MS-DEFCON 3: Get patches installed, except for a couple

Topic

New Reply

We have more than a hundred patches sitting on the back burner, since the last foray to MS-DEFCON 3, three weeks ago. For those of you staring at a bu
[See the full post at: MS-DEFCON 3: Get patches installed, except for a couple]

Reply | Quote

Replies

@Woody,

Given we’re 4 weeks before the next Patch Tuesday, why are we rushing into patching now? Too much backlog?

P.S.
I passed on your advice regarding my friend installing IE11 from Windows Update. She was nervous, but all went well. Thanks for the advice.

Reply | Quote

Yep. They’re backing up like cars on a Seattle freeway. Better to get them cleared out while it’s safe.

Reply | Quote

Woody,

Please clarify the blog entry to indicate that both the USB driver patch and the Kernel mode driver patch are equally applicable to Vista. T

We wouldn’t want Vista holdouts to be caught unaware thinking that they are not in the crosshairs for these two patches.

Reply | Quote

Does the ‘ad’ only show up if you use IE as a browser?

Reply | Quote

As for unchecking updates, I just hide the darn things.

Reply | Quote

What about KB3138612? Install or hide?

Reply | Quote

Woody, I have been doing patching for few years, primarily using WSUS and paying a lot of attention and I noticed that now we don’t have a clear delimitation between Security Updates, Critical Updates and the so called Recommended Updates. Even more, a lot of the initially released Optional Updates are moved after a while into the Critical Updates category. There are now Recommended Updates superseding Security Updates or the other way around, so I personally made a decision few months ago to apply them all to avoid the confusion and potential interdependencies after a certain waiting period obviously. Your site has always been very helpful in doing this assessment about when the waiting period should be over. While this decision was mainly based on Windows 2012 R2 (which is largely the same thing with Windows 8.1 for this purpose), I did the same for Windows 2008 R2 and Windows 7. Certainly things are getting more complicated at the moment due to the push for Windows 10 Upgrade.
I am not suggesting you to recommend something different than you would otherwise, I am only sharing a personal experience about trying to simplify the process made more complicated than ever by Microsoft.
Right now, my personal point of view is that everything other that KB3035583 can be safely installed, unless taking the upgrade to Windows 10 offer now or later, in which case even KB3035583 needs to be installed. Also the Optional patches except for those released few days ago are completely safe and reliable, but not needed for most people, unless using the Remote Desktop 8/8.1 functionality.
As you say in your article, ‘P.S. Remember when patching was easy?’

Reply | Quote

I say avoid it. It’s probably another Windows 10-greasing patch. If it were important, it’d be a security patch. One exception: If Windows Update is excruciatingly slow on your machine, you may want to roll the dice and install it.

Maybe someday we’ll get better descriptions of the Windows Update patches. For now, I’d assume it’ll do things you don’t really want or need to have done.

Reply | Quote

That works, too.

Reply | Quote

Nobody’s seen the ad as yet. But, yes, it’s only on an IE new tab.

Reply | Quote

YIKES! I’ll get it updated – and thanks for the correction!

Reply | Quote

Just updated as suggested (Windows 7 Home). Interesting to see a “Download” folder at WindowsSystem32GWX with today’s date. Not sure if this is a new folder or an update to an existing folder. I couldn’t delete the folder but could delete all the contents.

Reply | Quote

Speaking of IE as a browser, just a little humor. Nowadays if someone asks someone else what browser they use, & someone #2 says Internet Explorer… around 99% of the time (guessing on the percent) someone #1 will laugh & say, “That’s not a browser.”

I get the joke, but then again considering IE is part browser and part internet ‘link-up’ (could be wrong, feel free to correct) the quip about IE not being a browser is technically only half right.

Reply | Quote

Regarding new Windows 7 kernel patches, such as the two Woody said in this blog post to wait on –

“Windows 7: There were two patches released earlier this month that still need some time to stew before they’re ready: KB 3139398, the Windows 7 and 8.1 USB driver fix; and KB 3139852, the kernel mode driver patch… given the headaches we’ve had in the past with kernel patches, it’s worthwhile to wait.”

I am wondering if missing out the windows 7 kernel patch last year that was included in a get-windows-10 patch (KB3068708) – that most people have said to avoid because of the get-windows-10 stuff in it –
might start causing any problems if there are later windows 7 kernel patches that we do install (either deliberately, or by mistake), such as these two recent ones that Woody mentions today.

I’ve asked about this in article comments on this site a couple of times already, but there haven’t been any opinions expressed about it, and I don’t know if that means that missing an interim kernel patch is no problem and it’s silly for me to be concerned about it, or if most people don’t realize that KB3068708 included a kernel update for windows 7.

My first mention of it was within the discussion that started with this post:
https://www.askwoody.com/2015/ms-defcon-4-get-windows-and-office-patched-but-watch-out-for-kylo-ren/comment-page-1/#comment-71189

then: https://www.askwoody.com/2016/bad-patch-lists/comment-page-1/#comment-76864

then: https://www.askwoody.com/2016/bad-patch-lists/#comment-77001

Quoting my last paragraph from the third link just above,
“I don’t know if it’s bad to go without that kernel update (which I have so far gone without, because I’ve studiously avoided all win10 prep patches),
and
if there is any danger of not installing it, in terms of future kernel updates that might come through in standalone patches and be installed on my machine on top of an “incomplete foundation” in the kernel, since it’s missing the updates of KB3068708.
Or do new kernel updates always include every prior change to the kernel, just for completion’s sake?”

Does anyone know? I don’t know very much about computers, but over the years I’ve seen comments (such as on Brian Krebs’ website) that allude to kernel patches being important and perhaps a little fiddly to install.

Reply | Quote

100-200 patches on win10 a month? Apparently Microsoft can’t get their, well you know, straight.

Reply | Quote

No idea how many in Win10 – Microsoft doesn’t list them out. We’re doing 100-200/month on Win7 and 8.1 machines with Office installed. No one machine gets all of them, of course, but in aggregate it’s overwhelming.

Reply | Quote

I don’t know, but the patches are not necessarily incremental (meaning a newer one doesn’t necessarily fix an older one).

I should think that, if the newer patch requires an older patch, Windows Update would handle it as a “dependency.” Dependencies are commonly pulled in when needed.

Reply | Quote

Yep, there are pieces of IE that lurk in various parts of Windows itself. I think it’s used in Office, too.

Reply | Quote

Good reason to run GWX Control Panel. It’ll zap that folder out for you.

Reply | Quote

I had installed KB 3139398 prior to reading your article, no problems yet…on Windows 7×64 home

Reply | Quote

Already. I’ll wait till the Monday before April’s Tuesday Patch (like always)

Reply | Quote

KB 3103709 seems to be an update for the Microsoft Active Directory Services component, “NTDSAI”- and “DSPARSE”-functions to be more specific. Seems safe to install.

The other “mystery patch” without Knowledge-Base-entry, KB 3115224 seems to be revoking several crypto certificates.

BUT: No absolute guarantee on These infos, since I’m not *that* deep into Windows’ deepest inners
This is just what I discovered by downloading these patches separately (without installing them), unpacking them and looking into their manifest-files.

//Spike2

Reply | Quote

There is a definition update for Microsoft Office 2010 that you told us to hide a little while back (KB3114887)is it okay now to install that one or should it still be avoided?

Reply | Quote

What does it mean that WU would handle it as a dependency, which would be pulled in when needed? I don’t know what this terminology is describing — what would that look like to me, as the computer owner who is interacting with WU?

If I hid KB3068708 last year, even though it was checked, and I wish to avoid installing it in any case due to the get-windows-10 stuff in it,
then if I tried to install a new kernel patch that needed KB3068708 to have been installed first for the kernel’s sake,
what would Windows Update actually DO as it tries to “pull in” the dependency? Would it unhide KB3068708 and put it back in my list of active updates?

There was a time a couple months back when three Win 7 patches needed to be installed in a certain order (if they were being installed one-by-one), and MS didn’t explain that except to put it in an obscure footnote somewhere, and fortunately I saw that noted on a discussion forum, so I made sure to patch them in the right order. I don’t think there was any behavior of the updates or anything in their WU description that would let the computer owner know that those 3 needed to be installed in a certain order, if doing them one-by-one or in small groupings — my impression was that they would “let themselves” be installed in other orders, even if that was going to lead to problems later. So I don’t know if I could trust Microsoft to make smart-enough patches that they would self-monitor and flag up to me in an obvious way to let me know that I must install a particular, hidden old one before installing a certain new one.

Plus, if KB3068708 did have to be installed for future kernel patches to work correctly, and if WU conveyed that information to me in such a way that I would be aware of it, but I really didn’t want to let any get-windows-10 instructions inside my computer, what ought I to do? Leave the kernel unpatched from then on, to be as it stood as of late 2015? Is that okay, or is that dangerous?

—-
More generally, I’m also worried that hiding/declining so many updates is going to lead to a situation one day with my Windows 7 where the underlying structure has too many missing pieces and might go haywire.

Heck, they might even BUILD IN something like that by rigging some of the important and innocent-looking updates, to force more of the determined Windows 7 hold-outs to finally give in to Windows 10.
—–

Since so few other people seem to be concerned about this patch KB3068708, I wonder if I’m making a mountain out of a molehill.

It just seems odd; I don’t know why they put a kernel update for Windows 7 in that get-windows-10 patch, if they didn’t do anything to the Windows 8 kernel in that patch, and why most Win-7 people who are trying to avoid being moved to Windows 10 say to hide that patch, and do not mention that there is a kernel update in it.

Reply | Quote

For update KB3068708 on your own “normal” Windows 7 machine(s) (if you still keep some going), did you install it and just rely on the third-party anti-get-Win-10 program (I forget the name of it just now, maybe it’s GWX Control Panel) to fight the get-Win-10 actions of that patch?

Reply | Quote

Hanging on creating a restore point, that’s a first

Reply | Quote

Hi Woody, so – here’s your ad, captured from 2012 R2 server – a domain controller (!!!)

BTW, the page you see under the overlay: that’s another result of latest batch of updates. It pops up in a default browser (does not matter whether Chrome or IE or FF) everytime you login or when you disconnect and reconnect to network. Previously described as “NCSI bug” here: Never seen it anywhere until now. Happens reliably on any computer with the offending patch installed: https://answers.microsoft.com/en-us/ie/forum/ie10-windows_8/windows-8-goes-to-bing-by-itself-all-the-time/386e9a25-8149-4ee6-84b4-65332022c2a7?page=1&tm=1438785006806

This stuff is pure malware, designed by MS. Incredible.

Reply | Quote

The ad you see is generated by msn.com. It doesn’t come from Internet Explorer.

I’m still looking for a blue banner ad on a new, blank tab in IE. Doubt that I’ll ever see one. Microsoft has almost certainly decided that it wouldn’t be wise to turn the ad on.

Reply | Quote

Sorry. I should’ve explained myself better.

Some patches rely on other patches – it’s called a “dependency” when Patch B requires Patch A before it can be installed. The Windows Update installer is smart enough to recognize dependencies, so when you ask to install Patch B, if you don’t have Patch A, it’ll get installed, too.

I haven’t seen that happen much nowadays, but it used to.

The other force at work retiring old patches is supersedence. Many patches supersede older patches.

I think you’re making a mountain out of a molehill.

Reply | Quote

I hope I haven’t recommended hiding Office “definition updates.” Those are just junk filter updates. No need to hide them. They install themselves, and they’re just fine.

Reply | Quote

THANKS!

Wonder if MS will ever document them….

Reply | Quote

Did go through eventually, just slow, thanks Woody.

Reply | Quote

Don’t have any “tab ad”. I still have all my browsers on all my computers hijacked with the unwanted “NCSI” pop-up never seen before for years and years, anywhere.

Reply | Quote

(W7 x64 Pro)

I took a system image first and then installed KB3139398 and so far I’ve not had any problems either.

I’ll report back if anything untoward occurs

Reply | Quote

Woody – I keep seeing your comment to “just run GWX”. I have that installed with the Monitor Mode turned on. What do you mean by “running” it – isn’t it supposed to be doing it’s thing in the background or am I supposed to be actually doing something to make it work? Sorry to be so dense about this!

Reply | Quote

@Daniel,

“Hanging on creating a restore point….”

How was that resolved?

Reply | Quote

I’m seeing the MS Server too busy to even install the Definition Update. Not unusual, however it appears that the Server is presently overloaded. And it’s only a little over a week since the last Black Tuesday. It only seems to get worse!!

Reply | Quote

If you have monitor mode turned on, GWX Control Panel runs itself whenever it’s needed. You’re covered.

Reply | Quote

Try looking on any page other than msn.com.

It’s possible your other browsers are hijacked to start on msn.com. Reset the home page and you’ll be fine.

Reply | Quote

Reply | Quote

Woody,
When you say install all security updates, does that include Office ones?

Reply | Quote

Yes. Office, too.

Reply | Quote

That is what I am nervous about. I am worried that installing 3139929 means the adware will be shown on the computer because of those pieces of IE in the windows. I managed to keep all of the windows 10 stuff off my computer and I am worried that this patch will open a path for win 10 stuff to come in without me being able to do anything about it.

I have a question for you, woody. If I wait on IE security until the April black patch Tuesday, would it still have that malware in the security? Would it be likely to be even worse then? I don’t want to install this patch now but I am worried that if I don’t, I am stuck without March security fixes.

Reply | Quote

With reference to KB 3068708, I show that it appeared as “recommended” way back on June 2, 2015.

Also show that there was a post to not install it at that time.

There were 2 other references about this one as follows:

Sept. 3, 2015, and January 1, 2016.

What is its current “status”?? I still have it as “hidden”. Thank you for any current information on this one.

Reply | Quote

In re: KB3068708

The dates I referenced are not necessarily the “original” dates they were posted, because there are so many are posted in the ensuing “comments”.

My apologies for any confusion about the specific dates, other than the one on June 2nd which I feel confident is the date it was posted. Have not had time to “verify”.

It’s hidden, and still shows “recommended”.

Reply | Quote

I think you are right. On various computers right now I see Office 2013 and Office 2016 Important Updates unchecked without much information from the logs but I assume they are throttled due to load – Security Updates which have higher priority when it comes to throttling went through. Other issues are throttling of unidentified patches for Windows 7, or no information but still going unchecked for other patches.

Reply | Quote

Be aware that previous certificate related patches created problems, those related to ciphers in particular. I think is better to wait until it becomes more mainstream.

Reply | Quote

The KB article is up to version 6:

https://support.microsoft.com/en-us/kb/3068708

It’s a telemetry patch. Unless you have the “Give me recommended updates the same way I receive…” option checked, I’m 99% certain KB 3068708 isn’t checked. If it isn’t checked, don’t check it!

Reply | Quote

I have no idea what evil lurks in the mind of Microsoft…

Seriously, install the patch. You may see ads at the top of new tabs in IE — but you never use IE anyway, do you?

I still haven’t seen an ad, and I fully expect Microsoft abandoned any plans they may have had as soon as we blew the whistle on them.

Reply | Quote

Interestingly, and unusually, the only update I’m being offered as an important update for Office 2010 (KB3114887) is unchecked. I’m holding it anyway until Susan Bradley’s further Patch Watch later in the month, but it is certainly a change from the norm for my Office updates to be unchecked.

Reply | Quote

There’s a theory going around that either (1) Microsoft’s servers are overloaded, or are expected to be overloaded, so they didn’t check those updates and/or (2) that Microsoft isn’t confident they’re really necessary or ready.

Lots of unknowns. Best choice is to ignore them unless and until they’re checked by Microsoft.

Reply | Quote

Hi Woody,
When I went to install this time, I was faced for the first time with a consent form for the Malicious Software Removal Tool. I did not install it because it had this language.
================================
….Consent for Internet-Based Services. The software feature described below connects to Microsoft or service provider computer systems over the Internet. In some cases, you will not receive a separate notice when they connect. You may switch off this feature or not use it. For more information about this feature, see http://www.support.microsoft.com/?kbid=890830. By using this feature, you consent to the transmission of this information. Microsoft does not use the information to identify or contact you.
Computer Information. The following feature uses Internet protocols, which send to the appropriate systems computer information, such as your Internet protocol address, the type of operating system, browser and name and version of the software you are using, and the language code of the device where you installed the software. Microsoft uses this information to make the Internet-based service available to you.
* Malicious Software Removal. Before execution of the software, the software will check for and remove certain malicious software (“Malware”) from your device, which is listed and periodically updated by family at http://www.support.microsoft.com/?kbid=890830. When the software checks your device for Malware, a report will be sent to Microsoft about any Malware detected, specific information relating to the detection, errors that occurred while the software was checking for Malware, and other information about your device that will help us improve this and other Microsoft products and services. No information included in these reports will be used to identify or contact you. You may disable the software’s reporting functionality by following the instructions found at http://www.support.microsoft.com/?kbid=890830. For more information, read the Windows Malicious Software Removal Tool privacy statement at http://go.microsoft.com/fwlink/?linkid=113995.
===========================
Isn’t “Internet-Based Services” Microsoft speak for nosey-parker ware?

I poked around among the articles they linked to to try to figure out what “internet-based services” they were talking about and how to disable them. You can disable this information going back to MS in the “enterprise environment.” Meaning, if you have Win7 Home Edition like I do, you can’t disable it because you don’t have the necessary control panel.

Curiously, in the “enterprise environment” is a hook for ads. Pretty sneaky? Yes? Or am I just getting a little too paranoid?

Anyway, I didn’t download it. I am going with an outside vendor that service now I guess. Hitman Pro for now. Thought your readers might be interested.

(Be sure you upgrade the GWX control panel to the latest version first thing. The new version is spiffier.)

Reply | Quote

I’ve never heard of snooping problems with MSRT.

Some people, though, are more sensitive than I. (For comparison, I use Chrome and Google’s still my number-one search engine.) I think the benefits of MSRT outweigh its potential for snooping – but everyone should make that decision for themselves.

Reply | Quote

I just ran MSRT on two devices and got non EULA or other consent page. It just ran. Windows 10 Pro on both devices, and MSRT is not part of any Win 10 CU.

One of my devices also got an update for ASP.Net. I don’t remember where I picked that up from, but it’s not bothering anything, so the update ran and installed with no problems. The CU went smoothly on both devices.

Reply | Quote

Just did a web chat with a Microsoft ‘Tech’. I was asking specifically about KB3103709 since there is still no article up as of 22:00 3/18/2016. I was told that KB3103709 is a “Free upgrade for Windows 8.1 users to Windows 10”

If true, at least it is still in the optional updates…

Reply | Quote

Oy. Oh no. I hope that isn’t the case…..

Reply | Quote

No that is definately not true, the Microsoft supporter was wrong.

In the meantime I did some further Investigation and after I said that I can’t guarantee my infos in my first post, now I can say that I’m 100% sure about them.

After installing the patch KB3103709 (which may be uninstalled easily, so no risk here), it did what I expected:
It wrote new files “ntdsai.dll” & “dsparse.dll” (both are part of the Microsoft Active Directory Services) and backuped the older ones to sub-directory in c:windowsWinSxS. Nothing that has the slightest thing to do with Win10.

(Btw: the patch would be rather too small to be Win10, too… )

You can verify that for yourself, by either…

– …installing the patch and check file dates for both said files and / or run in a command prompt in the c:windowsWinSxS-directory the following: “dir /O:-D /P /S /T:C” and you’ll see by the date & time of the backup-directorys for ntdsai.dll & dsparse.dll that those dates correspond to the time you installed KB3103709 and that the folder name gives a clear info that it belongs to Microsoft Active Directory Services

AND / OR

– …you download the single patch, extract it and check in the manifest-files and XML-file for yourself that this patch only touches the Active Directory component of Windows 8.1.

While KB3103709 might be useless for home users not using MS ADS, it won’t hurt to install it.

Best regards,

//Spike2

P.S.: Sorry, if some sentences may sound strange in my posting – english is not my native language and my school-english got a bit rusty over the years.

Reply | Quote

Question about the 3 NET FRAMEWORK updates.

Is it “safe” to install all 3 of them at the same time? Normally I install only one patch at a time, however in the past there was one reference about the sequence in which these should be installed.

Any advice on this one? Thank you in advance for all of your outstanding help.

Reply | Quote

Let Windows Update handle the sequencing. They’re checked, yes?

Reply | Quote

Woody, yes, they are checked, and hopefully I can install all three at the same time, without having any problems.

Wonder of wonders, I turned on the “search for updates”, and after waiting an inordinate amount of time, I was actually able to download and install several so I’m making progress.

Thank you, Woody, for the fantastic amount of help you always provide for us all. You are absolutely “the best”!!!!

Reply | Quote

You betcha.

Reply | Quote

@Walker,

If you are interested, in early January I did a search of all the mentions that I could find about that patch in Woody’s InfoWorld column and on this site, and I quoted from many of them and included the hyperlink to them, especially if they expressed different points of view as time went on.

Those are here:
https://www.askwoody.com/2015/ms-defcon-4-get-windows-and-office-patched-but-watch-out-for-kylo-ren/comment-page-1/#comment-71189

(After clicking on that link, start reading at the post you are first taken to — which is by a different person, not by me — then scroll down from there to see my comments and others’ comments in that discussion).

Reply | Quote

@Spike2,

“…english is not my native language and my school-english got a bit rusty over the years.”

Your “school English” is better than a lot of native-English-speakers’ English!

In other words, it’s very good.

Reply | Quote

I haven’t done my updates yet, but I just looked at my 18 choices.

Interestingly, I did not get the choice in the Optional Updates to move to Windows 10 Pro–I am somewhat relieved, and at the same time feeling like there is a hidden move yet to come.

Did anyone else not get the offer to update to Windows 10 Pro in optional updates?

In the list of important updates, KB3083710 (released in October, 2015) was offered–it is not a security update. I hid it. If I was ever offered it before it was in optional updates and I hid it. Has anyone seen that rear its head again?

Reply | Quote

Woody my system had both of those already installed. After both were uninstalled Windows 10 advertisements in IE disappeared. Don’t these guys ever quit?

Reply | Quote

Had both KB3139398 and KB3139852 on my Windows 7 system. After both were removed the advertisement for upgrading to Windows 10 in IE completely disappeared. Thanks so much for everything you do!!

Reply | Quote

Hi,
we deinstalled KB3139852 after experiencing huge problems with external connections with RRAS (NAT), Remote Desktop Services (login-problems) On Windows Server 2012 R2.

Reply | Quote

Odd. What kind of advertisements did you see?

Reply | Quote

Upgrade to Windows 10. Start Now.

Reply | Quote

More of a nag screen everytime IE was opened.

Reply | Quote

First of all, thanks for the tips!
In a netbook with Win 7 Starter, the “check for updates” procedure would hang forever after installing the KB3139852 patch. Checking for updates worked again once that patch was uninstalled.

Reply | Quote

Better to hide the two patches which appear to be the only ones remaining that could possibly cause problems? Referring to KB 3139398 and 3139852. With Black Tuesday coming up, it would get these out of the “mess” so there would be no chance they could get installed in error. Thank you for you for your guidance with these, Woody.

Reply | Quote

You can hide them if you want – but if MS re-releases them (as is becoming increasingly common) they’ll get unhidden.

Thank you, Microsoft.

Reply | Quote

In case some of you are unaware we are now blessed with TWO Black Tuesdays each month.

Starting this month (April 2016) the first Tuesday each month will see the release of NON Security updates and the second Tuesday each month will be for Security updates only. I saw this new schedule mentioned someplace a couple weeks ago but I don’t remember where I saw it now.

Myself and everybody else I’ve spoken to so far that has a supported version of Outlook received a junk mail update yesterday.

Reply | Quote

Sorry to disappoint you Ed but I saw nothing released on the first Tuesday of April 2016 (aka 4/5/2016), at least according to Microsoft KB article 894199.

that’s weird woody. I have both KB3139398 and KB3139852 updates installed on my Win7 & Win8.1 machines and have not gotten any Win10 upgrade advertisements in IE so far. Perhaps a non-security update (which I think is not installed) could be triggering those ads.

Reply | Quote

I haven’t seen the ads either. The info I have is based on internal Microsoft documentation – and it looks like MS didn’t go ahead with the rollout.

The patches Ed saw were for Office – and there’s a ton of those. http://www.infoworld.com/article/3052307/microsoft-windows/heres-the-rundown-on-microsofts-latest-non-security-office-patches.html?nsdr=true

Reply | Quote

Woody, thank you for the advice – – – – I’ve had other updates, which have been hidden several times, such as KB 2952664 & KB 3035583 and they have reappeared (and were hidden again).

I try to keep a close eye on all of the updates.

As always, your advice is “first on my reading list”. Thank you again for all of the help you provide to everyone!!

Reply | Quote