Patch Lady – to patch or not to patch?

    I am cringing as I’m typing this, as I hate it when I tell people to roll back on updates. But after reading this, and especially Kevin Beaumont’s tweet weighing the risk of Spectre/Meltdown [low risk] against the risk of the bug introduced by ALL of the updates released since January [high risk], one is kinda stuck between a rock and a hard place.

    The problem is that between January and March a lot of OTHER updates were released in addition to the Spectre and Meltdown fixes, and they are all bundled into the Windows 7/Server 2012 R2 updates. For those following the Woody patching recommendations, I think I’m going to go even farther out on a limb and propose that if you are holding off on the March updates, you need to roll all the way back to pre-January and hold tight.

    Me personally, I would still weigh how paranoid your user base needs you to be. If there are users in your patching environment who surf and click on ANYTHING, I’d hope you’d make them do their random surfing on an iPad, not a Windows machine (probably still with local admin rights), until this Windows 7 patching mess gets straightened out. I don’t like telling people to roll back to pre-January updates, but neither do I appreciate Microsoft shipping constant side effects that are measurable and impactful while all that happens is that they keep telling us they are working on the issues and this will be fixed in a future release. That SMB memory leak has been happening since January. And in the information security triad of Confidentiality, Integrity, and Availability, availability matters. On servers in particular, that SMB memory leak has availability side effects.

    I see many of you asking for the order in which to install updates, and right now my recommendation is:

    If you have any January through March update installed, make sure KB4100480 is installed.

    Otherwise, go into Add/Remove Programs and roll back to December’s KB4054521 (security only) or KB4054518 (rollup), then hang tight and keep your fingers crossed that April’s updates will resolve these issues.
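An added example, not from the post or from Microsoft: a PowerShell check for one 64-bit Windows 7/Server 2012 R2 box that applies the recommendation above and tells you which branch you are in. The KB numbers are the ones named above; the January through March date window and the output wording are assumptions. It reports only and leaves the actual rollback to Add/Remove Programs.

```powershell
# Added example (not from the post): audit one host against the recommendation above.
# KB numbers come from the post; the Jan-Mar 2018 window is an assumption.
$fixKb       = 'KB4100480'                  # must be present if any Jan-Mar update is installed
$decemberKbs = @('KB4054521', 'KB4054518')  # December security-only / monthly rollup
$windowStart = Get-Date '2018-01-01'
$windowEnd   = Get-Date '2018-03-31'

# The post's advice only applies to 64-bit installs.
if (-not [Environment]::Is64BitOperatingSystem) {
    Write-Output 'Not a 64-bit OS; the rollback advice does not apply to this host.'
    return
}

# Get-HotFix reads Win32_QuickFixEngineering; skip entries with no install date.
$hotfixes = Get-HotFix | Where-Object { $_.InstalledOn }

$recent = @($hotfixes | Where-Object {
    $_.InstalledOn -ge $windowStart -and $_.InstalledOn -le $windowEnd
})
$hasFix      = [bool]($hotfixes | Where-Object { $_.HotFixID -eq $fixKb })
$hasDecember = [bool]($hotfixes | Where-Object { $decemberKbs -contains $_.HotFixID })

if ($recent.Count -gt 0) {
    Write-Output ('{0} update(s) installed between Jan and Mar 2018:' -f $recent.Count)
    # Out-String keeps the table from interleaving oddly with the other messages.
    $recent | Sort-Object InstalledOn |
        Format-Table HotFixID, InstalledOn, Description -AutoSize | Out-String -Width 120
    if ($hasFix) {
        Write-Output "$fixKb is present; keep it installed."
    } else {
        Write-Output "$fixKb is MISSING; install it before doing anything else."
    }
} elseif ($hasDecember) {
    Write-Output 'Only the December baseline was found; hold here until the fixes ship.'
} else {
    Write-Output 'Neither Jan-Mar updates nor the December baseline were found; check manually.'
}
```

Run it in an elevated PowerShell session; the `@()` wrapper keeps `.Count` working on the PowerShell 2.0 that ships with Windows 7.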

    And then, Microsoft, please, please, please do something about these known issues and fix them, because it pains me greatly to publicly type this.

    (Edit: please note that this only applies to 64-bit, not 32-bit; apologies for not noting that. Also be aware that if you see any patch with AMD64 in the name, it applies to Intel 64 as well.)