MS-DEFCON 1: Don’t apply ANY Windows or Office patches

Topic

New Reply

I sure hope you folks followed my advice and locked down Windows Update prior to yesterday’s debacle. Going through the reports of Windows 7 and 8.1 m
[See the full post at: MS-DEFCON 1: Don’t apply ANY Windows or Office patches]

13 users thanked author for this post.

Elly, David F, JDeC, wdburt1, Pepsiboy, Karlston, BobbyB, Bill C., AJNorth, HiFlyer, MikeFromMarkham, Noel Carboni

Reply | Quote

Replies

It’s good to see that MS-DEFCON 1 can be fired up on occasion. I believe it’s the right call.

Thank you for keeping a cool head and bringing reason to the game, Woody.

I have to admit to wondering, myself, whether to step up the timescale for application of this month’s patches because of the reports of that Office zero-day. I only late last night learned that a recipient has to actively run an eMail attachment in order to be infected by it. Many sites, in their haste to sell their security packages, didn’t bother to dispel the worry that just having one of the bad eMails arrive in one’s inbox was enough to get the malware.

-Noel

7 users thanked author for this post.

Elly, walker, JDeC, Karlston, BobbyB, 212louis

Reply | Quote

Noel,

I’d like your take. I sent Woody an email re: the April .NET Security Only update x64. (I’m group C since the patchocalypse and I do only .NET Security Only updates when available ).

When searching the April 2017 Security Only .NET update in the MS catalogue, the  search result provides a “Download” link for KB4014985…that  Download button  opens a window that provides 4 links that seem to NOT correlate to the KB4014985.

Do you have any thoughts on this? Do you know which of those 4 links are actually the April Security Only .NET update for Windows 7 x64?

(Could MS make this anymore confusing??)

(Not updating anything yet, just preparing)

TIA

Download

Download Updates

April, 2017 Security Only Update for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 on Windows 7 and Windows Server 2008 R2 for x64 (KB4014985)

ndp46-kb4014552-x64_32e1c3af9a27962c93682fc66584803baa729782.exe

ndp46-kb4014558-x64_900b63e9c928af1224ba91e4a0d0a14cceee92f6.exe

windows6.1-kb4014573-x64_12e4991474e5150382f317efd3fcbd8a13090ce5.msu

ndp45-kb4014566-x64_95b57712424a36cac3fc2f27fcc12e4555a80afd.exe

 

Original Search results link:

http://www.catalog.update.microsoft.com/Search.aspx?q=April%202017%20.NET%20Security%20Only%20update%20Windows%207

1 user thanked author for this post.

walker

Reply | Quote

212louis wrote:

I’d like your take.

(Not updating anything yet, just preparing)

I think you’re taking the right stance. Weigh the risk and make the “go” decision when you feel you understand it well enough.

How quickly you feel you have to install security updates depends on your confidence in your own security landscape. If your computing practices and technical perimeter keep you from knocking heads with malware much if at all, then you can guess that having an unpatched system isn’t that risky. Don’t forget that Microsoft didn’t release the security patches the day after they got the code fixed either – they waited until patch Tuesday.

Regarding keeping an older system up to date with the latest functionality updates, then again you have to use your judgment. How often do you expect to install/use new software that requires the updated functionality?

Personally I have two different systems for which I have made two different decisions. I have a Win 7 system that functions as a server that I have chosen to stop at a mid-2016 level of update, because I don’t actually need to install new software and it runs for as long as needed without a glitch. I also have a Win 8.1 workstation that I use interactively and conservatively keep up to date. Right now it’s up to date with general updates from January and some more current security patches, and I’m waiting to see whether the April functionality (group A) Updates bring unacceptable downsides.

I’m also continually evaluating whether I need functionality from Windows 10 in order to continue doing business. So far I haven’t needed it, but if I should I already know the downsides and rewards because I have outfitted test systems with Windows 10 and gotten to know them.

TL;DR: Do what you can to gain knowledge, both directly and by reading what others write, then use your best judgment.

-Noel

1 user thanked author for this post.

Elly

Reply | Quote

Noel Carboni wrote:

Don’t forget that Microsoft didn’t release the security patches the day after they got the code fixed either – they waited until patch Tuesday.

How do you know when they got the code fixed (and tested)?

Reply | Quote

b wrote:

How do you know when they got the code fixed (and tested)?

They don’t just fix their security holes only once a month, right before Patch Tuesday.

How do you know they tested it?

-Noel

2 users thanked author for this post.

HiFlyer, woody

Reply | Quote

Does this apply to the older ones?  Either way, I am uninstalling the patches as I usually trust the “security only” patch and the .NET framework patch.

Fortran, C++, R, Python, Java, Matlab, HTML, CSS, etc.... coding is fun!
A weatherman that can code

Reply | Quote

You have to do what you’re comfortable with, but regarding changing a system that’s already got patches from before and has been running okay… I suggest a healthy dose of this should be applied:

If it works, don’t fix it.

-Noel

4 users thanked author for this post.

walker, JDeC, Pepsiboy, woody

Reply | Quote

I suppose so.  I don’t even know what processor I have to know whether or not I’m at risk.  I’ll post a reply when I find out… restarting to uninstall in 3… 2… 1…

Fortran, C++, R, Python, Java, Matlab, HTML, CSS, etc.... coding is fun!
A weatherman that can code

Reply | Quote

Try using CPU-Z.

1 user thanked author for this post.

HiFlyer

Reply | Quote

Didn’t need to!  I looked at system info and found out I have a 5th generation processer 🙂

Fortran, C++, R, Python, Java, Matlab, HTML, CSS, etc.... coding is fun!
A weatherman that can code

Reply | Quote

Noel,

Appreciate your response, thanks.

That said, do you have any idea on the Update catalogue providing FOUR links in the download window that do not correspond to the <span style=”color: #000000; font-family: ‘Helvetica Neue’, Helvetica, Arial, sans-serif; font-size: 14px;”>KB4014985 update.</span>

In trying to keep this simple, a user searches the MS catalogue for the April .NET Security Only update for W7 x64, the search returns the update but the download link shows FOUR different active links. Which link is the KB 4014985 ??

(Both the search result link and the result(s) of the Download link are included in my original response and included below. If you could, click through these links to see what I’m talking about. Something is not right.)

Search result…

http://www.catalog.update.microsoft.com/Search.aspx?q=April%202017%20.NET%20Security%20only%20Windows%207%20×64%20

 

Download

Download Updates

April, 2017 Security Only Update for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 on Windows 7 and Windows Server 2008 R2 for x64 (KB4014985)

ndp46-kb4014552-x64_32e1c3af9a27962c93682fc66584803baa729782.exe

ndp46-kb4014558-x64_900b63e9c928af1224ba91e4a0d0a14cceee92f6.exe

windows6.1-kb4014573-x64_12e4991474e5150382f317efd3fcbd8a13090ce5.msu

ndp45-kb4014566-x64_95b57712424a36cac3fc2f27fcc12e4555a80afd.exe

 

1 user thanked author for this post.

walker

Reply | Quote

Noel,

Do you know which of the FOUR links in the Download window is the correct April .NET Security Only update for Windows 7 x64??

(Seems my 2nd response got lost in the “internet of things”)

Reply | Quote

I would guess that the number after the “ndp” is indicative.

1 user thanked author for this post.

walker

Reply | Quote

I wish Microsoft would just make their stuff work. I mean what’s next? Are going to block drivers from working?

Reply | Quote

Don’t give them any ideas. 🙂
Technically, that’s just about what they’re doing here. The CPU kernels/architecture updates aren’t being allowed in anything other than 10, even though 1) AMD/Intel are willing to provide them (evident by these pieces of hardware working in Linux) and 2) Win8.1 is not in Extended Support phase yet (meaning feature updates are supposed to still be provided).

People call them “Microshaft” for a reason. 🙂

2 users thanked author for this post.

BobbyB, Karlston

Reply | Quote

The current state of (lack of) info available from Microsoft for security updates …….
https://www.theregister.co.uk/2017/04/11/patch_tuesday_mess/

Reply | Quote

No problem with Defcon 1 , group W since November of 2016.

Reply | Quote

I’m starting to lean more that way myself.
Every month, you have patches released that cause nothing but problems for several weeks, and then after, things just quiet down like they’re “fixed”. At this point I’m more concerned about what they’re trying to sneak in than what they’re trying to actually fix.

The CPU microcode detection update, for instance – that shouldn’t be something that anyone receives on 7. That’s not a security update, that’s a feature update. I thought we weren’t getting those? [sarcasm] Oh, but they’re making an exception for this one, because it provides for further OS version prodding and forceful upgrades.

Reply | Quote

In my way of thinking, whether you have an older machine or a newer machine with Win 7 or Win 8.1 the safest thing to do is click on ‘Services’ go down the list and double click on Windows Update then click on ‘disable’ then click ‘apply’ then if not stopped click on ‘stop’ then click on’OK’ then exit Services.  When it is OK to apply updates just reverse above.  What do you all think? (to Woody and Noel Carboni)

Reply | Quote

Not a bad solution. But how are you certain that it won’t find a way to turn itself back on again?

Reply | Quote

– Make a backup, just in case. Always backup before you sc**w up!

– Download the stand alone installation (or update) for the Windows Update Client. If you can find a version previous to all these shenanigans, even better. You might eventually need it in the future, even if just for some manual installation of selected updates.

– Delete the Windows Update service.

– For the overkill, get lost on the C:\windows\winSxS and have fun butchering traces of Windows Update Client there. And Media Player. And Windows Mail. And IE. And that ton of Chinese, Japanese and Korean trash that should have never been stuffed into that install.

 

There! If it’s not there at all of if it is, it’s in such a broken state that I dare Micro$oft to try to do something out of this. If they can brake it, why can’t I? 😉

 

(another anonymous)

Edited for content

Reply | Quote

The problem of the update client is not a complicated as that. Go to this thread.

http://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-7-update-solution/f39a65fa-9d10-42e7-9bc0-7f5096b36d0c

It was published last August and has been used by literally hundreds of thousands. Note the length of the string. It goes on for over 120 pages. It works just fine. I use it at least once a week. It is a one time thing. Make certain KB3020369 is installed first, then install KB3172605. From that point onward, WU works quite well — of course that depends on how much you really want to use it, which of course is the subject of this forum.

CT

3 users thanked author for this post.

HiFlyer, walker, MrBrian

Reply | Quote

anonymous wrote:

Not a bad solution. But how are you certain that it won’t find a way to turn itself back on again?

It CAN happen. I’ve personally seen it happen.

This year, for example, at the time I installed TurboTax on my Windows 8.1 workstation I shortly thereafter found unexpected entries in my firewall log that showed Windows Update had been started – even though I had set it to Disabled – and was trying to contact Microsoft (it failed, because I also reconfigure my firewall to disallow updates).

Sure enough, when I looked, I found this situation:

Looking at the details in the Windows event logs, I saw that when the TurboTax installer was started it changed my setting from Disabled to Manual, started the service, then changed it back to Disabled! Not at all what one would expect of an application installer. Coincidence? Maybe. In any case, something changed the startup type of the Windows Update service.

Moral of this story: Settings are just that – settings – and some software vendors have been losing their compulsion to heed them.

Secondary observation: A multiple layer security strategy can in some cases actually be necessary.

I myself keep the Windows Update service Disabled and my firewall configured to disallow communications with the list of servers below except when I want to apply updates. I do this on all my systems, running Win 7, 8.1, and 10, and I recommend it for those who want to retain control. I can verify that Windows Defender / MSE do keep themselves up to date without Windows Update running.

List of update servers/domains I only allow when actually doing updates (the items starting with “WU”):

-Noel

4 users thanked author for this post.

HiFlyer, walker, Elly, Karlston

Reply | Quote

I am following PKCano’s guide, but only up to and including February (non-existent.) I am adding Office patches BEFORE March only. This is the first time my clients have had updates since last October. It may be the last time ever — ala Group W.

Note, my clients’ newest Office is Office 2010. Not one of them has bought a more recent version.

CT

1 user thanked author for this post.

HiFlyer

Reply | Quote

Ouch, pre-alpha patches in the wild. Not good.

Reply | Quote

Following on from a previous post. I look at this logically (and very non technically), and what I am seeing is that there is something not right about a patch from last night loading on Win 7 Professional with Office Pro 2010. After loading and rebooting the machine hangs on restart.

Win 7 and Office 2007 or 2016 do not seem to be affected.

I have 68 workstations with different clients that have brought me to these conclusions. I should have waited!!!

A local switch off / on seems to fix the issue.

Hopefully this helps one of you more technically minded helpers

Reply | Quote

Bigpaul, you would be wise to follow Woody’s MS-Defcon advice. Do NOT update.

CT

3 users thanked author for this post.

HiFlyer, walker, Bigpaul101

Reply | Quote

I assume that Windows Defender and Malicious Software Removal Tool are OK to install?

iPhone 13, 2019 iMac(SSD)

Reply | Quote

pmcjr, I would not recommend the MSRT. It rarely produces anything useful. A reasonable antivirus software installation far outstrips it. In addition, MSRT is now a suspect spyware tool used by Microsoft.

CT

11 users thanked author for this post.

HiFlyer, walker, Elly, David F, Ascaris, JDeC, BobbyB, Microfix, Karlston, zero2dash, AElMassry

Reply | Quote

CT is absolutely spot on.
https://www.askwoody.com/2016/telemetry-from-the-malicious-software-removal-tool/

2 users thanked author for this post.

HiFlyer, Microfix

Reply | Quote

Thanks, CT.  I have a good antivirus plus Malwarebytes, but I’ve always thought if MSRT catches one more infection, it’s worth it.  As long as it’s not breaking my PC.

iPhone 13, 2019 iMac(SSD)

Reply | Quote

The problem is that… I’ve never had MSRT pick up any problems.

That said, I don’t see where this MSRT is any worse than its predecessors. And Defender updates are always OK.

2 users thanked author for this post.

Noel Carboni, HiFlyer

Reply | Quote

Woody, in years and years of applying MSRT to hundreds of machines, I can recall ONE instance of it turning up anything. We’re talking of thousands of instances. I strongly suspect that my choice of AV has been the reason.

That sure tells me it is pretty worthless. Why would I risk MS installing spyware in MSRT? No value to it.

CT

3 users thanked author for this post.

HiFlyer, walker, Microfix

Reply | Quote

MSRT is just another means of ‘accepted via EULA’ telemetry since July 2016 IIRC

As CT has pointed out, a good up to date AV/Antimalware is suffice if you’re in the anti-snooping camp.

Windows - commercial by definition and now function...

2 users thanked author for this post.

Canadian Tech, HiFlyer

Reply | Quote

MSRT has never done anything bad to any system I’ve seen run it, NOR has it turned up any unexpected malware. If it potentially could catch something in the general case, so why not let it run?

I suspect it’s more of a “for dummies” malware mitigation, and folks in-the-know have other, better means to keep malware out – which is why we adept computer managers don’t see MSRT catch anything on our systems.

The one thing no one really discusses much regarding the unsaid philosophy of “security is good and more security is better” is how much time is being wasted checking for malware.

• Does everyone wait a few minutes longer for their updates to finish while MSRT runs?
  
• Does everyone have a computer that’s half as powerful as it could be if only it weren’t constantly checking to see if malware has sneaked in and infected it?

I’ve recently done some testing with and without Windows Defender and with and without MalwareBytes v3, and the amount of responsiveness and compute capacity lost just to run the anti-malware software is not insignificant!

What price security?

-Noel

Reply | Quote

I suspected there was something wrong with MSRT along time ago by virtue of the fact I must always “Agree” to run it… Case in point, I never had to “Agree” to run an antivirus scan. By the way I never agree to allow MSE send suspicious files to Microsoft or join MAPS. The term “suspicious files” is too vague… Microsoft and their friends at the NSA think every file is suspicious.

Reply | Quote

woody wrote:

don’t open any Word docs attached to email messages!

In the real world, can this really be better advice than applying the patch?

Waiting to see how many millions get hit?

Many combinations of Microsoft Word and Windows support “Protected View” for documents downloaded from the internet or opened directly from the email. In these cases, the user needs to “Enable Editing” before the exploit runs. However, most users are accustomed to enabling editing.
https://www.proofpoint.com/us/threat-insight/post/dridex-campaigns-millions-recipients-unpatched-microsoft-zero-day

1 user thanked author for this post.

NetDef

Reply | Quote

b wrote:

In the real world, can this really be better advice than applying the patch?

Waiting to see how many millions get hit?

There is no room for hype on this forum.

If you have an inkling of the concept of “risk vs. reward” then you’ll understand that it’s what’s in play here. Who can possibly know the risk yet? Even Microsoft employees at this point have no testing to back up their positions.

Knowing what we know of Microsoft’s behavior, do you still trust them implicitly to do no harm to your system? Or do you just not care whether other folks’ computing experiences are disrupted.

Not to mention the elephant in the room…

If getting the patch out was SO incredibly important to protect those millions, why didn’t Microsoft release the patch last week? The vulnerability has been known since when?

Lastly?

Have you already installed the updates on YOUR personal machine? I see that you haven’t offered your personal experience about whether your system(s) are working after the update.

In my case I have seen no problems with a fully updated Windows 10 test system, and a Windows 8.1 test system seems to have weathered the updates well also. But I’m not done testing, so my critical systems remain unpatched until I understand the risk better.

-Noel

4 users thanked author for this post.

walker, Elly, HiFlyer, AElMassry

Reply | Quote

Noel Carboni wrote:

There is no room for hype on this forum.

No hype from me. Woody posted yesterday about millions potentially affected:

woody wrote:

WOW. It is the same vuln I talked about on Saturday, but it looks like somebody figured out how to do it, and sent copies out to millions of people around the world:

https://arstechnica.com/security/2017/04/microsoft-word-0day-used-to-push-dangerous-dridex-malware-on-millions/

Noel Carboni wrote:

If you have an inkling of the concept of “risk vs. reward” then you’ll understand that it’s what’s in play here.

I have. I do.

Noel Carboni wrote:

Who can possibly know the risk yet? Even Microsoft employees at this point have no testing to back up their positions.

How do you know what testing Microsoft have (not) done? They’ve been working on it for weeks.

Noel Carboni wrote:

Knowing what we know of Microsoft’s behavior, do you still trust them implicitly to do no harm to your system?

I trust them to do what they can to protect my system from harm by others.

Noel Carboni wrote:

Or do you just not care whether other folks’ computing experiences are disrupted.

That’s crucially important to me. Do you just not care whether folks’ computing experiences are disrupted by malware attacks during the normal course of their business?

Noel Carboni wrote:

Not to mention the elephant in the room…

If getting the patch out was SO incredibly important to protect those millions, why didn’t Microsoft release the patch last week?

Because it wasn’t public until Friday/Saturday.

Noel Carboni wrote:

The vulnerability has been known since when?

A week or two longer than that (according to FireEye).

Noel Carboni wrote:

Lastly?

Have you already installed the updates on YOUR personal machine? I notice that you haven’t offer your personal experience about whether your system(s) are working after the update.

I didn’t realize my personal experience was so important to you. Yes, I’ve installed yesterday’s Office and Windows updates on MY personal machine and I have not experienced any ill effects.

Noel Carboni wrote:

In my case I have seen no problems with a fully updated Windows 10 test system, and a Windows 8.1 test system seems to have weathered the updates well also. But I’m not done testing, so my critical systems remain unpatched until I understand the risk better.

-Noel

I always install ALL updates on my “production” system immediately and then for others as soon as possible if I don’t suffer a catastrophic failure. In the last 22 years I can only remember one or two minor glitches easily rectified after updates.

Reply | Quote

b wrote:

I didn’t realize my personal experience was so important to you. Yes, I’ve installed yesterday’s Office and Windows updates on MY personal machine and I have not experienced any ill effects.

Thank you kindly for contributing something useful here.

-Noel

2 users thanked author for this post.

MrJimPhelps, HiFlyer

Reply | Quote

From the article Woody linked:

Microsoft, which according to McAfee has known of the remote-code vulnerability since January

I can understand they didn’t want this publicly known, but a fix should have been pushed out long by now; there’s no excuse for that.

Reply | Quote

zero2dash wrote:

From the article Woody linked:

Microsoft, which according to McAfee has known of the remote-code vulnerability since January

I can understand they didn’t want this publicly known, but a fix should have been pushed out long by now; there’s no excuse for that.

McAfee didn’t say that in their article on Friday. They said, “Yesterday, we observed suspicious activities from some samples.”
https://securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/

Reply | Quote

@ b

Excerpt from ……. http://www.pcworld.com/article/3187800/security/email-based-attacks-exploit-unpatched-vulnerability-in-microsoft-word.html
…

“By searching back through its data, McAfee has tracked down attacks exploiting this vulnerability to late January.”

Reply | Quote

Does that show that Microsoft was aware of it in January?

Reply | Quote

Microsoft, which according to McAfee has known of the remote-code vulnerability since January, has yet to issue any sort of public advisory. It’s hard to excuse the silence given the scope of the exploit campaign reported by Proofpoint, which is now at least the third security company to publicly warn of the critical vulnerability since Friday.

https://arstechnica.com/security/2017/04/microsoft-word-0day-used-to-push-dangerous-dridex-malware-on-millions/

Reply | Quote

“Who can possibly know the risk yet? Even Microsoft employees at this point have no testing to back up their positions.”

Neil,

What is the basis for your comment? 27 years in IT and having used Microsoft products since DOS 1.0 it has always been my understanding Microsoft has test labs to run their code, lots of test labs. While I understand Microsoft can’t test every possible scenario and borks a lot of systems the above statement seems unlikely. Do you have some information to the contrary? For the record I’ve taken updates on about 30 computers today and have had no issues.

Reply | Quote

Perhaps I stated that in a bit of an extreme fashion, but the fact is that Microsoft no longer has the professional testing organization they once had. This says that our decades of experience aren’t necessarily valid (yes, I have had a long career of applying Microsoft Updates mostly successfully too).

One of many reports easily found online about the changes at Microsoft:
http://www.businessinsider.com/microsoft-just-laid-off-2100-people-2014-9

Testing will no longer be done by a totally dedicated team, but will be rolled into the developer team. Nadella believes this will reduce bureaucracy and let Microsoft deliver products faster.

-Noel

Reply | Quote

Noel,

A lot of the people who take part in this forum have had one or more experiences in their past when they worked for a major success story like IBM, NCR, DEC, HP. If you were watching, when the exodus began, the first out the door were the best. Those are the guys who have the most portability. Over time, the ones who remained, were not the strongest of the team.

I believe that is what has and continues to happen at Microsoft. That is borne out by the track record we see in Windows Update. It has been one disaster after another. Patches to the patches, etc.

So, Noel, I completely agree. The quality of product from Microsoft today is not even close to what it was a few years back.

CT

4 users thanked author for this post.

walker, Elly, Noel Carboni, HiFlyer

Reply | Quote

Noel Carboni wrote:

I have to admit to wondering, myself, whether to step up the timescale for application of this month’s patches because of the reports of that Office zero-day.

I’m going to install on my clients’ machines today due to potential liability if I ignore/delay it. I will explain that we’re installing without fully testing the patches. So far, the ones I’ve spoken with are appreciative and prefer to get the patch early.

Have installed on all of our test machines and haven’t noted any issues… yet.

Reply | Quote

You have to follow your best judgment of course, but…

Do you have any liability issues by accelerating the install? Or can you just comfortably say, to someone who has had their setup scrogged, “That was Microsoft’s fault” – even though you are already aware of problems?

Remember, as the expert your clients are trusting you to do the right things for them. If you consider their data and uptime no more important than what Microsoft considers them, how are you adding value. I’d suggest whatever you choose to do for yourself you do for them.

-Noel

1 user thanked author for this post.

Karlston

Reply | Quote

Noel Carboni wrote:

– even though you are already aware of problems?

What problems in this case?

Reply | Quote

b wrote:

What problems in this case?

Do you know what “havoc” means?

-Noel

Reply | Quote

Noel Carboni wrote:

b wrote:

What problems in this case?

Do you know what “havoc” means?

-Noel

Yes, I have access to a dictionary thanks.

What was the point of the screen shot?

No known problems so far then?

Reply | Quote

The point was (and is) that there is not enough accumulated positive experience to advise people to go ahead yet.

Do you know what’s interesting?

That I’ve actually just discovered a new and potentially serious problem in my own testing:

Adobe Creative Cloud and Photoshop CC 2017 won’t install successfully on Windows 10 version 1703 build 15063 updated to .138.

I don’t know why it fails; I’ve put out some queries to see if it’s a known issue. In fact, I may not learn why. I don’t even YET know whether it’s a common problem or something specific to just an updated Win 10 system, to version 1703, or even just to one test system.

There is no question Microsoft is a different entity today than it has been in the past. It’s not important to people who care about the integrity of their computing environment what folks did decades ago or even 5 years ago. It’s important what Microsoft is delivering now, today.

Before asking another naïve one-line question please pose this one to yourself: Why do you feel acknowledgement of potential risk has to come with proof?

Ask instead: What evidence do we have that the updates don’t break something new?

And finally, please consider the meaning of this phrase: Healthy skepticism.

-Noel

4 users thanked author for this post.

MrJimPhelps, walker, Elly, HiFlyer

Reply | Quote

Noel Carboni wrote:

Before asking another naïve one-line question please pose this one to yourself: Why do you feel acknowledgement of potential risk has to come with proof?

Why do you feel potential risk (of updating) should outweigh actual risk (of not updating)?

Noel Carboni wrote:

Ask instead: What evidence do we have that the updates don’t break something new?

You’re expecting proof of a negative again. I don’t think anyone can provide that.

Reply | Quote

b wrote:

Why do you feel potential risk (of updating) should outweigh actual risk (of not updating)?

Quantify both risks and one can easily make a decision (though I seriously doubt that you or anyone else can come close to quantifying the risk of being targeted by that Office zero day malware in the next few days or weeks).

Even if one were to accept that there’s a more well-defined risk of getting a malware attack than getting a b** patch, there’s no way to weigh the latter without more experience.

A few more days/weeks of A) personal testing without uncovering problems, and B) others not reporting meltdowns and it will be a better time to make a decision. And I’ll just bet Woody will change the MS-DEFCON level up to some higher number at some day in the near future.

Essentially I see this conversation as you advising making rash decisions, while I’m suggesting gathering more information and making informed decisions.

Why such a push to rush to a decision to take updates without knowing more about them? We are here, in a connected world, with an ability to learn from others’ experience. Just keep yourself from double-clicking on .rtf attachments a little longer.

-Noel

1 user thanked author for this post.

Elly

Reply | Quote

Noel,  seen that error a few times on 1607 and older Win 10.  Not sure if this applies to the new CU but worth a try perhaps?

Try the steps here https://forums.adobe.com/message/7996709#7996709

Noel Carboni wrote:

Adobe Creative Cloud and Photoshop CC 2017 won’t install successfully on Windows 10 version 1703 build 15063 updated to .138.  I don’t know why it fails; I’ve put out some queries to see if it’s a known issue.

 

~ Group "Weekend" ~

Reply | Quote

Not a lawyer, and didn’t stay at a holiday inn express, but I would think my liability would be higher if I didn’t install an update for an exploit actively being abused and reported across many tech sites.

Yes, we did install on 10 of our machines and noticed no issues so far. We give the client the choice but advise, based on our results so far, to go for it. We do have backups of all machines too 🙂

2 users thanked author for this post.

Elly, Noel Carboni

Reply | Quote

Thank you for the clarification. Involving the clients is a reasonable approach.

Regarding updating clients to Windows 10 version 1703, please see my post above… If you have any clients specifically who use Adobe software, you might want to do a bit of additional testing.

-Noel

Reply | Quote

The caveat for us is we manage updates with WSUS . . .  so the following should be read with that in mind.  This is not quite the same scenario where you accept updates directly from MS with only the native client update management tools (which for Win10 is pretty much not much at all.)

We responded to the risk of infection from the Word 0-day vulnerability last night.  We allowed the April security only roll-up on all Win 7 and the cumulative April update for Win 10 machines.  We also allowed all Office security updates including the fix for CVE-2017-0199.

As of this writing, we had zero problems with any of our client workstations during and after last nights update on Win 7 Pro or Win 10 Pro or Win 10 ENT.  We run a mix of Office 2010 and 2016.  A rough count of workstations across all our office sites = 350.

EDIT:  For Win 10 machines we are on the 1607 CBB and are (for now) rejecting the Creators Update until it becomes CBB.

~ Group "Weekend" ~

6 users thanked author for this post.

walker, Elly, Karlston, woody, MrBrian, Noel Carboni

Reply | Quote

THANK YOU for sharing your actual experience. That is arguably one of the most valuable things about this forum, and certainly one of the prime reasons I read it.

-Noel

4 users thanked author for this post.

walker, HiFlyer, samak, Kirsty

Reply | Quote

Update:  Most of the day now — our workstations have been in heavy use — still no problems from our user base, no complaints.  We’re not seeing much fallout from forcing everything to patch last night. (Other than a lack of sleep.)

I updated my ancient (6 years now – Sandy Bridge CPU) and beloved Lenovo Laptop this afternoon and it failed to patch. Got the dreaded roll-back error on bootup. It’s running Windows 10 Pro 1607 and Office 2010.  This would be the machine I abuse on the road the most.

Fixed it by running sfc /scannow followed by a DISM /Online /Cleanup-Image /RestoreHealth and a second sfc /scannow.  All current patches for 1607 and Office 2010 installed with no problems afterwards.

This was very likely self-inflicted . . .   🙂

~ Group "Weekend" ~

1 user thanked author for this post.

Noel Carboni

Reply | Quote

Thanks Woody as always for the prompt advice, and to Noel for his detailed observations.

Naturally I wouldn’t be considering installing any updates this early in the monthly cycle anyway, although I was concerned over the Office threat. However, although I have Office 2010 installed on one of my two Windows 7 machines, I haven’t received any Office updates yet, indeed the last one was back in August last year.

All I have been offered on both machines thus far is the monthly security rollup KB4015549, the .NET framework rollup KB4014981, and the usual MSRT. An optional and unchecked Silverlight update has been hidden as I don’t have Silverlight installed on either machine.

Reply | Quote

Seff,

To get your “missing” Office updates, start Windows Update and look at the left side panel of the window. You should see a link that says “Change settings”. Click that link.

On the new page that just came up, make sure the box labeled “Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows” is checked. It will be listed under the “Microsoft Update” heading below the Important Updates drop-down box. It is NOT one of the choices in the drop-down box itself, but a separate heading below the drop-down box.

Once you’ve done that, make sure you haven’t changed ANYTHING ELSE on the page and click the OK button at the bottom of the window. That should do it, allowing you to now see the updates for Office as well as those for Windows every time Windows Update is run.

I hope this helps!

Reply | Quote

Seff, some people have trouble getting the “Microsoft updates” to work. If that happens to you, here is what you need to do:

Start Internet Explorer, click the gear (upper right) in IE11 and select Compatibility settings and enter Microsoft.com in the list

CT

Reply | Quote

My previous comment about turning off windows update : Woody says that ‘I don’ t advocate turning off Windows Update’. I have to do this on my own machine because I can’t adjust how I get updates, for some reason. It very easy to do and restart. It keeps Microsoft from injecting any update onto your machine before you can get a look at them. This is for individual home machines not tied to company servers. You can turn updates back on when Woody gives the “all’s clear” with Defcon changes, otherwise just sit, read this forum and learn. I am.

Reply | Quote

IE patch KB4014661 breaks MBSA.

While testing, we installed ie11-windows6.1-kb4014661-x64.msu.  After rebooting we run MBSA to verify the patch.  MBSA starts but then fails, complaining about a bad signature file.  Now we don’t have a good way to verify that the vulnerability has been closed until MS either puts out a new signature file or they update kb4014661.  This is on Windows Server 2008 R2.  Have not verified on other supported OS platforms.

-Dan

2 users thanked author for this post.

AElMassry, woody

Reply | Quote

Well…we have performed some isolation testing and it seems that KB4015546 may be the real culprit. Once we run Windows6.1-KB4015546-x64.msu we receive the following MBSA results:

Security assessment: Incomplete Scan
Computer name: WORKGROUP\V-HELLIUM
IP address: //snip//
Security report name: WORKGROUP – V-HELLIUM (4-12-2017 8-31 PM)
Scan date: 4/12/2017 8:31 PM
Scanned with MBSA version: 2.3.2208.0
Catalog synchronization date: 2017-04-10T21:31:59Z
Security Updates Scan Results

Issue:  Security Updates
Score:  Unable to scan
Result: Cannot load security CAB file

2 users thanked author for this post.

Elly, walker

Reply | Quote

Ha! I didn’t even get the March updates… had a look back then and “meh”…

Fun fact: my Windows 7 is an original install originating some two years after release, probably 2011? Had same problem back then on giving up good running stuff! 😀

But this install has been running ultra smooth and rock steady ever since installed! Not a hitch, break-down or what not. As good as I could ever wish for.

Nothing has threatened the stability, no virus, trojans, scripts. Nothing. And I’ve visited place, I’m not that proud of… never had a problem.

But lately? Not so much luck… started with the brilliantly executed Get Windows X campaign. Took quite some manhours to get the system back to it’s old stable state.

The irony? The only thing that ever has caused problems and that really, really scares me and is a very serious threat to my system’s stability – and my sanity – is… microSoft.

Waiting with updates and Noel’s article of how to lock down the Windows 7 system…

2 users thanked author for this post.

walker, Noel Carboni

Reply | Quote

When you get deep enough into this forum and read up on the Group A/B and W(C) theory, you may just realize, like I did, that the risk of applying MS devastating patches is much greater than not applying them at all. At minimum, do NOT apply ANY patches till Woody recommends it through his MS-Defcon rating system. For example, anyone applying those patches today is playing with fire.

If you must choose Group B, do not apply any until they have aged at least one month and better yet two.

CT

4 users thanked author for this post.

walker, Elly, Microfix, wdburt1

Reply | Quote

The first time I booted up my Win7 x64 laptop computer today (04/12/2017), Windows Update ran and I saw there were three important Windows 7 updates:  the April, 2017 Security Monthly Quality Rollup  (KB4015549), the April, 2017 Security and Quality Rollup for .NET Framework (KB4014981), and the Windows MSRT (KB890830).   This afternoon, when I rebooted my laptop after lunch, I see there are now four important Windows 7 updates; the three I saw this morning, plus the March, 2017 Security Monthly Quality Rollup (KB4012215).  I am in Group B and apply the Monthly Security Only Quality updates and therefore, did not install the March, 2017 Security Monthly Quality Rollup.  Rather, I installed the March, 2017 Monthly Security Only Quality update, KB4012212.  Has anyone else in Group B experienced this problem?

 

So glad to see Woody has moved to MS-DEFCON-1.  Well-deserved!

Reply | Quote

Did you by any chance HIDE the Monthly ROLLUP. If you hide this month’s Rollup, last month’s will reappear. It is not recommended to hide updates. UNCHECK them and they will not get installed. Next month’s Monthly ROLLUP will replace it and it will disappear. If you hide them, the one that was superseded will become important and CHECKED.

1 user thanked author for this post.

woody

Reply | Quote

Take some really good advice, Anonymous, set your Windows Update setting at Never and leave it there, forever.

CT

2 users thanked author for this post.

walker, HiFlyer

Reply | Quote

^Easy^ Saves the misery most toil over every Tuesday.

If one is not yet exhausted reading the triads Go here and get a laugh or two.

https://forums.theregister.co.uk/post/reply/3152185

Reply | Quote

No, PKCano, I did not hide the April Monthly Rollup (KB4015549).  I wrote about this issue  because,  due to supersedence,  I should not see both the April Monthly Rollup and the March Monthly Rollup at the same time.  The April Rollup should supersede the March Rollup.  Therefore, I ask again:  Has anyone else experienced seeing both the March and April Rollups displayed in Windows Update?

Reply | Quote

Well, do you have them both? a screenshoot would be helpful 🙂

1 user thanked author for this post.

walker

Reply | Quote

D**n talk about back fires. And anyone care to explain the word exploit ? (I tried reading but couldnt understand). Does just avoiding spam mail with attachments subside ?

Edited for content

Reply | Quote

https://www.welivesecurity.com/2015/02/27/exploits-work/

Reply | Quote

April 12, 2017, update for Word 2016 (KB3085439)
https://support.microsoft.com/en-us/help/3085439

1 user thanked author for this post.

woody

Reply | Quote

We might be in MS-Defcon 1, but since Microsoft has released Windows 8.1, all this beating we’ve been having on our side has in fact been quite lucrative for their stocks:

https://finance.yahoo.com/chart/MSFT#eyJtdWx0aUNvbG9yTGluZSI6ZmFsc2UsImJvbGxpbmdlclVwcGVyQ29sb3IiOiIjZTIwMDgxIiwiYm9sbGluZ2VyTG93ZXJDb2xvciI6IiM5NTUyZmYiLCJtZmlMaW5lQ29sb3IiOiIjNDVlM2ZmIiwibWFjZERpdmVyZ2VuY2VDb2xvciI6IiNmZjdiMTIiLCJtYWNkTWFjZENvbG9yIjoiIzc4N2Q4MiIsIm1hY2RTaWduYWxDb2xvciI6IiMwMDAwMDAiLCJyc2lMaW5lQ29sb3IiOiIjZmZiNzAwIiwic3RvY2hLTGluZUNvbG9yIjoiI2ZmYjcwMCIsInN0b2NoRExpbmVDb2xvciI6IiM0NWUzZmYiLCJyYW5nZSI6IjV5In0%3D

[ by the way, Woody, the graph is not zeroed on the vertical scale 😉 ]

 

So yeah, we’re dying in here, but out there they are quite well. No wonder they won’t listen to us, Nadella has stocks and Dollars stuffing up his ears.

Reply | Quote

Points well taken.

At some point I start feeling like a Volkswagen Bug enthusiast. There was a long period of decline, when it was fun and challenging to keep the old beasts running. But sooner or later, for most of us, reality set in.

1 user thanked author for this post.

HiFlyer

Reply | Quote

1962 (bug eye) and 1966 bus/campers. 1200cc. Jack up the back and drop the engine out on broomsticks. And you could change cylinders individually.

Reply | Quote

This was my bible for many, many years:

https://www.amazon.com/How-Keep-Your-Volkswagen-Alive/dp/0912528001/ref=sr_1_7

 

1 user thanked author for this post.

BobbyB

Reply | Quote

@Woody OMG its still in print? and “ringback/wirebound” too? thats a walk down memory lane 🙂

Reply | Quote

As a former Beetle owner, a ’64, ’65 and ’69 (with overbore), I now know why I stubbornly suffer with Win7-64Pro SP1 and Office 2010.

Just as I moved to the ’77 VW Rabbit with FI and never looked back (kept the ’69 Beetle for a few more years then gave it to my sister), I have began acquiring the parts for the Linux PC build. As with the Beetle, I will keep the Windows 7 machine for certain tasks and gaming probably past EOL, but I have already started to do more browsing and email on Linux (and iOS) than Windows.

I wonder if years later, I will look back at Windows like the Beetle. I sincerely doubt it. With the Beetle, the memories of the leaking running boards and humid defrosters are now ‘character.’ It is a car that when I sit in one today I wonder how I ever had so much fun in a car. They werer so easy to repair and maintain.

Naah, I will NOT look back that way on Windows (or more accurately Microsoft’s misfeasance and sabotage of a decent operating system.)

Reply | Quote

I still have a 1974 Volkswagen Beetle in the garage here at the domicile. It hasn’t run since 1992 (I think). But it will be restored at some time in the future. I have a lot of other things to fix here before that, though. :-I

Important links you can use, without the monetization pitch = https://pqrs-ltd.xyz/bookmark4.html

Reply | Quote

Stock prices can change quickly.  AOL was once so big that it got top billing in a merger with vaunted Time-Warner, but it came crashing down shortly thereafter.  Today, it’s a free email provider used by two (2) people worldwide, and that merger is regarded as one of the biggest blunders in business history.

Irrational exuberance can keep things like real estate bubbles afloat for many years, but sooner or later, reality once again shows its dominance, and it all crashes to the ground.  That’s not to say I think this will happen with MS… only that it might. Sometimes the latest, greatest thing really is all it’s cracked up to be, but more often, it ends up being a dud.

I don’t know whether MS deserves its current market capitalization or not. What I do know is that I keep hearing about how now Microsoft is now the innovator, how it’s the new Apple, all that kind of thing, but the only innovation I see here at ground level is new and innovative ways to make a rude finger gesture at its own customers.

The rest of the stuff is oversold hype, a la The Emperor’s New Clothes, as I see it.  I think that anything including the word “cloud” is part of a fad right now, and while there is obviously some value in what they’re now calling “cloud” (as was the case when all those things were being done without the term “cloud” attached), it’s not any more innovative than it was during the 90s when they called it “thin client” or during the mainframe/terminal era when they called it “computing.”  It’s still having your stuff stored on someone else’s server and having some or all of the computation delegated to someone else.  It’s nothing new– it’s older than the PC, in fact.  The decentralized, client-focused PC was the innovation that did away with all that stuff decades ago, but that’s the status quo now, so everything else begins to look innovative and new, even if it’s the same old stuff.

Business investors seem to really have a weakness for buzzwords and hype.  If you throw in a few “thinking outside the box”es and a few “paradigm shift”s, it must be good!  Now those terms are worn out, but there are always new ones to replace them.  “Innovation” and “cloud” are big ones now.  Sprinkle a few of the buzzwords into the prospectus and watch as the investors salivate on command…

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

1 user thanked author for this post.

Elly

Reply | Quote

Ascaris, one thing I learned a lot of years ago: There is no correlation what so ever between the real value in a company and its stock price. Think IBM, as it was dying, it still had a huge stock price. I have not checked lately, but I think it still does.

I have worked for some of these over-valued companies. Worked in positions in which I knew full well where all the warts were. It never failed to amaze me how gullible stock investors are, and what makes matters worse are stock peddlers who know even less about what they are shouting about.

Think the tech bubble of 2000!

CT

1 user thanked author for this post.

Elly

Reply | Quote

Its a little bit off topic but for the average user and probably quite a few power users as well. maybe time to check your mail settings. Yes I know this about Word attachments but if your ISP supports it may be switch from a POP acc (full download). to IMAP (stays on the server normally), For M$ Office Outlook users that have an outlook.com account may be “rejig” your settings to download headers only or any other account. That way before the thing gets to your machine you can actually check or trust the sender, check your mail rules are there any candidates in there that are trusted if there are can you enable automatic download? Do you share you mail app/machine? Sounds like old tired advice ehh? well yes but many’s the time stuff has been downloaded and potentially infected Word Doc’s have been opened inadvertantly. Do you use Macro’s? do you enable them? sounds like this exploit isnt about Macro’s but thats a regular target.
Got a couple sitting in the inbox right now, one who I know, one that I am not sure of as they both have attachments. Its now a consciously made effort on my part to take a leap in to the unkown and decide to download or not. Got to admit over the years I have got a little “lax” purely for convenience and speed. Ahh but apparently the “malware merchant’s out there never sleep and with M$ offing a fix in an update that is the proverbial “poison chalice” may be time to trade expediency for security 😉

2 users thanked author for this post.

Elly, Bill C.

Reply | Quote

One set of items I forgot to mention: Along with disabling windows update, I disable Diagnostic Policy Service, Diagnostic Service Host and Diagnostic System Host.  This seems to insure that Windows update does not turn on with you turning  it back on. Sorry I omitted these facts.

Reply | Quote

Seff wrote:

Thanks Woody as always for the prompt advice, and to Noel for his detailed observations. Naturally I wouldn’t be considering installing any updates this early in the monthly cycle anyway, although I was concerned over the Office threat. However, although I have Office 2010 installed on one of my two Windows 7 machines, I haven’t received any Office updates yet, indeed the last one was back in August last year. All I have been offered on both machines thus far is the monthly security rollup KB4015549, the .NET framework rollup KB4014981, and the usual MSRT. An optional and unchecked Silverlight update has been hidden as I don’t have Silverlight installed on either machine.

My Win 7-64 Hm Prem showing (1) 2010 Excel, (2) Office, & (1) Outlook (which I don’t have) as of 4/12/17. You made somebody mad at WU to not have Any presented since 8/16 – -I’ve had a number of ’em. Good luck!

W10 Pro 22H2 / Hm-Stdnt Ofce '16 C2R / Macrium Pd vX / GP=2 + FtrU=Semi-Annual + Feature Defer = 1 + QU = 0

Reply | Quote

Is any Intel i5 processor fine even with the update?

Reply | Quote

That’s a surprisingly complex question.

If your i5 is a Skylake (many are not) you need to look up the manufacturer on this list to see if you’ll get updated without incident.

If your i5 is a Kaby Lake (only released very recently), you’ll get zapped.

There’s a list of processors here that may help. Use Speccy to see which processor you have.

1 user thanked author for this post.

JDeC

Reply | Quote

woody wrote:

If your i5 is a Skylake (many are not) you need to look up the manufacturer on this list to see if you’ll get updated without incident.

All Skylake’s are OK until June or July? I can confirm (as a Skylake owner) that you can install Aprill rollup and still be able to search for updates on 8.1.

Fractal Design Pop Air * Thermaltake Toughpower GF3 750W * ASUS TUF GAMING B560M-PLUS * Intel Core i9-11900K * 4 x 8 GB G.Skill Aegis DDR4 3600 MHz CL16 * ASRock RX 6800 XT Phantom Gaming 16GB OC * XPG GAMMIX S70 BLADE 1TB * SanDisk Ultra 3D 1TB * Samsung EVO 840 250GB * DVD RW Lite-ON iHAS 124 * Windows 10 Pro 22H2 64-bit Insider * Windows 11 Pro Beta Insider

Reply | Quote

Actually, MS has not communicated anything about Skylake computers that are not on the list, as far as I can tell. I am in the same boat as you and have been reading a few weeks ago what I could find about those computers. What they said was that Skylake computers on the list will be supported until 2020 (Win7), but absolutely nothing about other Skylake computers. That is why I am following the Kaby Lake issue with interest, as the block may well happen soon and unexpectedly for Skylake computers that are not on the list too.

But what I have been wondering is if and how MS is able to check whether a computer is on “the list”. I know they can check for the CPU by checking the CPUID, but can they also check for the brand and type of computer?

1 user thanked author for this post.

woody

Reply | Quote

Pim wrote:

I know they can check for the CPU by checking the CPUID, but can they also check for the brand and type of computer?

They can check ID string of the mainboard (I guess that’s where they’d be looking) – not sure if these are so unique you can easily distinguish between supported and non-supported OEM.

Fractal Design Pop Air * Thermaltake Toughpower GF3 750W * ASUS TUF GAMING B560M-PLUS * Intel Core i9-11900K * 4 x 8 GB G.Skill Aegis DDR4 3600 MHz CL16 * ASRock RX 6800 XT Phantom Gaming 16GB OC * XPG GAMMIX S70 BLADE 1TB * SanDisk Ultra 3D 1TB * Samsung EVO 840 250GB * DVD RW Lite-ON iHAS 124 * Windows 10 Pro 22H2 64-bit Insider * Windows 11 Pro Beta Insider

1 user thanked author for this post.

Pim

Reply | Quote

So any chips that are 5th generation or lower are safe for now? I have 3rd generation chip.

Reply | Quote

All 5th gen and lower chips are safe, only some of the 6th gen are.

Reply | Quote

And we aren’t certain which 6th or 7th gen chips are safe.

Windows Update roulette, anybody?

Reply | Quote

What’s unclear from the Lifecycle Policy FAQ excerpt you published today?

Reply | Quote

Right!  I read this and decided NOT install the April important updates.  I have just clean installed Windows 7 on my laptop, done all the other Windows updates (except some optional ones I have hidden, including 4012218).  Luckily I had done a system image but was about to do a second image after re-installing all my files and programs.

Windows has installed the 5 April updates WITHOUT MY PERMISSION!  I still have Windows update set to download but let me choose what to install, after my clean install.

I turned off the laptop and it said Windows is installing 5 updates – what?!!!!  I turned it back on and looked in installed updates and they weren’t there.  They were still sitting there waiting to be installed.  I turned off the laptop later that night.  This morning I turned it on and now they actually have installed themselves!

I am furious – especially as I have a nice new clean install.  I haven’t seen any issues yet, but do you think I should remove them again and turn Windows updates OFF?!

1 user thanked author for this post.

walker

Reply | Quote

“Download but let me choose what to install” means download in the background and install on next reboot/shutdown if you don’t intervene.
You need to set it to “Search for updates but let me choose whether to download and install” of “Never check for updates.” The former searches but doesn’t download until you say so. The latter puts searching on manual and it doesn’t happen until you click on “search for updates.”

1 user thanked author for this post.

walker

Reply | Quote

PKCano wrote:

“Download but let me choose what to install” means download in the background and install on next reboot/shutdown if you don’t intervene.

I’m not a native speaker, but this somehow goes against my understanding of English 🙂

Fractal Design Pop Air * Thermaltake Toughpower GF3 750W * ASUS TUF GAMING B560M-PLUS * Intel Core i9-11900K * 4 x 8 GB G.Skill Aegis DDR4 3600 MHz CL16 * ASRock RX 6800 XT Phantom Gaming 16GB OC * XPG GAMMIX S70 BLADE 1TB * SanDisk Ultra 3D 1TB * Samsung EVO 840 250GB * DVD RW Lite-ON iHAS 124 * Windows 10 Pro 22H2 64-bit Insider * Windows 11 Pro Beta Insider

1 user thanked author for this post.

samak

Reply | Quote

Yes, a lot of people have been mislead by it. WU didn’t install without his permission, he misunderstood the setting. The only way to get out of that is – when you see the yellow “!” in the Start “shutdown” button, you don’t shutdown. You go to WU and uncheck/hide what you don’t want. AND you change the setting to one of the two safe ones because the updates are already on your machine.

2 users thanked author for this post.

walker, woody

Reply | Quote

I have been explaining this for more than a year now. The bottom line is the only sensible setting is NEVER>….

What happens with that setting is that once you start up, updates are downloaded. Some or all of them are pre-checked for installation. If you do not uncheck them before shut down, they will have your permission to be installed by virtue of those check marks.

CT

3 users thanked author for this post.

walker, JDeC, Bill C.

Reply | Quote

Thanks for that info.  Yes it is news to me after donkeys years lol!  I did notice an exclamation mark in shutdown.  Still – never happened to me before.  Sneaky  – it also goes against my understanding of English – and I’m English lol.

1 user thanked author for this post.

samak

Reply | Quote

Also – during my clean install I had it set to download but let me choose to install.  I had over 200 updates and chose to install some 5 or 6 at a time with reboots in between.  It didn’t install things I hadn’t chosen then – they just sat there until I selected the ones to install and clicked “install”.  It didn’t install all the others as well.

Reply | Quote

Because you probably intervened. You probably unchecked all then checked the few you wanted to install. Unchecked updates don’t get installed even they are in the “important update” list.

1 user thanked author for this post.

walker

Reply | Quote

PKCano wrote:

Yes, a lot of people have been mislead by it. WU didn’t install without his permission, he misunderstood the setting. 

I don’t agree with this at all. In the dodgy MS world of misinformation, the words “Download but let me choose what to install” might mean “download in the background and install on next reboot/shutdown if you don’t intervene.” To any native English speaker it means “download in the background and then I will choose a time and place when I will install these items, if I choose to at all.”

Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

2 users thanked author for this post.

SueW, 212louis

Reply | Quote

I think it’s dodgy too – typical Microspeak. But that’s the way it works.

2 users thanked author for this post.

SueW, 212louis

Reply | Quote

Before this months patch Tuesday,  I changed my Windows update setting from “check for updates but let me choose” to “never check for updates”.  On Wednesday I did a manual check for updates and had 3 updates, monthly rollup, preview, netframe, plus MSRT. I think I just let them be and didn’t uncheck them.
This morning, after reading this thread,  I did a manual update again.

All the previous updates are gone. It says my computer is “up to date”.
Did MS pull all the patches?????

Windows 7 Home Premium 64 bit 2008 R2
Group B
seriously considering Group W

1 user thanked author for this post.

walker

Reply | Quote

The Preview is never checked, and should be avoided at all cost.
Rule of thumb – DO NOT check anything that is already UNCHECKED. That includes all the updates in the “optional updates” list (the Preview was here) and those in the “important updates” list that are not checked by default.

To see if the updates were installed, in Windows Update click on “View update history.” If the ones you don’t want are there, you can go to “Installed updates” and uninstall the ones you don’t want. They will reappear in the update queue.

2 users thanked author for this post.

walker, dgreen

Reply | Quote

CraigS26 wrote:

Seff wrote:

Thanks Woody as always for the prompt advice, and to Noel for his detailed observations. Naturally I wouldn’t be considering installing any updates this early in the monthly cycle anyway, although I was concerned over the Office threat. However, although I have Office 2010 installed on one of my two Windows 7 machines, I haven’t received any Office updates yet, indeed the last one was back in August last year. All I have been offered on both machines thus far is the monthly security rollup KB4015549, the .NET framework rollup KB4014981, and the usual MSRT. An optional and unchecked Silverlight update has been hidden as I don’t have Silverlight installed on either machine.

My Win 7-64 Hm Prem showing (1) 2010 Excel KB3191847, (2) Office KB 2589382 & 3141538, & (1) Outlook KB3118388 (my Ofc = No Outlook) as of 4/12/17. You made somebody mad at WU to not have Any presented since 8/16 – -I’ve had a number of ’em. Good luck!

W10 Pro 22H2 / Hm-Stdnt Ofce '16 C2R / Macrium Pd vX / GP=2 + FtrU=Semi-Annual + Feature Defer = 1 + QU = 0

Reply | Quote

PKCano  I know about the “preview” update to leave uncheck.
I follow closely what is posted here, Woody’s advice, Ms-defcon,
with one exception…  I am guilty of hiding updates.
However, this is just what happened.
I went to check my “hidden updates” since my last post and they were all gone.
I thought, WTH????
So I went back and changed my update settings back to “check for updates but let me choose”.
I rebooted my computer.
The Windows update did the checking…
and this is what happened..
I now have 77 important updates, and 47 optional updates. WTH?
Checked my “hidden” updates and there aren’t any.
So my “hidden” updates were now switched back to unhidden without me doing anything??
How the heck did that happen?

Couldn’t update my MSE  definitions as it was getting hung up earlier.

BTW My processor is Intel I3-3240 (3rd generation ivy bridge)
Seriously, this is getting very unsettling.

 

 

 

 

1 user thanked author for this post.

walker

Reply | Quote

If you hit the “back arrow” in hidden updates, you don’t make changes. I think if you hit “OK” you unhide them. Watch for the Microspeak, it will bite you every time.

2 users thanked author for this post.

walker, dgreen

Reply | Quote

PKCano wrote:

If you hit the “back arrow” in hidden updates, you don’t make changes. I think if you hit “OK” you unhide them. Watch for the Microspeak, it will bite you every time.

PKCano  Thanks!  I’m not sure if I hit “back” or “ok”.
oh well……
So now I have 77 important patches from the past couple years (many are netframe).
I guess I will uncheck them and turn over a new leaf…
I won’t hide them.

Reply | Quote

The only updates to HIDE for Group B are the telemetry patches for your version of Win. See AKB2000003

For more understanding of what to install for Group B see https://www.askwoody.com/forums/topic/group-b-and-patch-blocklists/#post-106970

2 users thanked author for this post.

walker, dgreen

Reply | Quote

PKCano,

Windows 7 SP1, x64, with .NET 4.5.2

OK…I’ve posted this a couple of times and thus far no one seems to have an answer.

Can you indicate which one of the 4 links in the Download window for April’s .NET Security Only Update is the correct update?

When April .NET Security Only Update Windows 7 x64 is searched in the catalogue the result shows KB 4014985.

http://www.catalog.update.microsoft.com/Search.aspx?q=April%202017%20.NET%20Security%20Only%20Update%20Windows%207%20×64

When the Download button is clicked, unlike in the past where there was one active link to download, there are 4 active links. And those links do not correspond to KB4014985. As you can see, one is an MSU and the other 3 are EXE’s. Can you indicate which is the correct KB for a W7 x64 machine looking for the April .NET Security Only update? (4.5.2)

My guess is KB4014566 based on the MS “support” page, but I’m not certain. Description of KB4014566, the security update for the .NET Framework 4.5.2 for Windows Vista Service Pack 2, Windows Server 2008 Service Pack 2, Windows 7 Service Pack 1, and Windows Server 2008 R2 Service Pack 1: April 11, 2017

Thanks for any help you can provide.

https://support.microsoft.com/en-us/help/4014985/security-only-update-for-the-net-framework-3-5-1-4-5-2-4-6-4-6-1-and-4

Download

Download Updates

April, 2017 Security Only Update for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 on Windows 7 and Windows Server 2008 R2 for x64 (KB4014985)

ndp46-kb4014552-x64_32e1c3af9a27962c93682fc66584803baa729782.exe

ndp46-kb4014558-x64_900b63e9c928af1224ba91e4a0d0a14cceee92f6.exe

windows6.1-kb4014573-x64_12e4991474e5150382f317efd3fcbd8a13090ce5.msu

ndp45-kb4014566-x64_95b57712424a36cac3fc2f27fcc12e4555a80afd.exe

Reply | Quote

In the past, when you were searching for a .NET patch, the KB pointed to a specific flavor of .NET. For example, 3.1.5 or 4.5.2.

With the new rollup system that MS is deploying there is no specific MS, just the monolithic KB; in your example KB4014985.  The four individual downloads you see correspond to a specific .NET version:

4014573 = .NET Framework 3.5.1
4014566 = .NET Framework 4.5.2
4014558 = .NET Framework 4.6, 4.6.1
4014552 = .NET Framework 4.6.2

You need to download the version of .NET supported on your systems.  .NET 3.5.1 was patched via .msu files while .NET 4x use .exe files.

r/Dan

2 users thanked author for this post.

Elly, 212louis

Reply | Quote

dan (pmacs33) – But how do I know which versions of .NET I have on my Win 7 Pro 64-bit machine?

Belarc Advisor says I have
Microsoft – .NET Framework Version 2.0.50727.5483 (32/64-bit)
Microsoft – .NET Framework Version 3.0.6920.5011 (64-bit)
Microsoft – .NET Framework Version 4.0.41210.0 (32/64-bit)
Microsoft – .NET Framework Version 4.6.1087.0 (32/64-bit)

BUT Control Panel – Programs and Features lists only 4.6.1 and 4.6.2
However, Windows Features indicates I have PART OF 3.5.

Why has MS made this so complicated?

EDIT – I just downloaded and ran Raymondcc .NET Detector.  It says I have
2.0 SP2
3.0 SP2
3.5 SP1 and
4.6.1

Is it accurate?

Reply | Quote

If you go to the Catalog and click on the “Title” instead of “Download'” it pops up a screen with a link “More Information.” That takes you to an explanation of which is which. “ndp45” is .NET 4.5 – check out the rest.

3 users thanked author for this post.

Elly, pmacS33, 212louis

Reply | Quote

Thank you for this! Finally figured out which update to install on Vista. 🙂

Reply | Quote

PKCano wrote:

The only updates to HIDE for Group B are the telemetry patches for your version of Win. See AKB2000003 For more understanding of what to install for Group B see https://www.askwoody.com/forums/topic/group-b-and-patch-blocklists/#post-106970

None of those KB’s were listed.
IIRC they were removed from my “hidden” updates a while back.  I believe I posted here about it.  I assumed MS removed them.

My XP went kaput (blue screen of death) after an update in 2013.
When I got  this computer with W7 I deceided to only update with “critical” updates.
You could say I’ve been in Group B since 2014.
I found this site last year.

Thanks again for your responses.

Reply | Quote

Until recently I was in the B-group, but finding the ‘right’ and avoiding the ‘wrong’ updates in MS’ enigmatic labyrinth is too much of a hassle every month, so I switched back to ‘Inform me about new updates’ (only).

This time I did NOT wait for the green sign from Woody and -after making a back-up- installed two updates on my stand-alone Fujitsu i5 Windows 7 Pro SP1 x64 without problems so far:

KB3141529 Security Update for Microsoft Office 2007 suites
KB890830 Windows Malicious Software Removal Tool x64 – April 2017</span>

Not installed yet, but presented by Windows Update:

KB4015549 Security Monthly Quality Rollup for Windows 7 for x64-based Systems
KB4014981 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 on Windows 7 and Windows Server 2008 R2 for x64

Thanks Woody, Patron X

Edited to remove HTML content

1 user thanked author for this post.

TJ

Reply | Quote

Thanks for the info and need to be supervigilant about settings!  Ok so now I have the April updates is there a test I can do to see if they are causing issues?  I noticed someone above said they tried to run a couple of programs and they didn’t work.  Apart from the update to block future Windows updates for 6th generation onwards processors, what other issues are there with them please?   (I have 1st generation processor).

Reply | Quote

Ok – so here’s my second issue with the April updates (apart from them installing themselves).  I now have a pop-up telling me to activate Windows and it is showing as not activated.  It was activated days ago.

Reply | Quote

DO NOT install them!  I am sorry I am still showing up as anonymous – haven’t worked out how not to be anonymous.  But I am the anonymous who unwittingly installed the April updates.  I have issues already.

1) My laptop is now showing as not activated.  I have owned this laptop for over 7 years, it came with Windows 7 on.  I did a clean install with a Windows 7 disc and used the product key from the base and it activated no problem – days ago.

2) I am unable to remove the 5 April updates.

3) I did system restore back to 2 days ago and the 5 updates are still installed (and I am still showing as not activated).

At this point I am not even going to attempt to activate again, but will reinstall from my system image made a few days ago, before the April updates were installed (and when I was activated).  Which means I have to put all my xxxxx ing files and programs back on again!

The five updates I had, which installed are:

KB4015549 April 2017 Security Quality monthly roll-up

KB973688 Update for Microsoft XML Core services 4.0 Service pack 2 for x64 based systems

KB954430 Security update for Microsoft XML Core Services 4.0 Service pack 2 for x64 based systems

KB4014981 April 2017 Security and Quality roll-up for .NET framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 on Windows 7 and Windows Server 2008R2 for x64

KB890830 Windows Malicious Software removal tool x64 – April 2017

Regarding Windows installing these updates because I shut down the laptop – I am still surprised it could do that when normally you have to agree to having the Malicious Software tool before it’s installed!

Reply | Quote

Anon #108310

anonymous wrote:

I am sorry I am still showing up as anonymous – haven’t worked out how not to be anonymous.

To not be anonymous, you can register here – it’s particularly painless, then we will be able to see your other posts easily too 🙂

Reply | Quote

Lol!  I now have my nice system image reinstalled, updated to the point just before the April updates.  I was still showing as not activated, so activated again without problem.  Just copying all my files back on yawn.  Windows Update is now turned to NEVER.  Before I turned it to NEVER I set it on the third option, just to see what came through.  Only three April updates came through so maybe they have pulled two of them?

Reply | Quote

anonymous wrote:

I am sorry I am still showing up as anonymous – haven’t worked out how not to be anonymous.

Are you logged in prior to posting your comments?  If so, and you’re still showing as ‘anonymous,’ then maybe someone else can suggest how not to be [just another] anonymous.

Win 7 SP1 Home Premium 64-bit; Office 2010; Group B (SaS); Former 'Tech Weenie'

Reply | Quote

Something new I’ve noticed on my Win 8.1 test system with Office…

LinkedIn (and other) eMails in Outlook 2010 now no longer show embedded images, but rather little [x] indicators and “Right-click to download pictures” nessages. Across the top are two messages in black on dark gray that seem to be pertinent…

I think the images just showed in the preview pane before the patches.

This may be considered by Microsoft to be a trifecta: It degrades the integration of an older version of Office, claims to improve user privacy, and (presumably) improves security – all at once. Makes you wonder, though, why not just fix the image display logic so it can’t be a vector to infection.

Clicking to browse in the browser, by the way, produces this:

-Noel

Reply | Quote

What does File, Options, Trust Center, Trust Center Settings, Automatic Download, Don’t download pictures automatically in HTML e-mail messages or RSS items show?

(You can also unblock pictures for a particular sender or domain by adding them to the Safe Senders List.)

Block or unblock automatic picture downloads in email messages

1 user thanked author for this post.

Noel Carboni

Reply | Quote

Did the patch just change these settings?

-Noel

Reply | Quote

I have been fighting that problem for over a year. It just keeps getting worse and worse. No changes seem to affect the problem. Not safe senders, not the Trust Center, nothing I can find.

I finally installed Mozilla Thunderbird. According to Thunderbird it is remote content that is being blocked. If it is a trusted email source, I just open it in Thunderbird.

I also set my server setting to allow messages to remain on the server until I delete them. I just delete them once I have them all downloaded. I did that so when on the road with a laptop, I did not have to boot it up to see those emails. I just started the desktop and they all came down. Now I just use my iPhone to delete them from the server.

1 user thanked author for this post.

Elly

Reply | Quote

Canadian Tech wrote:

pmcjr, I would not recommend the MSRT. It rarely produces anything useful. A reasonable antivirus software installation far outstrips it. In addition, MSRT is now a suspect spyware tool used by Microsoft.

Notice the MSRT stats in this blog post:

https://blogs.technet.microsoft.com/mmpc/2010/05/21/msrt-may-threat-reports-and-alureon/

2 users thanked author for this post.

SueW, b

Reply | Quote

Does anybody know what the “speed-up” patch for Vista is this month?  Last time I will ever have to ask this question 🙂

Reply | Quote

https://answers.microsoft.com/message/9366cc04-59d6-4b37-bee9-dffcdc7c602a

so for this month, it’s KB4015195 + KB4015380 + IE9 KB4014661

 

Server 2008 is still supported, you can use its updates manually for Vista 🙂

4 users thanked author for this post.

HiFlyer, walker, woody, PKCano

Reply | Quote

I hope someone can help clear something up for me.

Win7 Pro 64-bit
i5-6600 (google tells me this is a Skylake, however I can’t remember the manufacturer)

The way I read the various articles, only some Skylakes will continue to get updates, and I’ll have to download Speccy to find out who made mine. I’d honestly prefer not to download/install something I know I’ll never use again.

Furthermore, I have never seen a Speccy screenshot that listed the CPU brand, only the MOBO brand (ASUS in my case).

Will I get update blocked if I install the April patches?

I’m not going to actually update before Woody gives the clear, but I’d really like to get this cleared up.

Reply | Quote

I believe you can get the information:
Start\Run – type in msinfo32 – Enter
The Processor identification is on the first “System Summary” page.

Reply | Quote

Thanks for the replies everyone.

It seems I will get blocked if I update, since I bought my PC ~1.5 years ago, from a shop that offers various customizable standard rigs. This leaves a somewhat sour taste in my mouth, since I paid extra to get win7 instead of 10 and I still had to settle for an OEM key.

Seems like all I can do is either stop updating, or hope MS will start actually honoring their 2020 promise (fat chance).

I’m curious as to wether or not I’d be able to update normally, if I uninstalled the blocking update.

Reply | Quote

If you are blocked from installing updates, you can uninstall the blocking update(s) to become unblocked.

Reply | Quote

Unless your computer was purchased from a major manufacturer, chances are you will end up being blocked. I have the same Intel processor and built my own. I have no plans to accept any further Microsoft updates — Group W — I recommend it.

Reply | Quote

The CPU brand is Intel.

http://ark.intel.com/products/88188/Intel-Core-i5-6600-Processor-6M-Cache-up-to-3_90-GHz

Unlike the motherboard, which can be manufactured by anybody using Intel chipsets, the processors are only made by Intel.

Windows 10 Pro 22H2

Reply | Quote