Four sets of .NET security patches in the past two weeks

Topic

New Reply

If you’ve been having problems with any of this month’s .NET security patches, you aren’t alone. I count four separate versions of the patches in less
[See the full post at: Four sets of .NET security patches in the past two weeks]

4 users thanked author for this post.

HiFlyer, Elly, Microfix

Reply | Quote

Replies

Today I’ve restored Windows 8.1 from a backup dated March 2017. Running Windows Update found a few Security and Quality .NET updates.

– How security worth are they, should I hide or install them?
(if things go wrong, I can restore it back)

– Another question that might be helpful to myself and also others when restoring from backup and want to keep themselves on group B: After manually downloading all the updates from the Knowledge Base (thanks Woody, PKCano and others!), I get a folder with a couple of dozen updates that I have to manually run, click Yes – wait – click Close, and then delete the file so it won’t get in the way creating confusion and hoping I don’t skip any update in the middle of all those files.

So the question is, Is there a command I can type in order for Windows to run all the update files, one by one? (and adding the no reboot and silent options, and even better, restarting Windows after the last update is installed)

Thanks!

Reply | Quote

I have my standard download folder. All downloads from my browser including the MS Update Catalog files go there. I have 3 sub-folders, WU, WU_installed, and Working. I move them all into the WU sub-folder. As I install them I move then one at a time into the Working sub-folder for insallation. After they are installed, I move each patch to the WU_installed subfolder. I use the working folder to avoid any error of selection and to prevent any expansion of the executable along side the pending updates. I do this with all executables as some install routines are sloppy and may not clean up adequately.

At the end of the month after all the Group B updates are installed the WU_Installed folder is renamed with the month and year i.e., 2018_07, etc. and moved to a second physical drive on the PC into the Windows Update Archive, that is also backed up routinely to a USB HDD. If, after the updating a newer version is released I put it in the folders, but do not overwrite the original.

For updating the Win7-64Pro_SP1 laptop, I just put the monthly updates on a thumbdrive and transfer them to a similar download folder, but upon completion delete them.

As I use WU for .NET roillups and MS Office 2010, these are not archived.

It may sound obsessive, but it works for me.

1 user thanked author for this post.

Elly

Reply | Quote

Bill you’re not being obsessive. I essentially do the same thing (Group B – Win 7 Pro/Ultimate).

For example, this month I have a folder named “20180710” containing the July updates. I’ve been creating monthly folders since Oct 2016. I also keep running documentation in a text file (patch info, which machines were updated when, etc.)

Like you, I also accept Office 2010 and NET updates from WU.

– Carl –

Reply | Quote

If you are having problems it because you are not listening to Woody.  He will tell you when you should apply the patches.  I know a lot of you It pros think you have to apply all the latest patches as soon as they come out.  But unless you have a special reason why should apply a patch you should try to wait.  I am a retired IT department manager and I learned a long time ago to never apply the latest changes to the OS until you have to or until the bugs have been worked out.

Reply | Quote

Why does this article not mention Windows 10?

Microsoft has recently confirmed that this month’s update rollout includes a botched patch that breaks down .NET Framework and apps, and Windows 10 devices are affected as well.
This means that if you install the most recent cumulative updates for Windows 10, you also get this issue, and Microsoft has updated the official KB pages to reflect this.
Basically, all July 16 cumulative updates are impacted, namely KB4345421 for Windows 10 April 2018 Update (version 1803), KB4345420 for Fall Creators Update (version 1709), and KB4345419 for Creators Update (version 1703).
Windows 10 Cumulative Update KB4345421 Includes Botched .NET Framework Patch

1 user thanked author for this post.

woody

Reply | Quote

It’s true, although 1803 apparently bypasses the problem.

1 user thanked author for this post.

Microfix

Reply | Quote

How?

Known issues in this update
Symptom
After you install any of the July 2018 .NET Framework Security Updates, a COM component fails to load because of “access denied,” “class not registered,” or “internal failure occurred for unknown reasons” errors. The most common failure signature is the following:
Exception type: System.UnauthorizedAccessException
Message: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
July 16, 2018—KB4345421 (OS Build 17134.167)
Applies to: Windows 10, version 1803

1 user thanked author for this post.

walker

Reply | Quote

@b:  I agree about stating which version of Windows the person who is posting is using.   It would be a great help if each person would state which version of Windows he/she is using.  It would save a lot of time for those who are trying to read all of them.   There are more and more for Widows 10  it seems.    Thank you for your reference.   🙂

Reply | Quote

Actually, this only hits those who can’t resist to hit the check-for-updates button. Otherwise, previews like KB4345421 are not installed automatically.

So… don’t touch the switch, don’t touch the button, don’t touch nuttin’.

Reply | Quote

Same applies to July 10, 2018—KB4338819 (OS Build 17134.165)

1 user thanked author for this post.

abbodi86

Reply | Quote

.NET patches used to be one of the few ones you could count on to not break anything. Windows, Office, and even the MSRT have caused issues in the past, but the .NET’s were generally safe. My, how times change…

1 user thanked author for this post.

kiwisolutionz

Reply | Quote

Maybe the NSA needs more back doors! All joking aside, I haven’t updated .net since last December or perhaps January. I do keep IE updated since IE is integrated into Windows itself.

Reply | Quote

GoneToPlaid:

“All joking aside, I haven’t updated .net since last December or perhaps January.”

If one did that for very long, wouldn’t one find that fewer and fewer of the third party applications one has can be run well, safely, or at all in one’s computer, as time goes by?

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

1 user thanked author for this post.

bassmanzam

Reply | Quote

Not according to Canadian Tech. See his post #188268.

1 user thanked author for this post.

Microfix

Reply | Quote

@The-Surfing-pensioner FTFY 🙂

#188268

Windows - commercial by definition and now function...

1 user thanked author for this post.

The Surfing Pensioner

Reply | Quote

Sorry, but I was asking about not updating .NET.

That posting by CanadianTech is about not installing non-security updates. CT is entitled to his opinions, and his advice is not divinely infallible. A given .NET update might might or might not be a security one, but it is definitely its own very special kettle of fish.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

If it ain’t broke, don’t fix it.

Reply | Quote

Slow patching (or no patching) may affect .NET applications, but more than likely, nothing else.
It’s safe to assume that the standard attack vector (browser) is patched for vulnerabilities, at least up to date, and possibly even more up to date than the underlying OS.

As long as your browser is up to date, the likelihood of a busted system underneath, IMHO, is very slim. (Assuming of course you’re a mindful clicker, and aren’t trying to open files you shouldn’t from unknown strangers.)

It is true that yes there are .NET programs out there that require a specific version, but most of them are 4.62 or older; the newest being 4.71. I think the jury’s still out somewhat whether 4.71 is stable or not – though I haven’t had any problems with it.

2 users thanked author for this post.

GoneToPlaid, OscarCP

Reply | Quote

zero2dash,

Agreed! A good multi layered security system and some common sense should keep you safe.
Router with strong password, UPNP turned off, strong Wi-Fi password.
Good AV, I use Windows Defender with Malwarebytes Premium, never a problem.
Modern browser with JavaScript disabled by extension (think FireFox and NoScript or Chrome and ScriptBlock). Not to mention AdBlocker and Cookie Control addons.
Latest BIOS/UEFI updates from your Mother Board manufacturer.
Last but not least System Images taken on a regular basis with a good third party application (Macrium Reflect is my choice) that have been tested to work along with boot media for such. It also helps to have them on more than one external device you know belt and suspenders. Personally I currently rotate 6 drives, with at least one out of the house (parinoid…maybe, remember just because you’re parinoid doesn’t mean someone isn’t out to get you…(think hackers).

May the Forces of good computing be with you!

RG

PowerShell & VBA Rule!
Computer Specs

2 users thanked author for this post.

GoneToPlaid, zero2dash

Reply | Quote

I agree. This is why I refused to upgrade to .NET 4.7.1. I have yet to encounter a program which supposedly requires .NET 4.6.x which doesn’t run fine under .NET 4.5.5, which the .NET version which I have on all of my Win7 computers. I also deliberately do not allow .NET to run its optimization tasks, in Task Scheduler for my installed programs which use .NET, because these optimization tasks occasionally have bugs. I would rather have my programs which use .NET to properly run a bit slower, instead of a flawed optimization causing the program to crash.

Reply | Quote

A .NET Framework update, KB3142023, royally messed up my Vista laptop in May 2016. I lost the Windows Aero theme as well as the wallpaper behind the sidebar (where the Windows gadgets show). And Windows Explorer took on a semi-Windows 2000 appearance. Can’t remember what other ill effects there were, but I ended up installing a Vista backup image because no solution that I found on the Web at the time ever worked.

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

Reply | Quote

That leaves us with a handful of .Net patches that have gone through at least four revisions — most of which are completely undocumented — in the past two weeks.

You’ll sound like having a severe stuttering problem, if you call it a re-re-re-release! 😀

Who’s testing this stuff?

You know it!

A fine opportunity to send a big “thank you!” to those nice, brave and friendly “front-line fighters” for testing and not least for reporting back to the rest of us. Very much appreciated and very, very helpful.

2 users thanked author for this post.

lanceboil, woody

Reply | Quote

You put your .Net patch in
You take your .Net patch out
You put your .Net patch in
And you shake it all about
You do the hokey pokey
And you turn yourself around
That’s what it’s all about

2 users thanked author for this post.

HiFlyer, GoneToPlaid

Reply | Quote

That was truly funny. Nice to have you here! Wise cracks like this one are nice to read while all of us deal with the pathetic misery of Windows Update.

1 user thanked author for this post.

EyeJove

Reply | Quote

Am I the only person who still CAN’T get these installed?
KB4340558
KB4338815
KB4054566
KB4338831

Edit to remove HTML. Please use the “Text” tab in the entry box when you copy/paste.

Reply | Quote

All updates installed on receipt except KB4340558.   Microsoft and others published workaround to get that installed.  I did not implement any workarounds, figuring that the chances of making things better was equal to making things worse.    Eventually, Microsoft issued a new KB4340558, around the 20th, and that one installed successfully.

The only update that didn’t install was KB2976978, because I hid it.

1 user thanked author for this post.

Elly

Reply | Quote

OscarCP wrote:

GoneToPlaid: “All joking aside, I haven’t updated .net since last December or perhaps January.” If one did that for very long, wouldn’t one find that fewer and fewer of the third party applications one has can be run well, safely, or at all in one’s computer, as time goes by?

I can’t say. All I know is that all of my Win7 computers have .NET 4.5.5 installed and that all of the several dozens of programs which I use run just fine. The same thing goes for Visual C++. I have Visual C++ 2005 and 2008 installed, even though a couple of programs which I installed did install later versions of Visual C++ which of course have baked in telemetry. So I figured, what the h**l. I uninstalled the later version of Visual C++, and after uninstalling, I found that those few programs ran just fine and without complaining on launch. Go figure. I should point out that I have never installed any “Windows 10 only” programs which do require installing the Win10 C++ runtimes which Microsoft backported to Win8.1 and Win7.

The upshot is that I am very careful about what programs I install on my Win7 computers. I also am very careful about upgrading any programs if I have no compelling need to upgrade such programs.

1 user thanked author for this post.

OscarCP

Reply | Quote

Thanks for an excellent answer. A “thanks” indicated with a little glyph is not enough, so it is given again, with words.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

Just arrived to our WSUS:

Dynamic Update for Windows 8.1 and Windows Server 2012 R2 for x64-based Systems (KB2920540)
DriverUpdate:HardwareID:%PCI\VEN_168C&DEV_0029*

Dynamic Update for Windows 8.1 (KB2920540)
DriverUpdate:HardwareID:%PCI\VEN_168C&DEV_0029*

The KB of course does not exist, plus driver updates are disabled altogether on the WSUS server.
Sigh…

Reply | Quote

Here’s a brief synopsis …

“If you installed the July 2018 update and have not yet seen any negative behavior, we recommend that you leave your systems as-is … ensure that you apply upcoming .NET Framework updates.”

Source: Advisory on July 2018 .NET Framework Updates

“Customers who are experiencing issues after installing the July Windows security updates should install the replacement packages as applicable.”

Windows 7:
“Note that the Monthly Rollup and Security Only updates for .NET Framework are not affected.”

Source: Security Guidance (bottom of page)

The Update Catalog for KB4340556 (Win 7 NET update) had been updated July 20.
Source: Microsoft Update Catalog

Now for the confusing stuff …

1) The table in Security Guidance indicates that KB4340556 has been replaced.
2) The download link in the Update Catalog has 5 replacement patches for x64:

ndp45-kb4338417-x64_b55ee1c5a8f455e6b0837edea71b78951443d598.exe
windows6.1-kb4019990-x64_35cc310e81ef23439ba0ec1f11d7b71dd34adfe5.msu
windows6.1-kb4338423-x64_58b34908c283746456dd4b2b8c8b4d8e6b98fcf8.msu
msipatchregfix-amd64_5011cb29b096fb674a4795ee8fc2f7fdad33863a.exe
ndp46-kb4338420-x64_eefd3a67dbfb754d713963b1b9888a5e75868882.exe

Say what??????

3) There is no indication of proper install order.
4) Note the “msipatchregfix” file – no docs.

So ….
I’m assuming that:

1) MS will fix this disaster with a single NET rollup patch at some point through WU.
2) MS will clean up conflicting guidance in their various KB articles (yeah right).

Any takers????

– Carl –

Reply | Quote

Yesterday, I (W7/32) got offered 4338818 and the snooping patch. As per DefCon, did not install them. But: no .Net-update (have not had one for months), only one waiting in the Optionals. I think I best just wait a bit longer.

~ Annemarie

Reply | Quote