• Patch Lady: Preparing for Microsoft’s patch-security changes

    #349709

    Are you running Windows 7 or Server 2008? There are some important updates coming down the pike, and you need to install them if you want to keep gett
    [See the full post at: Patch Lady: Preparing for Microsoft’s patch-security changes]

    • #349734

      For years, Microsoft has continued to use SHA-1, assuming that the chances of a valid attack are small. Currently, Windows 10 supports both SHA-1 and the more secure SHA-2, but Win7 systems have supported only SHA-1. Later this year, however, things will change — Microsoft’s entire infrastructure and patching mechanisms will require SHA-2.

      When Microsoft switches to SHA-2, there will be some old software that will no longer work, because it will be dependent on SHA-1. I predict that when this happens, there will be a lot of complaints that “Windows 10 broke my software”. That would be one way to look at it. But a more accurate way to look at it, in my opinion, is that you had some old software that the vendor refused to update to SHA-2, and now you are getting bit. In other words, it isn’t Microsoft’s fault, even though they will get blamed for it.

      Same thing for SMB v.1. Windows 10-1809 defaulted to a newer version of SMB; there were likely those who blamed Windows 10, but in fact Microsoft was simply plugging a security hole; and it is easy to allow SMB v.1 if you want to.

      Group "L" (Linux Mint)
      with Windows 10 running in a remote session on my file server
      • #349735

        The switch is only for signing Windows updates and component security catalogs; the OS itself will still support SHA-1 signing for whatever other software (or Microsoft programs like Office).

        • #2012083

          I guess I was too confident 🙂

          Since this November, all Office MSI patches and Office C2R builds are now signed SHA2-only.

          Up until October, they were dual signed SHA1/SHA2.

      • #349762

        In the OS itself, you can still use SHA-1 if you have to, but if at all possible, it would be wise to update or patch any software which still uses SHA-1. The older hashes are not considered secure anymore.

        -- rc primak

    • #349771

      Thanks for the article, Susan, most informative as ever. However:-

      “I recommend you not install any of these SHA-related updates on the regular Patch Tuesdays (the second week of each month). Rather, add them at the end of the month to ensure they’re installed by themselves and that there’s no interference from feature and security patches.”

      Isn’t that contrary to Microsoft’s recommendation (endorsed variously here with this month’s updates) that the SHA-related updates should be installed separately before the usual monthly quality rollup?

      Just in the last few days I installed the March updates on both my Windows 7 x64 home desktops by hiding everything so as to be offered KB4490628 which I installed. Then I restored the hidden updates and installed KB4474419 followed separately by KB4489878 (quality rollup). Finally, on the one relevant machine I installed the 5 Important and checked Office 2010 updates, leaving the remaining Important but unchecked Office 2010 update untouched. I followed all appropriate “restart” prompts and left time between the different installations for things to settle down. It all went smoothly.

      I hope we can get a clear recommendation in future months as to whether we have to go through this or some other somewhat tortuous procedure, or can simply install the updates in the sequence in which they are offered to us.

      • #349780

        It is the Servicing Stack Update that should be installed first and separately. That is different from the SHA-2 update. The SSU is an update to the updating mechanism itself.

        • #349828

          Indeed, PK, but both are considered together in Susan’s article with the conclusion – in the plural – that I quoted above, and with no suggestion that the two updates mentioned should be considered and installed differently from each other.

          That is why I expressed the hope that there would be greater clarification in future months. There’s clearly confusion on Microsoft’s part in the way the updates are offered otherwise we would be offered the one that has to be installed first before being offered anything else, whereas it’s only when we have installed (or known to hide) all the others that we get offered the one that they say should have been installed first – that’s why I think that we should ensure maximum clarification each month as to how to proceed with these particular updates and any others like them.

          • #349831

            Well, you’re talking about Microsoft. Seems they still haven’t figured out how to update their own products correctly!

            • #349924

              OK a question. On my Win 7 laptop, I checked and was offered KB4474419 – which I installed. I rechecked and was then offered KB4490628, also installed.

              Then, on my Win 7 desktop, I repeated the procedure and was offered KB4474419 and KB4493132. Since KB4493132 is the Win 10 nag update, I hid it, installed KB4474419 and then rescanned to get KB4490628. That never appeared – and Win Update says there are no other updates. I am Group A and pretty much just wait for Woody’s go-ahead and install what he says is safe each month.

              So – how will I be able to get KB4490628? Should I just download it directly since it isn’t offered – or wait till the end of the next update cycle and see if it is offered then?


            • #349928

              I, personally, try to do as little updating through Windows Update as possible. I’m Win 7 Pro, SP1, x64, Group B. I just download the Servicing Stack Updates from the catalog and manually install them. That makes it an ‘exclusive install’, as required (make sure you’ve done any required reboots from any previous patch installs and make sure to reboot if required after the SSU install – although I don’t remember a reboot being required). No fuss, no muss, works great, no resultant system issues.

            • #349933

              Thanks! Guess I’ll reboot to be sure there are no issues and go ahead and download that one. Glad it worked fine! I have no issues on the laptop, which did get both of those this morning – but for some reason, the desktop isn’t showing KB4490628. Weird!

              ETA – Just noticed the DEFCON has changed to 2 – so maybe I’ll wait till next month for it – LOL!

    • #349959

      First time here. Don’t know quite how to use this, and I apologize if I’m in the wrong place!! But here is my question. I have Win7 on a laptop, and have never been offered KB4474419. Is there a reason that it has not appeared when MS offers its updates?? I have never searched out an update, so is it okay if I go online and download it? And install it?? (I have installed 4490628.)

      • #349962

        It’s OK to download it from the Catalog and install it manually.
        But first, check your installed updates and see if it’s already there and maybe slipped past your notice.
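
        As an added example (not from any poster in this thread), here is a PowerShell check for the two Windows 7 updates discussed above. The KB numbers come from the thread; the calls are the standard Get-HotFix cmdlet and the Windows Update Agent COM API, which also catches updates that Get-HotFix does not list.

        ```powershell
        # Added example: report whether the SHA-2 signing update and the Servicing
        # Stack Update named in this thread are present. KB numbers are from the thread.
        $RequiredKBs = @{
            'KB4474419' = 'SHA-2 code signing support'
            'KB4490628' = 'Servicing Stack Update (install first, by itself)'
        }

        function Get-InstalledKBSet {
            # Win32_QuickFixEngineering (what Get-HotFix reads) omits some updates,
            # so also walk the Windows Update history via the Agent COM API.
            $found = @{}
            Get-HotFix | ForEach-Object { $found[$_.HotFixID.ToUpper()] = 'Get-HotFix' }

            $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
            $count = $searcher.GetTotalHistoryCount()
            if ($count -gt 0) {
                foreach ($entry in $searcher.QueryHistory(0, $count)) {
                    # ResultCode 2 = Succeeded; the KB id is embedded in the update title.
                    if ($entry.ResultCode -eq 2 -and $entry.Title -match '(KB\d{6,7})') {
                        $kb = $Matches[1].ToUpper()
                        if (-not $found.ContainsKey($kb)) { $found[$kb] = 'WU history' }
                    }
                }
            }
            return $found
        }

        function Test-ShaTransitionReadiness {
            param([hashtable]$Required = $RequiredKBs)
            $installed = Get-InstalledKBSet
            foreach ($kb in ($Required.Keys | Sort-Object)) {
                $status = if ($installed.ContainsKey($kb)) { "present ($($installed[$kb]))" } else { 'MISSING' }
                [pscustomobject]@{ KB = $kb; Purpose = $Required[$kb]; Status = $status }
            }
        }

        Test-ShaTransitionReadiness | Format-Table -AutoSize
        ```

        Run it from an elevated prompt; a row marked MISSING is the update to look for in the Catalog, and the SSU row should be resolved before the others.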

    • #350022

      Which brings up an interesting question.

      If I deploy a fresh install of Windows 7 after July/September, will it still be able to get to Windows Update to (at the very least) download the patches to update itself to the new SHA2 patch? I assume the minimum would be SP1, a pile of Servicing Stack Updates and then 4484071? Or will Windows Update just break altogether for PCs that are freshly built?

      I guess it’s a good thing I always keep WSUSOffline up to date with a set of patches.

      No matter where you go, there you are.
