’m now ready to give the go-ahead on the November Black Tuesday patches (including the two Windows Update patches released yesterday). We’ve had a couple of bad patches re-issued by Microsoft in the past couple of weeks (e.g., KB 3105846, 3097877), but with one exception none of the currently available patches, as best I can tell, are show-stoppers.

The one exception? If you use Outlook 2013, avoid patch KB 3101488 and check out the warnings at KB 3118497.

As I announced last month, I’m no longer going to try to list all of the Windows 7 and 8.1 patches that put Microsoft-created advertising, snooping, and other Microsoft crapware on your machine. There are just too many patches that have nothing to do with making your machine work better, and have everything to do with Microsoft trying to sell you something. If I tried to separate the useful patches from the crapware patches, you’d spend an hour or more trying to figure out what to patch and when.

Unfortunately, you can’t stop patching Win7 and Win8.1. There are too many legitimate security holes out there.

So we’re stuck between Charybdis and Scylla. For those of you willing to make the effort to identify individual patches that stink, your best source of information is Susan Bradley’s Patch Release Grid. For the vast majority of you, I say go ahead and install all of the patches except KB 3101488 on systems that use Outlook 2013.

After installing the patches, Windows 7 and 8.1 users should immediately run GWX Control Panel. (The latest version has a feature called Monitor Mode that’ll run the program automatically after your update.) If privacy is important to you – and it should be – Win 7 and 8.1 users should then follow the advice at the end of Susan Bradley’s article last month in Windows Secrets Newsletter, and turn off the Diagnostic Tracking Service.

If the idea of Microsoft snooping on you drives you absolutely nuts, try using Spybot Anti-Beacon (t/h B Silverstein). I won’t guarantee that it’ll keep all of your data out of Microsoft’s mitts, and I won’t guarantee that running it is problem-free. But it is the best approach I’ve seen to solving the general snooping questions. If you’ve used Spybot Anti-Beacon, please drop a note in the comments and let me know what you think. I’m particularly interested in learning about any problems.

Even if you plan on upgrading your machine to Windows 10 some day, you should go ahead and block GWX — prevent the advertising and downloads — and turn off the Diagnostic Tracking Service.

Windows 10 users don’t have as many options, of course, although the metered connection trick still works to hold off on updates. If you have your line set up as a metered connection, turn it off for a while and let the updates come through. You should have, or soon get, build 1511, the so-called Windows 10 Fall Update, Threshold 2, and/or build 10586. It isn’t a huge improvement over the RTM build 10240, but it is a step in the right direction. To check, in the Cortana search box, type “winver” and hit Enter. If you’re all caught up, Windows should say it’s on “OS Build 10586.14.” If you don’t have it yet, don’t worry, Microsoft will catch up with you sooner or later.

If you’re running Windows 10 and you’re very sensitive about your privacy, you can turn off some of the leaks in Windows 10. Keep in mind, though, that some of the features in Windows 10 – Cortana comes to mind – really do need to hook your machine up to Microsoft’s data-sucking mechanism. Ed Bott steps you through the basic settings in his ZDNet article about Windows 10 privacy. But if you really want to cut the snooping cord, Spybot Anti-Beacon is your best bet. Watch out: You can clobber all sorts of Windows 10 features if you aren’t careful. On the other hand, maybe you figure the features aren’t worth the snooping. Only you can tell.

With that as prelude, I’m dropping us down to MS-DEFCON 4: There are isolated problems with current patches, but they are well-known and documented here. Check this site to see if you’re affected and if things look OK, go ahead and patch.

And remember, don’t check any boxes that aren’t checked already. Don’t use Internet Explorer. And in Win 7 and 8.1, keep Automatic Update set to notify but don’t download.