• Patch Tuesday patches are up

    #107559

    There’s a massive list of updates to Vista, Win7 and 8.1 on the Windows Update page. I don’t see any mention of Security Bulletins, but the Security U

    • #107561

      You should make a mention that these are the last updates for Vista. R.I.P. Windows Vista. 2006-2017.

    • #107568

      Installed, no problems with searching for updates after this (I have a Skylake processor). Interestingly, under known issues there’s:

      “If the PC uses an AMD Carrizo DDR4 processor, installing this update will block downloading and installing future Windows updates.”

      Seems the same info is stated under “Security-only”, so there will be no way to avoid CPU block, even when installing security-only updates…

      ASUS PRIME Z270-K * Intel Core i7-6700 * 2 x 8 GB Corsair Vengeance LPX DDR4 2133 MHz * Aorus Radeon RX 570 4GB * Samsung 840 EVO 250GB SSD * SanDisk Ultra 3D 1TB SSD * DVD RW Lite-ON iHAS 124 * Creative X-Fi XtremeGamer PCI * Windows 10 Pro 21H2 64-bit
      • #107580

        About the

        If the PC uses an AMD Carrizo DDR4 processor, installing this update will block downloading and installing future Windows updates.

        from

        https://support.microsoft.com/en-us/help/4015546

        it also quotes

        Microsoft is working on a resolution and will provide an update in an upcoming release.

        So what should be their official position on this one? They say they won’t support it anymore, they claim it will not work, after all in the end it ends up working but they say they will fix it…

        Is this some quantum computing under psychedelic drugs? Gosh, what Microsoft has turned itself into…

      • #107603

        Yes, Security Only updates for Win 7 / 8.1 contain the CPU generation detection = WU block for new processors

        1 user thanked author for this post.
      • #107608

        Don’t forget radosuaf’s method!

        • #107689

          I wonder if that still works?

          • #107691

            I’m not sure if anybody has posted about trying it, but I believe it should work.

    • #107570

      Win 10 is now up to 15063.138…


      -Noel

      • #107575

        138? Looks like a MASSIVE update :).

        ASUS PRIME Z270-K * Intel Core i7-6700 * 2 x 8 GB Corsair Vengeance LPX DDR4 2133 MHz * Aorus Radeon RX 570 4GB * Samsung 840 EVO 250GB SSD * SanDisk Ultra 3D 1TB SSD * DVD RW Lite-ON iHAS 124 * Creative X-Fi XtremeGamer PCI * Windows 10 Pro 21H2 64-bit
        • #107581

          Lots of electrons, maybe, but it still doesn’t weigh very much. 🙂

          -Noel

          1 user thanked author for this post.
    • #107583

      I for some reason can’t install KB4015550 on my laptop.

    • #107594

      One thing I’ve concluded after reading the ghacks link: The younger and more modern a Windows system is, the more vulnerabilities it has.

      So much for that Microsoft propaganda about newer operating systems being more secure.

      Too bad Windows XP updates’ info is not public anymore, I’m dead curious to know how well its security should have been ironed out for those top notch platinum premium users. Anyone out there spending those gazillions per machine with information to leak out about this? 😉

      • #107606

        I would argue that it doesn’t matter if Windows 8.1 and Windows 10 have more vulnerabilities as long as they still get updates. If they weren’t supported anymore then yes it would be a problem. But they’re still getting updated and these vulnerabilities are getting fixed. Also keep in mind that Windows 7 has been around longer so it’s had more time for vulnerabilities to be discovered.

        • #107644

          I’m not sure I understand this argument at all.

          “it doesn’t matter if Windows 8.1 and Windows 10 have more vulnerabilities as long as they still get updates.”

          So if Windows 10 has 5 critical vulnerabilities and W7 has only 1 and that’s OK because eventually those 5 will get patched? I think I prefer my 1 vulnerability, thanks.

          Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

      • #107634

        Agreed. Glad I’m using W7…

        Windows Vista: 9 vulnerabilities, 1 critical, 8 important
        Windows 7: 9 vulnerabilities, 1 critical, 8 important.

        Windows 8.1: 23 vulnerabilities, 4 critical, 19 important.
        Windows RT 8.1: 11 vulnerabilities, 1 critical, 10 important.
        Windows 10 version 1703: 21 vulnerabilities, 5 critical, 16 important.

        Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

        2 users thanked author for this post.
        • #107638

          Please convert to text before posting. Thanks

          • #107651

            I thought I had, having first copied and pasted the text into a Word doc using the Paste option “Keep text only” and then copied that to the post. Is that not sufficient?

            Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

            • #107652

              You have to make the Word .doc or .docx a text (.txt) document. Anything else carries HTML code

            • #107655

              Thanks for explaining. The last hyphenated word in my signature applies!

              Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

            • #107656

              Just use Notepad instead of Wordpad. Notepad saves in .txt format, so try typing out your message there instead of using Wordpad.  It’ll never put HTML in there.

              2 users thanked author for this post.
        • #107694

          Like I said. Windows 7 is older, so more vulnerabilities have had the opportunity to be patched, I don’t think that makes newer versions of Windows bad.

    • #107596

      What a b***** mess the “Security Updates Guide” is!  Now that Microsoft has decided, in their infinite wisdom, to get rid of MSSB numbers, it has become even more confusing to search for any/all applicable updates for a given operating system or other software product, much less multiples if you are a Systems Administrator type, like me.

      Good thing others are taking more time than I have available to flesh these out.  It was bad enough when Microsoft started rolling multiple updates up into one set six months ago, but this is far, far worse, IMHO.

      1 user thanked author for this post.
      • #107645

        I entirely agree, it’s an absolute headache to navigate now. How can this possibly be better? I couldn’t find the page for the security-only .NET Framework update; surely it should be linked to on the security and quality rollup page? But no, that would be too easy, so I found it on that ghacks page. The update pages are now also awful, with no links to the individual KB articles, just everything crammed into the opening paragraph. Oh, and why do the security-only pages list Internet Explorer, yet you have to install the cumulative update anyway?

        -T

    • #107597

      I am having major issues with these patches. I load onto multiple Win 7 Pro machines. On reboot around 50% are hanging at “30% installed”.

      It is fixed by switching off the machine manually and restarting. Not very useful for remote action.

      It does not seem to be hardware dependent

      Can anyone help with which patch is causing the issue?

      • #107620

        We’re at Defcon 2.  I don’t see where Woody gave a go ahead to install these.

        Experience is that marvelous thing that enables you to recognize a mistake as soon as you make it again.

        1 user thanked author for this post.
    • #107604

      Hm…

      From this page we see that there is a Cumulative Security Update for Internet Explorer (KB4014661).

      Reading carefully, I found that the description of KB4014661 on this page states (once the “Nonsecurity-related fixes…” section is expanded):

      Note You must install this Security Update for Internet Explorer 4014661 to have the option to disable VBScript as document in 4012494 on a computer that does not have Windows 10 Creators Update installed.

      I just went through the settings and didn’t find a VBScript as document option in the GUI that I could change. That option sounds like it might be a response to that zero day Office glitch uncovered a few days ago, and the text implies KB4012494 is contained as part of this update, yet there is no visible option.

      I followed the instructions in KB4012494 and made the registry change, but I expected to find a GUI option. Am I misinterpreting what it says?

      Anyone know more?

      -Noel

      • #107617

        I interpret it that VBScript can be disabled but it has to be the more difficult way via registry for home users or easy with a “fix it” pack, as we don’t have a Group Policy Editor.

    • #107609

      @Noel: I think the word “document” should probably be “documented”, which would change the context of the whole statement to make a lot more sense. “You must install this update (4014661) to be able to make the ‘disable VBScript process’ (adding the new URL action into the registry) take full effect.”

       

      Leave it to Microsoft to confuse us all further.

    • #107612

      Interesting: after installing KB4015217 for anni Win10, Windows searches for updates after each restart. That’s new.

    • #107621

      AKB2000003 Ongoing list of “Group B” monthly updates for Win7/8.1 has been updated.
      https://www.askwoody.com/forums/topic/2000003-ongoing-list-of-group-b-monthly-updates-for-win7-and-8-1/

      3 users thanked author for this post.
    • #107622

      I’m more concerned with the Office patches at the moment than anything! My clients aren’t what’s considered “high risk” for that Zero Day Word vulnerability but nonetheless I’d feel better if they were patched.

      Does anybody know if this vulnerability in particular was patched with these Office updates?

    • #107633

      https://www.catalog.update.microsoft.com/Search.aspx?q=.NET%20April%202017

      KB4014985 – April, 2017 Security Only Update for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 on Windows 7, Windows 7 and Windows Server 2008 R2 for x64 (KB4014985)

      KB4014987 – April, 2017 Security Only Update for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2 on Windows 8.1,  Windows 8.1 and Windows Server 2012 R2 for x64 (KB4014987)

      and more…..

       

    • #107629

      I saw the ‘show me how to get the creators update’ text after downloading and installing the flash update and the malware scanner in Settings.

    • #107658

      “Yes, Security Only updates for Win 7 / 8.1 contain the CPU generation detection = WU block for new processors”

      Yes the Windows 7 & 8.1 Rollups and Security Only Updates now include processor detection to prevent updates for machines running Gen 7 processors but the block only applies to using Windows/Microsoft Update to search for and install as follows:

      (Enabled detection of processor generation and hardware support when PC tries to scan or download updates THROUGH WINDOWS UPDATE)

      You can still search for, download and install updates using the stand alone packages available via the Windows Update Catalog…which you have to use for Security Only Updates anyway.

      • #107704

        Only question is, how will this work via WSUS? Same detection for processors as via Windows Updates, or will corporates who use WSUS be able to bypass this without the need to patch manually?

         

        No matter where you go, there you are.

      • #107768

        “You can still search for, download and install updates using the stand alone packages available via the Windows Update Catalog…which you have to use for Security Only Updates anyway.”

        I wouldn’t be so sure, see:

        “If the PC uses an AMD Carrizo DDR4 processor, installing this update will block downloading and installing future Windows updates.”

        It may mean that even if you download from the Catalog, you won’t be able to install.

        ASUS PRIME Z270-K * Intel Core i7-6700 * 2 x 8 GB Corsair Vengeance LPX DDR4 2133 MHz * Aorus Radeon RX 570 4GB * Samsung 840 EVO 250GB SSD * SanDisk Ultra 3D 1TB SSD * DVD RW Lite-ON iHAS 124 * Creative X-Fi XtremeGamer PCI * Windows 10 Pro 21H2 64-bit
      • #107881

        Unfortunately that is incorrect from my testing. (I have figured out how to spoof a Kaby Lake cpu in a virtual machine.) One cannot install a standalone .MSU update when the latest Windows Update client is installed.

    • #107660

      The fixes in March 2017’s hotfix KB4016446 for Internet Explorer (https://support.microsoft.com/en-us/help/4016446/forms-in-dynamics-crm-2011-are-not-displayed-correctly-after-kb-401307) have been included in the April 2017 monthly rollups and cumulative update for Internet Explorer.

      Source: From https://support.microsoft.com/en-us/help/894199/description-of-software-update-services-and-windows-server-update-services-changes-in-content-for-2017:

      “Cumulative Security Update for Internet Explorer (KB4014661)

      […]

      Supersedes:

      • KB4016446 on Windows 8.1, Windows Server 2012 R2, Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2″
      2 users thanked author for this post.
    • #107665

      In the past it had been asked if the code in a given month’s preview monthly rollup could be changed in the next month’s monthly rollup, if there wasn’t a security-related change involved in the given code. We have a possible example that the answer could be “yes”: file wuaueng.dll (associated with the Windows Update client) in the Windows 7 March 2017 preview monthly rollup has version 7.6.7601.23714, while file wuaueng.dll in the Windows 7 April 2017 monthly rollup has version 7.6.7601.23735.

      • #107671

        I would hardly call that a change

        Besides, I could argue that it is a security-related change, since the same WUA is included in the Security-Only update 😀

    • #107676

      Tip: When browsing Security Update Guide, make sure that you at least once try the checkboxes “Details,” “Severity,” “Impact,” and “Security Only.”

      1 user thanked author for this post.
      • #107682

        Another tip: Also try the filter textbox. It’s handy to filter by operating system.

      • #107693

        Tip: Combine “Details”=checked with filtering by operating system, and you get a list of vulnerabilities fixed for that operating system, each of which you can click on for more info.

    • #107681

      What is the recommended action for .NET Framework updates for Group B users? Is there anything undesirable in the “quality” portion of the updates?

    • #107706

      There are reports of WSUS servers failing to synchronise with the Microsoft servers (can see it on my own server as well).

      Reported here https://community.spiceworks.com/topic/1983454-wsus-synchronization-failures

      Workaround is to untick the UPGRADES category. Could be the Creator’s Update/Upgrade causing havoc.

      (Sorry, posted this to the wrong thread before…)

      No matter where you go, there you are.

      1 user thanked author for this post.
    • #107717

      It seems that both the Windows and an Office update are needed to make Office invulnerable to CVE-2017-0199. See https://www.askwoody.com/forums/topic/booby-trapped-word-documents-in-the-wild-exploit-critical-microsoft-0day/#post-107712 for more details.

      1 user thanked author for this post.
    • #107735

      “138? Looks like a MASSIVE update :).”

      For x64 systems it’s only 114 mb  🙂

       

    • #107703

      What about those who do not have IE11 installed?

      I want nothing to do with IE. In fact, I’ve searched everything I could related to it, including in the WindowsSxS folder, selected them all and pressed shift + nom nom nom. There!

      Question is: even without having IE11 installed (on Windows 7 it should default back to IE8) and even with (some?) of the left-overs deleted, since IE is so cancered down into the OS, shouldn’t there be some indirect vectors for attack?

      I haven’t seen any security updates for IE8, lately. Are there some around I might have missed / hidden by mistake?

      Any recommendations for keeping this kind of Windows 7 installations secure? Should I install IE11 and keep it updated or instead try to eradicate every sign of it? Thanks.

      • #108040

        Install IE11, and keep it up to date.

      • #108104

        I agree with MrBrian.

        IE has a bad reputation but it has a pretty good security model, actually. The rep is because it’s just not configured to be very secure out of the box for some reason.

        -Noel

    • #107716

      I have an Intel processor so I should be able to download the security-only update just fine right?

    • #107724

      Trying to manually install or find the following led me down an empty rabbit hole. What am I missing?

      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      Security and Quality Rollup for the .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, and 4.6.2 updates for Windows 8.1 and Windows Server 2012 R2: April 11, 2017

      Additional information about this security update
      The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information.

      4014567 Description of the Security and Quality Rollup for the .NET Framework 3.5 for Windows 8.1 and Windows Server 2012 R2: April 11, 2017
      4014555 Description of the Security and Quality Rollup for the .NET Framework 4.5.2 for Windows 8.1 and Windows Server 2012 R2: April 11, 2017
      4014551 Description of the Security and Quality Rollup for the .NET Framework 4.6 and 4.6.1 for Windows 8.1 and Windows Server 2012 R2: April 11, 2017
      4014546 Description of the Security and Quality Rollup for the .NET Framework 4.6.2 for Windows 8.1 and Windows Server 2012 R2: April 11, 2017

      Description of the Security and Quality Rollup for the .NET Framework 3.5 for Windows 8.1 and Windows Server 2012 R2: April 11, 2017

      We did not find any results for “4014567”

      Description of the Security and Quality Rollup for the .NET Framework 4.5.2 for Windows 8.1 and Windows Server 2012 R2: April 11, 2017

      We did not find any results for “4014555”

      Description of the Security and Quality Rollup for the .NET Framework 4.6 and 4.6.1 for Windows 8.1 and Windows Server 2012 R2: April 11, 2017

      We did not find any results for “4014551”

      Description of the Security and Quality Rollup for the .NET Framework 4.6.2 for Windows 8.1 and Windows Server 2012 R2: April 11, 2017

      We did not find any results for “4014546”

      Microsoft Update Catalog

    • #107726

      Aaaargh, I just got utterly lost!

      This update was slipping under Windows Update’s radar, it was never presented to me, but installed when manually downloaded:

      Security Update for Windows (KB4014573)
      Security update for the .NET Framework 3.5.1 for Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1: April 11, 2017

      Update type: Important
      Fix for KB4014573
      More information: http://support.microsoft.com/?kbid=4014573

      BTW, under April, 2017 Security Only Update for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 on Windows 7 and Windows Server 2008 R2 for x64 (KB4014985), there were also these updates:

      ndp45-kb4014566-x64_95b57712424a36cac3fc2f27fcc12e4555a80afd.exe

      ndp46-kb4014552-x64_32e1c3af9a27962c93682fc66584803baa729782.exe

      ndp46-kb4014558-x64_900b63e9c928af1224ba91e4a0d0a14cceee92f6.exe

      that refused to install – non applicable or locked (two different separate things that can lead you to confusion, as you might dump an important applicable update that refused to install because it might be permanently locked)

      .NET: another thing cancered down into Windows.
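
Added example (not part of the original post and not any poster's code): the 40 hex digits at the end of the Update Catalog file names quoted above are the SHA-1 of the file content, so a manually downloaded package that refuses to install can first be checked for a truncated or corrupted download. The function names are this example's own, and the sample packages are constructed in a temporary directory.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Catalog download names look like <stem>_<40 hex digits>.<ext>;
# the hex suffix is the SHA-1 of the file content.
CATALOG_NAME = re.compile(
    r"^(?P<stem>.+)_(?P<sha1>[0-9a-f]{40})\.(?P<ext>msu|exe|cab|msi|msp)$",
    re.IGNORECASE,
)
KB_ID = re.compile(r"kb(\d{6,7})", re.IGNORECASE)


def parse_catalog_name(filename):
    """Split a Catalog file name into KB number, stem and expected SHA-1."""
    m = CATALOG_NAME.match(Path(filename).name)
    if not m:
        return None  # renamed file or a name without the hash suffix
    kb = KB_ID.search(m.group("stem"))
    return {
        "kb": "KB" + kb.group(1) if kb else None,
        "stem": m.group("stem"),
        "sha1": m.group("sha1").lower(),
    }


def sha1_of(path, chunk=1 << 20):
    """Hash the file in chunks so large packages are not read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_download(path):
    """Return 'ok', 'mismatch' or 'no-hash' for one downloaded package."""
    info = parse_catalog_name(path)
    if info is None:
        return "no-hash"
    return "ok" if sha1_of(path) == info["sha1"] else "mismatch"


def demo():
    """Constructed sample: an intact, a truncated and a renamed package."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        payload = b"constructed sample payload, not a real update"
        digest = hashlib.sha1(payload).hexdigest()
        good = Path(tmp) / f"sample-kb0000000-x64_{digest}.exe"
        good.write_bytes(payload)
        # Same naming pattern, but the content was cut short in transit.
        bad = Path(tmp) / f"sample-kb0000001-x64_{digest}.exe"
        bad.write_bytes(payload[:-5])
        # Renamed after download: nothing in the name to check against.
        renamed = Path(tmp) / "renamed.exe"
        renamed.write_bytes(payload)
        for p in (good, bad, renamed):
            results[p.name.split("_")[0]] = check_download(p)
    return results


if __name__ == "__main__":
    # File name taken from the post above; parsing needs the name only.
    print(parse_catalog_name(
        "ndp45-kb4014566-x64_95b57712424a36cac3fc2f27fcc12e4555a80afd.exe"))
    print(demo())
```

A matching SHA-1 only rules out a damaged download; it says nothing about whether the package is applicable to the machine.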

    • #107767

      After today’s Windows Updates Microsoft blocks security updates on Windows 7 Pro with Intel Celeron Dual-Core CPU T3000  ….

      • #107780

        Nice, another one to your list, Woody :).

        ASUS PRIME Z270-K * Intel Core i7-6700 * 2 x 8 GB Corsair Vengeance LPX DDR4 2133 MHz * Aorus Radeon RX 570 4GB * Samsung 840 EVO 250GB SSD * SanDisk Ultra 3D 1TB SSD * DVD RW Lite-ON iHAS 124 * Creative X-Fi XtremeGamer PCI * Windows 10 Pro 21H2 64-bit
      • #107791

        I’m looking for confirmation on that right now. Thanks for the heads-up!

        OK. I see the Intel Celeron 3965U listed as a 7th generation chip. That means you’ll only be protected from the update block if you have a machine that’s been explicitly whitelisted by the manufacturer. What machine are you using?

        • #108098

          I’m confused. Where is the Celeron 3965U mentioned?

          Original poster mentioned issues with a Celeron T3000 (screenshot confirms it), which is a Penryn chip released Q2 2009. Intel ARK page: http://ark.intel.com/products/40738/Intel-Celeron-Processor-T3000-1M-Cache-1_80-GHz-800-MHz-FSB

          The false positives from this new processor detection code are mounting. How many average Joes will be screwed from an incorrectly detected processor and be unable to get updates on a previously-working install of Win 7/8.1?

          Oh wait, let me guess–the solution to fix the issue will be a free upgrade to Windows 10! /cynical

          I’m not touching April’s updates with a 10-foot pole until these issues get fixed.

    • #107782

      I am one of those kludges that bought a windows phone about 2 years ago. It ran Win 8.1.

      This week I noticed I could not access my gmail as I was being  looped into entering my Google PW, then an MS PW, with MS requiring blanket authority to access my gmail.

      From the blogs it seems the only solution was a full reset, which I did. Doesn’t MS specify that a reset will restore your phone/system OS back to the time of the original purchase?

      Now, however, rather than re-installing the original Win 8.1 Mobile [where I had been able to install Opera & Firefox and other things], the reset has produced Windows 8.1 Update 2.

      One is now obliged to use IE, cannot install any other browser, and have Cortana.

      There are a bunch of other changes limiting options. The phone now stinks more than it ever did, and I am having a heck of a time trying to get gmail re-installed.

      Is this what MS is planning for upcoming  Windows 7 & 8.1 updates….Frankensteinisation?

      No more MS and Windows for this just retired victim. Chrome/Android will replace everything, if I can still get some unwitting MS fan to buy my work systems.

      Will be dropping out Woody! Thanks much for all your help over the years.

      2 users thanked author for this post.
    • #107797

      Woody and fans – Sorry, but I’m confused now.

      The first two weeks after Patch Tuesday, I like to install the Security Only updates to my Win 76 Pro 64-bit machines, all of which have IE and some of which have Office.  Then, two weeks later, come back here and see if it’s safe to go back and install all the patches.

      This is the place to come for info, but it’s not clear to a non-tech such as myself.

      Today, April 12, what exactly ARE the security-only patches for my Win 76 Pro 64-bit machines, IE and Office?  (with links, if possible).

      Many thanks!
