Is Microsoft now fixing security patch bugs with non-security patches?

Topic

New Reply

For those of you who want to stay in “Group B,” this is a big deal. There’s a bug in MS16-087, the July security patch “Security update for Windows pr
[See the full post at: Is Microsoft now fixing security patch bugs with non-security patches?]

Reply | Quote

Replies

abbodi86 mentioned few times that there is no clear distinction between various types of patches and it is at most just arbitrary labelling. I said the same in a different context, that of supersedence in which patches from different categories supersede or are superseded by patches in another category. This typically means a cross between Recommended and Security.
However the new category of Preview needs to be treated differently than the traditional category of Optional non-recommended.

Reply | Quote

Woody,

You said the nature of the bug is documented in the KB article. Is that the KB3170005 article? I can’t find anything about the nature of the bug there.

Please tell me what I am doing wrong. Thanks.

Reply | Quote

Yes. Sorry, I should’ve posted the link:

https://support.microsoft.com/en-us/kb/3170005

There’s a lengthy description of (many!) bugs.

Reply | Quote

By hook or by crook you WILL install all we send you or watch your systemn die….slowly.

Modern day Thuggees

Reply | Quote

“At its root, the word “Thuggee” means “deceivers,”…”

https://www.damninteresting.com/the-thugs-of-india/

Reply | Quote

I think we have to wait how this first Preview will transform to Full patch(es).
Maybe this Preview is really just “testing” rollup of individual patches.
And some of those ok will then be included not only in “Rollup” but also in “Security Only” bundle. In this way Microsoft can patch bug in Security update with another Security update and in the same time test this patch in this Preview.
Uhm … just a thought… 🙂

Reply | Quote

Being someone in Group A who sympathizes with Group B I’m sorry you guys have this problem. Looks to me if the security updates have issues that get fixed in the monthly rollups it looks as looks as though your options are to either install the monthly rollups or just disable updates.

I mean for those of you who get the security only package a very grievous bug could come along that could be fixed in a monthly rollup. But if you don’t install that monthly rollup then you won’t get the fix.

One more thing I want to bring up. Who’s to say Microsoft might not slip the telemetry into the security only package at some point? If that turns out to be the case then know I called it here first. Even though they don’t really care about your privacy they know most people who actually give two s***s about the security of their system wants security updates. Why not hide some telemetry points in there as well?

That way they got everybody. Group A, Group B, Windows 10 users. Unless your on Vista. But I can’t really condone the use of Vista anymore. Because more and more programs are dropping support which that in itself is a security hazard. But I digress.

Also Windows 8.1 does have somewhat similar telemetry settings. But it’s not as bad as 10 is. https://i.imgur.com/8Q9qH2d.png
And again I want to state that I feel telemetry will be slipped into the security only package at some point. Which if that happens then those of you in Group B will probably have to avoid all updates which I wouldn’t reccomend.

Reply | Quote

I accidentally hit submit before I finished my first comment.

Anyways. It’s only inevitable that 7 & 8.1 whether it be through monthly rollups or stealthily slipping it into the security only package. Which I wouldn’t put it past them. I’m calling it here.

I bet they’re going to do that. Then Group B will probably have to move to Group W. No updates or anything. Which if it comes to that then I don’t recommend using Windows.

Either way. Looks like they have Group B cornered. A bug with a security update. Want it fixed? You have to install the monthly rollup. So yikes. But we’ll see.

Reply | Quote

THAT, to me, is the nightmare scenario.

Reply | Quote

*It’s only inevitable that 7 & 8.1 will have more TELEMETRY whether it be through monthly rollups or stealthily slipping it into the security only package. Which I wouldn’t put it past them. I’m calling it here.

Forgot the keyword. *HEAD SLAM*

Reply | Quote

Could be. You’re right, we need to see what happens – and hope that MS documents it.

Reply | Quote

@Anonymous User:
“One more thing I want to bring up. Who’s to say Microsoft might not slip the telemetry into the security only package at some point? If that turns out to be the case then know I called it here first.”

You didn’t call it first, it’s not a new conjecture here. We’re better cynics than that!
😉

Reply | Quote

Security only updates will never get it

Reply | Quote

Humorous that “Anonymous User” wants us to know that he/she called it here first.

The very nature of the name “Anonymous User” means that he/she doesn’t want to be known. So how will we know who it was who actually called it here first?

(I have too much time on my hands!)

Reply | Quote

Do a backup before you install the group B update. If it hoses your machine, restore the backup, then move to group W (or group L – Linux).

Reply | Quote

I already don’t recommend installing Windows and I called it here first… along time ago… Really… (just ask anybody… snif)

And quit stealing my nom de plume, I was Anonymous User first!

Sincerely,
John Squiggleworth
Canton OH

Reply | Quote

Oh, you’re THAT John Squiggleworth. I was confused there for a sec. 🙂

Reply | Quote

🙂

Reply | Quote

I was in Group B for all my Windows machines, but as I cannot install the KBxxxx605 speedup patch on the Win7-64 Pro Lenovo laptop due to the Bluetooth issue, I cannot get WU to show any updates since the Rollups launched. Had it running for 36 hours just to get the KB numbers and nothing.

The Laptop is looking very longingly at Mint flavors.

Actually for mobile email, I am considering an iPad.

My new Skylake build will be Linux, and the Haswell Win7-64 Pro gaming box will be Group B for gaming only.

While I object to the snooping on Privacy grounds, I dispise the deliberate sabotage by MS of a working PC.

Reply | Quote

You are John Squiggleworth, Esq., and I claim my five pounds!
🙂

(http://www.urbandictionary.com/define.php?term=AICM
“…an abbreviation of “you are ….. and I claim my £5” when speculating on the identity of a poster.
This started during the press circulation wars of the 20s and 30s with summer publicity campaigns by the Westminster Gazette (from 1927) and News Chronicle (mid-30s). A fuzzy photo of “Lobby Lud” (really a lowly newspaper employee) was printed in the paper along with the seaside resort where he would be that day. If you recognized him you could win ten pounds by producing a copy of the newspaper and saying, “You are Mr. Lobby Lud, I claim the Gazette Prize.”
After the war the Daily Mirror copied the campaign, but changed the phrase to “… and I claim my five pounds”. ”

https://en.wikipedia.org/wiki/Lobby_Lud
“The phrase “You are X and I claim my five pounds” has become a humorous way of pointing out a similarity between a subject and a second person.
It was regularly used by the British satirical magazine Private Eye, most notably on the cover of issue 180 in November 1968 which showed a photograph from the wedding of the former Jackie Kennedy in which the bride was apparently saying: “You are Aristotle Onassis and I claim my five million pounds” ” )

Reply | Quote

You must be far behind with the patches… all of them.
Give a go to https://support.microsoft.com/en-us/kb/3138612 which is the next best thing after KBxxxx605. It works on most instances.

Reply | Quote

You could manually install the security only update KB3192391, which will work to speed up WU until November Patch Tuesday at least

or if you accept a 3rd party solution, i ripped WU client components off KB3172605, allowing you to have the permanent speed fix without other fixes/bugs in KB3172605
just run install-online.cmd as administrator then reboot
http://pastebin.com/raw/UHXiAf4M

Reply | Quote

My question is semi-related in that, all I want to know is if it is now safe (“safe”) to install the KB3185330 (Win 7-64 Security Rollup) and the KB3188740 (Win 7-64 .Net Framework Rollup) that are waiting in the wings on my Win7 machine. In the past, I always waited a week or two for Susan Bradley to check out and establish the “safeness” of what what MS recently regurgitated to the masses before I took the plunge. Now it’s a few weeks later and I haven’t heard of any dramatic issues from others so far. TIA.

Reply | Quote

 
I just read Woody’s InfoWorld article. I will wait for the “all-clear” from Woody (with or without modification) before I do any kind of blind MS patch installations.
 

Reply | Quote

Can anyone explain how to add the language pack first?

“if you choose to install the packages yourself on live running system, make sure to add the correct LangPack package first, before the main package

I know how to run the cmd main package but not the zipped language pack.
Thanks

Reply | Quote

Wait.

Reply | Quote

“And again I want to state that I feel telemetry will be slipped into the security only package at some point. Which if that happens then those of you in Group B will probably have to avoid all updates which I wouldn’t recommend.”

If that happens, then I will avoid installing future updates. I have stated that position here before and I will stick to it.

Hope for the best. Prepare for the worst.

Reply | Quote

@Bill C.,

Oh no, that is the same patch that my Lenovo also cannot accept.

I last ran Windows Update in the early hours of this month’s Patch Tuesday – just prior to the new system’s being introduced – and it took less than 15 minutes (I was away from the computer for that long – it could have taken as few as 5 or 10 minutes).

I think I’ll try to run Windows Update tonight and see if it takes a long time. I’ll report back here.

Reply | Quote

@CH100,

Why would you say that he must be far behind on all the patches?

The Bluetooth-Intel-Lenovo-screw-up patch was always optional.

Reply | Quote

It means you must install the language pack first before applying any updates to the system

Why do you want the language pack anyway?
language pack usually gets integrated into install.wim to make multilingual distribution

Reply | Quote

Both are clean to me

Reply | Quote

Force everyone to run updates off a WSUS server, then you can still install individual updates (until they change THAT as well).

Reply | Quote

Wow. People are so cynical here.

Reply | Quote

Is it safe to install the Management Framework 5.0 update for Windows 7? It includes an update to PowerShell which is something I use.

Also is .NET Framework version 4.6.2 safe to install?

Reply | Quote

Okay. I chuckled at that.

Reply | Quote

Ah but that is the only way to fulfill the no fragmentation. Everybody will have the same crap.

Reply | Quote

I’d wait for just a couple more days.

Reply | Quote

I didn’t realize that. I’m seeing a lot of confusion about how to make WSUS install the Security-only patch, and avoid the Monthly Rollup.

The individual patches that I know about are only for Vista.

Reply | Quote

It is not that the Security Only patch cannot be installed. The issue is that after installing the Security Monthly, the Security Only still shows and apparently even installs, although it should be included in the bigger patch, installed previously.
I was convinced few days ago by someone who understand this stuff better than me that in such situations, what matters is only the component level installation which is resolved by TrustedInstaller.exe, while whatever WU or WSUS shows for the user or admin is only cosmetic.

Reply | Quote

Because of the supersedence and interdependencies. It is typical that those experiencing slow scanning have a limited number of patches installed compared to those more fortunate not experiencing slow scanning. This was before installing the “Bluetooth-Intel-Lenovo-screw-up patch” in your words. I think what matter most for scanning speed are certain Security patches superseding many, like 20-30 older patcher behaving like rollups, although not labelled as such by Microsoft. Those are the patches which were presented by Dalai monthly to do the “speed-up”, known also as the “magic” patches.
“All the patches” is on my wish list, the same one which is on Microsoft’s wish list “to avoid fragmentation”, but Security and in general all Important (not including Recommended) would do the job of speeding the scans, at least as it seems to be at the current date.

Reply | Quote

You have to have Ultimate or Enterprise, at least to be under the licensed terms for that functionality. In such a situation, you can install Language Packs from Windows Update. If you didn’t need Language Packs until now, you will not need them in the future. They can cause a lot of problems and it is better to avoid them if possible.

Reply | Quote

What can’t your Lenovo accept, this one?
https://support.microsoft.com/en-us/kb/3138612 or the one suggested by abbodi86 which is KB3192391? Why not?

Reply | Quote

Woody
This is the second reply to the WSUS issue. I read again and actually what you say is possible and is experienced by those having a default out of the box WSUS setting which is auto-approval for Critical and Security Updates. Critical are those non-security Important updates about which I keep insisting that are more important even than the Security updates.
With auto-approval, both Security patches are getting approved and installed, unless that automatic setting is disabled (which is normal practice) and each update approved manually by administrator. But I suppose less experienced WSUS admins do not check each setting after installation and leave everything default. Or maybe they inherit WSUS from someone else and it takes time to sort out the issues.

Reply | Quote

They are both components outside of Windows Update.
.NET 4.6.2 is fine if you don’t use applications which are broken by it and this is very unlikely unless it is Exchange Server.
If you find the answer for the other one, please let me know, as I am close to installing it myself.

Reply | Quote

In my opinion Microsoft has been arrogant and disingenuous in dealing with its customers on many fronts.

But they are not stupid.

Introducing a bug in a security update and fixing it in a non-security cumulative update is just another underhanded method of forcing customers to dance to their tune.

Reply | Quote

(Or they’re compleat WSUS dummies, like yours truly.)

Reply | Quote

The flip of that is true in WU as we saw last week. If you install the preview non-security rollup and security-only patch first, you are still offered the Monthly full rollup as as a checked important update.

Reply | Quote

Announce the funeral. Group B is dead. It looks like it is A or C. Thankfully, I have not directed my clients to take the first set of Security roll-ups.

This means that January 2020 “end” date for Win7 has already ended. Not so sure this is so bad. Could be better.

CT

Reply | Quote

The language pack note in the read me confused me. I thought the correct one had to be chosen and installed as part of the process for everyone.

So do I have this right?
1. Install-online.cmd and entire bin folder are extracted/placed in a folder.

2. The install-online.cmd is run and it automatically selects what it needs from the bin and I end up with KB3161647 Windows Update Client installed on my US English Win 7 Pro machine.

3. Windows Update history will not show KB3161647 installed but will show KB3172605 instead.

4. If needed the entire KB3172605 can be installed later to give the machine the other included updates.

I wonder how long this “speed up patch” will work?

Thanks abbodi86, I know everyone appreciates your knowledge and work!

Reply | Quote

@ Anon Gary I have had both KB’s show up in WU and per Woody’s advice I put them in a holding “cell” until the coast was deemed clear. And to T. Pickleson: I have had .NET Framework 4.6.2 installed on my Win 7 SP1 x64 for about two months with no ill effect BUT at this point in time I would wait for Woody’s OK.

Reply | Quote

I have personally gone within the last year from Group A to B to (now) C/W.

What worries me is the possibility that Microsoft might, under the guise of a “Security” update, install a time-bomb, such that your Win7 system is destroyed completely in Jan 2020 — because “your computer no longer receives security updates, therefore is insecure, and therefore we will protect you from yourself” — which they might call a “security update”.

Reply | Quote

I see, sorry about that, the note was ment for advanced users

1. 2. Correct

3. Correct, but KB3172605 will be shown (twice) in Installed Updates panel, not WU history

4, The components are the same and the fix will persist

Reply | Quote

If you are in group B (installing only the security updates), what would be the logic in MS sending you a time bomb “because your computer no longer receives security updates”?

Reply | Quote

My point is that, after Jan 2020, there WILL NOT BE any security updates, and MS might try to “protect me from myself” by installing a time-bomb IN ADVANCE, under the guise of a “security update”.

Reply | Quote

Could happen – or we could see a new “Get Windows X” campaign as support runs out.

Jan 2020 isn’t that far away, and there’s not a snowball’s chance Microsoft will extend the support date.

Reply | Quote

ch100 is right. I should have clarified that. You have to download them manually off Microsoft’s site.

Reply | Quote

I would call that a distinct possibility. In fact, in spite of the fact that I have been a died in the wool IE advocate for years, I will likely be switching out of it because I am Group C and will no longer be able to trust IE.

CT

Reply | Quote

Thanks for the info abbodi86. I would have looked in WU history and wondered why KB3172605 was not there. I had pretty much forgot about the Installed Updates panel.

Guess that explains why after installing KB3135445 a while back using a cmd script I could not find it in WU history.

I hope other folks on the site notice this conversation like BillC above who has a Win7-64 Pro Lenovo laptop like myself and doesn’t want to break bluetooth. Your effort gives us a way to still get our updates in 5 min instead of 5 days!

Thanks again.

Reply | Quote

I want to understand how this potential scenario would actually work…

Assume I choose Group A. I’m a non-Enterprise user. A bad patch shows up in say the December 2016 monthly rollup and it causes crashes on my systems and MS acknowledges the problem but there is no workaround. I back out the December monthly rollup and wait for the fix.

Stay with me …

Finally the fix is in the April 2017 monthly rollup. In this scenario, how would windows update deal with it? I would be sitting on the November 2016 monthly rollup as the last successful install.

– I have to skip the Dec 2016 monthly rollup and in January it would get replaced with Jan 2017 monthly rollup (I assume the Dec 2016 rollup would disappear from the list). The same would happen for the Feb and Mar monthly rollups – they disappear and I would have the April 2017 monthly rollup on the available list. If that is how it works, does that mean I can now install the April monthly rollup (only) and be totally up to date?

Reply | Quote

Yes.

You’re talking about the Monthly rollups. The Security-only patches work differently.

It’s rare for MS to leave a significant bug outstanding for more than a month – but it does happen.

Reply | Quote

So I was wondering Microsoft has a monthly rollup and a “Preview” rollup. I mean why not just hold them off the bug fixes and improvements until the next month’s rollup? Does the end user have to be Microsoft’s beta testers now?

Reply | Quote

I admit that the following is just in the realm of supposition bordering on paranoia, so I have the aluminum foil box here beside me (might wallpaper the room with it… ha ha) —

Would MS be able to do that (to initiate some kind of “nuclear” solution that would prevent the operating system from working properly after Jan 2020) to group C/W people, who earlier this month stopped updating and will not update anymore?

What I mean is, would they be able to do that in 2020 to a system, even if it were not being updated in the Windows Update traditional way, and had not been updated via Windows Update or via the Update Catalog since Oct. 2016) via other kinds of internet communication that Microsoft has with a computer?

Reply | Quote

Canadian Tech, I am also an IE acolyte.

What browser do you think you will switch to?

Reply | Quote

Your oft-repeated hypothesis that the slow scanning which has occurred sporadically in the last five or six months was only experienced by people who, in the immediately-prior month, had not been up-to-date on their security-only patches, seems to have been contradicted by some people’s experiences, including my own.

Reply | Quote

Highly unlikely. They didn’t do it with XP, can’t imagine why they’d do it with 7.

Reply | Quote

The preview rollup is meant for people who want to test the next month’s rollups. It’s a great idea, but not implemented very well.

http://www.infoworld.com/article/3130076/microsoft-windows/win-781-patchocalypse-springs-a-few-surprises.html

Reply | Quote

I never said that my Lenovo can’t accept 3138612. Indeed, in your and my prior conversations here about the Intel-Bluetooth-Lenovo-Screw-Up patch 3172605, I mentioned that I’d already installed 3138612.

I was simply responding to Bill C.’s comment about his possible *new* problem with having excluded patch 3172605,
because his original reason for excluding 3172605 is similar to mine, since we both have Lenovos with Intel Bluetooth.

In responding to Bill C., I was not saying that my own Windows Update is currently slow.
My WU was fast on the day before Patch Tuesday for October. I haven’t checked WU since then, and I didn’t get around to checking it last night. I don’t know if it will be slow now, or not.

If it turns out to be uncomfortably slow, then I might look into Abbodi’s solution(s), which I only skimmed previously because they looked complicated and I am not a computer-techie person,
or I might go into Group C and not worry about running WU anymore,
or I might go into a sub-category of Group B and just do what I can from the Update Catalog and not bother with Windows Update.

Reply | Quote

I don’t remember if this was not promised for Windows 10 at some stage. Is there an equivalent for Windows 10, other than the full OS installations for the Insider Preview versions?

Reply | Quote

I can tell you with authority that “occurred sporadically in the last five or six months was only experienced by people who, in the immediately-prior month, had not been up-to-date on their security-only patches” is simply not true.

I have updated many, many computers on a regular basis. Some would update quickly. Many would go into lengthy day-long scans, even though they had been updated mere days before.

I soon learned that the shortest way out of the trap was to reset WU by erasing the two folders it keeps catroot2 and softwaredistribution. Even then, although quicker, it still took far too long.

The KB3172605 thing, has made that experience a forgotten nightmare. Even with the KB3172605 solution, many still go into forever loops. If you read through the thread on the answers forum, you will find in several places where I told people exactly how to do that.

http://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-7-update-solution/f39a65fa-9d10-42e7-9bc0-7f5096b36d0c

CT

Reply | Quote

Not named beta testers, but this is the intention and it was documented.
Apple have their version of Insider Preview for iOS and possible for MacOS for registered testers only.
The difference is that in Microsoft’s situation everyone can be a beta tester and unfortunately some of those who should not be, fall into that category by accident. Windows Update is supposed to be for everyone to install, not for testers.
In the Windows XP/2003 time, there was a section in Windows Update which was flagged for this purpose, but it was never implemented or made functional as far as I can tell.

Reply | Quote

Can you summarize this, afresh, for https://www.askwoody.com/2016/whats-the-latest-for-speeding-up-windows-7-scans/ ?

Reply | Quote

That is an excellent question. One I have no answer for. Some of the people I most respect use Firefox (including Woody). Clearly, the most popular is Chrome. Chrome comes with the same spyware implications as Windows 10. Firefox does not.

Among the few of my clients who use non IE browsers, I have found both Chrome and Firefox were far more likely to be infected than those that used IE only. That is why I have been an IE advocate. It simply made my job easier.

If I am not mistaken, I think both Chrome and Firefox are prone to be memory hogs and may not be a good idea on a 2G 32 bit machine, which many of my clients use.

I have a lot to learn.

One the things I know very well is that most people who have development backgrounds detest IE. I cannot tell you how many times a problem I complained about was blamed on IE, when it really had no bearing on it. The IE detesters simply have no knowledge of IE. I would not be the slightest bit surprised to learn that many MS developers do not use IE.

CT

Reply | Quote

The current security patch for October 2016 has 2 known issues, addressed via hotfixes, both documented. They address issues with SCOM Console (only of enterprise patching interest) and an issue with IE opening URL files of general interest.
None of those 2 hotfixes comes on Windows Update or WSUS/SCCM, although can be imported there from the Catalog, which I don’t find a very good idea, because the patch can later come through the regular channels to WSUS and cause undesired side-effects not to the end-user system but to managing WSUS.
There is an extra rollup for time zones which is on WSUS but not Windows Update and marked somehow urgent because addresses an issue happening now (in Turkey).
Someone needs to sort out what happens in this area of Microsoft or otherwise I would really find myself in a position to make a recommendation for the wider public to put all updates on hold until this mess is resolved, hopefully as promised sometime in February or March 2017. As we know and Woody already advised few times, it is not quite the right time for patching unless really understanding the full details of what is happening and this is not yet clear for anyone.

Reply | Quote

Sorry Woody, there is no reply link under your question, can I summarize.

I presume you mean summarize the “solution” AND the fix for when it does not work? And do that under the new blog heading?

Is that what you mean

CT

Reply | Quote

Yes. In very simple terms, what would you recommend to anyone who’s experiencing long Win7 update scan times?

Reply | Quote

Just a generic question, starting from Terry’s enquiry.

Does anybody have any experience with WMF 3.0/4.0/5.0 and what possible side effects are expected?
Generally those type of installations make massive changes in the Operating System and are expected to modify known behaviour and as such are not published on Windows Update, being targeted mostly to developers and IT Professionals.

.NET Framework 4.6.2 is for everyone and is a direct replacement for any version of .NET Framework 4.x.x. Still not on Windows Update so you may want to put it on hold for now.

Reply | Quote

Yep. If you’re a Windows Insider, the Insider Release Preview ring will give you an advance look at new cumulative rollups. It’s complicated.

http://www.infoworld.com/article/3125525/microsoft-windows/6-things-wrong-with-the-windows-insider-program.html

Reply | Quote

@Canadian Tech
I don’t know if Woody is a regular user of Firefox. I was under the impression that Woody is in favour of using Chrome primarily and Firefox next.
I am a primarily Firefox user but there was a time about 1 year ago or more when they were doing forced updates. It took me a very long time to figure out how to block that behaviour via like policy configuration, because that configuration is the best kept secret of Firefox. Now it looks easy for me and can even manage small enterprise installations with native behaviour and not third-party Group Policy templates (which exist).
I mentioned those facts to show that there is no 100% clean mainstream software at the moment. I even migrated to Chrome when forced updates where happening in Firefox and it lasted for me about 1 year, because the new versions of Firefox were changing behaviour often, disabling existing add-ons and this was the purpose of the forced updates. Like Windows 10. Now Firefox stabilised to a certain extent, but I always use the ESR version, the equivalent in intention of Windows LTSB or Citrix LTSB.
I am a regular user of IE and I can live and live well without an alternative browser on the desktop, but this is probably because I know its settings in detail and I can configure it correctly or at least to suit my purpose. Otherwise is too complicated. And it is the same memory hog like Firefox and Chrome, only in different circumstances perhaps.
It is the first time when I read somewhere that Chrome and Firefox are more exposed to malware than IE, but I am ready to learn more about it if there is any supporting information or just your own experience, anything would be useful.

Reply | Quote

@ Canadian Tech
What makes you think Group B is dead already? I think it will eventually happen after the current transition, but isn’t too early for this now?
I start looking at Group C as recommendation for a little while, not forever though, until more research is done and we understand better where it all goes.

Reply | Quote

Interesting assumption and it comes to the ownership of the OS. If it is proved beyond any doubt that the OS is owned by Microsoft and not the user, anything is possible.

Reply | Quote

As I said elsewhere, Windows 10 LTSB looks more and more interesting as alternative. Not sure how it can be obtained outside of an enterprise environment except for trialling it by downloading from Microsoft. I think that version is Microsoft safety net against a complete meltdown of the Store concept and Universal Apps which is not so unlikely.

Reply | Quote

Even worse if they rely on automatic approvals and this in a business environment.

Reply | Quote

That may have a reason as the Monthly is a later patch under a different number and replaces two previous patches with only one, which is the purpose of the rollups.
The behaviour is similar though.

Reply | Quote

Woody, Canadian Tech’s solution as confirmed by abbodi86 is working and definitive. Only that for some people like @poohsticks and others is not practical due to the Bluetooth issue.

I would add to Canadian Tech’s Solution that now KB3020369 should be replaced with the newer KB3177467 which needs to be installed anyway, but for the purpose of speeding the scans, both are as good.

Reply | Quote

In simple terms and with least problems, install in this order:
KB2533552
KB3020369
KB3177467
KB3172605

I know abbodi86 would object at least to KB2533552, but installing it first avoids cosmetic issues with Windows Update.

At minimum the last two patches in the list would do the job.

Reply | Quote

I think catroot2 does not need to be deleted and in most recommendations is not present. It is true that it is part of Microsoft’s recommendation though, so it is OK to delete it in addition to the SoftwareDistribution folder.

Reply | Quote

Sorry @poohsticks, I was under the impression that I was replying to Bill C.
I understand your system, at least from the information that you made available here before.

Just to end this discussion as it tend to get confusing due to many interleaved replies.
If you still experience slow scanning, get a piece of software which I mentioned few times named Windows Update MiniTool.
https://www.wilderssecurity.com/threads/windows-update-minitool.380535/
http://www.majorgeeks.com/files/details/windows_update_minitool.html

You can also download and find lengthy information on https://forums.mydigitallife.info
which is the best forum of all, but tends to be too technical and addresses Windows at a much lower level than is comfortable to most non-technical users. You may need a user account to be able to read all posts on MDL.

The tool is portable, does not need installation and is just an alternative GUI for Windows Update, with few extra features, already built-in by Microsoft, but not made available to the wider public.
Do not change anything, only select the checkbox “Include superseded”.

Regardless of the patches installed previously, you will have the fastest scanning time possible. I promise that you will be impressed.

Normal Windows Update through svchost.exe tries to filter out the superseded updates which are not needed and this is why the scanning time is lengthy.

Reply | Quote

@Canadian Tech

“I cannot tell you how many times a problem I complained about was blamed on IE, when it really had no bearing on it.
The IE detesters simply have no knowledge of IE.”

Yes, in my own little experience of computers and in asking for help with computer problems, it has been the same for me.

Reply | Quote

1. This is what I wrote here back in June.

That was before the current difficulties, of course.

“I have tried a few other browsers.

I always try to avoid Google/Chrome due to privacy considerations. Additionally, I must be in a very small minority on this, but I just don’t like how Chrome feels and looks.

I have used Firefox when I tried Ubuntu (for a couple weeks when a computer died, I used Ubuntu to rescue the files and to have an internet connection until I could get a new computer). It was probably a basic version of Firefox on my Ubuntu rescue disk, but I didn’t like the feel of it, though it was serviceable and I’d probably get used to it.

I don’t keep track of the market, but I’ve come across articles in the past year mentioning that Firefox is not as good as it once was, they are eliminating some options, and some users have been rolling back to previous versions or something.

Also, I use a VPN sometimes, and there seems to be a problem using Firefox with a VPN
(From Wikipedia: “In January 2015, TorrentFreak reported that using Firefox when connected to the internet using a VPN can be a serious security issue due to the browser’s support for WebRTC.” https://en.wikipedia.org/wiki/Firefox)

I also tried Pale Moon and Opera last year, but that was on my phone, so it’s not a valid comparison with the pc versions.

I know it’s on its way out, but I think that IE still has 1/3rd of the global market share so it’s not dead yet.

Last week in a comment on this site, Noel Carboni stuck up for IE, saying that he thought its present level of security really wasn’t too bad compared to the others. I’ve also read a few similar opinions by some technical people (though I know that many other technical people think that it’s terrible!)

I will probably stick with IE on my computer as long as I have this Win 7 computer, but I’ll keep an open mind, and continue to be as careful in my internet behaviors/setup that I can.”

https://www.askwoody.com/2016/are-we-fighting-a-losing-battle-for-privacy/comment-page-2/#comment-89664

—
2. Now, my concerns are:

a) I don’t like the feel/appearance of other browsers that I’ve tried

b1) the lack of privacy in Chrome

b2) the fact that I don’t even allow any Google IPs through my Peerblock setup,
so if I went with Chrome, it would require a major shift in my approach if I decided to let Google see, record, and sell everything I do online

c) the potential VPN problem with Firefox

d) the fact that I’d seen a number of people complaining earlier this year about Firefox’s recent changes, and sharing with each other how to get a prior version for their computers

e) the fact, as you said, that the IE alternatives seem to be less safe than IE 11’s current iteration

—-
3. I asked Woody this next question last week, but I have forgotten what he said.

Question: Will the updates for IE 11 be separately available in the Update Catalog, or will they only be a part of the security-only monthly update package of patches?

Reply | Quote

The above comment was directed to @Canadian Tech

Reply | Quote

@Canadian Tech,

Here are two recent-ish articles about Firefox that I found on the Ghacks.net site.

June 2016
“Why Firefox will continue to lose market share”
(apparently it had only a 9% market share at the time that article was written)
http://www.ghacks.net/2016/06/09/why-firefox-will-continue-to-lose-market-share/

September 2016
“The State of Mozilla Firefox”
http://www.ghacks.net/2016/09/04/the-state-of-mozilla-firefox/

Reply | Quote

Actually I was current on October 5 except for the GWX and telemetry patches, the Bluetooth breaker, and KB2952664. WU always worked well after I did the various speedups, even without the KBxxxx605 patch.

On the Monday before the October Patch Tuesday I actually saw some new Office security patches for MSWord and later in the day I saw the big Group A rollup. Since then NOTHING!

I was trying WU to get the KB numbers WU was showing for my machine that were NOT the rollups or security only.

Reply | Quote

@Abbodi86

Thanks for the info and the links. I looked at you comments at the link. I am on the road right now, but will definitely look very closely at your solutions once I am at home with my backup images.

I was going to install KB3192391, but was holding up until that patch had time to percolate and I got back from vacation.

If that Security only group also works I will probably use that, but I want to try the extraction process. I have heard the most recent version of KB3172605 has been fixed re: Intel BT issue, but cannot personally confirm.

Reply | Quote

@poohsticks

I am not certain what you are asking me. The reason I believe I will be forced to drop IE is that I will be in Group C and will then no longer get updates to IE. That could become risky and it may not even work any longer.

Personally, I have no experience with any browser but IE at this date.

I expect Group B is not practical. That it is either A or C.

CT

Reply | Quote

If fixes for Security patches are now going to be in non-security patches, how can doing security only patches be practical at all? The very first (October) patches could the first ones to do that.

CT

Reply | Quote

Sorry, but I have nothing scientific to prove Firefox or Chrome use leads to more infections. I is just observation among my clients. The difference has been quite large.

CT

Reply | Quote

In truth, sometimes the configuration of IE is to blame. There are settings known to cause problems, like the well-known (I hope) “Do not save encrypted pages on disk”. Other problematic settings are those having “Protected Mode” and in particular “Enhanced protected mode” in title. Also sometimes “Empty temporary internet files when browser is closed” causes issues. Although all those settings enhance security to some degree, none is ticked by default and there is good reason. End-users and sometimes administrators configure those settings and break the browser’s functionality.
The main issue which I have with IE is that it has far too many settings for the regular user and while they are very useful to experienced administrators, can also easily break the functionality big time, giving the illusion that either IE is not good enough or not secure enough, last one due to the past integration with Windows Explorer and the fact that leftovers from that past are very likely to be remaining in the OS.
This is where Woody’s generic advice not to use IE, unless absolutely required, comes into play. It does not mean that IE cannot be used and with good results, but it means that there are easier and more reliable alternatives for most users who normally don’t spend much effort in tweaking software for optimal configuration.

Reply | Quote

@poohsticks
“I know it’s on its way out, but I think that IE still has 1/3rd of the global market share so it’s not dead yet.”

It is not dead. If any of Microsoft’s browsers is going to die, I would say Edge is ahead of IE at the same time with all the “Modern/universal” Apps and the Store concept. Microsoft is just too late at the party and timing matters more than quality in this industry. And if you don’t have compelling quality to compensate for being late, this is a recipe for disaster. Only a major accident killing completely one of the competitor’s offer could rescue the Windows concept of Store applications. Note 7 is one such accident, but while it can affect Samsung, Google is already prepared with Plan B.

Reply | Quote

Unfortunately true. The Google machine is swallowing all competitors, for good or bad reasons.

Reply | Quote

See my reply about Windows Update MiniTool below or search in this page. Try that method and see what else is missing. Check what shows as hidden and see if it is something that you may have missed.
Next step after researching with WU MiniTool, if you don’t want to update with it although it is perfectly fine and easy to use, reset WU by deleting the SoftwareDistribution folder.
While KB3172605 is very good, you should be able to update from WU without it if the supersedence is correctly handled. Even the old WU Agent 7.6.7600.320 handled supersedence easily until about 1-1.5 years ago, the exact date depending on the performance of the computer. I did testing for few days and I proved beyond doubt that supersedence is to blame which was already known for years by people like Woody, Susan Bradley or the best Microsoft PFEs. The results were posted by Woody here. There were far less patches released until that time and this will be resolved completely with or without KB3172605 only in March 2017 if Microsoft is successful in their solution and manage it correctly. The concept is excellent. One condition, do not fall into the trap of being in Group B.

Reply | Quote

I did install .NET Framework 4.6.2. No problems so far. I was just curious if it was something I should install. .NET Framework 4.6.2 came out in August and I didn’t hear of it until recently.

Still unsure if I should install the Management Framework 5.0 though.

Reply | Quote

@CH100,

Thank you for your long reply to me here, and for your genuine attempts to help people on AskWoody.com to find resolutions to their problems.

At this time, I don’t want to turn to a third-party method to make my Windows Update scanning faster, but I will keep in mind that it is an option.

For further details, please see my post that I made tonight on a newer thread regarding
the current state of affairs for me and my uncooperative Lenovo:
https://www.askwoody.com/2016/whats-the-latest-for-speeding-up-windows-7-scans/comment-page-1/#comment-103788

Reply | Quote

As promised, I am now reporting back about my first attempt to run Windows Update after the new patching regime came into effect.

If you are interested in what happened, please continue to the following post:

https://www.askwoody.com/2016/whats-the-latest-for-speeding-up-windows-7-scans/comment-page-1/#comment-103788

Reply | Quote

@Bill C.,

After your return from vacation and the patches have percolated,
please come back here and catch us up on your progress with this – what worked and what didn’t.

I am interested because my Lenovo is somewhat in the same boat as yours, but I have much less facility with/knowledge of computers than you do, and I daren’t tinker on my own.

Reply | Quote

kindly disagree….

if you go to group policy – WU
you see the description that even on ‘never check updates”
the OS is suppose to dialback every 30 days or so
just to say hello to the mother ship
like “im not dead yet”

and then in event of prolong no updates
or more precisely unable to dialback
the system may legally suspect you are on a fake copy
this terminate your license key
rendering your computer to an incomplete w7 state
and in time may not even start up
and urge you to clean install
of which you have to re-activate
which in time they may ask you to update all KBs
to ‘protect you’ COMPLETELY

but then as long as it can dialback
it can dialback with some sneaky back back to yours kindly
rite?
does not have to show up as KBs do they?
just general ‘maintenance’ of the integrity of the OS 🙂
nothing to see here . . .

thats was partly my user experience (on a legit copy) btw
just terminated all WU and try to block all with firewall
didnt work 🙁

okie…. im already inside of a Faraday cage
already cement thick with aluminium
since 2008….
HA HA 😀

2020? enjoy the show kept in store for you – user!

peace2u all

Reply | Quote

Yes, i always install them, no issues

for Windows 7, you will need 4.0 and 5.0
3.0 is superseded

Reply | Quote

This would be a preferable route but the problem is getting the license.

I assume they won’t subscribe a single CAL as if they did the simple solution would be to set up a business and get one that way.

I don’t know what the minimum is but it will probably be five at least I’d imagine

Reply | Quote

There is the Enterprise version as service which I don’t know if it is active which may offer a way into LTSB.

Reply | Quote

Thanks abbodi86 🙂

Reply | Quote

As you know, I look after a bunch of PCs. IE does from time to time become difficult to use. When that happens, I routinely do a complete reset on it. It works 99% of the time. The process warns about loss of personalized settings, but in fact you do not lose them all. Most of the important ones are kept. The result is I can always return IE to performing quite nicely in a few minutes using Reset. The only outcome is people having to re-enter some data the first time they re-visit a web site.

CT

Reply | Quote

Would I still need 4.0 for Windows 8.1 or Windows 10? Or are they already a part of the base operating systems?

Reply | Quote

@Canadian Tech,

My first intention, since we are both IE users but both may wish to switch to a new browser soon, was to briefly describe my experiences/information regarding alternative browsers that I’ve tried or looked into.

My second intention was to ask you the following question
“Will the updates for IE 11 be separately available in the Update Catalog, or will they only be a part of the security-only monthly update package of patches?”
Because even if one decides not to be in Group A or Group B, I was just wondering if one could still update IE 11 on its own, if a separate manual patch will be provided for it in the Update Catalog, which had been bandied about as a possibility last month (and I think even Nathan Mercer said something along those lines).
(I expect that it’s probably not going to be available that way, but wanted to get confirmation.)

Reply | Quote

@CH100,

When I tried Chrome about 2 years ago, I found that it had a lot of settings.
Does IE really have more settings than Chrome?

However, I could not stand the tiny font and tiny top bar on Chrome, and there seemed to be no Chrome setting to make it bigger – that drove me crazy.

When I set up IE, I use a few trustworthy guides on the internet about which settings to choose, as well as my own experiences, and then I take screenshots of my setup when I get it just as I like it, so if something happens to it, I am not stuck doing it all from scratch again.

In my experience, when people tell me the first step in solving a computer problem is to reset my IE, I have learned that very often that doesn’t help my problem, but it causes me undue work to set it up again, so I will often skip to solution possibility number 2, number 3, etc. and one of those usually solves my computer’s problem.

It’s sort of like when you feel ill and the doctor says to take ibuprofen and rest, and return to the clinic in a few days if you still don’t feel better, but you know that what is wrong with you is unusual and not going to be solved by some ibuprofen and the passing of time. But from the doctor’s point of view, that solves enough people’s problems and requires no work on the part of the doctor that it’s a worthwhile first solution to insist that it is tried.

Reply | Quote

4.0 is part of win8.1
you need 5.0 = KB3134758

5.0 is part of win10

Reply | Quote

Thank you very much abbodi86. I will install it and see it how works out.

Reply | Quote

It seems that the Reset procedure is a common one.
While trying to configure Group Policy Preferences on IE10 about 1 year ago, I was monitoring various areas in the IE registry and actually found few quirks.
Following a full reset run in the admin context, some of the values are modified from DWORD to String (REG_SZ), a typical one would be “Use software rendering instead of GPU rendering”. There is no Group Policy associated with it, the user interface would work correctly, but a previously configured registry preference would not because of the data type change.
Other changes are related to previously existing features in earlier versions not available by default which are brought back by reset.
It is not a big issue for end users who would not see much difference, but in a managed environment it is important.
I am wondering if in fact resetting IE does actually more good than leaving it in the default state after the installation. Both states are functional, only not consistent.
The Registry keys involved and which I observed are under HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerAdvancedOptions where the settings and their registry equivalent are described.

Reply | Quote

I have always said that Group B will be abandoned by Microsoft eventually, but not yet.
I see now that your post was from a users perspective as being not practical. You are right if you refer to that aspect.
Most users should make up their mind soon to either patch in full (Group A, my recommendation) or not patch at all.
Group B style of patching will prove to be a nightmare for the end-user but for Woody also if he will monitor each alternative security patch, assess it, provide advice etc.

Reply | Quote

This is an interesting approach that you are concerned with the browser security, but a lot less with the security of the OS in general.
It is a difficult call as in the past there was known malware spreading via port 445 from the internet but also from infected machines in the same network. It was not due to Internet Explorer. This was long time ago, around 2001 but some would argue that we haven’t seen something similar exactly because people got more into the habit of patching.
I cannot appreciate accurately the risk not being so much involved in IT Security beyond the most basic level.

Reply | Quote

It is good enough if you have empiric data based on your experience.
Thank you for your feedback.
IE has lot more life in it, in particular in managed environments where Chrome tends to be implemented as alternative browser, but it is hardly as manageable or compatible with business applications as is IE.

Reply | Quote

@poohsticks
I fear that updates to windows will become so completely intertwined that it will be very risky to choose any one piece because it could be followed by another update (fix) that is tied to something else any you either won’t know about it or not want what ever it comes with.

The whole windows update thing looks more and more to me like B is not a valid choice. It is going to be either A or C. Given that choice, I will not be taking A. In a strange way that is kind of liberating because I no longer face Jan 2020 as some kind of drop dead date.

All this leads to an inevitable end of IE for me and my clients who wish to follow me.

CT

Reply | Quote

@Nd60
Which Group Policy?

“if you go to group policy – WU
you see the description that even on ‘never check updates”
the OS is suppose to dialback every 30 days or so
just to say hello to the mother ship
like “im not dead yet””

Reply | Quote

@CH100,

This nesting system here on this particular discussion is now very hard to read (though I think we are all doing a very good job of following it in this part of the discussion thread!)
and I am not actually replying to the comment of yours which is immediately just above this one, but rather to a different comment of yours.

I am asking you this question because you are an enthusiastic user of Firefox.

(I am not sure if you are the person who responded to my question here on AskWoody.com about one or two months ago about the major VPN leakage problem that Firefox was having…)

I use a VPN sometimes, and when I looked into using Firefox last year, I seemed to find that there was not a real fix yet for their VPN leakage problem.

Some people thought they had found a fix, and gave links to it online, but other people said that it was not a reliable fix. That was the only information that I could find out about it, the last time I researched it, which was maybe 14 months ago.

I am curious that Firefox’s Wikipedia page still mentions the VPN leakage problem, and it does not say that they ever found a fix for it. (That doesn’t mean that there is no fix for it now; Wikipedia isn’t always complete, of course).

Today I looked into this topic again for about 30 minutes, but the mentions I could find about Firefox and how to configure it were either from 2014/2015 — and thus they are old now and possibly no longer correct, given that Firefox has changed a lot in the last couple of years — or they were quite confusing and too detailed for me to get the gist of.

Here is my question to you: Given your knowledge about Firefox, can you tell me if their VPN leakage issue is now fully solved, and if a non-computer-techie person could install Firefox and could *easily* figure out how to configure it, so that it would not leak important information during VPN connections?

Reply | Quote

@poohsticks
I found about that Firefox VPN vulnerability myself from that post that you mentioned. It is this one https://en.wikipedia.org/wiki/WebRTC and can be resolved by changing a configuration in Firefox, by disabling the perceived insecure functionality.
To fix it natively, without add-ons, you would have to type about:config in the address bar and in the page with configurations, identify media.peerconnection.enabled and set to false. There are add-ons which would do the work for you, but I prefer to keep the extra software at minimum.

Reply | Quote

IMHO, It’s a horrible idea. How many unsuspecting sheeple in Group A will unwittingly install the preview just because it’s there?

What a travesty! I get offered crapola previews of future updates so I can be a beta tester but I have to take it on myself to search the catalog for security only updates.

Loathsome!!!!!

Reply | Quote

I have turned off windows updates on my

windows 8.1 HP Pavilion computer. I have had

it with bullies of all types. This may not be

a good alternative in the long run. But why

jump through MS hoops and hope your system

survives? Please explain in the simplest terms

what one should do to protect their system.

Reply | Quote

@Eric;

Re: https://www.askwoody.com/2016/is-microsoft-now-fixing-security-patch-bugs-with-non-security-patches/comment-page-1/#comment-103577

+1 Extend, Embrace, Exterminate

Too bad Wikileaks hasn’t found and published the entire devilish plan now being implemented by M$.

Reply | Quote

@Eric;

“Loathsome!!!!!”

+1 “Greed is Good!”

Reply | Quote

@Poohsticks;

Re: “…and I am not actually replying to the comment of yours which is immediately just above this one, but rather to a different comment of yours.”

One solution to the ‘nesting’ problem is to right click on the desired comment link (underlined date/time).

e.g.

poohsticks says:
October 23, 2016 at 2:35 am

@CH100,

https://www.askwoody.com/2016/is-microsoft-now-fixing-security-patch-bugs-with-non-security-patches/comment-page-1/#comment-103902

JF

Reply | Quote

Install all updates available during one of the last few days of each Calendar month and stop worrying. Set you configuration to Never check for updates and only when you are ready to update check for updates and approve all the updates which are already ticked by Windows Update. Ignore those which are not ticket or have Preview in title. You should install everything else.

Reply | Quote

@Joe Friday,

I don’t think that helps with what my complaints are about the nesting system.

The way that comments are nested here — with replies at various levels being spread down the page so that you don’t see easily which post was in reply to what comment, and the way that comments get thinner and take up many inches of the page — and the fact that reply buttons are no longer offered at a certain level, so the ability to reply to something specific stops.

Reply | Quote

@CH100,

Do you know if any official source has published a statement saying that Firefox will definitely not have the VPN leakage problem anymore if the computer owner does that configuration tweak?
That change in the configuration seems so simple that I wonder why apparently there was no fix being offered for the leakage for several months after it was discovered, and people couldn’t figure out how to stop it.
But maybe subsequently in the past year Firefox has put out a new version of the browser wherein such a simple configuration change would be enough to block the VPN leakage.
It was just weird that I could find old mentions of the problem online, but nothing saying that there is a reliable solution for it.
What I should do, if I decide to give up IE, is contact the customer support at my subscription VPN and ask them about this, to set my mind at ease.

Reply | Quote

@poohsticks
You say “That change in the configuration seems so simple that I wonder why apparently there was no fix being offered for the leakage for several months after it was discovered, and people couldn’t figure out how to stop it.”

What I actually said is not that I am providing a fix which apparently is not possible due to limitations in the protocol.
The configuration proposed completely disables the so called insecure protocol. I personally think that there is too much over-reaction to those sort of issues and people should get on with their life and worry a lot less.

Reply | Quote

Alas, it’s a limitation of the WordPress theme that I’m using…

Reply | Quote

This has been excellent advice up until the big sleep (slowdown). Now when and if you can still do this, you have to wait hours and even days, unless you jump through hoops doing slowdown fixes.

Experience is that marvelous thing that enables you recognize a mistake as soon as you make it again.

Reply | Quote

Use the “solution” to solve the long running Windows Update process:

http://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-7-update-solution/f39a65fa-9d10-42e7-9bc0-7f5096b36d0c

CT

Reply | Quote

It appears that this bug was also fixed in KB3197868 (Monthly Rollup – November 8, 2016) but not fixed in KB3197867 (Security-only update – November 8, 2016).

Here is how I determined this:
1. I looked at which files included in MS16-087 (see KB3170455) also appear in KB3192403 (Preview of Monthly Rollup – October 18, 2016). Win32spl.dll is the only such file, and it’s a newer version than included in MS16-087. This is likely the file that has the bug fix.
2. The newer version of Win32spl.dll is included in KB3197868 (Monthly Rollup – November 8, 2016).
3. Win32spl.dll is not included in KB3197867 (Security-only update – November 8, 2016).
4. Win32spl.dll is not included in KB3192391 (Security only update – October 11, 2016).

The method above isn’t foolproof, since it’s possible that a file in KB3192403 (Preview of Monthly Rollup – October 18, 2016) that’s not in MS16-087 could have fixed the bug.

Reply | Quote

Doing this analysis for the more recent Windows 7 security-only updates (Dec 2016, Jan 2017, March 2017) gives the result that this bug was not fixed in any of the Windows 7 security-only updates thus far.

1 user thanked author for this post.

woody

Reply | Quote

I’d like to follow through on this. Any additional info?

Reply | Quote

@Woody: If you meant what I tested (did you?), this is what I did:

1. For each of the security-only updates listed at https://support.microsoft.com/en-us/help/22801/windows-7-sp1-and-windows-server-2008-r2-sp1-update-history, visit its KB article, expand the Windows 7 file list, and search for file Win32spl.dll in the list. Verify that in each case it is not present.

2. Check for the presence of Win32spl.dll in the .CSV file linked to at https://support.microsoft.com/en-us/help/4012204/ms17-006-security-update-for-internet-explorer-march-14-2017. Verify that it is not present.

Woody’s blog post that started this topic is at https://www.askwoody.com/2016/is-microsoft-now-fixing-security-patch-bugs-with-non-security-patches/. The problematic update is MS16-087 (https://support.microsoft.com/en-us/help/3170005/ms16-087-security-update-for-windows-print-spooler-components-july-12,-2016); the October 2016 preview rollup was the first rollup to address the issues present in MS16-087. The reason for checking for Win32spl.dll is explained at https://www.askwoody.com/forums/topic/is-microsoft-now-fixing-security-patch-bugs-with-non-security-patches/#post-30580.

Reply | Quote

Conclusion: If the analysis in my first post is correct, then if you’re in Group B, you’re missing a bug fix to a bug that was introduced in an earlier security update. Group A has this bug fix.

Reply | Quote

Woody and MrBrian,

This is very important, if I understand correctly.

Does this mean that a bug was introduced in a security-only patch that was fixed in a non-security patch??

Big question. If true, it means B is not a viable strategy.

CT

Reply | Quote

Let’s step back for a second because, as you say, if it’s true it’s a major setback.

I’ve lost the thread.

Precisely what is the bug?

Which Security only patch introduced it?

Which Monthly rollup fixed it?

Reply | Quote

Comment 16 mcbrian……

“It appears that this bug was also fixed in KB3197868 (Monthly Rollup – November 8, 2016) but not fixed in KB3197867 (Security-only update – November 8, 2016).”

CT

Reply | Quote

Right, but did the original bug appear due to a security patch?

Reply | Quote

This bug is listed as one of the bugs fixed in “October 18, 2016—KB3192403 (Preview of Monthly Rollup)” at https://support.microsoft.com/en-us/help/22801/windows-7-and-windows-server-2008-r2-update-history : “Addressed issue that prevents pushed-printer connections and printer connections from trusted servers from being installed in Point and Print scenarios after installing MS16-087.” This bug was introduced in “MS16-087: Security update for Windows print spooler components: July 12, 2016” – https://support.microsoft.com/en-us/kb/3170005. I don’t know anything more about this bug other than what Microsoft describes.

Since bugs fixed in a given preview rollup are supposed to also be fixed in the next monthly rollup after the given preview rollup, we should expect that this was bug was also fixed in “November 8, 2016—KB3197868 (Monthly Rollup)”, and my analysis seems to confirm that. Reminder: the monthly rollups contain both security and non-security fixes.

The big news, in my opinion, is that this bug fix seems to have not been included in either the October or November security-only rollups, according to my analysis.

Reply | Quote

Yes, in MS16-087 – “Security update for Windows print spooler components: July 12, 2016” – https://support.microsoft.com/en-us/kb/3170005.

Reply | Quote

I don’t know and I sure would like MrBrian to tell us.

I have been worried about just such a thing.

CT

Reply | Quote

If anyone wants to double-check what I did above, I used the file lists that are provided in the relevant Microsoft Knowledge Base articles.

Reply | Quote

According to https://support.microsoft.com/en-us/kb/3170005, it appears that it would be more accurate to describe the relevant updates in KB3192403 (Preview of Monthly Rollup – October 18, 2016) and KB3197868 (Monthly Rollup – November 8, 2016) as updates that give network administrators the ability to mitigate the issues introduced in MS16-087.

Reply | Quote

The issue and resolution is discussed in detail at https://www.systemcenterdudes.com/windows-10-point-and-print-printer-installation-prompt-uac/.

Reply | Quote

Isn’t “Group B” participants are looking for and are strict about having security fixes only?
you want Microsoft to start adding non-security fixes just because they solve a non-security issue? 😀

the fix won’t be included in security update unless a new security issue is identified in the same code

i understand the dilemma, but it’s your call to solve it 😉

Reply | Quote

Additional information that indicates that KB3197868 (Monthly Rollup – November 8, 2016) includes all of the fixes in KB3192403 (Preview of Monthly Rollup – October 18, 2016) – https://social.technet.microsoft.com/Forums/windows/en-US/2e974f0e-6975-469b-bda1-74f476f7ac8f/inclusion-of-kb3192403-patch-in-kb3197868?forum=w7itproinstall.

Reply | Quote

That’s to be expected, but it doesn’t answer two key questions: Did any of the preview patches change, and were any new patches added?

Microsoft’s playing this very close to the chest.

Reply | Quote

“The big news, in my opinion, is that this bug fix seems to have not been included in either the October or November security-only rollups, according to my analysis.”

If this is so, Group B is not practical except for technically oriented people.

As far as I and my clients are concerned that would mean Group B is a no go and leaves A or C.

I would really appreciate confirmation of this as soon as possible.

Thanks in advance.

CT

Reply | Quote

@Abbodi86,

What they seem to be talking about is:

There was a bug in a “security” update that Microsoft offered in July.

That bug seems to have a fix now,

but it looks like the fix is only included in the November cumulative Rollup,

and it looks like the fix is not included in the November Security-only Update.

This is concerning to them, because they had expected Microsoft to fix problems with prior months’ “security” updates
in the monthly Security-Only Updates (Group B)
AND in the monthly cumulative Rollups (Group A).

If fixes of prior security patches are not going to be included in the monthly Security-Only Updates, then the Group B pathway cannot continue to be a “safe” option.

1 user thanked author for this post.

HiFlyer

Reply | Quote

The whole porpose of “Preview of Monthly Rollup” is to provide non-security fixes before they are included in the next “Security Monthly Rollup”
there is no need for any explicit indication for that, it’s the new Model rules 🙂

@woody
they change from month to month, either with new fixes added or current components updated

nothing added to the security monthly rollup except security fixes
so, KB3197868 is exactly KB3192403 + secrity fixes in KB3197867

Reply | Quote

Good to know. Thanks.

I guess there will be times when the Preview is modified before it becomes the “final” Monthly rollup – but we haven’t seen that yet. October, November seem to have brought the non-security patches across without modification.

When that does happen, it’ll be interesting to see how it works. My guess is that those who installed the Preview won’t have to do anything more than install the “final” Rollup.

Reply | Quote

I’d like to get it, too.

Note that Microsoft could mend its ways in some future security-only patch. Still, this is a significant problem – if we can get verification.

Reply | Quote

Wasn’t there a hotfix issued for that bug? I seem to recall, but can’t come up with the KB.

Reply | Quote

Is this the hotfix KB3187022?

Reply | Quote

Issued Aug 30th – non-security

Reply | Quote

My understanding was (and I could be wrong) that it was Catalog only (or not available through WU).

Reply | Quote

Hmmmm… Looking at the Windows Update list, I see

MS16-120: October, 2016 Security Only Quality Update for Windows Embedded 8 Standard and Windows Server 2012 (KB3192393)

supersedes 3187022, which is the non-security hotfix.

Which means that the October security-only update should’ve fixed the bug in the July security-only update.

Or am I reading this wrong?

https://support.microsoft.com/en-us/kb/894199

Reply | Quote

Hmmmm
Doesn’t mention anything but Win8 Embeded Std and Server 2012.
KB3192392 (Win8) and KB3192391 (Win7) don’t mention it.
???

Reply | Quote

Maybe on the download site?

Reply | Quote

Exactly, Abbodi86. That is the issue. The question is, is B a practical path?

CT

Reply | Quote

I have found no evidence of a separate hotfix for this issue. For example, see http://marc.info/?t=147634375500001.

However, there are some workarounds described in https://social.technet.microsoft.com/Forums/windowsserver/en-US/030ee94a-047d-460a-bc39-52351a199364/kb3163912-breaks-point-and-print-restrictions-gpo-settings and http://serverfault.com/questions/799238/how-can-i-get-rid-of-the-do-you-trust-this-printer-message-box-and-add-my-prin.

Reply | Quote

No. That’s a fix for a different issue.

Reply | Quote

I fully understand the situation 🙂

but what i say is, the security update is ment to patch vulnerabilities
and although the bug is triggered by that update, but it doesn’t mean the fix is classified as security to be included in next security update

and as far as i understand, the fix is just a mitigation workaround for Admins, not a broad fix

Reply | Quote

For anyone considering not installing MS16-087, here is a post titled “Own a printer, own a network with point and print drive-by,” – http://blog.vectranetworks.com/blog/microsoft-windows-printer-wateringhole-attack, written by the person that Microsoft acknowledges for working with them on one of the CVEs associated with MS16-087. Microsoft’s “Acknowledgments – 2016” – https://technet.microsoft.com/library/security/mt674627.aspx.

Reply | Quote

You are mixing two printing related bugs:

– 3187022 fixes the multiple printing jobs bug

– 3170005 bug is about Point and Print network printers

Reply | Quote

KB3192393 does indeed supersede KB3187022 according to its entry in the Microsoft Update Catalog. However, KB3187022 claims to fix issues introduced in MS16-098, not MS16-087.

Reply | Quote

Maybe somebody could ask at https://social.technet.microsoft.com/Forums/windowsserver/en-US/030ee94a-047d-460a-bc39-52351a199364/kb3163912-breaks-point-and-print-restrictions-gpo-settings. (I don’t have an account there.)

Reply | Quote

Sign up for an anonymous Microsoft account! It can come in handy.

Reply | Quote

You – and MrBrian – are right.

So that leaves us with a Security-only bug that’s only been fixed in the non-security part of a Monthly rollup.

Reply | Quote

Some things to keep in mind:
1. Perhaps one of the existing security-only updates does include the fix (i.e. my analysis could be wrong).
2. Perhaps Microsoft is planning to include the fix in a future security-only update, or in an updated version of one of the existing security-only updates.
3. The security-only updates have already included some other non-security fixes. Example: security-only update KB3197867 supersedes some updates that are for non-security fixes; see “Package Details” tab of http://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=b92492c0-9ba6-4d83-846a-099ebb7fcfff.
4. This particular issue may not affect you.
5. If this particular issue does affect you, there are documented workarounds in some of the links already posted in this thread.

Reply | Quote

Very well summarized!

Reply | Quote

@MrBrian,

That is a great, helpful list.

—-
Number 1 is a good point.

The other site that was talking about it, the website that you linked to above, seemed to say that they only found the fix in the Rollups and Preview Rollups.
Have other groups of people looked into this and compared Updates and Rollups to see if this fix were in the Updates?

–
Probably most people here are not affected by the issue (4 & 5), but are worried about what the situation might portend for the safety of the Group B path in general.

–
As for 2, that is possible, but I would think that Microsoft, if they’ve already put it in the October and November Rollups (Group A) and there have been no problems in the implementation of it for the Group A people, would have put it in one or both of those months’ Updates (Group B), if they were ever planning to incorporate it in an Update.

–
Number 3 underscores what we all have been musing over since they announced this new updating system — if they could really be entrusted, or if it would even be possible, to unentangle the security patching from the non-security patching, past, present, and future, and, moving forward, maintain successfully two pathways of updating (Rollups and Updates) which were both viable options (for more than a month or two before the wires got crossed).

Abbodi86’s point, that he mentioned just above in this thread, is that even if the original July patch were called “security”, the problem with that patch and the subsequent fix for that problem were NOT considered “security” issues, and therefore it might be correct to keep the fix for that July patch out of the Security-Only Rollup.
…This might be a crucial factor in the definition of what the “Security-Only Update” is intended to include and to exclude, which Microsoft probably did not make clear when they introduced the new updating system.

Question:
If Abbodi86’s view/prediction ends up being Microsoft’s actual view on what is defined as “security”,
what do you Group B folks think this means for Group B — would it make taking the Rollup-only path less secure than you are comfortable with?

–
Personally, I don’t see how Microsoft can keep security and non-security separate enough to provide a reliable “security-only” path in the medium- and long-term. (Though I wish that it were possible.)

This is not a big thing on their agenda, anyway; quite the reverse — they want people to feel that they must accept the whole kit and caboodle of Group A Rollups.

Reply | Quote

@Abbodi86,

Okay, I think I understand your view —

You are saying that even if the original July patch were called “security”,

the problem/bug with that patch and the subsequent fix for that problem/bug were NOT considered “security” issues,

and therefore it might be correct to keep the bug fix for that July patch out of the Security-Only Rollup.

Whereas some other people would have assumed that any problem/bug occurring with a historical patch that Microsoft had classified as “security” would be fixed in the “security” pathway by including it in a monthly Security-Only Rollup.

…This might be a crucial factor in the definition of what the “Security-Only Update” is intended to include and to exclude, which Microsoft probably did not make clear when they introduced the new updating system.

Reply | Quote

To me, the distinction is whether the bug originated in a patch distributed through the “Group B” Security-only mechanism.

Reply | Quote

The update that this bug was found in was released originally in July, I think?

It was labelled by Microsoft in July as a “security” patch,
but it was released before the new update system was in place, so it was not distributed through the “Group B” Security-Only Rollup mechanism.

In that case, are you less worried about the July patch’s bug fix not being provided in the October or November Group B Rollups?

Reply | Quote

It is likely so, for example when bugs are found in the preview patch and they get either fixed or the relevant faulty components removed from the next official monthly rollup.
Abbodi86 does this assessment often which is time consuming and we are all thankful for this, but anyone else with the right understanding of the patches can do this, as it is officially published information, at least in most situations.

Reply | Quote

From https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/#comment-12815:
‘[Question from] Kannan CS
September 8, 2016 at 9:10 am

Hi Nathan,

Could you please explain the below situation, how MS will proact and react

In the Security update bundle, if there is an issue with update cause the major issue after deployment,

a. can we have an option to uninstall the particular update ?

b. will MS release the bundle or it will update the new bundle ?

[Answer from] Nathan Mercer
September 8, 2016 at 11:31 am

a) you can uninstall the update, but not a single patch from inside the update.
b) If any issues are encountered by the customer, we encourage customers to open a support case right away; we will work to resolve these as quickly as possible.
In cases where issues are found, we will evaluate these on a case-by-case basis to determine what appropriate steps should be taken; these could be different for each issue. Organizations can always uninstall offending updates (or stop deploying them more broadly, if they are doing a staged deployment and the issues aren’t too severe) until the issue is resolved. We could choose to revise the update package, or provide an additional update that could be installed over the top of the offending update. There’s no single “right” answer.’

Reply | Quote

There are few hotfixes released in the Catalog only. I don’t remember if there was one for the print spoolers, but there were certainly 3 hotfixes released last month for the SCOM issue, for the IE issue and for the LDAP issue. I don’t know exactly if they were included in the next (current) monthly rollup, but one would assume so. In such situations, the Catalog should be seen only as an emergency repository, to be used only by those affected until further testing is performed, like hotfixes (LDR branch) in the old times. Now, according to abbodi86, everything is unified gradually under LDR, which means that all previous hotfixes are getting included in the mainstream Windows Update fixes. This trend seems to have started with the Convenience Rollup KB3125574.

Reply | Quote

@poohsticks;

“including it in a monthly Security-Only Rollup.”

” through the “Group B” Security-Only Rollup mechanism.”

“Group B Rollups?”

The last couple of posts you’ve included the word “Rollup(s)” when referring to Group B UPDATES.

Could cause confusion.

Reply | Quote

Yes, Nathan has cut and pasted his point B a number of times in the past couple of months, to “answer” probing questions!

Reply | Quote

Yep. I’ve done it too.

Reminder to self:

“Rollup” implies security and non-security….

Reply | Quote

MrBrian, I believe you have summed it up correctly. In effect this means Group B strategy is not a practical one for the vast majority of Windows users. It becomes an A or C choice.

I have already started my clients down the B path with October updates. I believe I must now declare to them that B is not a practical option and they have only the two choices.

That being the case, virtually all of them will choose C

Sorry state of affairs because the result is Windows 7 will no longer be supported unless you are willing to let MS gradually, but surely turn our computers into data collection engines to enable advertising in our faces. Given that choice or no changes at all, we will opt for C.

I doubt any of my clients would consider buying another Microsoft product again.

CT

Reply | Quote

Woody, what is your opinion?

Does this mean a B strategy is practical?

CT

Reply | Quote

I think it is. But I’m watchful.

Reply | Quote

I am counting on you to let us know.

Thanks for being there.

CT

Reply | Quote

Although I am in Group A (at least for now), I believe Group B may be a viable strategy also, given the comment from Microsoft employee Nathan Mercer at https://www.askwoody.com/2016/is-microsoft-now-fixing-security-patch-bugs-with-non-security-patches/comment-page-1/#comment-107302.

Reply | Quote

1. In this particular case, no

2. I believe that would happen only if a security issue is identified in the same components that fixed the bug

3. That’s what i ment in 2, security updates include (or supersede) no-security fixes only if the affected components are shared

that’s why both updates type are on the same level for me

Reply | Quote

Exactly, thanks for explaining that clearly 🙂

Reply | Quote

@Canadian Tech,

I appreciate your updates about what you are recommending to your clients.

Please keep us informed about what you decide, how your people respond, how they are getting by with their path choice, etc.

—
As for me, I have not taken any steps since the September normal patches, as I been waiting for an extra month to decide between Group B and Group C/W, to see if any roadblocks to Group B came up.

I don’t know if the current issue is a roadblock to Group B or not.

Given this issue, I will probably not do anything (equivalent to being in Group C temporarily) for one additional month,
to see if the I.T.-savvy people here conclude from their examination of this current issue that the Group B path does still include proper fixes/patches for past security/important updates/patches, and isn’t being deprived of any important patching on the security side of things.

Reply | Quote

AT this point, I am putting WU into a holding pattern (just like you Poohsticks) until Woody confirms whether B is a practical path.

If it turns out it is not, I will be taking C and recommending that to my clients.

I will make a point of updating. You may find other comments from me on the Answers forum as well.

CT

Reply | Quote

@Woody;

Still think suggested abbreviations best.

SOU = Security Only Updates
SMR = Security Monthly Rollup

Then we don’t gag at the gratuitous Q.

Reply | Quote

I only use the gratuitous marketing “Q” when I’m directly quoting something from Microsoft.

I’d rather stick with meaningful names. I had a hard enough time coming to terms with using “Group A” and “Group B.”

Reply | Quote

There are some relevant new posts in that thread.

Reply | Quote

I neglected to mention that I did this analysis only for Windows 7 x64.

Reply | Quote

I have done a different type of analysis for Windows 7 x64. I found that there are no files in common (by filename) between the files in Windows6.1-KB3170455-x64.msu and windows6.1-kb3192391-x64_8acd94d8d268a6507c2852b0d9917f4ae1349b6c.msu, and no files in common (by filename) between the files in Windows6.1-KB3170455-x64.msu and windows6.1-kb3197867-x64_6f8f45a5706eeee8ac05aa16fa91c984a9edb929.msu. In other words, for Windows 7 x64, the October and November security-only updates contain 0 files (by same filename) that are in the MS16-087 update.

Steps to reproduce:
1. Install Microsoft’s CBS Package Inspector. Details: https://blogs.msdn.microsoft.com/windows-embedded/2012/12/05/powertoys-make-life-easier-cbs-package-inspector/. Download: https://twitter.com/tfwboredom/status/561600460654911489. The file is digitally signed by Microsoft, so it should be safe to use.

2. Use CBS Package Inspector to list the filenames in Windows6.1-KB3170455-x64.msu.
Results:
Inetpp.dll
Inetppui.dll
Localspl.dll
Ntprint.dll
Ntprint.exe
Win32spl.dll
Winprint.dll
Wpnpinst.exe

3. Use CBS Package Inspector to search for each of the files in step 2 in windows6.1-kb3192391-x64_8acd94d8d268a6507c2852b0d9917f4ae1349b6c.msu (Rename this file first to windows6.1-kb3192391-x64.msu or else you will get an error). Result for all 8 files: no files found.

4. Use CBS Package Inspector to search for each of the files in step 2 in windows6.1-kb3197867-x64_6f8f45a5706eeee8ac05aa16fa91c984a9edb929.msu (Rename this file first to windows6.1-kb3197867-x64.msu or else you will get an error). Result for all 8 files: no files found.

Conclusion: For Windows 7 x64, the October and November security-only updates do not contain fixes for MS16-087.

Reply | Quote

Potentially bad news from “More on Windows 7 and Windows 8.1 servicing changes” – https://blogs.technet.microsoft.com/windowsitpro/2016/10/07/more-on-windows-7-and-windows-8-1-servicing-changes/:

“[Desired outcome] You install all security updates as we release them, and some non-security fixes to address specific problems.

Since the organization will typically be deploying only the security-only fix, see the previous section for full details. In cases where there is a need to deploy one or more non-security fixes, manually approve the latest monthly rollup that contains the needed fixes.”

Is it fair to interpret this as meaning that Microsoft’s solution to bugs in security-only updates is to install a monthly rollup that fixes the bug?

Reply | Quote

Not clear at this point.

Reply | Quote

How do you interpret this about the preview patches from 11/8/16 (link to Technet blogs from @MrBrian above)?

“This will be published to WSUS using the “Updates” classification as an optional update. It will also be available via Windows Update (where all consumer PCs will install it) and on the Windows Update Catalog.”

Does this imply that the previews will eventually become checked important updates that everyone will install and become beta testers for MS? Aren’t all previews cumulative, so that if you install one you also get everything it supersedes (the only non-cumulative being the security-only patches)?

Reply | Quote

Not clear if the previews are cumulative; my guess is that they aren’t.

Yes, the preview released last Tuesday will become the Monthly rollup next month – with security patches added, and any problems with the preview (hopefully) resolved.

Reply | Quote

I think the previews might be cumulative. This from the Win7 update history site:

“This update includes improvements and fixes that were a part of Monthly Rollup KB3197868 (released November 8, 2016). This update also includes these new quality improvements and is a preview of the next Monthly Rollup update. Key changes include:”

Also, I may have misinterpreted, thinking the preview ITSELF would be a checked important. Didn’t think about it as part of the next month’s rollup – which is probably the right interpretation.

Reply | Quote

Yes. They first appear as unchecked, optional, on the 3rd Tuesday.

Reply | Quote

The preview rollups are cumulative. They contain everything from the last monthly rollup (including its security fixes), plus some additional non-security fixes. Those additional non-security fixes will be included unaltered in the next monthly rollup. Source: first diagram at https://blogs.technet.microsoft.com/windowsitpro/2016/10/07/more-on-windows-7-and-windows-8-1-servicing-changes/.

Reply | Quote

Absolutely right! I forgot all about that diagram.

Reply | Quote

Regarding my prior statement that “Those additional non-security fixes will be included unaltered in the next monthly rollup”: I meant that at the “chunk” level in the diagram, not at the file level. A newer “chunk” can update a file contained in an older “chunk.”

Reply | Quote

I made a diagram indicating supersedence data for the existing rollups from the Microsoft Update Catalog, as well as my predictions for the next two months of rollups.

Oct PR——–Nov PR——–Dec PR——–Jan PR

Oct MR——–Nov MR——–Dec MR——–Jan MR

Caption:
MR means “monthly rollup”
PR means “preview of monthly rollup”

Rules: If you can travel between any two rollups either east or southeast along the lines, then the earlier-visited rollup is superseded by the later-visited rollup.

Reply | Quote

+1

Reply | Quote

It’s clear 😀
Microsoft is obligated to fix security issues in the Security Only Update, but they are not obligated to fix non-security issues

Reply | Quote

@Clueless,

I am aware of the Rollup and Update difference that MS has coalesced around and I do try to keep it straight,

but in that particular post I had the right meaning in my head while typing the opposite word (rollup instead of update)!

This is why I also try to add the qualifiers “Security-Only” and “Group B” to the name. Or “Cumulative” and “Group A”.

Reply | Quote

abbodi86,

Just help me to make certain I fully understand what you are saying.

Does this mean that if in the process of doing a security update, a problem was created that did not constitute a security issue, then they would not feel obligated to put that fix in the security-only stream?

Critical question to me! Because it means B is a dead alternative if that is the case.

CT

Reply | Quote

That didn’t format as I had intended it. The three ” ” on the second line are supposed to be 3 separate lines:
1. From Oct PR to Nov MR
2. From Nov PR to Dec MR
3. From Dec PR to Jan MR

Reply | Quote

I was wondering about your original description. 🙂

You might try using a Ctrl+Enter to break lines. Not sure if that’ll work or not.

Reply | Quote

Here is the fixed diagram: http://pastebin.com/2cLnbdqh

Reply | Quote

OIC! Yes, that’s the way it should go…

Reply | Quote

I can’t assure this is conclusive for all bugs, but so far that what’s seems to be
either because they want to push users to use Monthly Rollup, or because they simply consider Security Only update is for security fixes only

Reply | Quote

For every operating system with the new update servicing model, there are no files in common (by same filename) between MS16-087 and the relevant October security-only update, and there are no files in common (by same filename) between MS16-087 and the relevant November security-only update.

How to reproduce:
1. Compare file list at https://support.microsoft.com/en-us/kb/3170455 section “ia64” of “Windows 7 and Windows Server 2008 R2 file information” to file list https://support.microsoft.com/en-us/kb/3192391 section “ia64” of “Windows 7 and Windows Server 2008 R2 file information.”

2. Same as step 1 except use “x86” sections.

3. Same as step 1 except use “x64” sections.

4. Compare file list at https://support.microsoft.com/en-us/kb/3170455 section “ia64” of “Windows 7 and Windows Server 2008 R2 file information” to file list https://support.microsoft.com/en-us/kb/3197867 section “ia64” of “Windows 7 and Windows Server 2008 R2 file information.”

5. Same as step 4 except use “x86” sections.

6. Same as step 4 except use “x64” sections.

7. Compare file list at https://support.microsoft.com/en-us/kb/3170455 section “x86” of “Windows 8.1 and Windows Server 2012 R2 file information” to file list https://support.microsoft.com/en-us/kb/3192392 section “x86” of “Windows 8.1, Windows RT 8.1 and Windows Server 2012 R2 file information.”

8. Same as step 7 except use “x64” sections.

9. Compare file list at https://support.microsoft.com/en-us/kb/3170455 section “x86” of “Windows 8.1 and Windows Server 2012 R2 file information” to file list https://support.microsoft.com/en-us/kb/3197873 section “x86” of “Windows 8.1 and Windows Server 2012 R2 file information.”

10. Same as step 9 except use “x64” sections.

11. Compare file list at https://support.microsoft.com/en-us/kb/3170455 section “x64” of “Windows Server 2012 file information” to file list https://support.microsoft.com/en-us/kb/3192393 section “x64” of “Windows Server 2012 file information.”

12. Compare file list at https://support.microsoft.com/en-us/kb/3170455 section “x64” of “Windows Server 2012 file information” to file list https://support.microsoft.com/en-us/kb/3197876 section “x64” of “Windows 8 and Windows Server 2012 file information.”

In each of these 12 steps, there are no files in common (by same filename).

Conclusion: Very likely there are no fixes to MS16-087 in any of the October 2016 security-only updates or November 2016 security-only updates.

Reply | Quote

It was me (MrBrian) that posted that. Apparently I forgot to give my name.

Reply | Quote

If there is a fix included in Security-Only update, Microsoft won’t hide it, they will update KB article to mention that

Reply | Quote

@poohsticks

“but in that particular post I had the right meaning in my head while typing the opposite word (rollup instead of update)!”

Been there, done that. Don’t worry, be happy.:-)

SOUpdate SMRollup

Reply | Quote

What I said above is wrong. I had based it upon supersedence data listed in the Microsoft Update Catalog. However, post http://marc.info/?l=patchmanagement&m=147948904506660 from abbodi86 made me question it. Testing reveals that the supersedence diagram for the existing cumulative rollups is:

Oct MR – Oct PR – Nov MR – Nov PR

Reply | Quote

Possible counterexample?: KB3197867 seems to contain the same non-security fixes as in KB3200006 (by the supersedence data in Microsoft Update Catalog), but this is not documented in KB3197867.

Reply | Quote

@Woody,
re: “Not clear if the previews are cumulative; my guess is that they aren’t.”

Earlier, before the new updating system was put into place, when we were hoping that the new Previews would be a way to get just one particular month’s non-security patches,

without obligating oneself to take all cumulative patches from prior months that are in the main monthly Rollup,

(if a need arose to obtain a particular patch that was “non-security”, even though one generally wanted to be in Group B most of the time) —

I am pretty sure that in September I found some quotes where Microsoft officially said that the Previews were also going to be cumulative, therefore scuppering that idea, and I posted those quotes here at AskWoody.com.

Reply | Quote

Woody, how do you feel about Group B now??

CT

Reply | Quote

@PKCano:

How do you determine that some updates are “Catalog only”? I’m trying to get as much information as possible before I make any moves.

Thank you for any information you may be able to provide.

Reply | Quote

I don’t have any problem with it. But I’m still not completely comfortable with it. The one redeeming social value: It’s very easy to switch from Group B to Group A.

Reply | Quote

I’ll add one more to the list:
6. Microsoft’s policy on including non-security fixes in security-only updates could change in the future from its current policy.

Reply | Quote

You are right 🙂

however, they documented it indirectly in IE update article
https://support.microsoft.com/en-us/kb/3197655

even though it’s ment for Vista, but the listed GDR fixes applies to IE11 and Edge, including KB3200006 fix

this same article would have been for all IE versions if they didn’t decide to include IE11 in the Mnthly/Security-only updates

Reply | Quote

https://support.microsoft.com/en-us/kb/894199

check “Deployment:”

Reply | Quote

Do you think it would be much of a problem to switch from C to A?

CT

Reply | Quote

None at all. And as the rollups get more of the older patches, making the switch will ultimately become just one patch.

Reply | Quote

That’s it! I think that is the best strategy.

Basically, take only .net and office updates in WU and no others. We will see where that takes us in a year or so. If we are experiencing too many problems that cannot be tolerated, we will install the rollup of the month and then be an A. Probably best to switch browsers away from IE as well.

Sounds like a practical and sensible strategy to me. In fact it makes so much sense for the average user, it looks like the only one. So much so, that I think I will RECOMMEND this to my clients.

B is not for the common person. It is too complex and too likely to result in botched systems.

CT

Reply | Quote

If you’re having an issue with a particular security-only update, you can uninstall it, leaving your computer vulnerable. A later month’s security-only update might contain updated versions of the files that fix the issue you had with the earlier problematic security-only update, at which time it would then be ok to install the earlier problematic security-only update to make sure that you have all of the security bits. The problem is how are you going to know when (if ever) the time comes that it’s ok to reinstall the earlier problematic security-only update? That’s the big problem with being in Group B, in my opinion.

Reply | Quote

It is a big problem, although Microsoft has generally fixed bugs in its security patches sooner or later.

Reply | Quote

You’ll also need the servicing stack updates.

Reply | Quote

Too big a problem for 99% of users. In fact, I am at the point of rejecting group B as a viable strategy. Way to many land mines that MS is unlikely to give a hoot about.

At this point, unless someone can point to a flaw in this strategy, my plan is to recommend to my clients they use WU to install .net and MS Office updates, and no other updates other than things like C+.

If at some point down the road, say a year from now, we find serious problems with this, we can switch to group A by just installing the latest WU all-in.

I will also recommend they seriously consider switching to a NON-IE browser.

CT

Reply | Quote

@abbodi86:

Thank you so much for this valuable information! It shows everything!! Wunderbar!!

Your knowledge and expertise are amazing, admired, and appreciated by everyone who reads your posts!!

Thank you once again! 🙂

Reply | Quote

@poohsticks

Back on 23 Oct this thread you discussed Firefox VPN leaks.

Checking my Firefox v50.0 I see the changes ch100 recommended have been made. Not by me.

media.peerconnection.enabled;false

“…To fix it natively, without add-ons, you would have to type about:config in the address bar and in the page with configurations, identify media.peerconnection.enabled and set to false. There are add-ons which would do the work for you, but I prefer to keep the extra software at minimum.”

Reply | Quote

Good news for Group B: Non-security issues introduced in security updates are being fixed in the security-only updates. Example: Look at the list of fixed issues in https://support.microsoft.com/en-us/help/4038779; a WordPad crash issue introduced in a previous security update was fixed in KB4038779, although there appears to be no security-related fix for WordPad in KB4038779 (according to https://www.thezdi.com/blog/2017/9/12/the-september-2017-security-update-review).

2 users thanked author for this post.

walker, HiFlyer

Reply | Quote

MrBrian wrote:

Good news for Group B: Non-security issues introduced in security updates are being fixed in the security-only updates. Example: Look at the list of fixed issues in https://support.microsoft.com/en-us/help/4038779; a WordPad crash issue introduced in a previous security update was fixed in KB4038779, although there appears to be no security-related fix for WordPad in KB4038779 (according to https://www.thezdi.com/blog/2017/9/12/the-september-2017-security-update-review).

New name for you…..Hawkeye!    Many thanks  HF

1 user thanked author for this post.

MrBrian

Reply | Quote

The “Improvements and fixes” section of the security-only updates made its first appearance in April 2017.

Reply | Quote