• Another bug in a security patch only fixed in a rollup


    #125383

    Looks like we have another one… I’m seeing reports that the IE 11 “doesn’t print iframe” bug, introduced in the  IE 11 security update KB 4021558, i
    [See the full post at: Another bug in a security patch only fixed in a rollup]

    9 users thanked author for this post.
    • #125398

      You raise an important point, Woody.

      Also important in my view would be an article or discussion summarising the experience of those in Group B versus those in Group A since the distinction was applied. In other words, what benefits if any have in practice resulted from being highly selective in the application of the monthly updates?

      The original purpose of Group B was to prevent systems from being compromised by those updates which were defective but which weren’t needed for security reasons and could therefore safely be considered optional. So what is the actual experience thus far, have Group B users saved themselves from unwanted problems by not installing certain updates or simply created unwanted problems by failing to install important fixes? Or has there been no real advantage or disadvantage in adopting a selective approach?

      In short, do the Group B users consider the time expended in selecting and manually downloading security-only updates to have been worthwhile thus far as compared with adopting the Group A “Notify but do not download or install” approach each month?

      5 users thanked author for this post.
      • #125408

        The original purpose of Group B was to prevent systems from being compromised by those updates which were defective

        This is actually not true, although there is a good chance that everyone has a different understanding of the so-called Group B and this includes me.
        MS-DEFCON system is instead what is trying to prevent systems from being compromised by defective updates.
        I think the Group B approach was and still is a concept targeted to those who were concerned about the telemetry patches in an attempt to avoid those patches.
        It is well known that the most problematic patches of all are the security patches, because by their nature, they impose restrictions which in some situations negatively impact functionality.
        I am not including in this discussion the Preview patches, because their purpose is self-descriptive, although they have been remarkably reliable for their purpose since their first release.
        So Group B style of patching does not make the systems more stable, quite the opposite. And there are few more arguments in favour of this statement which are already well-known to those regularly reading my posts.

        7 users thanked author for this post.
        • #125412

          Thanks for the correction ch100, I had forgotten the telemetry argument.

          As for the rest of your comment, I did indeed have you very much in mind when considering the value of actually assessing the net benefit (if any) in having followed the Group B approach. I know there are clearly people for whom it wouldn’t be considered remotely appropriate, as per your various arguments to date, but my interest is in seeing an article/discussion from those who did consider it appropriate with an update as to whether they still see it as worthwhile? Balancing their experiences and current views against the comments you (and doubtless others) have made on the wisdom or otherwise of adopting these different approaches would make for interesting reading.

          3 users thanked author for this post.
        • #125483

          The main reason should have been the principle that the user decides what will run on the computer, not MS. Americans talk a lot about freedom, but when it comes to corporations it is empty talk.

          3 users thanked author for this post.
      • #125430

        Unquestionably, Yes. I adopted a “Group B” approach (prior to discovering this website) after months of computer problems caused largely by buggy updates – although it took a P.C. technician to explain that to me. Since adopting this approach (which I find quite straightforward and not at all time-consuming) I have had no computer problems, at least none that I haven’t been able to resolve myself. Nary a one in over 18 months now. Thanks to the warnings provided on this site, I chose not to install KB 4021558. I should be fine when, in due course, I install KB 4025252 – the updates are cumulative. To date, then, no real problem. I realise of course that one day this may change, but I’ll deal with that situation when it arises. I’m slightly intrigued however by the issue so many people have with the “Group B” approach who don’t follow it – surely it’s up to each individual to maintain their P.C. in the way that works best for them? I don’t waste my time challenging the members of “Group A” to justify their approach. Install whatever you like; it’s your machine!

        10 users thanked author for this post.
        • #125437

          It’s interesting how there’s always a pushback whenever people try to take shots at the Group B approach. Indeed, it seems just a little bit insecure the way Group A advocates feel the need to constantly take shots at Group B’s approach. I suppose that will never end, but I too have had zero problems with updates since getting away from Group A. I was in that group for a very, very long time; up until January of this year actually.

          However, a Group A approach requires a degree of trust which has been breached numerous times by Microsoft and no longer exists for me. I will never give that to them again. Windows updates have caused problems for me here and there even with automatic updates on and even with installing every single thing MS wanted me to. It makes no difference because it’s the c*** quality of the updates themselves. It permeates into all updates, Security-Only or otherwise. It’s about risk and there’s much less of it when I have control. Of course, I do not buy into the importance of being “up to date” all the time. Many years of experience has taught me that. Good habits and layered protection pretty much takes care of everything.

          Besides, I don’t use IE and never have. I am pretty sure this printing problem was already fixed, though. KB4032782 fixed this, didn’t it?

          8 users thanked author for this post.
      • #125433

        Just saying, from my non-techy point of view, that Group B has been easily applied, and no adverse effects noted on my Win 7 laptop. I’ll keep it going as long as possible, even moving it off-line when support ends, or the security updates are no longer viable.

        I chose Group B because the telemetry being back ported into Win 7 is unacceptable for me, and the GWX dirty tricks campaign showed Microsoft’s disregard of their customers and betrayed the trust I had in them. That won’t be a business I’ll support again. At first I thought it was a mistake, but they have doubled down…

        It feels good to be able to just use my laptop, do simple regular maintenance, and be problem free… and that is Group B, so far, for me.


        Non-techy Win 10 Pro and Linux Mint experimenter

        10 users thanked author for this post.
      • #125452

        My Windows 7 x64 Ultimate “Group B since May 2016” hardware system is running smoothly and without flaws. I won’t put up another “perfect 10” reliability report for it, that’s getting boring. I don’t require anything of it that it would do if only I did a “Group A” update.

        Elly and others are right to mention “loss of trust in Microsoft”. That’s important.

        -Noel

        5 users thanked author for this post.
      • #126027

        I'm Group A. That's what I do. I use "Notify but don't download." I look at each and only check off what I actually need. I don't deal with Azerbaijan and other countries' currencies; I hide them. So far they haven't come back.

    • #125401

      https://support.microsoft.com/en-us/help/4025252/cumulative-security-update-for-internet-explorer-july-11-2017

      •Addressed issue introduced by KB4032782 where Internet Explorer may close unexpectedly when you visit some websites.

      I take that as the fix is already implemented.

      3 users thanked author for this post.
      • #125440

        Yep, but…

        The mysterious closing bug is different from the iframe print bug, isn’t it?

        • #125443

          Yep, but… The mysterious closing bug is different from the iframe print bug, isn’t it?

          KB4032782, a non-cumulative update, fixed the iframe bug, but introduced a bug of its own – the mysterious closing bug. KB4025252 fixes the bug introduced in KB4032782.

          So… installing KB4025252 fixes the iframe bug if KB4032782 isn’t installed and fixes the mysterious closing bug if it is.


          7 users thanked author for this post.
    • #125411

      I can live with IE bugs regarding IFrame printing going unremediated — I don’t use IE.

      1 user thanked author for this post.
    • #125418

      My stance in adopting a Group B method.

      1.  The GWX nuisance caused the loss of my trust.  In no way will I allow an update to install automatically or that isn’t for “security only.”  All others are not worth the risk, except IE 11, .NET Framework & MSRT.

      2.  Will avoid the “optional” updates that to me are questionable in nature.

      3.  Mainly, it’s my machine & I don’t want M$ foisting c*** onto it.

      This method helps me manage quite well.

      Meanwhile, askwoody continues to be a great source of information.  Thank you one & all.

      ————–  
      Win8.1 x64

      6 users thanked author for this post.
      • #125426

        There are more options than Woody’s grouping of A, B, and W.

        As I understand, A is Windows 10 style, with Windows Update set to automatically download and install all important patches (not sure where the recommended ones end up).  Group B is people who manually download and install the security-only patches.

        I’m not in either group by those rules.  Like group A people, I install the full rollups, but like group B people, I have automatic updates OFF and I carefully vet each patch before I install it.  At no point would I turn on automatic updates; I haven’t done that since the introduction of Windows updates back in the day, and I am not about to start now.

        I too am concerned about the telemetry, but that which was added in the patch rollups seems just as easy to remove.  I say “seems” because I cannot be 100% sure it’s all gone, but when I have run Wireshark and inspected what it’s captured, I don’t see anything that should not be happening.

        I am not really concerned about Microsoft slipping something nasty in via the full rollup.  First, Woody does a good job of keeping his ear to the ground and listening for any rumblings that might indicate a problem; second, I keep backups of all my main PCs going back for some time (several months, along with reference backups on external media that often go back even further), and if worst comes to worst and I discover that there is an unremovable (truly unremovable, not just WU telling me it is) patch that I can’t abide, I can go back before it was installed.

        There is no doubt that MS has (unfortunately) chosen to have an adversarial relationship with its non-enterprise customers, and that means MS itself is a threat, just as de facto malware is a threat.  The worst of the MS threat can be mitigated fairly well, and the benefit to that is added protection from the non-MS threat from ransomware and other such things.

        I can understand the impulse to give up on MS and forsake all updates, but while it may be satisfying on one level to yell out the window that you’re as mad as something and you’re not going to take it anymore, it’s not what I would consider the most logical.  Threats outside of Redmond do exist, and if you’re hit with a ransomware that encrypts all your important files, it will make Microsoft’s bad stuff seem positively trivial right at that moment.

        Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
        XPG Xenia 15, i7-9750H/32GB & GTX1660ti, KDE Neon
        Acer Swift Go 14, i5-1335U/16GB, KDE Neon (and Win 11)

        4 users thanked author for this post.
        • #125435

          “As I understand, A is Windows 10 style, with Windows Update set to automatically download and install all important patches (not sure where the recommended ones end up).  Group B is people who manually download and install the security-only patches.”

          I don’t agree with that interpretation, which only goes to confirm the point ch100 has made about the lack of clarity in the definitions!

          To me, Group A involves installing the Security Quality Monthly Rollup together with the other updates that are neither optional nor unchecked as part of the monthly WU offerings, subject to any exceptions identified here and elsewhere as best avoided. It’s nothing to do with them being automatically downloaded and installed, I personally have WU set to “Notify but do not download or install” but I consider myself Group A because I update through WU rather than manually through the MS Catalog and don’t install the security-only update but am happy to install the monthly rollup.

          In any event, it was always my anticipation that when two distinct categories were defined most people would end up somewhere in the middle!

          1 user thanked author for this post.
          • #125438

            Even if that is the definition, I still don’t fall into A or B!

            There are still updates that are not included in the monthly rollup, and I don’t install anything just because it’s listed as “important.”  I am still manually selecting the updates I want to install; the only thing that has really changed since I did the security-only updates is that now I “want to install” the rollup instead of the security update. Really, what happens each patch Tuesday is that I look at what’s available and take what I want, if anything, and leave the rest until such time as I want that too or until I’ve decided to permanently pass on it.  It’s a patch buffet!  Same as it has been since the late 90s, for some of us at least.

            The main thrust of “group A” seems to be that the person is accepting any patch marked as important (though I did read about it being on automatic from someone).  It’s meant to be the relatively easy way for people who don’t want to bother with vetting patches themselves (or that would not know where to begin in finding the info to do that; this site is a great place to start for that).  Even if I do end up mostly installing the same patches as a true group A, it’s a different mental process that goes into it than accepting Microsoft’s guidance on the matter, which seems to be at the center of group “A”.

            When I was doing the security-only updates some months ago, I wasn’t really in “B” as I understand it either.  I seem to remember that “B” involves only security updates, and that anything that doesn’t come checked doesn’t GET checked, but that was never my strategy either.  I’ve checked a number of optional patches; if it seems like a good idea, I accept it.  At that time, the only thing holding me back from the rollups was the telemetry, so any patch that contained non-security fixes that didn’t itself contain telemetry was fair game.

            Where it comes from really doesn’t enter into it… as long as I know it’s a real MS patch, Windows Update is as good as a manual install.  I never really thought about patches downloaded from the catalog as being any different than Windows Update.  It’s the patch contents I am thinking of, not how it got from MS to me.  As long as I know it actually came from MS (in practice, that means I got it from MS, not a third party), it’s all the same to me.

            Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
            XPG Xenia 15, i7-9750H/32GB & GTX1660ti, KDE Neon
            Acer Swift Go 14, i5-1335U/16GB, KDE Neon (and Win 11)

            2 users thanked author for this post.
          • #125439

            @seff
            Best practice. ?

      • #125427

        @ Anonymous

        Same here for W7 x64 and W8.1 x64, you’ve hit the nail on the head for us with the exception of MSRT (hasn’t been on either of our PCs since mid-2015).

        Win8.1/R2 Hybrid lives on..
    • #125431

      The IE11 Print Frame bug that KB4021558 caused was corrected in KB4032782.

      Viper

    • #125442

      I’ve really come to the point of hating my job over the last couple years. Too much BS for what should be a fairly simple job of keeping my client’s OS updated.

      I’m at the point of suggesting all of my clients consider switching to Linux or Apple. For my less technical clientele, most have iPads and iPhones and love the simplicity. Heck, my 80-year-old father can surf, text and email from his iPad and iPhone, yet every time he tries to do something on his Windows desktop he gets frustrated.

      I have a few clients that have extremely sensitive data and they are now afraid of MS. Can’t say I blame them! Had one extremely privacy-minded client recently purchase an iPad and he is now considering Apple products for his office.

      Ahhh Thanks for letting me vent!

      Never Say Never

      4 users thanked author for this post.
      • #125531

        Some fans of Old Time Radio may be reminded of this classic line from the occupants of the house at 79 Wistful Vista, “No, don’t open that door, McGee!”

        Alas, many have, and still more will… (but, then, Redmond has devolved into a corporation which, when it actually condescends to ascertain its customers’ opinions, will first tell them what they are).

      • #125559

        We went down the privacy-concerns road a while ago, and I ended up with a couple of Linux machines that talk to the ‘net and a Windows 7 machine that’s mute. It was last updated in March or April, but it has WiFi and wired LAN disabled. It runs Quicken, which seems to be highly resistant to Linux operation, and holds copies of key files. I don’t load files into it, so the out-of-date virus programs aren’t a problem, either. (Hmm, sounds like my PC circa 1987…)

        Quicken ’17 is stable enough, and I haven’t done on-line banking in almost 20 years, so it works. When that machine starts acting cranky (it’s 5 years old), I’ll switch to one of the Linux alternatives for money management. MS lost my business, and Quicken has, too.

    • #125444

      Both Internet Explorer bugs mentioned in this thread should have been fixed for both Group A and Group B after installing the July 2017 updates.

      Interesting note from CVE-2017-8529 | Microsoft Browser Information Disclosure Vulnerability:

      “7/11/2017 Please note that the protection for CVE-2017-8529 is not yet available with the release of the July security updates, as we continue to work on a solution for the known issue customers may experience when printing from Internet Explorer or Microsoft Edge after installing Internet Explorer Cumulative update 4021558. Customers who receive automatic updates will not be protected from this CVE. Microsoft is continuing to investigate a solution for this known issue and will notify customers as soon as an update is available.”

      3 users thanked author for this post.
      • #125448

        This means that the security fix for IE was rolled back for a PR reason, as the number of users affected is likely not significant compared to the number of Outlook users affected by the bugs which were not fixed. In case of Outlook, security was considered more important than functionality, while for IE this is the opposite.

      • #125536

        Both Internet Explorer bugs mentioned in this thread should have been fixed for both Group A and Group B after installing the July 2017 updates.

        This means that the security fix for IE was rolled back for a PR reason, as the number of users affected is likely not significant compared to the number of Outlook users affected by the bugs which were not fixed.

        Lemme see if I understand the sequence here.

        June 13: Microsoft releases a slew of bad patches for IE — June Internet Explorer Cumulative Update 4021558, Monthly Rollups 4022719, 4022724, 4022726 (all fed through Automatic Update), and Security Updates 4022727, 4022714, 4022715, or 4022725.

        June 21: Microsoft acknowledges the “can’t print from iframe” bug.

        June 22: Microsoft releases a second patch, KB 4032782, which fixes the “can’t print from iframe bug” by disabling one of the security components of the June 13 patches. It’s an optional update, so IE users can choose to either (1) fix the CVE-2017-8529 security hole, or (2) enable printing from iframes. Those using Automatic Update who don’t touch anything will still have problems with printing from iframes.

        June 27: Microsoft releases another big bunch of IE-related patches. Again, the choices are (1) fix the security hole or (2) enable printing from iframes. In this case, those using Automatic Update who don’t install the Preview Rollup patches (which are not checked by default), will still have problems with printing from iframes. EXCEPT folks running Win10 Creators Update, 1703. The people running Creators Update are automatically updated with the patch, enabling printing from iframes, but disabling the fix for the security hole.

        July 11: Another bunch of patches, on Patch Tuesday, but this time the role seems to be reversed:

        Please note that the protection for CVE-2017-8529 is not yet available with the release of the July security updates, as we continue to work on a solution for the known issue customers may experience when printing from Internet Explorer or Microsoft Edge after installing Internet Explorer Cumulative update 4021558. Customers who receive automatic updates will not be protected from this CVE.

        That is, everybody who has Automatic Update turned on should now be able to print from iframes and will be exposed to the security hole.

        Did I get that right?

        I don’t believe that, by the way. There’s no reference to the iframe printing bug in the cumulative updates for 1511 or 1607, while there WAS a reference to it in 1703. And it seems odd that installing the July Security-only patch for IE would remove the CVE-2017-8529 protection from the June Security-only patch. The July Security-only patch has a “silver bullet” for one part of the June Security-only patch.

        Could Microsoft possibly make this more complicated?

        4 users thanked author for this post.
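Putting the thread’s KB bookkeeping into a check. This is an added example, not code from the thread, from AskWoody or from Microsoft: a PowerShell function that takes the list of installed HotFixIDs (from the real Get-HotFix cmdlet) and reports, for the three IE 11 updates named in #125443 and in the timeline above, the iframe-printing, unexpected-close and CVE-2017-8529 state exactly as those posts describe it. The state mapping is the thread’s own reading of the updates, not an independently verified one; Get-IePatchState and the status strings are names chosen here.

```powershell
function Get-IePatchState {
    [CmdletBinding()]
    param(
        # HotFixIDs present on the machine, e.g. (Get-HotFix).HotFixID.
        # Passed in as a parameter so the logic can be run against a
        # constructed list without touching a live system.
        [Parameter(Mandatory)] [string[]] $InstalledIds
    )

    $june  = $InstalledIds -contains 'KB4021558'  # June 2017 IE 11 cumulative (iframe print bug)
    $fixup = $InstalledIds -contains 'KB4032782'  # June 22 optional fix for iframe printing
    $july  = $InstalledIds -contains 'KB4025252'  # July 2017 IE 11 cumulative

    # Defaults for a machine with none of the three updates: nothing in this
    # thread applies to it.
    $iframePrinting  = 'unaffected (June IE update not installed)'
    $unexpectedClose = 'not applicable'
    $cveProtection   = 'not applied (June IE update not installed)'

    # June update alone: printing from iframes broken, CVE-2017-8529 fix in place
    # (the "June updates and no others" case quoted in the thread).
    if ($june -and -not $fixup -and -not $july) {
        $iframePrinting = 'BROKEN (bug introduced by KB4021558)'
        $cveProtection  = 'present (June fix installed, nothing later)'
    }

    # KB4032782 without the July update: printing works again, but the
    # unexpected-close bug is present and the CVE protection was disabled.
    if ($fixup -and -not $july) {
        $iframePrinting  = 'working (KB4032782 disables the offending component)'
        $unexpectedClose = 'PRESENT (bug introduced by KB4032782)'
        $cveProtection   = 'removed by KB4032782'
    }

    # July cumulative: fixes the iframe bug if KB4032782 is absent and the
    # unexpected-close bug if it is present; per the MSRC note quoted above,
    # protection for CVE-2017-8529 is still not shipped.
    if ($july) {
        $iframePrinting  = 'working (KB4025252)'
        $unexpectedClose = if ($fixup) { 'fixed by KB4025252' } else { 'not applicable' }
        $cveProtection   = 'not available in the July update (MSRC note for CVE-2017-8529)'
    }

    [pscustomobject]@{
        KB4021558       = $june
        KB4032782       = $fixup
        KB4025252       = $july
        IframePrinting  = $iframePrinting
        UnexpectedClose = $unexpectedClose
        CVE_2017_8529   = $cveProtection
    }
}

# Live check on the current machine. Get-HotFix reads the
# Win32_QuickFixEngineering list, which is where IE cumulative updates are
# recorded; this assumes the machine is one of the Windows versions the thread covers.
Get-IePatchState -InstalledIds (Get-HotFix).HotFixID | Format-List

# Constructed sample (not captured from a real system): a Group B user who took
# the June 22 fix but has not yet installed the July update.
Get-IePatchState -InstalledIds @('KB4021558', 'KB4032782') | Format-List
```

The function deliberately takes the ID list as input rather than calling Get-HotFix internally, so the same decision table can be run against a list exported from another machine, or against a constructed list when working through which combination of these updates a given system actually holds.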
        • #125539

          Woody, it looks about right to me, except that I am not following so closely and I cannot confirm any of the dates. Some patches have been retired in the mean time, like the “preview” mid-cycle for Win 10 1703 which came via WU.
          My understanding for 1703 is that:

          – June 2017 official CU KB4022725 plugs a security hole, but breaks iFrame printing in IE
          – Mid-cycle preview patch KB4022716 rolls back the security hole and allows iFrame printing again. However there is a new bug introduced in IE by this patch, shutting down IE.
          – July 2017 official and current CU KB4025342 keeps the security hole unplugged to allow printing in iFrame, but also fixes the IE shutdown. At the same time, the previous interim fix update KB4022716 is retired, being removed from the Catalog and WU

          I don’t think you captured the last part about fixing the IE shutdown and expiring of the patch.
          https://support.microsoft.com/en-us/help/4025342

          Addressed issue introduced by KB4022716 where Internet Explorer 11 may close unexpectedly when you visit some websites.

          https://support.microsoft.com/en-us/help/4022716

          The update that this article describes is no longer available and has been replaced by a newer update. It is recommended that you install the most current cumulative update, KB4025342.

          3 users thanked author for this post.
        • #125558

          From Patch Tuesday – July 2017:

          “One final point of interest: last month, Microsoft released a fix for CVE-2017-8529 (a browser information disclosure vulnerability whereby an attacker can detect specific files on the user’s computer) that broke the printing functionality in Internet Explorer and Edge for some users. Over the next two weeks they released various updates to resolve the printing issue, which ultimately removed the protection against CVE-2017-8529. Microsoft has still not been able to resolve the security issue without reintroducing the printing bug, and customers who take automatic updates will still be vulnerable. As of this writing, the only way to be protected is to have applied the June updates and no others (which is not recommended). The severity of CVE-2017-8529 is considered low (on server systems) to moderate (otherwise). If it is of concern, for example on particularly sensitive systems, a workaround would be to use a different web browser until this vulnerability is correctly patched.”

          2 users thanked author for this post.
    • #125449

      Well, considering the discussions here, I’ve got to put in my two cents worth (pun).

      During GWX I was taking care of a huge bunch of Joe Users – keeping them off Win10 (or rolling them back when they got hijacked). I spent hours, sending emails, writing newsletter articles, making phone calls, putting my hands on people’s computers. NONE of these people were capable of coping with it themselves. Some say they can learn to be responsible. No, the vast majority can’t (or won’t).
      So when GWX was over, I put all these people back on Automatic because they were not even capable of understanding or implementing something like DEFCON. I felt an isolated crash was better than cleaning up Ransomware!

      For myself, what I do is sorta hybrid. I have checked “Give me recommended updates the same way I get important updates.” I have checked “Give me updates for other Microsoft products.” I DO NOT install unchecked updates – that includes those in the “optional updates” list. The ONLY updates I ever HIDE are the telemetry updates mentioned in AKB2000003.
      Occasionally I will UNCHECK (not hide) updates (example .NET Framework 4.7 on Win7)
      I install the Group B patches and UNCHECK (not hide) the Rollup each month. Otherwise, I pretty much install everything.
      I have to say here – I do not use Outlook, although I do use Word and Excel a good deal and Access occasionally. I do not use IE11.

      So what am I missing from being in Group A? The non-security part of the Rollup – I install the security-only and IE11 components. Excluding Office, there aren’t a lot of updates in WU these days – Rollup, .NET, MSRT. I have not had a crash or BSOD on my Win7 or Win8.1 machines.

      I have thought about installing the Rollup. Considering MS’s lack of quality in patches lately, it seems to me that the Group B patches provide only 2/3 of the exposure of the full Rollup. In addition, I don’t trust MS not to put telemetry on my machines that will push me in the direction they are going – a direction I don’t want to go. I do not want my information sold to “partners” and I do not want ads on my computer. I don’t want bloat from “Apps” I never intend to use (are not usable). I want my OS and data local – I do not want to push everything to the “cloud.”

      And so I teeter – to Rollup or not to Rollup, that is the question.
      I’m trying it on one machine as a test.

      9 users thanked author for this post.
    • #125455

      Thanks Woody.  For me and my clients, B has come to an end.  C is the future.

      CT

      • #125457

        Group C? As in “no further updates applied?”

        I’ve been a card-carrying member of Group B since October 2016. I also manage a few dozen Windows systems for family, friends, and coworker’s personal systems as requested. I’ve become acclimated to the process. Recommending Group C is something I’m not willing to do yet except for very specific scenarios.

        These days, a user no longer has to visit the shady side of the Web. The most common vectors I see folks running into is a compromised third-party ad server pushing a malicious ad, or some malicious Javascript on a compromised web page. Granted, there are ways to protect against that, but most regular users don’t want the inconvenience of something like NoScript.

        Anyway, you’re a brave man for going “no updates.” For air-gapped PCs with no network access, sure, but for a network-connected system, the risk is just too high in my opinion. It’s only a matter of time before we get another zero-day for Windows.

        The fact that we’re even having this conversation is kind of amazing to me. We’re all running our own brand of risk analysis for our unique situations. Do we patch or not patch? Do we roll the dice to determine that, in any given month, Microsoft will harm our PC more than BadExploitKit#97? Between lousy QA, telemetry, stealth updates, and forced “features,” Microsoft indeed looks more like the #BadGuy with each passing day.

        4 users thanked author for this post.
        • #125481

          Reply to anonymous above;

          Based on M$’s past aggressive GWX campaign which included quietly hiding updates, since Oct 2016, my Win 7 computer has been in Group C because you never know what may be hidden by M$ in the monthly Patch Rollups, either for the Group A Quality Rollups or the Group B Security-Only patches. This came to pass when M$ quietly hid Kabylake/Ryzen processor-blocking updates in the April 2017 Patch Rollups for both Group A and B.

          Because of the GWX campaign, in Aug 2016, I transitioned to Linux Mint as my main OS and nary a problem ever since. Linux is very good for general usage, ie web-surfing, streaming videos, sending emails, online shopping, etc.

          I think M$ have likely hidden NSA-related Telemetry updates in the Rollups, eg many new versions of KB 2952664. Also, hidden updates in the Rollups to detect Windows piracy.
          … M$ may even start hiding updates that display ads in Win 7/8.1 computers. 2020/2023 is still a long way off and you never know what is hidden up Nadella’s sleeves, ie to make Win 7/8.1 unpalatable to use.

        • #125493

          Yes, but this is an exaggeration pushed by interested parties.

          It is quite possible to live without MS security and “improvements” as long as you are careful and take frequent backups. The hackers are usually miles ahead of MS anyway.

          • #125516

            We’ve seen a major counterexample: MS17-010. You really need to install that one.

            4 users thanked author for this post.
          • #125557

            Being careful and taking frequent backups is good advice for you and me, but Joe User can’t be bothered when it comes to maintaining their computer.

            PKCano, posting further above, was talking about how he/she was expending all this time and effort trying to help people avoid the GWX campaign. None of the supported individuals were capable of dealing with it on their own. I’ve seen this time and again with my own friends, family, coworkers, clients, etc.

            Most people just want their computer to work like an appliance. I was just talking to someone a few days ago about this. Software is in a constant state of change, and much of it is thanks to updates. Updates usually fix known problems, but can introduce new ones or even step on the toes of other software. Joe User often doesn’t understand this. To them, updates are an unwanted nuisance. Updates make them close their work and restart the computer.

            They also don’t understand why things like backing up data is essential because, again, they don’t fully understand how computers work. I’ve given up educating a few of my clients on the necessity of backups. They just don’t care. It goes in one ear and out the other. They don’t need to back up their car, their washing machine, or their toaster–why should they back up their computer?

            Some people just want to play Farmville, search “The Google,” watch “The YouTube,” and forward silly chain letters sent to them by their friends. If they are required to do any sort of basic maintenance for their computer to protect it and their data, there’s always something more interesting to do instead. If someone has zero interest in a topic (such as maintaining their computer), they won’t expend the effort to understand it and take action.

            1 user thanked author for this post.
    • #125460

      Luckily (for this case at least) I don’t use internet explorer…

Another question: next month I’ll have to update mom’s computer, which stopped updating at all in 2015 when this Windows 10 debacle started. I will choose Group A for her computer to keep things easier for her regarding future updates.

But is there still anything out there I should NOT install, even as Group A? Are there still any patches out there which want to turn your system into Windows 10?

      1 user thanked author for this post.
    • #125480

      Group A is what MS counted on when it unleashed all its c..p and apparently it knew what it was doing. Ultimately, users enabled them and coming here and kvetching about it means absolutely nothing.

    • #125469

I moved to Group A – “separate junk updates” + “disable integrated tracking” when the tracking junk got put in all the critical security updates. I don’t have a problem with the non-security bug fixes in Group A; I have a problem with the tracking (other than OCA dumps) they have retroactively added to ALL update groups (except for the no-update-at-all group, of course).

    • #125523

      The title of this article is simply untrue (see #125443) and, as a result, is spreading unnecessary FUD.

      May I suggest that both of these issues could be resolved by adding a question mark to the end of the title?

    • #125526

      Considering MS’s lack of quality in patches lately, it seems to me that the Group B patches provide only 2/3 of the exposure of the full Rollup. In addition, I don’t trust MS not to put telemetry on my machines that will push me in the direction they are going – a direction I don’t want to go. I do not want my information sold to “partners” and I do not want ads on my computer. I don’t want bloat from “Apps” I never intend to use (are not usable). I want my OS and data local – I do not want to push everything to the “cloud.” And so I teeter – to Rollup or not to Rollup, that is the question. I’m trying it on one machine as a test.

      Well said – not only does Group B avoid telemetry, it also provides only 2/3 of the exposure of the full Rollup. Why teeter? Be happy !

      Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

      3 users thanked author for this post.
      • #125565

        “not only does Group B avoid telemetry”

        Not true. Telemetry has been a part of Windows 7 since it came out.

        2 users thanked author for this post.
        • #125568

          Telemetry has been a part of Windows 7 since it came out.

          Yep. In fact, it’s been around since the Dr. Watson days of Windows 3.0

          https://blogs.msdn.microsoft.com/oldnewthing/20050810-13/?p=34623

          5 users thanked author for this post.
        • #125608

I am glad to see someone who researched this subject in depth and has all the facts finally debunking a myth.
I am wondering what “Group B” people would think about these two services, widely implemented in larger enterprises, while many of those same enterprises have maximum IT security requirements in place and fully implemented according to the most stringent standards.
The screenshot below is taken from a Windows 7 virtual desktop with the Citrix VDA agent installed.
See the Citrix CEIP and Citrix Telemetry services started and fully functional.
There is even a specific user created by the installer for telemetry purposes.

[Screenshot: CitrixTelemetryCEIP]

          • #125617

            To be honest, telemetry has always been the least of my concerns. I’m just happily keeping my P.C.s fully functional the best way I know how. Shame if it upsets people – but they are my P.C.s.

    • #125535

To all “geeks” and “non-geeks”, of which I am one. I run an HP Pavilion P6520Y desktop with Windows 7 SP1 x64 Home Premium. I turned off IE 12 months ago and don’t turn it on for anything. I use Windows Update once a day to see what MS has to offer for Group B. I am using the original programming that came with this desktop. The only problems I have had were caused by me. I pick and choose updates. There are lots of individuals doing this and using their original systems. Updating using the Group A approach will allow MS to inject telemetry onto the computer. Everything on my computer is 2009–2010 vintage. I check the computer for “spynet” and such once a week. The result is that I can use all the programs I put on “extra” and a few more that Woody advised using. No burps!

      • #125563

        Updating using Group A approach will allow MS to inject telemetry onto the computer.

I’ll just mention that telemetry isn’t a given if you take all the updates. It can be blocked. It doesn’t run by magic, but by scheduled jobs and services, all of which you can take under your control. For example, you can easily choose to disable the Diagnostics Tracking Service and the entries in the Task Scheduler Library > Microsoft > Windows > Customer Experience Improvement area.

        Beyond that, implementing and maintaining additional protection, such as a firewall and/or DNS proxy, that prevents your computer from communicating with sites it has no business contacting (or that you don’t want contacted) is actually a good idea from multiple security perspectives.

        In very real terms: Windows 7 and newer all have had some telemetry built in since they first came out. Choosing not to install their latest updates may have some tenuous merit, but in reality things are a bit more complicated than that and additional steps need to be taken in order to really quiet down any modern system (and yes, it’s doable with a fully updated Windows 7 – and even 8.1 and 10 if you shun the Apps).

        Some things I’ve done (some at a deep geek level) include:

        • Disabling services
        • Disabling scheduled tasks
        • Implementing regular scripted checks to make sure they stay disabled
• Deconfiguration of advanced browser functions, like running ActiveX, by default
        • Registry tweaks (e.g., to eliminate Spynet comms)
        • Installation of a good, manageable 3rd party firewall package
        • Implementation of a blacklisting DNS proxy server
        • Daily compilation of big blacklists from many online sources

        So far I’ve found that it’s possible to surf the bleeding edge and allow just enough communications to succeed that the programs that want to be “cloud integrated” can still function (e.g., Adobe stuff, Visual Studio, etc.) while blocking telemetry e.g., the following list, among others:

        spynet2.microsoft.com              # AV and MSRT telemetry
        spynetalt.microsoft.com            # AV and MSRT telemetry
        wdcp.microsoft.com                 # AV and MSRT telemetry
        wdcpalt.microsoft.com              # AV and MSRT telemetry
        iecvlist.microsoft.com             # Compatibility view list, contacted even though deconfigured
        ieonline.microsoft.com             # Something IE contacts that it shouldn't
        r20swj13mr.microsoft.com           # Unknown why this is contacted by IE when being shut down
        www.msftconnecttest.com            # Microsoft attempts to determine connectivity with its own site with this
        ipv6.msftconnecttest.com           # Microsoft attempts to determine connectivity with its own site with this
        
        #  Special Microsoft sync, telemetry, and privacy addresses to block
        
        vortex* 
        
        *settings-win.data.microsoft.com 
        *vortex*microsoft* 
        statsfe*microsoft* 
        *vo.msecnd.net 
        *telemetry*microsoft* 
        a-*.a-msedge.net 
        *smartscreen*microsoft* 
        
        #  Other blocked telemetry
        
        *telemetry.* 
        

        This is just a tiny, tiny fraction of the lists I’ve developed. My wildcarded blacklist currently has over 30,000 entries, and the individual server blacklist (things not covered by the wildcarded list) is over 50,000 entries. It’s amazing to see how many site contacts are avoided in day to day operations, yet I can surf everywhere and see the content and my applications just work.

        To be quite honest, I would feel tremendously exposed if I didn’t maintain a list of “do not contact” sites.

        More detail on the things I do here: A Description of My Quite Effective Security Environment (Long)

        In all seriousness, if I were using Windows 7 interactively – i.e., to surf the web and run programs – I’d keep it up to date with Group A updates, until such time as Microsoft proves that it has degraded the functionality of the system.

        I DO follow the Group A strategy on the Windows 8.1 workstation I use interactively all the time for my critical work, though I choose WHEN to allow the updates, usually about the time Woody moves the MS-DEFCON level to the higher numbers. Windows itself doesn’t even try to send telemetry, though a few applications (e.g., Visual Studio) still do and are blocked by the several additional security layers I have in place.

        -Noel

        8 users thanked author for this post.
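The controls listed in the post above (disabling the tracking service and the CEIP scheduled tasks, a scripted check that they stay disabled, and a wildcard host blacklist), as an added example. This is not Noel’s script or anything from the thread. It assumes Windows 7 SP1 or later with the DiagTrack/CEIP updates installed, PowerShell 2.0 or later run from an elevated prompt, the Windows 7 service and task names shown in `$Services` and `$Tasks`, and that the blacklist uses PowerShell-style glob semantics (`*` spanning dots), which is an assumption about how a DNS proxy would interpret those entries:

```powershell
# Added example, not code from the original post: a scripted check that reports the
# telemetry controls described above and, with -Enforce, re-applies them.
# Assumptions: Windows 7 SP1+ with the DiagTrack/CEIP updates, PowerShell 2.0+,
# elevated prompt. Service and task names are the Windows 7 ones; extend the lists
# for other builds.
param([switch]$Enforce)

$Services = @('DiagTrack')   # display name "Diagnostics Tracking Service"
$Tasks = @(
    '\Microsoft\Windows\Customer Experience Improvement Program\Consolidator',
    '\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask',
    '\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip'
)

function Get-TelemetryState {
    # One record per control: Kind, Name, State, Compliant
    $out = @()
    foreach ($s in $Services) {
        # WMI gives StartMode on every PowerShell version (Get-Service lacks it before 5.0)
        $svc = Get-WmiObject Win32_Service -Filter "Name='$s'"
        if ($svc) {
            $state = "$($svc.StartMode)/$($svc.State)"
            $ok = ($svc.StartMode -eq 'Disabled' -and $svc.State -eq 'Stopped')
        } else { $state = 'NotInstalled'; $ok = $true }
        $out += New-Object PSObject -Property @{ Kind='Service'; Name=$s; State=$state; Compliant=$ok }
    }
    foreach ($t in $Tasks) {
        # schtasks.exe rather than Get-ScheduledTask, which Windows 7 does not have
        $csv = schtasks.exe /Query /TN $t /FO CSV /NH 2>$null
        if ($LASTEXITCODE -ne 0) { $state = 'NotInstalled'; $ok = $true }
        else {
            $row = $csv | ConvertFrom-Csv -Header TaskName, NextRunTime, Status | Select-Object -First 1
            $state = $row.Status; $ok = ($state -eq 'Disabled')
        }
        $out += New-Object PSObject -Property @{ Kind='Task'; Name=$t; State=$state; Compliant=$ok }
    }
    $out
}

function Set-TelemetryDisabled {
    foreach ($s in $Services) {
        if (Get-Service -Name $s -ErrorAction SilentlyContinue) {
            Stop-Service -Name $s -Force -ErrorAction SilentlyContinue
            Set-Service -Name $s -StartupType Disabled
        }
    }
    foreach ($t in $Tasks) { schtasks.exe /Change /TN $t /Disable 2>$null | Out-Null }
}

# Blacklist check: which entry, if any, would catch a host name. Glob semantics
# (PowerShell -like, where * also spans dots) are an assumption about the proxy.
function Test-BlockedHost {
    param([string]$HostName, [string[]]$Blacklist)
    foreach ($line in $Blacklist) {
        $pattern = ($line -replace '#.*$', '').Trim()   # drop comments and blank lines
        if ($pattern -and ($HostName -like $pattern)) { return $pattern }
    }
    return $null
}

# Report drift; with -Enforce, fix it and report what is still out of line
$drift = Get-TelemetryState | Where-Object { -not $_.Compliant }
if ($drift -and $Enforce) {
    Set-TelemetryDisabled
    $drift = Get-TelemetryState | Where-Object { -not $_.Compliant }
}
$drift | Format-Table Kind, Name, State -AutoSize

# Constructed sample: a few entries from the list above, tested against host names
$sample = @('vortex*', '*vortex*microsoft*', 'a-*.a-msedge.net', '*telemetry.*')
foreach ($h in 'vortex-win.data.microsoft.com', 'a-0001.a-msedge.net', 'telemetry.example.org', 'login.live.com') {
    "{0,-32} -> {1}" -f $h, (Test-BlockedHost -HostName $h -Blacklist $sample)
}
```

Run it from a daily scheduled task with `-Enforce` to get the “stay disabled” behaviour; a rollup that re-enables DiagTrack shows up as a non-compliant row on the next run. In the sample, `vortex-win.data.microsoft.com` is caught by the bare `vortex*` entry because the host name begins with “vortex”; a host such as `eu.vortex.microsoft.com` would only be caught by the `*vortex*microsoft*` form, which is why both appear in the list. One caveat on the list itself: `www.msftconnecttest.com` is the probe target Windows 10’s network connectivity indicator uses, so blocking it makes the tray icon report no Internet access even when everything else works.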
    • #125545

I have been on Group B since its birth. No issues as of yet. I have not used MS IE since Netscape existed and don’t plan to do so in any realm of reality. When the Win7 OS is no longer functional online, I will isolate it off the grid and turn fully over to any of the Linux distros available worldwide.

      3 users thanked author for this post.
      • #125555

        When Win7 OS is no longer functional online then I will isolate it off the grid and turn fully over to any of the Linux distros available worldwide.

        In addition, I shall continue to run Win 7 (as I currently do with XP) as a virtual machine.

        • #125567

          I do that (run XP in a VM occasionally).

          A wrinkle came up some time ago, though: If you disable SMB1 on your network, XP just doesn’t do Windows Networking (file and printer sharing) any more.

          In my case it’s a non-issue since VMware provides the ability to share files to/from the host system directly, and that’s all I need. I only use the XP VM as a curiosity nowadays.

          But I can imagine if I had an XP system that NEEDED to talk to servers on my network I’d have had to make a different decision regarding eliminating SMB1 across the board.

          The same kind of thing is going to happen with Windows 7. It might be security certificate requirements for longer keys, or inherent insecurity in SMB2, or something we’re not even thinking about, but you can be sure Microsoft is planning its obsolescence. There are very real, if sometimes intangible, advantages to keeping current.

          -Noel

          2 users thanked author for this post.
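The SMB1 decision described above (disable it network-wide and accept that XP stops doing Windows networking, or keep it for one legacy host), as an added example that is not from the thread. It assumes an elevated PowerShell prompt on the machine being checked; on Windows 7 it uses the registry and `sc.exe` method from Microsoft’s SMB1 guidance (KB 2696547), and on Windows 8.1 and later the SmbShare cmdlets, which also let you see which connected clients still negotiate SMB1 before you pull the plug:

```powershell
# Added example, not code from the original post: report SMB1 status on this host and,
# with -Disable, turn it off. Assumptions: elevated prompt; Windows 7 path follows
# KB 2696547 (registry + sc.exe, reboot needed); Windows 8.1+ path uses SmbShare cmdlets.
param([switch]$Disable)

$srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Status {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8.1 / Server 2012 R2 and later
        $enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
        # Sessions still negotiating an SMB1 dialect are the clients that will break (XP, old NAS)
        $legacy = Get-SmbSession -ErrorAction SilentlyContinue |
                  Where-Object { [double]$_.Dialect -lt 2 } |
                  Select-Object ClientComputerName, ClientUserName, Dialect
    } else {
        # Windows 7: an absent SMB1 value means SMB1 is enabled (the default)
        $v = (Get-ItemProperty -Path $srvKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $enabled = ($v -ne 0)
        $legacy = $null   # no per-session dialect view on Windows 7
    }
    New-Object PSObject -Property @{ SMB1Enabled = $enabled; LegacySessions = $legacy }
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Server side: stop offering SMB1
        Set-ItemProperty -Path $srvKey -Name SMB1 -Type DWord -Value 0
        # Client side: drop mrxsmb10 from the workstation dependencies and disable it
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
        Write-Warning 'Reboot required for the Windows 7 SMB1 changes to take effect.'
    }
}

$status = Get-Smb1Status
"SMB1 enabled: $($status.SMB1Enabled)"
if ($status.LegacySessions) {
    'Clients currently on SMB1 (these lose access once it is disabled):'
    $status.LegacySessions | Format-Table -AutoSize
}
if ($Disable) { Disable-Smb1 }
```

Run it without `-Disable` first on the machines that serve shares; an empty legacy-session list over a normal working week is the evidence that nothing like the XP VM above still depends on SMB1, and the registry/`sc.exe` changes on Windows 7 need a reboot before they take effect.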
          • #125579

            G’Day Noel,

            Your point about keeping the parent OS current is exceedingly well taken (and one with which I absolutely agree).

            On the other hand, though there will undoubtedly be an increasing number of subsystems that become deactivated in obsolete OSs that one may be running in a virtual environment over time, nevertheless I should expect that, at least for the technically inclined, there will almost invariably still be viable work-arounds that maintain acceptable security while still allowing the particular functionality desired (even if they are less than convenient) — or at least long enough for any necessity to continue running these obsolete OSs to become moot. (Hope springs eternal… .)

            Regards,
            A.J.

            2 users thanked author for this post.
    • #125566

      ? says:

      from Ghacks.net

      “How to disable Microsoft SpyNet on Windows 7”

      https://www.ghacks.net/2011/06/02/disabling-microsoft-spynet-in-windows7/


    • #125574

      What’s funny is that if Microsoft had just opted NOT to do the GWX campaign, where they proved beyond a shadow of a doubt that they were untrustworthy and willing to push garbageware to everyone’s computers, we’d probably not be having anywhere near as many people wanting to block telemetry to them.

      Folks are not unwilling to have their system usage count for something in the future decision-making, as long as the recipient of the telemetry isn’t demonstrably nefarious.

      And for those (e.g., at Microsoft) having difficulty differentiating “nefarious” from “acceptable business practices”, just look at what society considered right and wrong a few versions ago:

      • Creating a decent OS worth BUYING then refining it for years: AWESOME
      • Building trust: GREAT
      • Fixing bugs BEFORE release to the public: VERY GOOD
      • Fixing latent bugs through the update mechanism: GOOD
      • Setting defaults to auto yet providing ways to control: POSITIVE
      • Incentivizing people to contribute info to help build the next OS: DECENT
      • Using the update mechanism for advertising: BAD
      • Releasing buggy new software twice a year: BAD
      • Removing user control: NEGATIVE
      • Breaking things in old OSs via the update mechanism: WORSE
      • Taking data from people without their knowledge: NASTY
      • Sharing or selling personal data: TERRIBLE

      -Noel

      9 users thanked author for this post.
    • #125575

      As mentioned by a few here, any problems with Group B IE patches will be resolved in the next patch cycle.

Keep in mind that the IE patches for Group B are cumulative, not stand-alone. A quick look at the file size would clue you in. For example, KB4025252 is 57.7 MB. The full IE 11 installation package is 57 MB (EIE11_EN-US_WOL_WIN764.EXE).

      Gosh, people try to over complicate things. Nothing to worry about Group B people.

    • #125622

      We may think there’s a good discussion to be had in July 2017 over whether to follow Group A or Group B, but just wait until we’re approaching the end of life support for Windows 7 in January 2020 – boy are there going to be some interesting discussions over what to do then!

      1 user thanked author for this post.
    • #125628

      Reply to #125457
Hello, reply to PKCano July 18, 2017 at 8:27 pm & Anonymous July 18, 2017 at 11:14 pm.

      Agree. Thumbs up.
When helping friends, family, clients, etc., it seems all MANY want is to browse the web and get emails. When asked what their browser is, one gets “I don’t know” or their ISP’s name. (I thought “The Google” & “The Youtube” were funny.) When asked how that got on their computer, I get “I don’t know”.
      Unfortunately all I could do is set it up for group A, auto update ON, and then load Spybot Anti-Beacon to turn off telemetry/Customer Experience. win7user

      • #125675

        I think we need to accept that for many users computers are just a tool, a means to an end. Just as most of us want a car to run us from A to B without wanting to have to learn all about the internal combustion engine and spend all our spare time messing around under the bonnet, so some just want to access various things on their computers without having to learn all about them and spend time running backups, scans, and updates etc. I don’t blame people for that, it’s a perfectly reasonable position for people with busy lives and no particular interest in technology.

        After all, when many of us started out with computers they were just sealed units with no internet connection and there was no need to do anything except insert a disk and run the game or program. I miss those days!

        3 users thanked author for this post.
    • #125421

      Not sure if some future IE security-only patch will fix the bug. But we’ve been waiting for a long time.

      1 user thanked author for this post.
    • #125422

      If MS is going to do this why even have a security-only branch?

      Presumably, to meet contract obligations.  No doubt Microsoft’s behavior adheres strictly to those terms, even if the spirit of the thing lies elsewhere.  Microsoft doesn’t want you to just do the security patches!

      Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
      XPG Xenia 15, i7-9750H/32GB & GTX1660ti, KDE Neon
      Acer Swift Go 14, i5-1335U/16GB, KDE Neon (and Win 11)

      3 users thanked author for this post.