News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • August 2019 Security patches: It’s a biiiiiiiiig month

    Home Forums AskWoody blog August 2019 Security patches: It’s a biiiiiiiiig month

    This topic contains 136 replies, has 33 voices, and was last updated by  woody 17 hours, 12 minutes ago.

    • Author
      Posts
    • #1907306 Reply

      woody
      Da Boss

      Looks like we’re getting 90 separate patches for 93 individually reported security holes (CVEs).
      [See the full post at: August 2019 Security patches: It’s a biiiiiiiiig month]

      6 users thanked author for this post.
    • #1907307 Reply

      PKCano
      Da Boss

      The 2019-08 Security-only Update and IE11 Cumulative Update have been added to AKB2000003  for Group B patchers (and anyone else who needs them).

      NOTE: The links in AKB2000003 are direct download links to the MS Update Catalog.

      A reminder for those still on Windows 7 and/or Server 2008: SHA-2 Code Signing has become mandatory. You will also need to download KB4474419 (the SHA-2 v.2 update dated 8/12) and the Servicing Stack KB4490628 if it has not been previously installed.

      Also be sure you have installed the Servicing Stack Update for Win 8.1 KB4504418

       

      UPDATE: See #1907649 below            UPDATE            UPDATE

      No, SO KB4512486 is telemetry-free

      • This reply was modified 5 days, 17 hours ago by  PKCano.
      7 users thanked author for this post.
      • #1907312 Reply

        Matthew
        AskWoody Plus

        So if we already installed the March version of the SHA-2 update on Windows 7, do we need to install this August version of it?

         

      • #1907328 Reply

        PKCano
        Da Boss

        The MS pages for KB4474419 say the following:

        • This security update was released March 12, 2019 for Windows 7 SP1 and Windows Server 2008 R2 SP1.

        • This security update was updated May 14, 2019 to add support for Windows Server 2008 SP2.

        • This security update was updated June 11, 2019 for Windows Server 2008 SP2 to correct an issue with the SHA-2 support for MSI files.

        • This security update was updated August 13, 2019 to include the bootmgfw.efi file to avoid startup failures on IA64 versions Windows 7 SP1 and Windows Server 2008 R2 SP1.

        If the latter point applies to your situation, you will definitely need to apply this patch.

        UPDATE
        : MS pages also say:

        This update also includes the following improvements:

        • Further hardening of infrastructure files that are used by the Windows Update and Microsoft Update client.

        • A more secure communication channel between the service and the Windows Update and Microsoft Update client has been added.

        So it would seem this patch should be installed for Win7 in general, not just IA46 based systems.

        • This reply was modified 6 days, 3 hours ago by  PKCano.
        • This reply was modified 6 days, 3 hours ago by  PKCano.
        4 users thanked author for this post.
        • #1907397 Reply

          OscarCP
          AskWoody Plus

          Thanks for the advice. According to it, I better install this latest version of the SHA-2 patch. I have this question: Is there any particular urgency in installing it, or can this wait a few weeks, along with the rest of this month’s patches?

          Windows 7 Pro, SP1, x64.

          • #1907405 Reply

            PKCano
            Da Boss

            We are on DEFCON 2. That applies to all the August patches.

            6 users thanked author for this post.
            • #1907484 Reply

              Tex265
              AskWoody Plus

              Windows 7 Pro SP1 x64

              Per PKCano comment above, what does IA64 based mean?

              Back on April 2 I installed the March Security Update KB4489878, the SHA-2 KB4474419, and separately first installed the Service Stack KB4490628.

              Windows Update is now showing me 2019-08 KB4474419 (again) and the MSRT, but not KB4512506 (the real August Security Update).

              Do I have to install KB4474419 again before Windows Update will give me KB4512506?

              If KB4474419 was previously updated in May then June, why was this not provided by Windows Update back then? And, should’nt we be installing now 2 months later?

              Windows 10 Pro x64 v1803 and Windows 7 Pro SP1 x64
            • #1907498 Reply

              PKCano
              Da Boss

              We are on DEFCON 2. There is no urgency/need to install ANY August patch at this time.

              2 users thanked author for this post.
            • #1907499 Reply

              Matthew
              AskWoody Plus

              From my simplistic understanding, most Windows users are on x64 (64-bit) or x86 (32-bit) architecture.  The IA64 architecture is different, mainly meant for servers, and usually cannot run 32-bit applications (unlike x64 which usually can).  Most of us running a desktop or laptop don’t have IA64.

               

              4 users thanked author for this post.
            • #1907586 Reply

              Tex265
              AskWoody Plus

              Windows Update is now showing me 2019-08 KB4474419 (again) and the MSRT, but not KB4512506 (the real August Security Update).

              The IA64 architecture is different, mainly meant for servers, and usually cannot run 32-bit applications (unlike x64 which usually can). Most of us running a desktop or laptop don’t have IA64.

              If true about IA64 and I have x64 – why am I receiving KB4474419 again as a Windows Update?

              Windows 10 Pro x64 v1803 and Windows 7 Pro SP1 x64
            • #1907593 Reply

              PKCano
              Da Boss

              Look up at #1907328.

              2 users thanked author for this post.
            • #1907648 Reply

              abbodi86
              AskWoody_MVP

              It’s an important security update, whether they re-release or not, it affects you or not, just install it and move on

              1 user thanked author for this post.
            • #1907832 Reply

              anonymous

              KB4474419 from august is most current version. If WU shows both from march and from august, it will be able to only install one of them, or both due to order of installation. In my example version from august was first then version from march failed and dissapeared from WU.

    • #1907316 Reply

      geekdom
      AskWoody Plus

      August Beta Test Report Windows 7 x64 Updates

      Important
      – Windows Malicious Software Removal Tool x64 – August 2019 (KB890830)
      – August 2019 Security Monthly Quality Rollup Windows7 for x64 (KB4512506)
      – August 2019 Security Update for Windows 7 for x64 (KB4474419)

      Optional
      – Microsoft .NET Framework 4.8 for Windows 7 x64 (KB4503548)

      Selected the important updates.
      – KB4512506 failed.
      – KB890830 installed.
      – KB4503548 installed.

      I rebooted and checked for updates.

      Selected important and optional update.
      – KB4512506 installed.
      – KB4503548 installed.

      I rebooted. The system came up. The system automatically rebooted again.

      Total time to install four updates was about 45 minutes with an initially failed update and a very slow download time.

      The guinea pig did not die and the system functions. However, this was a cumbersome update process.

      Group G{ot backup} Win7Pro · x64 · SP1 · i3-3220 · TestBeta · Microsoft Security Essentials
      7 users thanked author for this post.
      • #1907564 Reply

        geekdom
        AskWoody Plus

        Addendum and correction:

        First pass, selected the important updates.
        – KB4512506 failed.
        – KB890830 installed.
        -KB4474419 installed, not KB4503548.

        Group G{ot backup} Win7Pro · x64 · SP1 · i3-3220 · TestBeta · Microsoft Security Essentials
        • This reply was modified 6 days, 3 hours ago by  geekdom.
        1 user thanked author for this post.
    • #1907329 Reply

      anonymous

      Does anyone know yet if this monthly update also contains the same (or other) telemetry/snooping features as last months?

      • #1907332 Reply

        Microfix
        Da Boss

        (WU) SMQR patches certainly will but, as for Security Only patches we need reports in to confirm.

        ********** Win7 x64/x86 | Win8.1 x64 | Linux Hybrids x64 **********

        1 user thanked author for this post.
        • #1907649 Reply

          abbodi86
          AskWoody_MVP

          No, SO KB4512486 is telemetry-free

          11 users thanked author for this post.
          • #1907761 Reply

            woody
            Da Boss

            Odd. But welcome news.

            Any idea about the advisability of installing the August SO update without installing the July SO update?

            2 users thanked author for this post.
            • #1908151 Reply

              GoneToPlaid
              AskWoody Plus

              I disabled the two telemetry things in Task Manager which were installed by the July SO update. After installing the August SO update, these two tasks remained disabled. The July SO update telemetry items in Task Manager are set to run infrequently. This suggests that these two tasks merely gather basic information about the computer, as in what updates and programs are installed. In other words, no “real time” data is constantly gathered, unlike when KB2952664 is installed.

              A half rant, yet food for thought…

              The upshot is that I think that users should install the July SO update and then simply disable the two tasks in Task Manager which gather some limited telemetry. I theorize that Microsoft simply wants to know why so many users refuse to upgrade to Windows 10. Is it because Windows 7 users are using older programs which will not run under Windows 10? Is is because many Windows 7 users are using much older hardware which may have issues with Windows 10? Is it because many Windows 7 users refuse to accept the telemetry which comes with Windows 10? Perhaps these are things which Microsoft wants to know.

              On the other hand, and after the abysmal failure of Windows 8, Microsoft could have simply asked their consumers these very questions via online surveys. Microsoft has a penchant for belatedly realizing that they royally messed up in anticipating what consumers really wanted. It seems that it takes Microsoft at least a solid three years to begin to acknowledge that they didn’t get it right.

              For the first time in Microsoft’s history, the Microsoft Windows branch (under Sinofsky and subsequently under Nadella), achieved the infamous milestone of releasing two OS versions in a row which were not well received. I wish that Balmer had been brought back to once again perform his magic and fix Windows 8, long before we ever got to this thing which is called Windows 10. The only company which I can think of which was equally inept is Chrysler.

              Everyone, please do not respond to my half rant, since doing so would take this topic way off topic. If you want to respond, create your own rant in the appropriate rant section of the forum.

              1 user thanked author for this post.
            • #1908183 Reply

              abbodi86
              AskWoody_MVP

              +1 for installing July SO

              i think you mean Task Scheduler not Task Manager 🙂

              1 user thanked author for this post.
            • #1908554 Reply

              SueW
              AskWoody Plus

              @gonetoplaid, thank you for providing your results regarding installing August’s SO!

              Had you also taken a look at Event Viewer after installing either July’s SO [KB4507456] or August’s SO? Per post #1907151, anonymous posted what he/she found after installing July’s SO — that Event Viewer showed this warning message:

              “A provider, InvProv, has been registered in the Windows Management Instrumentation namespace Root\cimv2 to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.”

              I found these Warnings as well, right after installing July’s SO (as noted in the reply thread to anonymous). I’d be very interested in what your ‘take’ is, and if these Warnings can (or should) be deleted.  Thanks!

              Win 7 SP1 Home Premium 64-bit; Office 2010; Group B; Former 'Tech Weenie'

            • #1910246 Reply

              anonymous

              The very reason for Installing any Security Only Patches are for Patches that only contain Security Only functionality in said Security Only Patches and any Telemetry in them is non-excusable. By definition most folks doing that Security Only patching want to retain their Windows 7 installs without any Nagging or GWX sorts of Windows 10 foisting on MS’s part.

              So I can live without any Security Only patches that are not really Security Only patches.

              The folks using windows 7, or Windows 8.1(With TIFKAM go away third party software installed), are really and most definitely not wanting windows 10 and that loss of user control over privacy/system maintenance and the eventual OS as a subscription service business model that Windows 10 represents. Things after the 2020-2023 time frame will not be the same under Windows 10 and staying with 7/8.1(With TIFKAM hiding software) will give most of those users at least until 2023 to avoid that which will  not be user friendly at a higher Recurring Cost going forward under Windows 10.

              By 2023 I’ll expect that some Linux OS based laptop OEM will begin Offering new Linux OS based laptops with AMD’s Zen/Vega or Zen-2/Navi based APUs inside and then I can purchase new laptops that are outside of MS’s reach for the most part and Intel’s/Nvidia’s higher Markups/MSRPs as well as that relates to any PC/laptop total costs of ownership.

              I do not want to be tied in to any more recurring monthly expenses other that the necessary ISP expenses.  So my OS and related software/services will remain as low cost as possible under Linux/Open Source relative to Windows 10 and some unwelcome monetization expenses to come in the 2020-2023/later time frame.

               

          • #1908146 Reply

            abbodi86
            AskWoody_MVP

            I cannot say for sure

            the OS will still works perfectly with August SO KB4512486 (which require SHA2 KB4474419)

            but it will be missing some of security fixes for July vulnerabilities

            1 user thanked author for this post.
            • #1908204 Reply

              anonymous

              ? says:

              thank you, GTP and abbodi86!

              abbodi86, given the fact that security patching for Window’s 7 is scheduled to end soon do you think that skipping the July SO will really matter since the bulk of the file list for the patch seems to be updating the same well worn components and i’m going to relegate the win7 hdds to the closet with the the other Windows EOL versions next January? i do have the July SO patch on hand as well as your beautifully crafted remedy for the (unwarranted\unwanted) telemetry plumbing at the ready i just can’t bring myself to install it…

            • #1908253 Reply

              abbodi86
              AskWoody_MVP

              Well, 5 months is considerable period not to be patched, so install it

              1 user thanked author for this post.
    • #1907333 Reply

      anonymous

      I am not being offered the Win 7 monthly rollup KB4512506 (I still see the 2019-07 Preview KB4507437).

      I am assuming that this is due to the following:

      Symptom:
      Microsoft and Symantec have identified an issue that occurs when a device is running any Symantec or Norton antivirus program and installs updates for Windows that are signed with SHA-2 certificates only. The Windows updates are blocked or deleted by the antivirus program during installation, which may then cause Windows to stop working or fail to start.

      Workaround:
      Microsoft has temporarily placed a safeguard hold on devices with an affected version of Symantec Antivirus or Norton Antivirus installed to prevent them from receiving this type of Windows update until a solution is available. We recommend that you do not manually install affected updates until a solution is available.

      I have Norton Security 22.18.0.213 installed on my Win 7 system.

      Assume that there will be many others in the same situation.

      3 users thanked author for this post.
      • #1907338 Reply

        PKCano
        Da Boss

        You are not the only one with the problem. It affects the Semantec/Norton EndPoint Protection.

        See #1907303.

        2 users thanked author for this post.
        • #1907625 Reply

          OldBiddy
          AskWoody Lounger

          I have Symantec (Norton? Is it the same thing?) also and I haven’t been offered the August monthly roll up either. When it is offered can we assume the problem is fixed? DEFCON status notwithstanding of course. All I see in WU is a whole lot of drivers labeled optional.

          • #1907762 Reply

            woody
            Da Boss

            Symantec bought Norton in 1990.

            Few people realize that Norton, prior to Symantec, was a PC utility company WITHOUT an antivirus product. Norton Antivirus is just a convenient use of a trusted name.

            AFAIK, Peter’s still living on Martha’s Vineyard. He’s no longer on the board of Symantec. Rarely hear about him these days, except for his philanthropy.

            6 users thanked author for this post.
            • #1907764 Reply

              jabeattyauditor
              AskWoody Lounger

              Broadcom bought the Enterprise Security products from Symantec a few days ago, making them once again owned separately from the Norton (home/personal) line. (The transaction will likely close before year-end.)

              Broadcom intends to keep the Symantec nameplate in place for now.

              1 user thanked author for this post.
            • #1907867 Reply

              OldBiddy
              AskWoody Lounger

              Thanks @woody – that’s good to know about Symantec and Norton. I guess the Norton name still carries some cachet if people still use it.

              • This reply was modified 5 days, 9 hours ago by  OldBiddy. Reason: Spelling
      • #1907596 Reply

        Tex265
        AskWoody Plus

        I’m seeing the same thing as ? above with my Norton Security on Windows Pro SP1 x64.

        Windows Update is now showing me 2019-08 KB4474419 (again) and the MSRT, but not KB4512506 (the real August Security Update).

        Windows 10 Pro x64 v1803 and Windows 7 Pro SP1 x64
        2 users thanked author for this post.
      • #1907722 Reply

        PKCano
        Da Boss

        There is not urgency/need to install any of the August updates at this time. We are on DEFCON 2. WAIT!!

        There is a conflict with Semantec/Norton EndPoint Protection and the updates signed with SHA-2 only. This affects both the Monthly Rollup and the Security-only Update. Until this is worked out, MS has a block in Windows Update on computers running this security software, so you will not see (and should not install manually) the August SQMR or SO.

        4 users thanked author for this post.
    • #1907337 Reply

      anonymous

      ? says;

      peeked inside KB4512486 and did not see any telemetry

      https://support.microsoft.com/en-in/help/4512486/windows-7-update-kb4512486

      scroll down to “file information” and open it or save it…

      now i’m wondering if i can apply it (later on) w\o breaking something\everything naving not applied the July SO?

      • #1907659 Reply

        anonymous

        I recklessly installed KB4512486 and my Windows 7 laptop wound up reinstalling itself from scratch. Forgetting the full details of that patch including symptoms was rash on my part. I meant to get a new laptop considering my old one was on its metaphorical life support, but do hold off the update until Woody gives an “ok” on the Defcon.

    • #1907346 Reply

      ashfan212
      AskWoody Lounger

      Windows 7 x64 Home Premium Group A, McAfee AV

      I installed the SHA-2 update KB4474419 back in March. It appears that the August update to KB4474419 only applies to IA64 and not X64 based systems. Therefore, I am assuming that I will not need to reinstall this update.

      What is unclear is whether I will even be offered this update. I would imagine that WU would only offer KB4474419 as an “exclusive” update. Therefore, if I am not offered the update, should I use the technique of hiding all of the other updates to see if KB4474419 appears as an “exclusive” update? Or is it preferable not to attempt to reinstall the update (even if replacing the March update version with the August update version does no harm) as the August update only applies to IA64 based systems according to the documentation?

      • This reply was modified 6 days, 8 hours ago by  ashfan212.
      • This reply was modified 6 days, 8 hours ago by  ashfan212.
      • #1907356 Reply

        PKCano
        Da Boss

        KB4474419 is not an exclusive update.

        Edit: If you are not offered the patch through Windows Update, I would recommend waiting to download and manually install it.

        • This reply was modified 6 days, 3 hours ago by  PKCano.
        1 user thanked author for this post.
        • #1907375 Reply

          ashfan212
          AskWoody Lounger

          Hi PKCano,

          I am not doubting your claim that KB4474419 is NOT exclusive; however, the documentation for KB4474419 indicates that installation of this update requires a reboot. Wouldn’t that mean that one should install this update by itself and then reboot before attempting to install any other offered updates? I would imagine that installing KB4474419 along with the August monthly rollup concurrently would cause the rollup installation to fail, even when KB4474419 is installed first by WU before attempting the installation of the August monthly rollup.

          Perhaps this explains why the user Geekdom reported that the installation of the August monthly rollup KB4512506 failed to install on its first attempt, as that user indicated that KB4474419 was included in the set of updates that were received from WU.

          As an aside, is there a convenient way to check whether an update is marked as exclusive?

          • This reply was modified 6 days, 6 hours ago by  ashfan212.
          • #1907377 Reply

            PKCano
            Da Boss

            KB4474419 is NOT exclusive. Many Win7 updates “require a reboot.”
            I just installed, on my Win7 SP2, KB4512506 Rollup, KB4474419 SHA-2 v2, and KB890830 MSRT at the same time through Windows Update with no problems, no failures, no second reboot, no error messages.

            Screen-Shot-2019-08-13-at-3.43.13-PM

            Attachments:
            6 users thanked author for this post.
            • #1907389 Reply

              ashfan212
              AskWoody Lounger

              Very encouraging! I am also being offered KB4474419 as checked and important notwithstanding that I had installed the update in March.

              Perhaps your update procedure was successful because you had also previously installed KB4474419 prior to the August update.

            • #1907520 Reply

              PKCano
              Da Boss

              Selected the important updates. – KB4512506 failed. – KB890830 installed. – KB4503548 installed.

              KBKB4012215 is the installer for .NET 4.8 on Win7. It is not an update for the operating system. If I had to guess, I would suspect this for causing @geekdom ‘s problem. Just saying…

            • #1907550 Reply

              geekdom
              AskWoody Plus

              On the first pass, only the important updates were attempted.

              On the second pass, the important update that failed and the optional update were installed.

              Group G{ot backup} Win7Pro · x64 · SP1 · i3-3220 · TestBeta · Microsoft Security Essentials
            • #1907561 Reply

              geekdom
              AskWoody Plus

              Reiterating:

              First pass, selected the important updates.
              – KB4512506 failed.
              – KB890830 installed.
              -KB4474419 installed.

              Optional

              Second pass, selected important update that failed and optional update.
              – KB4512506 installed.
              – KB4503548 installed.

              There is an error in my beta test report. Could someone correct it?

              Group G{ot backup} Win7Pro · x64 · SP1 · i3-3220 · TestBeta · Microsoft Security Essentials
              • This reply was modified 6 days, 3 hours ago by  geekdom.
            • #1907562 Reply

              PKCano
              Da Boss

              Selected the important updates. – KB4512506 failed. – KB890830 installed. – KB4503548 installed. I rebooted and checked for updates.

              KB4503548 is the installer for .NET 4.8
              See #1907520.

              1 user thanked author for this post.
            • #1907551 Reply

              ashfan212
              AskWoody Lounger

              Hi PKCano,

              I had meant to say that KB4474419 is listed as a prerequisite to installing the August rollup KB4512506. That fact along with its required reboot caused me to inquire whether I should install KB4474419 separately prior to the installation of the August rollup. Anyway, that’s what I did and it seems to have worked. Thanks!

              1 user thanked author for this post.
            • #1908096 Reply

              GoneToPlaid
              AskWoody Plus

              Maybe because you already had KB4474419 version 1 installed back in March? But yeah, it shouldn’t be exclusive as long as it is installed first, before other updates.

              • This reply was modified 5 days, 1 hour ago by  GoneToPlaid. Reason: add more info
          • #1907390 Reply

            GoneToPlaid
            AskWoody Plus

            Yes, install KB4474419 by itself and then reboot before installing any other updates.

            2 users thanked author for this post.
    • #1907350 Reply

      anonymous

      According to Ghacks:

      “Systems with Symantec or Norton software installed may block or delete Windows updates which causes Windows to stop working or fail to start. Upgrade block is in place. Symantec support article for the issue.”

      But the Symantec support article says:

      “Windows 7/Windows 2008 R2 updates that are only SHA-2 signed are not available with Symantec Endpoint Protection installed”

      So no mention of Norton in the Symantec support article are they the same thing(Norton and Symantec Endpoint Protection).

      I’m also waiting for any KB4512486(Aug 2019 Sec Only Update) telemetry vetting as well just because of what happened with the July 2019 Sec Only update for Windows 7.

      • #1907765 Reply

        woody
        Da Boss

        I believe that “Norton Endpoint Security” is a common name for the product officially known as “Symantec Endpoint Security”

        Anybody know the details?

        • #1907916 Reply

          anonymous

          But the Symantec support article says[Verbatim]:

          “Windows 7/Windows 2008 R2 updates that are only SHA-2 signed are not available with Symantec Endpoint Protection installed”

          And it’s the Press that’s Adding that Norton Branding so maybe that AKA needs to be clarified with Symantec. I’m running an ISP provided version of Norton Security Suite and there that Norton branding is on the product but in the quoted statement above on the Branding that is only “Symantec Endpoint Protection” so I assume that Symantec’s branding is correct. But clarification is certainly needed with the Press asking Symantec if that actually includes any products with that Norton name included in the product’s branding.

          1 user thanked author for this post.
    • #1907358 Reply

      Microfix
      Da Boss

      This kind of looks weird and out of place for Windows update KB4512508. Extract from: https://www.ghacks.net/2019/08/13/microsoft-windows-security-updates-august-2019-overview/

      Fixed the MIT Kerberos realms issue that prevented devices from starting up or caused them to continue restarting.
      Security updates to Windows App Platform and Frameworks, Windows Storage and Filesystems, Microsoft Scripting Engine, Windows Input and Composition, Windows Wireless Networking, Windows Cryptography, Windows Datacenter Networking, Windows Virtualization, Windows Storage and Filesystems, the Microsoft JET Database Engine, Windows Linux, Windows Kernel, Windows Server, Windows MSXML, Internet Explorer, and Microsoft Edge.

      my bolding never thought I’d see the day TBH

      ********** Win7 x64/x86 | Win8.1 x64 | Linux Hybrids x64 **********

      • This reply was modified 6 days, 7 hours ago by  Microfix.
      • This reply was modified 6 days, 7 hours ago by  Microfix.
    • #1907371 Reply

      anonymous

      Possible new issue with August 2019 Updates on Win 7 Ultimate 32 bit.

      Downloads & installs both the 2019-08 Secutity Monthly Quality Rollup… and 2019-08 Security Update for Windows 7… patches.

      Reboots and starts to configure changes….  Then I get the following error:

      “Failure Configuring Windows Updates, Reverting to” …blah blah blah

      Reboots and reverts to previous patches.  First time I ever got this error while updating.

      Just to let y’all know…

      • #1907374 Reply

        PKCano
        Da Boss

        Were there any error codes?
        Did any of the patches install?
        Have you installed KB4490628 (Servicing Stack) and KB4474419 (Sha-2 update)?
        Are you running Semantec/Norton EndPoint Protection?

        • #1907382 Reply

          anonymous

          Yo Boss,

          Already had KB4490628 & KB4474419 patches before August 2019 updating.  As I said, both August 2019 patches (KB3212646 & KB4012215) were downloaded & installed…BUT it fails when it reboots and tries to CONFIGURE them on the “Don’t turn off power” screen.

           

          So there you have it….  BTW don’t have any Symantec s/w.

          • #1907402 Reply

            PKCano
            Da Boss

            Already had KB4490628 & KB4474419 patches before August 2019 updating. As I said, both August 2019 patches (KB3212646 & KB4012215) were downloaded & installed

            KB3212646 is January 2017 Rollup
            KB4012215 is March 2017 Rollup
            These are not August 2019 patches. Are you trying to install these?

      • #1907393 Reply

        GoneToPlaid
        AskWoody Plus

        You have to install either one or the other. The Security Only is for Group B users. The Monthly Rollup contains everything in the Security Only, plus updates for IE.

        • #1907394 Reply

          PKCano
          Da Boss

          It also includes the non-Security fixes not contained in either the Security-only Update of the IE11 Cumulative Update.

          1 user thanked author for this post.
    • #1907381 Reply

      anonymous

      Its looks like Flash Player died in the Windows 1903 version for the M$. Still in version 32.0.0.207. Already in version 32.0.0.238 for Firefox and Chrome.

       

    • #1907559 Reply

      warrenrumak
      AskWoody Plus

      It’s a small thing, but it’s worth mentioning that the availability of .NET Framework 4.8 to versions of Windows prior to 1903 is going to be throttled over the coming weeks and months.  Doing a “Check for Updates” will bypass the throttling, but otherwise it’s not going to show up right away for many people.

      .NET 4.8 is already included with Windows 10 1903 so none of this applies there.

      Details:  https://devblogs.microsoft.com/dotnet/net-framework-4-8-is-available-on-windows-update-wsus-and-mu-catalog/

      BTW, the main reason to install .NET 4.8 is that it improves startup time on a lot of .NET applications, in some cases by more than 20%.

      4 users thanked author for this post.
    • #1907565 Reply

      Microfix
      Da Boss

      Windows 8.1 Pro x64 on HP Laptop
      Installed SMQR KB4512488 via WU
      System rebooted, allowed 10-15 mins to cease SSD activity.

      Scrutinised the following for any changes prior to re-connecting online:

      Event Viewer
      Task Scheduler
      Performance Monitor/ Data Collector Sets/ Event Trace Sessions
      Performance Monitor/ Data Collector Sets/ Startup Event Trace Sessions
      GP settings

      Results = no changes

      EvViewer

      Configuration Notes:
      Diagtrack removed early 2018 and hasn’t returned.
      MRT disabled from downloading.
      uPNP disabled
      Windows Defender Antivirus Security Intelligence Update 1.299.1918.0

      SFC /verifyonly displayed:

      SFC

      WU review of update history

      WUpatch

      So far so good on win8.1 🙂

      EDIT: Also updated a Haswell Desktop and Ivybridge Laptop again no issues with either. device.

      ********** Win7 x64/x86 | Win8.1 x64 | Linux Hybrids x64 **********

      Attachments:
      2 users thanked author for this post.
    • #1907607 Reply

      GoneToPlaid
      AskWoody Plus

      Windows 7 Group B computers. I am now fully patched through August. Note that there is a bug in the Windows Update manual installer. Once updates are installed and if you click the Restart button in the Windows Update window, your computer might hang when shutting down and while trying to close the Windows Update program. I first noticed this bug starting last month, and the results are bogus errors being recorded in Event Viewer. The errors state that the Windows Update(s) were not successfully installed, when in fact they were.

      So until MS gets this bug fixed…

      If you want to reboot after installing one or more Windows 7 updates, click Cancel when you are asked to reboot your computer. Doing so causes the Windows Update manual installer to close. Then reboot your computer by going to Start and then Restart. You might want to use this procedure for the time being, even when installing updates via Windows Update.

      2 users thanked author for this post.
    • #1907640 Reply

      E Pericoloso Sporgersi
      AskWoody Plus

      JAP (*)

      Remember me, the vanilla computer guy?
      On my request Microsoft installed the August update for 1903 on Wednesday 14 August @ 01:30 UTC+2.

      Again I found no issue, not a single one. 

      How very boring!

      * Just Another Patch.

      • #1910727 Reply

        kiwisolutionz
        AskWoody Lounger

        Exactly the same for one of my 3 LAPTOPS – W10 Pro_build: 18362_19h1_Release:190318.1202. My only error with the 1st 1903 update was that I forgot to disable Winaero for WUpdate, so it crashed on reboot because of my faux pas! So I disabled-repeated install to succeed, I must say folks; this is a stable build from the 1st days of W10’s arrival; what a nightmare that was. this version is just humming along without issues (touch Woody) thank you for all your work team, never thought i’d upgrade from W7 Ultimate 64bit. I have one more laptop to upgrade (my bizzo one), so until I save all my data near EOL – then finally move over to W10. If things turn to custard later…guess it’s gunna be Linux (!)

        If there is magic on this earth ... it's in the water.

    • #1907723 Reply

      anonymous

      Windows 7 Home Premium x64, Avast AV

      First installed:

      – KB890830
      – KB4512506
      – KB4474419

      System rebooted twice.

      Then I installed KB4503548 and after that reboot I got the NET Language Pack offered, so I installed that one as well.

      No problems and no telemetry re-enabled.

      1 user thanked author for this post.
    • #1907725 Reply

      anonymous

      Windows 1903 (Home), Avast AV

      Installed KB890830 and KB4512508. Updates went smoothly.

      System File Checker did find some corrupted files after this update, but repaired them as well.

    • #1907741 Reply

      anonymous

      W7 64 Home Premium / W7 32 Starter. All installed. OK !

    • #1907745 Reply

      Seff
      AskWoody Plus

      According to Microsoft’s description, the current revision for KB4474419 includes “Further hardening of infrastructure files that are used by the Windows Update and Microsoft Update client”.

      Is it just me being cynical, or does that wording sound suspiciously like another move towards “encouraging” Windows 7 users to upgrade to Windows 10?

      Has anyone been able to establish what “further hardening of infrastructure files” actually means?

      • #1907756 Reply

        abbodi86
        AskWoody_MVP

        How’s that is an upgrade move? it’s actually a discouraging move (i.e. we are securing Windows Update)

        by the way, the v2 release for x64 and x86 does not have any new files or changed ones, only the digital signature security categories are updated

        4 users thanked author for this post.
        • #1907834 Reply

          Seff
          AskWoody Plus

          Thanks, just my natural cynicism wherever Microsoft is concerned then!

    • #1907773 Reply

      anonymous

      WARNING!!!

      looks like updates KB4512486 AND KB4512506 kills Windows 7 with nvme SSD drives. two out of ~100 pc’s won’t boot with these updates installed, and only these two has nvme SSD as boot drives.

      tried to remove both and install separately – it’s enough one of these patches to kill Windows 7 machine.

      2 users thanked author for this post.
      • #1907826 Reply

        woody
        Da Boss

        Did you install the Monthly Rollup (KB 4512506) using Windows Update, or did you install it manually?

        Can anyone else reproduce? I don’t see any confirmation online. Yet.

        My Seven Semper Fi machine has spinning platters…..

        • #1908433 Reply

          slkj00
          AskWoody Plus

          Looks like others are having problems with Win7 not booting after the update:

          https://community.spiceworks.com/topic/2226822-patch-tuesday-august-2019-breaking-computers-auto-repair-loop

           

        • #1910738 Reply

          kiwisolutionz
          AskWoody Lounger

          KB4512506 is not installed on my Crucial 250 SSD Drive,W7 Ultimate 64bit laptop (F-Secure AntiVirus) but: I found I have KB4474419 (The fix for kb4512506) installed; I cannot recall how this is so other than to say I may have spotted the advice on here earlier and just rolled with it at the time? The system is fine with no glitches that are noticeable at this point. hope this helps team, cheers all ; >)

          If there is magic on this earth ... it's in the water.

          • #1910740 Reply

            PKCano
            Da Boss

            KB4474419 is the the patch for SHA-2 hashing. There have been two versions, the first v.1 was released 3/11 , and v.2 released on 8/12. SHA-2 has become mandatory for Windows Update beginning in August 2019. Win7 also requires Servicing Stack KB4490628.

            The fix for KB4512506, which broke VB6, VBA and VBScript, is KB4517297, which was issued for Catalog download on 8/16.

      • #1911415 Reply

        anonymous

        I have one machine too that got BSOD 0x0000007B INACCESSIBLE_BOOT_DEVICE after installing KB4512506, it uses a Samsung 960 EVO NVMe SSD.

        I tried to use the latest Samsung NVMe driver instead of the Microsoft one bundled in KB2990941 but it did not help.

        The fix described in KB2839011 for uninstalling a patch from the WinPE environment did work fine, as did restoring a previous recovery point.

        What is strange is I have another workstation with a Samsung SM961 NVMe SSD that I held off to update until today when I could do a full backup but it went through without any issues!

    • #1907802 Reply

      Tex265
      AskWoody Plus

      From Norton Community Forum:

      Re: Is it safe to install August 2019 Windows 7 update??
      Posted: 13-Aug-2019 | 3:56PM • Edited: 13-Aug-2019 | 3:59PM • Permalink

      I’m running Norton Security v. 22.18.0.213 on Win 7 SP-1 Pro x64.

      Windows Update informed me that KB4474419 was available. I installed it, and my computer works fine.

      This update, however, is not the problem. The problem is apparently with KB4512506 — Monthly Rollup and KB4512486 — Security-only update. Even after installing KB4474419, MS Updates didn’t offer me either or the problematic ones.

      The Symantic Enterprise KB article only indicates that the problem is with Enterprise Endpoint Solutions; it doesn’t mention any of the Norton products at all.

      The answers provided to this Forum Thread are not at all clear except for this: “Defer the update until Norton has an official statement AND it clearly states a patch is available BEFORE attempting to install those updates at a later time.

      This should be in big red letters at the at the head of this Forum. I’m sure lots of Norton users around the world are wondering what’s going on with the August MS updates.

      I’m wondering out loud how Norton intends to distribute its official statement and clearly state that a patch is available to address this specific issue.

      And

      As outlined in 2019 SHA-2 Code Signing Support requirement for Windows and WSUS, Microsoft will release an update to Windows 7 SP1 on August 13th, where the Microsoft Windows Updates are now SHA-2 signed instead of SHA-1 signed.

      We have identified the potential for a negative interaction between Norton and the changes explained within the Microsoft KB. Symantec and Microsoft worked together to only allow the update to be visible to versions of Norton that offer full support for Windows 7 Updates that are solely SHA-2 signed.

      We will release a Norton patch in the coming days to support the installation of updates that are only SHA-2 signed.

      We don’t expect much impact. We can recommend that the customers click on ‘Always Allow’ when there is an alert, thereby allowing the Microsoft applications to function seamlessly.

      We will be posting about this issue on the public forums, if we see large impact.
      We already have an Enterprise KB article for this issue.

      Norton Forums Global Community Administrator | Symantec Corporation

      EDIT to remove HTML. Please use the “Text” tab in the entry box when you copy/paste.

      Windows 10 Pro x64 v1803 and Windows 7 Pro SP1 x64
      1 user thanked author for this post.
      • #1910746 Reply

        kiwisolutionz
        AskWoody Lounger

        KB4474419 is already installed on my laptop yet here it is in another package being offered to me again? Logic says to run with them both “whenever we get to Defcon 4 +”… System is stable with no glitches or conflicts to date.

        If there is magic on this earth ... it's in the water.

    • #1907878 Reply

      carpintero
      AskWoody Lounger

      CTF vulnerability (CVE-2019-1162) is scary.
      What is vulnerable?  Oh, just everything that contains text.
      http://www.zdnet.com/article/vulnerability-in-microsoft-ctf-protocol-goes-back-to-windows-xp/

      2 users thanked author for this post.
    • #1907915 Reply

      WildBill
      AskWoody Plus

      This isn’t “fake news” (quite), since the CVE-2019-1181 & CVE-2019-1182 vulnerabilities have been documented. Yet I haven’t see such an over-the-top media reaction since before Y2K. From CNN: https://www.cnn.com/2019/08/14/tech/windows-10-microsoft-security-update-trnd/index.html

      Notice the headline: Microsoft urges Windows 10 users to update immediately

      As Simon Pope said in the M$ blog post, there are a lot more Windows OS’s affected than just Win10. CNN states in the 1st paragraph: ‘Microsoft is warning Windows 10 users to update their operating system immediately because of two “critical” vulnerabilities.’ Again, it’s not just Win10. Here’s a CNN quote that is definitely #FakeNews:

      ‘There are “potentially hundreds of millions of vulnerable computers,” Simon Pope, Microsoft’s director of Incident Response, wrote in a blog post Tuesday.’ Search the blog post & you will NOT find the words “potentially hundreds of millions” blah, blah, etc. Sounds like one of CNN’s political reporters is moonlighting in the Business section… or it’s someone reminiscing about the Y2K panic. This final quote is not quite true:

      “Other operating systems, such as Windows XP, are not affected.” WinXP isn’t, but see above, as well as the blog post. Could M$ have paid someone at CNN to start a panic among Win10 users & click “Check for updates”? Or was the Business reporter just bored?!

      Windows 8.1, 64-bit, now in Group B!
      Wild Bill Rides Again...

      1 user thanked author for this post.
      • #1907946 Reply

        Susan Bradley
        AskWoody MVP

        Gordon on Forbes is notoriously over the top.  As you say there is a kernel of truth and then the rest is OMG the sky is falling the sky is falling!!!!!

        Just like before you have to have RDP open and listening and most of us

        1. do not have it turned on or
        2.  do not have it open directly to the web

        Susan Bradley Patch Lady

        4 users thanked author for this post.
      • #1908458 Reply

        Alex5723
        AskWoody Plus

        someone reminiscing about the Y2K panic

        What Y2K panic ? I worked for 2 months, many times for 36 hours with no sleep, updating banking software for Y2K, which was a real threat to our banking systems and clients.
        Y2K was real.

        • This reply was modified 4 days, 7 hours ago by  Alex5723.
        1 user thanked author for this post.
        • #1908524 Reply

          WildBill
          AskWoody Plus

          It was… for those started with less than a year to go. For those who took care of business in 1998 or earlier, the rest were panicking. BTW, I was with a company who verified software to make sure they were Y2K compliant with less than 60 days to go.

          Windows 8.1, 64-bit, now in Group B!
          Wild Bill Rides Again...

    • #1907922 Reply

      rockandroller
      AskWoody Lounger

      Well, I got burned – my 2008R2 primary domain controller would not boot after the updates yesterday.  The other two 2008R2 servers here were not harmed by the updates. Our BDC is actually running 2008 standard, and it survived the updates unscathed (Well at least, it was able to boot afterwards…)

      Shout-out to Veaam for saving my bacon once again ( rolled the PDC back to Sunday’s image)… now have to figure out ‘which patch was the killer..”

      1 user thanked author for this post.
      • #1907926 Reply

        PKCano
        Da Boss

        Can you give us some specs on the 2008R2 that had problems and which updates you “tried” to install? What’s different than the other 2008R2 server?

        2 users thanked author for this post.
        • #1907948 Reply

          rockandroller
          AskWoody Lounger

          The “crash-and-burn’ auto update was installing these three…

          the MS ‘security intelligence’ ( AV definitions)

          the 4512506 quality rollup

          the 4474419 security patch

          ( in that order)

          After restoring from image backup, I tried installing the AV defs – they went in fine. Then I tried installing just 4474419 BY ITSELF. And that has rebooted OK!!

          Right now I am downloading the 4512506, with crossed fingers…

          The server in question is a bone-stock 2008 R2 Standard, fully updated with all non-optional updates (to date!) just running DNS and DC role, and nothing else. We have a gateway appliance that provides DHCP…

           

          PS: differences from our other 2008 R2 servers :

          its a physical machine ( the others are Hyper-V VMs) – and it’s running the DC role ( the others are file server and DB servers, respectively… )

           

          2 users thanked author for this post.
          • #1907958 Reply

            NetDef
            AskWoody_MVP

            Any chance that domain controller (the one that would not boot after KB4512506) was running Symantec AV?

            I upgraded two SBS 2011 machines last night, both are in VM containers on a 2012 R2 Core host. Both took the August 2019 updates fine with no problems and no loss on their RDP Gateway service. Two separate companies/clients.

            (Note, SBS 2011 runs Server 2008 R2 as their kernal.)

            ~ Group "Weekend" ~

      • #1907964 Reply

        rockandroller
        AskWoody Lounger

        No symantec anything on our 2008R2 DC . Furthermore…

        Just confirmed : KB4512506 IS THE KILLAH! Fails the reboot, after applying that patch.

        This after the KB4474419 was successfully applied, and successfully rebooted.

        Interestingly (or not) as it was “applying”, it got to 30% and then appeared to abruptly jump to the reboot stage (and subsequently failed).

        ROLLING BACK to the previous backup… disabling the updates till they get this fixed

        6 users thanked author for this post.
        • #1908099 Reply

          GoneToPlaid
          AskWoody Plus

          Yet was anything Symantec ever installed? I ask because some low level drivers might have been left behind when uninstalling any free trials which came with the computer. Long story, yet I believe that some AV manufacturers deliberately leave low level drivers behind in order to mess with the proper functionality of subsequently installed competing AV products. To get rid of any such remaining low level drivers, one has run download and run the AV manufacturer’s full removal tool.

          1 user thanked author for this post.
      • #1907972 Reply

        anonymous

        I had an issue with a couple of 2008R2 Vm’s today failing when trying to install KB4512506, other patches installed fine.

        Bit more digging and I noticed on the problem VM’s that KB4490628 (March Servicing stack update) was not installed on them. Installed that and tried installing KB4512506 again, installed fine, rebooted with no issues.

        Don’t know if the above might help?

        1 user thanked author for this post.
        • #1908069 Reply

          rockandroller
          AskWoody Lounger

          I just checked my problem child server ( hoping that KB4490628 might be a fix) but it turns out that it already has KB4490628 installed… So back to square zero on this 🙁

    • #1907985 Reply

      Geo
      AskWoody Plus

      Group A,  Win7X64,  home premium,  Microsoft security essentials,  AMD.  Don’t need the .net so hide it.  Installed with no problems, no slow down.

      2 users thanked author for this post.
      • #1908356 Reply

        anonymous

        Hello Geo, while I totally agree that not installing a .NET is a good idea, especially if you do NOT use any .Net for programs, I would ask you to investigate the Security Only (SO) .NETs offered.

        Windows 7 comes with .NET 3.5.1. Whenever there is a SO for that offered it may be good to install it. It is up to you.

        Again I say, if you do not need the higher numbered .NETs, then refuse them – unless you need them for a program you are using.

        • #1908365 Reply

          Geo
          AskWoody Plus

          I only use my computer for print,internet and email.  Modem only  Should switch to a Chromebook but am use to a desktop with windows.

    • #1907987 Reply

      ek
      AskWoody Lounger

      CTF vulnerability (CVE-2019-1162) is scary.
      What is vulnerable?  Oh, just everything that contains text.
      http://www.zdnet.com/article/vulnerability-in-microsoft-ctf-protocol-goes-back-to-windows-xp/

      Yes, catastrophically bad and profoundly dangerous.

      I read Ormandy’s (project zero) blog post ( https://googleprojectzero.blogspot.com/2019/08/down-rabbit-hole.html ). I consider it priority reading for anyone concerned about Windows security.  Advance warning: expect a lot of face-palming and hand-wringing while you read it.

      The vulnerability is so bad – and seemingly so hopelessly entrenched throughout Windows – I don’t see how MS can ever truly fix it completely.  Especially with their current ‘dev teams.  It’s present in all versions of Windows from XP to Win 10.  So it’s been there for 20 years and just now discovered.  Ug!

      • #1908044 Reply

        anonymous

        ? says:

        thank you, ek

        did you see in the video’s and in the code how quickly and easily windows can be compromised? i have always disabled cftmon.exe from XP on up, so do you think that would slow down the cracking procedure?

        • #1908157 Reply

          ek
          AskWoody Lounger

          ? says:

          thank you, ek

          did you see in the video’s and in the code how quickly and easily windows can be compromised? i have always disabled cftmon.exe from XP on up, so do you think that would slow down the cracking procedure?

          Yes, I watched the video and shook my head in dismay.  MS ignored re-designing CTF to make it secure for 20 years.  I’m pretty sure at least some of their internals/kernel team knew about the mess.  I’m speculating that big changes to CTF internals would be messy and likely break a lot of stuff, so they punted.

          I don’t think disabling ctfmon will help.  Anyone can craft their own executable that leverages the CTF “API”.  This is one of those vulnerabilities that’s yet another great “tool” for malware and phishing.

          • #1908188 Reply

            anonymous

            ? says:

            thank you ek for the explanation! so this “new,” Window’s vulnerability can be described as just another one of many “potential” attack avenues not (currently) being exploited? and the real and present danger is using Window’s updates or Windows at all?

            1 user thanked author for this post.
    • #1907989 Reply

      anonymous

      Hi everyone,

      Thanks for all the great feedback and advice over time. A priceless resource!!

      I usually wait to install monthly security updates (and usually under Group B), but given the reported critical issues with the August update and recent issues I’ve had with security-only updates, I went ahead with the full roll-up.

      As others mentioned, there seemed to be an issue with the installation and configuration. In contrast to what I usually do when an install “gets stuck” (shut down, reboot, uninstall, and try re-installing), I let this one go ahead without my intervention. After three automatic reboots (which made be nervous, for sure!) and configurations (the first two were stuck at 15% and 30% completed), the update and configuration finally went through smoothly.

      It’s probably not how this update is supposed to run, but I thought I’d toss out my experience.

      I also installed KB4474419 (which looks like a retread from March(?)) that consistently previously failed to install, and the .NET Framework update  (KB4507240) before attempting the monthly (August) security update.

      My system is Windows 7, 64-bit. Just a regular person 🙂

      I will add to others’ frustration in having to go through this muckity-muck every month (and often more frequently) with MS–argh!!

      Emily

      1 user thanked author for this post.
    • #1908051 Reply

      EP
      AskWoody_MVP

      hi woody.

      check out these recent blogs from Born’s Tech & Windows World site:

      https://borncity.com/win/2019/08/14/symantec-norton-blocks-windows-updates-sha-2/

      noted about the problems with the Aug. 2019 Win7 updates and Symantec/Norton

      https://borncity.com/win/2019/08/14/windows-updates-kb4512506-kb4512486-drops-error-0x80092004/

      yup. either KB4512506 or KB4512486 fails to install or complete because the KB4490628 update was missing or not installed. really best for Win7 users to sit back and wait, which is what I’m currently doing; I won’t patch any of the few Win7 machines I have until things get sorted out for several days (but I have already installed both KB4474419 and KB4490628 updates way back in March 2019)

      • This reply was modified 5 days, 3 hours ago by  EP.
      2 users thanked author for this post.
      • #1908055 Reply

        geekdom
        AskWoody Plus

        The updates really aren’t playing nice this time.

        Just wait to patch.

        Group G{ot backup} Win7Pro · x64 · SP1 · i3-3220 · TestBeta · Microsoft Security Essentials
        • This reply was modified 5 days, 3 hours ago by  geekdom.
        2 users thanked author for this post.
    • #1908098 Reply

      tbsky
      AskWoody Lounger

      KB4474419

      now my wsus server has two KB4474419 updates. one from March (already approved and installed fine on testing environment). one from August. normally with same KB, the two updates should have revisions, and the latter revision will obsolete previous revision. but KB4474419 is special.

      I don’t know how to deal with it. should I approve both March and August KB4474419? or I can just approved the August, abandon the March?

      • #1908229 Reply

        PKCano
        Da Boss

        You should approve both.
        The August KB4474419 v2 has changes from the March version.
        But the MS pages for the August version say it does not replace the March version:

        Update replacement information

        This update doesn’t replace a previously released update.

        5 users thanked author for this post.
    • #1908147 Reply

      WSMRCS
      AskWoody Lounger

      KB4512506 won’t install on Win7 x64

      Apparently I am not the only one having this problem:
      https://www.dslreports.com/forum/r32478603-Microsoft-August-2019-Security-Updates

      While it clearly says on the KB4512506 page that KB4474419 is a prerequisite, it’s also clear from the Update History that it tried to install KB4512506 first. Standalone installer wouldn’t work. Uninstalling and reinstalling KB4474419 didn’t help, either

      • #1908228 Reply

        PKCano
        Da Boss

        Do you have the latest Servicing Stack KB4490628 installed?
        If not, that may be the problem.

    • #1908358 Reply

      rockandroller
      AskWoody Lounger

      In my case, the March 2019 servicing stack was already installed 🙁

      This has been a real anomaly… I fell into the trap of complacency (always installing the ‘security patches’) since Windows updates have been mostly harmless for the last year or so. And I have only wasted all this time troubleshooting because the patch is marked “security” and these was all this hype about this latest critical vulnerability.

      NINE HOURS of after-hours overtime wasted researching this issue and trying all the various patch application permutations, and I have restored our domain controller from its backup about five times now.  To add insult to injury, the rather blasé word from ‘Microsoft Contingent Staff’ is that that so-called “security patch” can just be ignored until NEXT MONTH ( see https://social.technet.microsoft.com/Forums/windowsserver/en-US/c3feaf46-f5e5-4e78-a1b8-888eada3d6d6/patch-tuesday-08132019-windows-update-killed-our-2008r2-pdc-will-not-boot?forum=winservergen )

      3 users thanked author for this post.
    • #1908403 Reply

      PKCano
      Da Boss

      I have installed August updates on these test machines:
      + 3 Win7 (one is 32-bit) KB4512596 SQMR, KB4474419 v2 SHA-2, and MSRT. (all had KB4474419 v1 SHA-2 and KB4490628 SSU previously installed)
      + 4 Win8.1 (one is 32-bit) KB4512488 SQMR and MSRT.

      I have used Windows Update on all, installing all patches at once. Have had no problems with any of them.

      Notice: I am not installing KB4503548, the .NET 4.8 installer on any of my Win7/Win8.1 computers.

       

      4 users thanked author for this post.
      • #1908421 Reply

        AJNorth
        AskWoody Plus

        Hello PKC,

        What is your rationale for not installing KB4503548?

        Cheers,

        AJN

        • #1908424 Reply

          PKCano
          Da Boss

          In the past (history speaks on the side of caution) the initial release of a .NET version on Win7 (in particular) and Win8.1 has been problematic. Reference the initial version of .NET 4.7 on Win7 as an example. So, just like DEFCON says, I wait. That is the main reason.
          Better safe than Microsofed.

          And, I don’t really have any need for it since I am not running programs that use/need .NET 4.8

          4 users thanked author for this post.
          • #1908428 Reply

            abbodi86
            AskWoody_MVP

            The newly published .NET 4.8 packages are actually refreshed with latest fixes (including security fixes from July)

            for Win7, it’s handled via separate bundled patch KB4503575
            for other systems, the MSU/CAB packages themselves are updated

            • This reply was modified 4 days, 8 hours ago by  abbodi86.
            1 user thanked author for this post.
        • #1908425 Reply

          Microfix
          Da Boss

          I always let installers call for .Net updates if required,
          otherwise I just ignore them as a rule of thumb via WU or the catalog.

          ********** Win7 x64/x86 | Win8.1 x64 | Linux Hybrids x64 **********

          1 user thanked author for this post.
    • #1908430 Reply

      ek
      AskWoody Lounger

      ? says:

      thank you ek for the explanation! so this “new,” Window’s vulnerability can be described as just another one of many “potential” attack avenues not (currently) being exploited? and the real and present danger is using Window’s updates or Windows at all?

      Short answer to your 1st sentence: yes.  But this vulnerability is very different than the processor side channel vulnerabilities like Spectre – which are (generally) computationally expensive to leverage (ie: complex and relatively slow).  CTF is easy & fast to exploit to gain admin privs.

      On your 2nd sentence:  Well, if I made a statement like that I would be half serious.

      I’ve been using Linux the majority of the time for years now.

      I still run Windows 7 on some systems, but in doing so I follow these practices:

      • MS updates are now often as risky as malware.  So, I recently stopped patching.  Prior to that, I always kept the systems up to date.
      • The systems are behind a secure router with inbound/outbound rules set.
      • I periodically inspect system activity (process, disk, network, etc.).
      • I use a commercial Antivirus app and also do manual Defender scans.
      • I use a local DNS server/filter and DNS services (like Quad9 and OpenDNS) to block risky/unwanted hosts/domains.
      • The Windows systems never access the internet and especially: I avoid running a web browser of any sort on them.  But if I absolutely have to, I use Firefox with a number of security/privacy addons (eg: noscript, privacy badger, UBlock, containers, etc.).
      • I never store any sort of important documents on a Windows system anymore.
      • The systems are never “always on”.  I boot them when I need to use Windows and shut them down when done.
      • Software/application wise: the systems are “frozen”.  I don’t & won’t install any new Windows software (other than, maaaaybe, updates).
      • I disable a number of unneeded Windows services and block telemetry.

      So, yes, that’s a lot compromises & hoops to jump through just so I can (occasionally) use a a handful of Windows based apps I’m reluctant to abandon.  Not sure how much longer I’ll be willing to put up with it.

      4 users thanked author for this post.
      • #1908440 Reply

        anonymous

        ? says:

        again, many thanks ek for taking the time to reply and even more thanks for Woody, PKCano, abbodi86, and all the rest of the crew here for allowing me to vent my windows frustrations here and burn up precious airtime. all i really wanted to do is to finish out my windows 7 days in peace and then spin down quietly in January, but i know all to well that “you can’t always get what you want…”

        1 user thanked author for this post.
    • #1908437 Reply

      VVet69
      AskWoody Plus

      Also included in the August patches, specifically KB4512508, is a fix to a monstrous 20 year old security hole in Windows.  There is a very good write up with a link to the research that uncovered the hole here:  https://arstechnica.com/information-technology/2019/08/a-look-at-the-windows-10-exploit-google-zero-disclosed-this-week/

    • #1908802 Reply

      tbsky
      AskWoody Lounger

      approved both March and August kb4474419. and do some testing:

      1. client with March installed will install August just fine.

      2. client without kb4474419 will be offered both and install both.

      3. client with August installed can not install March and will not be offered March after reboot.

      test both wsus and windows update online,  the results are the same.

      so it seems March kb4474419 should be abandoned. the relationship between March and August seems like revisions, like many telemetry hotfixes.  but I don’t know why they co-exist.

       

       

       

      • #1908804 Reply

        PKCano
        Da Boss

        They are able to coexist. The MA pages for the August says it does not replace any other update. See @abbodi86 ‘s post here.

        1 user thanked author for this post.
      • #1908816 Reply

        GoneToPlaid
        AskWoody Plus

        Thank you for performing this testing. Technically, the August V2 KB4474419 does supersede the March V1 KB4474419. I take it that after you installed the August V2, the attempt to install the March V1 resulted in a message that “This update is not applicable for your computer”? If so, that message clearly indicates that the V2 update has superseded the V1 update. This would not be the first time that Microsoft forgot to mention that a given update supersedes a previous update.

        Supposedly the only change in the V2 update was to add a missing file to support Itanium processors. Without that file, computers with Itanium processors would black screen on bootup.

    • #1910150 Reply

      tbsky
      AskWoody Lounger

      Microsoft had many mistakes in wsus superseded relationships. many times I found wrong superseded patches. these kind of errors can be found easily when you compare the client scan result from wsus and on line update.

      I didn’t try to find patches which should be superseded but not. they are hard to find. KB4474419 is very important or I think I won’t notice the duplicate.

      but normally windows on line update is correct when wsus is wrong. the KB4474419 duplicate both at wsus and windows on line update. it is very strange to me.

       

       

       

      • This reply was modified 2 days, 14 hours ago by  tbsky.
    • #1910244 Reply

      tbsky
      AskWoody Lounger

      kb4486153 (dotnet 4.8) is  another strange thing.

      we have windows 10 1809 LTSC. but kb4486153 for windows 1809 didn’t fit with LTSC. other hotfix for windows 1809 also fit 1809 LTSC, but not this one.

      check  https://www.catalog.update.microsoft.com/Search.aspx?q=kb4486153

      I found Win10 1809 LTSC x64 share the same file with windows 2019. and there are another hotfix for 32bit 1809 LTSC.

      so we have many kb4486153 for 1809:

      for 2019 and 64bit 1809 ltsc (not in wsus)

      for 32bit 1809 ltsc (not in wsus)

      for normal 1809 64bit (in wsus)

      for normal 1809 32bit (in wsus)

      dot4.8 for win7/2008R2 just has 32bit/64bit version and share the same language pack.

      I don’t understand what microsoft is doing with win10.

    • #1910747 Reply

      geekdom
      AskWoody Plus

      August 17, 2019—KB4512514 (Preview of Monthly Rollup)
      https://support.microsoft.com/en-us/help/4512514/windows-7-update-kb4512514

      The above preview just showed in the Windows Update queue as an optional update.

      Group G{ot backup} Win7Pro · x64 · SP1 · i3-3220 · TestBeta · Microsoft Security Essentials
      • This reply was modified 2 days, 4 hours ago by  geekdom.
      2 users thanked author for this post.
    • #1911184 Reply

      anonymous

      Have several 64-bit Win 7 Pro machines that history shows successful installation of KB4512506 followed by KB4474419

      Have at least 1 64-bit Win 7 Pro machine that was on automatic update, applying the 2 patches + KB890830, and upon reboot, not possible to boot -> Error 0xc000225 Black screen – unable to boot anything off hard drive (SATA SSD). Pulled the drive & ran chkdsk – everything OK. Unable to boot to HP recovery partition either.

      Boots to HP recovery from USB, but unable to repair startup.

      I had made a pure Microsoft Recovery CD -> bootable USB using Backup/Create System Restore Disk, and with this, I was able to UEFI boot the USB, and run startup repair successfully.  Machine booted normally. Applied KB4474419/ reboot successfully. Then tried KB4512506, and again neutered the machine/ same Error 0xc0000225. But, again able to recover with pure MS Startup Repair (not the one in HP’s recovery image).

      Seeing other reports of this from various sites

      Windows Boot Manager
      
      Windows failed to start. A recent hardware or software change might be the
      cause. To fix the problem:
      
      1. Insert your Windows installation disc and restart your computer.
      2. Choose your language settings, and then click "Next".
      3. Click "Repair your computer".
      
      If you do not have this disc, contact your system administrator or computer 
      manufacturer for assistance.
      
      Status: 0xc0000225
      
      Info: The boot selection failed because a required device is inaccessible.
      =======
      Startup Repair - 
      Name: System boot log diagnosis
      Result: Completed successfully. Error code = 0x0
      Boot manager generic failure 0xc0000225
      Root cause found:
      Boot manager failed to find OS loader.
      
      Repair action: File repair
      Result: Failed. Error code = 0xa
      
      Repair action: Boot configuration data store repair
      Result: Failed. Error code = 0x490
      
      Repair action: System Restore
      Result: Completed successfully. Error code = 0x0
      
      
      
      
      2 users thanked author for this post.
      • #1911195 Reply

        OscarCP
        AskWoody Plus

        Anonymous: Do you know for sure, by now, which of the patches caused the problem? From your entry, it looks as it might have been KB4512506, the Monthly S&Q rollup. Anyone has heard of a problem with the Windows 7 Security Only patch?

      • #1911211 Reply

        anonymous

        On window 7 machines with black screen of death after  KB4512506 or the security only version of the patch I found removing all drives except c drive (operating system) drive and then booting up worked find. Then add the removed drives back and all should be ok if its what I ran into.

        For some reason its scrambling the drive letters (identifiers) of the drives. Booting up with just the single drive straightens it out.

        No clue why but it worked.

        Crowz

        3 users thanked author for this post.
    • #1911220 Reply

      Lawrence Patterson
      AskWoody Plus

      Morning all and after reading the commentary I certainly appreciate seeing your responses / questions.  And what a ha ha, after Woody mention at the beginning of August that it should be a quiet month.  As I say many times to my users, IT never sleeps.

      Myself, will not wait till the end of the month as usual, and plan to start 2012 / 2016 Server updates next weekend.  Though we’ll see what bugs come up between now and then before i finalize my decision.

      A metaphor I’m telling my users who happen to catch the media’s reporting the “sky is falling, apply August patches NOW”, is as follows:

      “Bluekeep and its siblings are like the boogie man, not sure if they exist now, so we’ll wait till Microsoft gets things figured out and then we’ll patch before Bluekeep turns into Godzilla.”.

      This is the PG version, I have a non-PG version for those that appreciate the spice.

      Take care,

      IT Manager Geek

      2 users thanked author for this post.
    • #1911341 Reply

      geekdom
      AskWoody Plus

      Could there be a summary of all errors or borks to date?

      Group G{ot backup} Win7Pro · x64 · SP1 · i3-3220 · TestBeta · Microsoft Security Essentials
      • #1911723 Reply

        woody
        Da Boss

        I’ll be working on that later this week, as another of my monthly “Patch Status” articles for Computerworld.

        Right now, everything’s in a state of flux. And then some.

        4 users thanked author for this post.
    • #1911479 Reply

      anonymous

      Win 7 Pro X64 machine with Black Screen of Death – re-tried the August security only update – can’t boot – then tried the suggestion above of removing all but C: drive (machine in question had 2 drives, both SATA SSDs) – did not help.

      Have another almost identical machine, except it has even more hard drives, including nvme, and SATA SSDs, where the Aug update worked – but this machine is multi-boot, first boot device being Linux, with a default to Windows 10 and Windows 10’s default is Windows 7…

    • #1911536 Reply

      abbodi86
      AskWoody_MVP

      The 2019 SHA-2 Code Signing Support requirement for Windows and WSUS article is updated with more info for Windows 7

      while it’s not listed as prerequisite, but the FAQ section now suggest to include update KB3133977 for new installations of Windows 7

      those who have failed installations for already running Windows 7 OS can try the suggestion, particulary the last one (i.e. install KB3133977, reboot, run bcdboot.exe)

      1 user thanked author for this post.
      • #1911549 Reply

        anonymous

        Knowing what we do now about KB3133977 and Win7, would it be easier to install 3133977 before installing ANY other updates for August if we didn’t install 3133977 when it was first offered back in 2017 and hid it instead?

        • #1911688 Reply

          abbodi86
          AskWoody_MVP

          Yes, KB3133977 should (had) be installed anyway

          all recommended non-security updates are useful and safe, except the telemetry ones

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: August 2019 Security patches: It’s a biiiiiiiiig month

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.

    Cancel