News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon

Daily Archives: October 8, 2019

  • Missed the September patches – now what?

    Posted on October 8th, 2019 at 21:29 woody Comment on the AskWoody Lounge

    Just got a message from an old friend:

    Hello Woody:

    You briefly went to DEFCON-3 last week for installing the September updates, but then shortly after that you dropped back to DEFCON-1 before I had a chance to install the September updates. I’m confused about what to do about the September updates, now that we’re past the Patch Tuesday for October. I’ve never seen you go past the Patch Tuesday without recommending we install the previous month’s updates. Should we be installing the September updates if we missed the narrow window of opportunity we had last week?

    It’s easy. Don’t do anything.

    I moved quickly to MS-DEFCON 1 when it became apparent that MS was releasing really buggy patches. Then releasing even buggier fixes to the buggy patches. Then pushing still-buggy fixes to the even buggier patches. Yep, three rounds of patches, all infested with bugs.

    If you didn’t get the September updates installed, don’t worry about it. There’s absolutely nothing in the September updates that has to be installed right away.

    That said, there is a significant looming problem. You need to make sure you don’t use Internet Explorer – and you have to disable IE as your default browser. Almost all of you have done that already, but if you haven’t, follow the detailed instructions in Monday’s AskWoody Plus Newsletter, or the original advice here.

    Then sit back and wait for the MS-DEFCON level to change to 3, 4, or 5. If you’re a Plus Member, I’ll also send out an email Alert when the change comes.

  • October 2019 Patch Tuesday – watch out

    Posted on October 8th, 2019 at 12:12 woody Comment on the AskWoody Lounge

    The patches just hit. I count 132 new patches in the Update Catalog — added to the 50 that were released on Oct. 3rd (and updated on the 4th).

    Dustin Childs, in his usual thorough overview for the Zero Day Initiative, pegs it at 59 separately identified security holes (CVEs). No new advisories. There are no new “Public” or “Exploited” patches. Our old friend CVE-2019-1367, the infamous IE zero-day isn’t on the list of new patches. Childs says:

    –       CVE-2019-1367 – Scripting Engine Memory Corruption Vulnerability
    This patch was actually released on September 23 to address active attacks reported on IE. However, this initial patch was only available via manual download and wasn’t on Windows Update or Automatic Update. On October 3, they updated and re-released the patch on all platforms. They also noted the updated patch addresses some quality issues introduced by the first patch. It seems the rush to create the update to stop the attacks had a bumpy start, and some reports indicate printing issues continue. If you’re worried about the risk, restricting access to jscript.dll is a good alternative to applying the patch. 

    Which is certainly giving Microsoft the benefit of the doubt. 🙂 I continue to recommend not using IE and setting your default browser to something – anything – else.

    Martin Brinkmann has his full listing on the site.

    I’m happy to report that, after a five day absence, the official list of Servicing Stack Updates, ADV990001, is now up and working. Almost all of the SSUs are new this month. (Servicing Stack Updates fix Windows Update itself. Normally, Windows Update installs them automatically; you only need to worry about them if you’re manually downloading and installing updates.)

    It looks like the latest cumulative updates for all Win10 versions include the changes made for the October 3 out-of-band patch. Bugs and all, I would assume.


    Günter Born has posted several descriptions of RDP bugs in the last cumulative update to Win10 version 1903, KB 4524147. Betcha bucks to buckaroos that we’ll see the same bugs (along with all of the printer bugs and Start menu bugs and … ) in the latest cumulative update, KB 4517389.

    We’re still at MS-DEFCON 1: Don’t patch. For any reason, real or imagined.