MS-DEFCON 2: Block Auto Update to avoid non-security Office patches

Topic

New Reply

First Tuesday of the month means it’s time for a slew of Office non-security patches. Traditionally they roll out as Optional, Recommended. Last month
[See the full post at: MS-DEFCON 2: Block Auto Update to avoid non-security Office patches]

Reply | Quote

Replies

I am more and more convinced that part of the problem of slow scanning for Windows 7 is related to Office scanning. There are far more updates for Office any version than for Windows 7 and their metadata seems to be much larger.
Those who experience slow scanning should try to disable temporary Microsoft Update leaving only Windows Update active to check if this makes any difference.

Reply | Quote

Woody, I was waiting for your instructions on how to speed up the update process before installing the October Patches (following Group B instructions), but it looks like you changed the DEFCON setting to 2 now because of Office patches. Did I miss my opportunity to install last months patches (following Group B instructions) before the second Tuesday in November?

Reply | Quote

Naw. Just be careful to avoid the Office non-security patches.

Reply | Quote

No it is not
if no Office product is installed, none of its updates metadata even received or processed within DataStore.edb

Reply | Quote

I know you are not much into WSUS, but check this
https://blogs.technet.microsoft.com/sus/2008/09/18/wsus-clients-fail-with-warning-syncserverupdatesinternal-failed-0x80244010/

The article is from 2008 and nothing has changed at the end of 2016. It is actually worse because of the number of updates and size of metadata. I replaced a WSUS 2012 R2 server with its 2016 equivalent and it takes 10 tries for each client computer with Office 2013 to build the cache and eventually communicate.
If I decline all Office 2013 updates – 1604 valid (including superseded but not expired) in WSUS at the moment – then all WSUS clients with Office 2013 register at first try.
All those machines are fully patched Windows 2008 R2 / Office 2013 clients and you know what I mean by fully patched – all that comes on Windows Update, no Convenience Rollup on any of them.
If you run WUMT with superseded included and check WindowsUpdate.log, you will find few invalid Office updates. In fact I posted about this issue here on this site few months ago.

Reply | Quote

Hi Woody. One of my customers are running Office 365 (Click-to-run) and they have the Excel problem that appeared lately KB3118373. I updated there program to the latest (Build 6965.2092), but still some users are getting the Excel crash problem. Any other tips, Please?

Reply | Quote

Good question!

Microsoft isn’t listing a new version of CtR

https://technet.microsoft.com/en-us/mt465751

For either current or deferred channel. (Looks like you’re on the deferred channel.)

My guess is that they’ll have a current channel update out later today. That’s your best bet for fixing the problem. But if you want to stick with deferred channel, you should roll them back to 6741.2081

Reply | Quote

Thanks. I will revert them and block the updates

Reply | Quote

Woody, Good Morning.

I ran Secunia PSI yesterday on both of my Win7 machines. I have Office 2013 on one and Office 2010 on the other. The 2013 machine says that it automatically installs it’s Office updates, I am not able to find that message on the 2010 machine (probably an improvement on the 2013 machine). Secunia says that I am 100% up to date on all the programs that are installed on both machines.

It also said that my Net was up to date on both machines.

However, when I look at what the installed updates are on both machines, it shows my early October and earlier updates only.

Confusion reigns supreme here. When I go through the Group B process, would I still look for updates for Office and Net when using Secunia?

As K mentioned above, I was busy and missed the Defcon 3 window. So I am understanding that I should wait now for the November Security Update. Is that correct?

When we are using Secunia, wouldn’t their updating take care of the Office and Net components of all this? That would mean we would only have to install the Security Update, and not the Office and Net from the Windows Update. Have I got that right?

I was able to locate the October Security Update directly from your link in the “Careful Updating” article. Can I just download from there without taking Windows Update off Never?

I’m a pretty good operator of the Win7 computers, it’s just that I don’t have the hours that are required to go through all this reading and doing the administrative stuff, or really the interest. I’m not really concerned with telemetry and just want to get on with doing the things I bought these machines for. I didn’t purchase them to become an administrator. I’d like to be part of Group B, but I don’t know, it’s such a pain and hassle. This is just getting so frustrating. I need Win7 for my accounting programs and for SketchUp, although those programs are OK in Win 10. I am waiting before I go to Win 10, to make sure that it is stable. I can wait a couple of years to go there. I don’t mind paying, but I want things to be working correctly before going there. I will go to Win 10 eventually, as I need the Microsoft Answer Desk, as I am going to be operating in a professional capacity and need the tech support.

Group B is great, but is there really a problem with being in Group A?

All the fun seems to be disappearing from this.

Thank you for directing us to Secunia PSI, it’s doing a nice job.

You are so helpful and we all appreciate what you do for us.

Chip

Reply | Quote

Yep, all the fun’s been drained away.

No problem with Group A, but you have to understand that Microsoft can install just about anything. (Of course, you could argue the same about Group B, but I doubt MS will be so brazen.)

Secunia… I don’t know what they’re doing nowadays. Perhaps someone else here has traced through the details?

Reply | Quote

Not saying it was the fault of the latest round of updates but an Excel 2010 workbook I have that uses Macros triggered by Workbook_Open failed after update. The code still ran manually but no amount of debugging started the code working when the workbook was opened.

System Restore (from safe mode) overcame the issue.

Reply | Quote

Wow. That’s bad news.

Any idea which update caused the problem?

Reply | Quote

Symptoms were
I run a file overnight on task schedule. It does its thing gathering information then closes. On the day after I ran I saw the hidden ‘~{filename.xlsm} (gave away that the file had not completed its tasks). After restart and deletion of the hidden file testing the workbook resulted in the Workbook_open code not firing. It gathered no data overnight so, nothing had run.

First suspicion was KB3118390, (20mb so no minor code path). The MS website said, “allow remote code execution if a user opens a specially crafted Office file” so seemed a potential candidate. Uninstalling that update made no difference. At that stage I’d had more than enough of Excel not working as it should and went for the the System Restore solution.

Unfortunately, I had included the monthly roll-up in the update so it could be something in that or one of the other security updates relating to security bulletine MS16-133. The possibility always remains that it was something else.

Reply | Quote

Thanks. I’ll keep my eyes open….

Reply | Quote