• Patch Lady – we have an “out of band” release


    • This topic has 31 replies, 15 voices, and was last updated 4 years ago.
    #1962596

    Susan Bradley Patch Lady/Prudent patcher

    7 users thanked author for this post.
    • #1962601

      but we are on MS-Defcon 2.. what gives?

      No problem can be solved from the same level of consciousness that created IT- AE
    • #1962602

      KB4522007 has been added to AKB2000003 for Win7/8.1 for Group B (and whoever else needs it.)

      • This reply was modified 4 years ago by PKCano.
      2 users thanked author for this post.
      • #1962611

        “KB4522007 has been added to AKB2000003 for Win7/8.1 for Group B (and whoever else needs it.)”

        don’t you mean AKB2000003 😉

        No problem can be solved from the same level of consciousness that created IT- AE
        1 user thanked author for this post.
      • #1962646

        However, Microfix’s question pertained to the fact we’re still on Defcon Level 2. And so normally us people in Group B don’t apply the fixes until Woody gives the go-ahead by raising the Defcon level to 3 or higher, even though PKCano has made them available in AKB2000003 much earlier than that time. So should we wait until Woody raises the Defcon level to 3 or higher before installing it?

        • #1962648

          Here’s what Woody says:

          “If you don’t use Internet Explorer, you can safely ignore all of the hoopla. If you do use IE, rap yourself on the knuckles, click on those links and go diving for the update: You’ll only get it if you manually download and install it”

          2 users thanked author for this post.
    • #1962600

      The release notes say this is only available in the Microsoft Catalog.  I just checked Windows Update and it’s not offered to me on 1903.

      • #1962622

        that’s right – KB4522016 is a Catalog only update. I’m skipping this one since I anticipate a newer patch is coming by either the end of this week or by next Mon Sept. 30

        3 users thanked author for this post.
        • #1962674

          “that’s right – KB4522016 is a Catalog only update. I’m skipping this one since I anticipate a newer patch is coming by either the end of this week or by next Mon Sept. 30”

          Why are you anticipating a newer patch?

          I’m Group A but do still use IE11 on Windows 7 system so acquired and installed this patch. So far, so good.

          As respects my other system with Windows 10 ver 1803, assume Edge browser is OK? As KB4522014 is cumulative and as good as installing the September CU with Defcon 2.
          How close are we to raising the Defcon as I have not seen many/any issues with the September CU?

          Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)
    • #1962612

      This particular patch sounds like a patch-immediately-and-avoid-the-virus patch.

      Is it a good idea to apply this patch immediately?

      On permanent hiatus {with backup and coffee}
      offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
      offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
      online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
      1 user thanked author for this post.
      • #1962624

        no geekdom.
        not unless you’re using IE since these out of band updates only deal with a recent 0day problem with IE

        plus these updates will NOT be delivered thru windows update. They’re only available thru the MS Update Catalog site. (pay close attention to this statement, Susan – these “out of band” updates are “catalog only” updates)

        • This reply was modified 4 years ago by EP.
        2 users thanked author for this post.
        • #1962635

          I don’t use IE, but it’s still part of Windows 7, 8, and 8.1. Should I get it now or wait? I’d rather wait unless this 0day poses a real immediate problem.

          Being 20 something in the 70's was much more fun than being 70 something in the 20's.
    • #1962620

      skipping these patches since it deals with a recent security issue with IE

      MS may release newer patches than these by either the end of this week or perhaps on 9/30 🙂

      1 user thanked author for this post.
    • #1962627

      “For those of you that use Windows update, you will get a security patch pushed out to your machine and it will demand a reboot.”

      Not available via Windows Update or WSUS. Catalog download only.

      “For those of you with WSUS updating rules or quality update deferrals, this will respect those settings.”

      Not applicable.

      Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

      1 user thanked author for this post.
      • #1962645

        Yup, my bad. I ASSumed that these out of band worked like every other out of band update that we’ve ever had and that they would be released on Windows update.

        Susan Bradley Patch Lady/Prudent patcher

        4 users thanked author for this post.
        • #1962968

          it will soon be considered moot that these out of band updates may not be available thru WSUS and windows update as Microsoft plans to release a newer set of out of band updates like the upcoming KB4517211 update for 1903 that is currently in the release preview ring. Unlike KB4522016 for 1903, KB4517211 will get delivered thru windows update and wsus as well as being manually downloaded from the ms update catalog site (just like with KB4512941 last month).

          • This reply was modified 4 years ago by EP.
          1 user thanked author for this post.
    • #1962636

      KB4522007, is this for Windows 7 and an IE11 Cumulative update or is it just a targeted update? So does this supersede the earlier IE 11 Sept 2019 IE 11 Cumulative sec update?

      And as usual I’ll wait for any included Telemetry vetting before I’ll install any KB going forward. And I’ve done that since the “July Security” Only updates that had that telemetry included in a surreptitiously done manner.

      I’m using Firefox for most of my everyday browsing anyways and I’m not installing Windows 7 September 2019 “Security Only” Updates and usually when I skip that I’ll skip the IE cumulative update for that month as well, since that’s cumulative anyways and can be put off until the following month’s IE 11 cumulative security update.

      It’s still DEFCON-2 anyways

    • #1962658

      One thing that bothers me here is, IE is integral to Windows, whether one uses IE or not. For MSFT to issue an OoB update must be for a valid reason; how often does this predicament happen?
      Looking forward to this month’s ‘Previews’ that may/may not contain the IE patch.
      It wouldn’t be the first time I’ve installed previews either; I’ve found them to be more reliable than some of the Patch Tuesday offerings in the past for W7/W8.1 in situations like this.

      No problem can be solved from the same level of consciousness that created IT- AE
      1 user thanked author for this post.
      • #1962970

        the upcoming preview rollups will contain this recent out of band IE security fix, Microfix.

        1 user thanked author for this post.
        • #1963416

          It would seem that IE KB4522007 isn’t included (that I can see) in September’s preview on Win8.1. Holding off for now... haven’t used IE for years anyway.

          No problem can be solved from the same level of consciousness that created IT- AE
    • #1962679

      Per the folks on the pm.org list, this will be out as a pushed out to the masses update tomorrow.

      Susan Bradley Patch Lady/Prudent patcher

      3 users thanked author for this post.
    • #1962820

      If you don’t use IE, you can safely ignore the patches.

      There’s a reason why MS made them hard to get.

      But everyone is “using” IE one way or the other as IE is embedded in Windows Explorer…

      • This reply was modified 4 years ago by Alex5723.
      3 users thanked author for this post.
      • #1963286

        So they share some DLLs, and just what IE functionality used by Windows Explorer (Win 7 Pro) needs internet access, or remote scripting services enabled via IE? If the error is in some scripting engine part of IE, is that even used/enabled in Windows Explorer?

        I’ll just keep using Firefox and my installed Security/Firewall software and avoid using IE directly until the October patches are released, and as long as the October Windows 7 Security Only patches have no telemetry they will get installed as well.

        All software can make use of the same DLLs and it’s just a matter of if that’s just some shared UI functionality that may or may not be related to IE’s scripting related functionality. So just what permissions are granted to Windows Explorer when making use of any shared DLL code needs to be known and I would think that Windows Explorer should be rather isolated from any Internet scripting pushed out from the web.

        Really MS had no business integrating any Web based Browser functionality directly into its OS in the first place as all that needs to be outside of any kernel space or any elevated permissions granted user space. That really needs to be in some sandboxed environment and no DLL code sharing allowed.

        When will Chrome Based Edge be available for Windows 7 and 8/8.1 and will MS have taken the time to make sure that it’s safer to use than IE, which was never really safe in the first place.

        • #1963316

          “I would think that Windows Explorer should be rather isolated from any Internet scripting pushed out from the web.”

          Don’t depend on it!

          “will MS have taken the time to make sure that it’s safer to use than IE”

          History does not favor such optimism.

          -- rc primak

          1 user thanked author for this post.
        • #1963601

          “When will Chrome Based Edge be available for Windows 7 and 8/8.1”

          Microsoft Edge Insider has been available for Windows 7 and 8/8.1 (and macOS) for three months.

          Choice of update channels; Canary (daily), Dev (weekly), Beta (six-weekly):

          https://www.microsoftedgeinsider.com/en-us/download

           

          “and will MS have taken the time to make sure that it’s safer to use than IE, which was never really safe in the first place.”

          The Microsoft Edge (Chromium-based) Insider Bounty Program welcomes individuals across the globe to seek out and submit vulnerabilities unique to the next version of Microsoft Edge based on Chromium. Qualified submissions are eligible for bounty rewards of $1,000 USD to $30,000 USD.
          Microsoft Edge Insider Bounty Program

          Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

    • #1963173

      thanks everyone for your comments. I need to update my IE as at least one program I use makes use of it in the background but it sounds like I should wait until the mass rollout is ready sometime today or in the near future. I’ll not use that program until the general release is made sometime soon. Sound like a good plan? Will there be a link to the correct Win Cat page/KB? I see that the current Cat listing also specifies downloading Servicing stack update (SSU) (KB 4516655) and SHA-2 update (KB 4474419). Are these safe? Thanks so much!

    • #1963331

      Regardless of in or out of band, maybe it is just me, but I am failing to understand the Windows 10 1903 update settings. I have one Pause Update setting that I enabled after updating a test machine. Then I disabled the Pause and it is installing the same updates it already installed. Does it not know what it already installed?

       
