MS-DEFCON 3: Patch but watch out

Topic

New Reply

With Patch Tuesday just around the corner, it’s time to get caught up again. This month, making your machine right is much more difficult than applyin
[See the full post at: MS-DEFCON 3: Patch but watch out]

Reply | Quote

Replies

I’d like to run GWX Control Panel to block OS upgrades, but the last time I did that, my modem stopped working. I’ve since gotten that fixed, but I’m reluctant to try it again. Then again, I did it right after installing a Windows update (I forget which one). Would it be safe to reboot, then immediately disable OS upgrades either through GWX Control Panel or regedit? I’m running Windows 7 Home Premium 32-bit SP1, haven’t installed KB3035583, and GWXCP isn’t detecting any other Win10-related items.

Reply | Quote

Woody, I have the GWX installed, however don’t see a reference to:

. Run GWX Control Panel and set it to block OS upgrades.

Everything says I appear to be safe. Is there still something else that I must do now? I’m really confused (not to mention insecure).

Reply | Quote

I’ve had the .NET upgrade to 4.6.1 sitting in my Update queue since late January. Any word on this version? I’ve had 4.5.2 running with no adverse effects.

I’m also seeing some new “improvements” to Windows updates that are getting hidden. At least one was a new KB number along with the usual rereleases of old bad ones.

Reply | Quote

Come to think of it, losing Internet access is an absolutely guaranteed way of disabling OS upgrades. LOL!

Reply | Quote

Woody, this sounds like such a basic question, but I’d rather ask than be confused:

I have one PC, Windows 7. I have the GWX Control Panel (thanks to YOU), and I run it in Monitor Mode.

Your instructions for this update state that, after downloading the updates and doing the restart, I should “This one’s important” RUN GWX CONTROL PANEL AGAIN.

My question: If I am in monitor mode, isn’t it already running? Or am I missing some other step that I am not understanding?

Thanks again for all you do.

Reply | Quote

Followed your advice to the “T”, Woody, but I have one question: The Microsoft .NET Framework 4.5.2 update was listed on my Win7 SP1 64-bit machine as Optional, not Important. Since you said to not check any Optional Updates, I left the box unchecked. Should I go back to MS Update and install this update even though it is listed as optional?

Thanks.

Reply | Quote

Hi Woody,

I also have a Microsoft .NET Framework 4.6.1 update KB3102433 for Windows 7…..should I only install the 4.5.2 update? Both of these appear in Optional Updates.

Regarding your warning to uncheck items that only say “Update” – does this include Update for MS Visual C<++ 2012 Update 4 Redistribution Package KB3119142? It shows up in Important Updates.

Thx so much,
Gail

Reply | Quote

Security Updates Only. Glad to see you get onboard with this.

Reply | Quote

Hi Woody,

I noticed when I went through the process for 8.1 that the Recommended updates had been rechecked from last time I unchecked it. Also, the Microsoft Update box was checked. I’m presuming it’s also wise to uncheck that box at this point. Particularly as the Note below states:

“Windows Update might update itself automatically first when checking for other updates.”

The way things are going at the moment who knows what those updates could include!

Thanks,
Shanfan

Reply | Quote

Well here’s one to be wary of right from the start:
https://support.microsoft.com/en-us/kb/3135445

Windows Update Client update for Win7, etc.

“…contains some improvements…”

Call me very jaded, but for whom?

Reply | Quote

Note the insidious statement at the end of windows 7 update settings –

“Note: Windows Update might update itself automatically first when checking for other updates”

Reply | Quote

Woody,

I’ve got Windows 7 and use Firefox (not IE, which is only at IE 9 for me — never bothered to update it because I don’t use it, but I do install the Cumulative Security patch for IE 9 each month).

What about this update?
https://technet.microsoft.com/library/security/3123479

Looks like it’s only if you use IE or something called Microsoft Edge? I installed the rest of the Security Updates for this month, but not this one… Thanks for the help.

— Jack

Reply | Quote

Hi Woody,
Just downloaded 15 “security updates” plus “malicious software removal tool”.
I followed your protocol to the letter on your article.
I do have an outstanding patch:
Definition update for Office 2010, KB 311 4563.
Is this one good to install?
OS: Win7 home premium.
Thanks Woody! AR

Reply | Quote

@woody: Updates KB2952664 for Win7 and KB2976978 for Win8/Win8.1 have been revised again on Feb. 2.

Also, forget Microsoft .NET Framework 4.5.2. Get either .NET Framework 4.6 or 4.6.1 instead, which either one is offered at Windows Update.

Reply | Quote

That’s the Junk Email Filter update. Yep, good to install.

Reply | Quote

You need to upgrade to IE 11. Sorry to say it, but IE has its hooks buried so deeply into Windows that you need to keep IE updated – and the only version of IE that’s getting updated is IE 11.

(Edge is the browser in Windows 10. Some day it may be worthwhile, for now it’s underwhelming.)

Reply | Quote

Yep, 3123862 is even more of a mystery…

Reply | Quote

I’ve changed my tune – unless it’s a security patch, I say don’t touch it.

We may get some worthwhile non-security patches, but Microsoft’s tossed so much drivel into the mix that it’ll have to be very convincing.

Reply | Quote

Sorry, I goofed in the original article! 4.6.1 is the good one. Leave 4.5.2 unchecked.

Reply | Quote

If you’re in monitor mode, yes, it’s already running, and you don’t need to start it again. It’ll take care of you.

Reply | Quote

My original article was wrong – the good .NET update is 4.6.1. Sorry about that!

Reply | Quote

It’s “disable OS upgrades” – but if GWX CP says you’re safe, you’re fine.

Reply | Quote

I don’t think there’s any way GWX Control Panel could’ve knocked out your modem. Most likely it’s a coincidence. GWX CP switches around some registry settings, but they aren’t connected to your modem.

Reply | Quote

I see GWX Control Panel mentioned and recommended a lot. While this may be an easy solution for the users of the Home Editions instead of editing Registry keys, Windows 7 Pro and Enterprise have a supported option to block upgrades as a Group Policy.
All the details are here https://support.microsoft.com/en-us/kb/3050265

Reply | Quote

The Vista fuzzy font issue dates from February 2015. I do not see why you have mentioned it now in relationship to the January 2016 updates. KB3037639 also dates back to February 20, 2015. In short, I think there are no issues with Vista updates except that you have to be aware of the End Of Support of April 11, 2017.

Reply | Quote

I run Windows 10 Pro on both my laptop and my tablet now. Cumulative Updates 7 and 8 for January, 2016, plus MRT for Jan. 2016 went well, except:

At some point along the way, my tablet only (Win 10 pro, 32-bits) got its SmartScreen Filter settings changed from disabled to enabled for the OS. (Probably not for Edge or IE 11, but I seldom use either, so who knows.)

I went back in, and restored the SmartScreen settings to disabled.

I found out about this when a legitimate source for downloading Glary Utilities Free Edition (MajorGeeks) got the popup and was almost blocked before I figured out what had happened and allowed the download. I can understand the same issue with Nir Sofer’s ProduKey, as many antimalware programs also mistake this tool for a hacker tool, but Glary Utilities?

This is why I don’t trust reputation services and whitelists.

Anyway, one of the CUs seems to have changed the setting. And only on the tablet, not in my laptop, which is 64-bits.

Reply | Quote

Strange.

I take the reputation services as a guideline. They make me think twice before installing something. That’s not a bad thing.

Reply | Quote

Thanks, Pim. I think you’re right, but wanted to err on the conservative side. I’ll modify the post momentarily.

Reply | Quote

Sure, but using gpedit doesn’t do all of the other stuff that GWX Control Panel does – remove the GWX subsystem, turn off the scheduled tasks, remove the hidden folder, etc. Using the Group Policy sets the DisableOSUpdate in the registry, but as far as I know, that’s it.

Reply | Quote

Woody
In your response to RCPETE you say that net update 4.6.1 is the good update and not 4.5.2. I have 4.6.1 hidden and not checked. Should I now check it and run the update and make sure that 4.5.2 is unchecked and hide it?
Thanks
Sam

Reply | Quote

Yes. Sorry about that.

Reply | Quote

On a Windows 7 64 bit system, I got KB 2952664 in the queue again, and it was checked. KB 3123862 came in as an unchecked optional update. I can’t recall the number of times I’ve hidden KB 2952664. It keeps coming back like a bad penny.

Reply | Quote

Well, here’s a new twist for you. Watch out for your anti-virus program updates. I have McAfee Live Safe and have just discovered that it is including some of Microsoft’s non-security updates (silly me, I thought an anti-virus program was about PREVENTING malware, which is what I think of Microsoft’s forced Windows 10 downloads. I went back and looked at my downloaded/installed list of KBs and found a boatload of them installed on 1/22, particularly for Microsoft Office Pro. Should I follow the same “playbook” for MSP updates as Windows and uninstall any that are not security updates? Also, Woody, do you have any opinion on KB3133431 for 8.1? Thank goodness for the GWX Control Panel!

Reply | Quote

I haven’t seen any problems with Office non-security updates. Hope it stays that way.

I think 3133431 is OK. http://www.infoworld.com/article/3022165/microsoft-windows/microsoft-tries-new-version-of-kb-3133431-flash-player-fix.html?nsdr=true Haven’t heard of any more problems.

Reply | Quote

Does Microsoft hide updates so you can’t see them? I’ve checked my updates, and the ones you mention aren’t there. I have Win 7 pro.

Anything to worry about?

Reply | Quote

Hi Woody
As always thanks for the great work you do.

A suggestion – in your boilerplate section, add something about updates for Office. With the new approach of only installing security updates, how that affects Office updates should be highlighted.

Reply | Quote

@woody Just trusting what Microsoft says on this one as Group Policy (local or domain based) is supposed to be used by IT Administrators too. It may not be the complete solution after all and in this case the GWX Control Panel is the real thing.
My concern is that any custom third-party solution using undocumented Registry settings can be easily deactivated by subsequent updates as we have seen in the past while a Microsoft supported solution is supposed to work with later patches unless advised differently by Microsoft. KB3123862 could be one of those.

Reply | Quote

“security update” – I’m guessing those words are a tempting trojan horse for the new microsoft.

Reply | Quote

Hi Woody,

Thanks for the reply, but I’m confused. You said only IE 11 is getting updated, but I install the Cumulative Security Patch for IE 9 (which is what I have) every month, which is always offered with the security updates. So as far as I can tell, they are providing an IE 9 security patch every month. Am I not understanding this correctly?

Also, you didn’t say whether or not it’s necessary to install the security patch I listed that I was asking about:
https://technet.microsoft.com/library/security/3123479

If you read what it says it’s for, it sounds like the security issue is only if you use IE or something called Microsoft Edge. Should I install this?

Thanks again,

Jack

Reply | Quote

IE 9 is updated on Vista – and I was under the impression that it’s ONLY updated on Vista.

The SHA1 deprecation patch shouldn’t be a problem. Although it’s SmartScreen related, and SmartScreen is an IE or Edge feature, there may be times when Windows itself looks at it. (Edge is Microsoft’s new browser.)

Reply | Quote

Could be. We’re all concerned that Microsoft will pull a GWX Control Panel killer out of its hat.

Reply | Quote

I haven’t seen any problems (at least, generic problems) with installing Office non-security updates. Have you hit any?

Reply | Quote

Not worth worrying about. I am constantly amazed at what Windows Update decides to show on any specific machine.

Reply | Quote

SmartScreen also seeks to protect the operating system, so popovers and alerts do occur even when Edge and IE are not used. Especially if you attempt to install anything not on the whitelist. Been there, seen it in action, disabled the whole SmartScreen mess for this reason.

Also, Smart Screen has two different settings switches. One is for IE and Edge, the other is under more general Windows settings.

Reply | Quote

It’s bad when I can’t download or install a utility which is useful but not whitelisted. Sometimes SmartScreen doesn’t give me a choice to allow the download or to install the updated utility.

Reply | Quote

Never had problems with Office updates. But I am running Office 2010.

This month on my Win 8.1 PC, the ONLY important, non-security updates are for Office.

It sounds from your response that you are ok with installing important non-security updates for Office, and if so, makes sense to add that clarification either to your boilerplate or to Step 2.

Interestingly, Update did not offer me the .NET you mentioned (though 4.5.2 is listed as Optional, unchecked.

Reply | Quote

@Woody
Just an FYI…

Installed 8 security updates today on a W7 x64 machine.
No problems or issues and Windows Update setting was left Unchanged [Check for updates but let me choose…].

Reply | Quote

I noticed your comment about updates for IE9 only being provided for Vista. All my Win7 machines are still getting them. They are a mix of Pro and Home, and all 32-bit. This month’s is KB3124275.

Reply | Quote

Sorry to sound dense, but I want to make sure I get this right (I have Windows 7, x64):

1. For me, the only .NET update listed (4.6.1, KB3102433) is in the Optional tab and is unchecked. Your instructions say to check it, but they imply that it would be in the Important tab. Should I leave it unchecked if it’s in the Optional tab?

2. My current IE, which I never use, says it’s version 10. You say I need to update it to IE 11, but how exactly should we do that? (I’ve looked through several articles and can’t seem to find the answer; sorry if it’s one that I missed.) There is currently an update in my Optional tab (unchecked) that says it’s for Internet Explorer 11. Is that the best way, or is there another way? Finally, should I do this before I go through the current DEFCON-3 patches (which include an IE 10 update) or after? I’m guessing before, since one of the articles recommended doing it weeks ago, but I just want to make sure.

Please be as exact as you can regarding the IE 11 upgrade; I get the feeling certain things should be obvious but they really aren’t obvious to me. Thank you for your consideration.

Reply | Quote

On my Win7 system I got that one important update did not install.I opened the “new updates are available” and saw “Important System Update Readiness Tool for Windows 7 for x64-based Systems (KB947821)[October 2014]” was involved “offered because an inconsistency was found in the Windows servicing store which may prevent the successful installation of future updates, service packs, and software. This tool checks your computer for such inconsistencies and tries to resolve issues if found.” I unchecked it and went on to the next steps, rather puzzled.

Reply | Quote

Postscript to my Feb 7 comment: Unchecking KB947821 and OK’ing that does no good. It gets checked immediately.

Reply | Quote

To upgrade a Win7 machine from IE 10 to IE 11 in the most reliable way possible, go here:

http://windows.microsoft.com/en-us/internet-explorer/ie-11-worldwide-languages?tduid=(922ad9a2a2ed224b7565f710f9061dff)(256380)(2459594)(TnL5HPStwNw-KMuATTD50NK11yArz3gYdw)()

If the .NET update is unchecked, I’d say leave it unchecked. You don’t need it.

Reply | Quote

I didn’t realize that! Interesting. I’ll try to run it down.

Reply | Quote

Again the stupid patches cause a malfunction on my sound. I will not patch anymore

Reply | Quote

Hi Woody (and rc),

Just FYI, Woody, I installed this update for IE9 and do so every month. It is offered every month in the Critical Security Updates.

Cumulative Security Update for Internet Explorer 9 for Windows 7 for x64-based Systems (KB3124275)
https://support.microsoft.com/en-us/kb/3124275

And I went ahead and installed that SHA1 thing.

One other question, are we still not installing KB3011780 from way back when?
https://technet.microsoft.com/library/security/MS14-068

Thanks again!

Reply | Quote

I think Kerberos patch KB3011780 has had the problems ironed out.

Reply | Quote

Woody,

Windows 7 Home Premium + GWX Control Panel here. I have followed your last MS-DEFCON advice, no problem (yet).

However, I have reinstalled recently, therefore I had (and still have) quite a backlog of non-installed optional updates, going back to 2013. Any thoughts ?

Reply | Quote

Woody,
On my desktop still with Win 8 (will upgrade to 8.1 after I get through the headcold and can think straighter) and an Important update is listed that is not on any other of our computers (running Win 7).
Visual C ++ Redist for Visual Studio 2012 Update 4 Redistributable Package KB3119142 dated 12 Jan 2016. It was checked and I unchecked it till I hear back from you. Thank you for the help.

Reply | Quote

That one’s OK. The Visual C++ Redistributable is something you don’t need to be worried about.

Reply | Quote

Woody,
I see an update titled “Cumulative security update for Internet Explorer 11 for Windows 7” – KB3124275.

Have you heard anything about this one? Is it ok to install?

As a side note, is it ok to install the new Windows defender definitions? I don’t use defender, just curious.

Reply | Quote

Always OK to install Windows Defender updates.

I haven’t seen any problems with KB3124275, but of course, I advise you against using IE.

Reply | Quote

Given the games that Microsoft seems to be playing, would it be advisable to set Windows Update to “never check for updates” and then change the setting to check but don’t download when you tell us what to do?

Reply | Quote

I have KB3124275 as well but it states that it’s an update for IE11, which I have on my Win7 laptop. (Installed all my security updates on 2/7; it seems that this process takes more and more time every month.)

Reply | Quote

Just wanted to say that I had had KB3102433,
the visual C ++ one sitting as an optional and
after reading your comments was going to install it………. but this morning it’s not
there!! Gone! Anyway I’m not overly concerned as I’m sure MS will resend sooner or later…. but just wanted to add that to the list of ‘strange behaviour’ that we are witnessing lately!!! LT

Reply | Quote

Woody:

I do not know what this “SmartScreen” thing is. However with the patch KB 3123479 (SHA -1 etc.) I had a problem with one e-mail after clicking on a link. A message popped up that stated “ERROR ESTABLISHING CONNECTION”. Closed the e-mail program. I then went to the Internet, and checking this same title, it too had the same message pop-up.

After a short time, these messages no longer appeared. Since I don’t know what this “SmartScreen” thing is I wondered if it had any relationship to this patch. I haven’t noted anyone else having problems with this one.

I’ve been too sick to get the patches done sooner. Thank you so much for all of the help you always provide!

Reply | Quote

SmartScreen is a security feature in Internet Explorer and Edge. http://windows.microsoft.com/en-us/windows7/smartscreen-filter-frequently-asked-questions-ie9

Not sure why you got the Error Establishing Connection message, but the best advice I can give about SmartScreen is to use Chrome or Firefox instead of IE…

Reply | Quote

Yep, you want KB3124275

Reply | Quote

Naw. There’s no harm done with “Notify but don’t download.”

Reply | Quote

Woody: I use Firefox as my browser, and “never” use the IE. I’ve been following your excellent advice from the first day I found it.
We are so fortunate to have you!

Thank you for the clarification about the “SmartScreen”. Hopefully these updates to the IE 11 will not cause any problems.

Thank you once again for your help. 🙂

Reply | Quote

My laptop was repaired, and now I have a list of 150+ updates to reinstall for Windows 7 Pro. I believe these go back to the “birth” of Win 7. I’ve read your boilerplate advice re not installing anything that doesn’t say Security. Are all Security updates reliably free of anything relating to Win 10 or telemetry/snooping? I’m not keen on looking up every KB individually, but will do so if necessary to keep my machines running well.

Thanks, Woody!

Reply | Quote

Don’t know if they’re ALL free of snooping enhancements.

My recommendation with a new Win7 installation – and I just installed Win7 last week – is to install ALL outstanding (checked) patches. Go back through Windows Update several times, if need be. Then run GWX Control Panel and turn off the Get Windows 10 stupidity.

I don’t know which patches increase Microsoft’s snooping. Rather than suffering through some very bad updates (some of which trigger very long update wait times), I recommend that you just go ahead and install all of them, and live with the increased snooping.

Reply | Quote