Patch Watch adds problem-patch update chart

Topic

New Reply

	PATCH WATCH[/size][/font] Patch Watch adds problem-patch update chart[/size]
	By Susan Bradley March’s Patch Tuesday proved a light month for fixing vulnerabilities. That could be either good news or bad. It does give us time to review past patches that gave some of us headaches — and others that needed further testing. You’ll find a new summary chart at the bottom of this column.[/size]

---

The full text of this column is posted at WindowsSecrets.com/2011/03/10/07 (opens in a new window/tab).

Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.[/td]

[/tr][/tbl]

Reply | Quote

Replies

This chart is a great idea!!!!!

Thanks, Susan.

Reply | Quote

Patch Watch problem-patch chart is a great idea. Hope it continues. Thanks for improving an already very useful column. Couldn’t have made it thru updating XPSP3 without it!

Reply | Quote

I want to add my thanks to Susan Bradley for adding the chart to her column. This chart is exactly what I needed to keep track of these patches!

Reply | Quote

Thanks also! Your column was already tremendously useful and straight forward and you have made it even more so!

Reply | Quote

Agree, the patch chart is a Good Addition, but (always the BUT), could the rating ( skip, now, etc) come earlier on the line, so the ratings can be viewed on the right of the screen at the same time as the update screen is on the on the left. Just need to see Update ID and rating when doing updates, not description,or date for that matter.

Reply | Quote

Let me add my BUT – I would like the listed items to be in ascending KB # sequence. When I visit Windows Update, I copy the patch KBs and then prepare a ‘watch’ list. I put this list in KB # sequence, so that it is easier to see if I have patches that are being discussed in various forums, etc. When I finally add an update to my PC, I edit the list accordingly and keep a file of my patches, month by month.

Reply | Quote

Let me add my BUT – I would like the listed items to be in ascending KB # sequence..

The solution for me was to copy and paste it into spreadsheet format, then sort on the KB numbers. Made it much simpler.

BJ

Reply | Quote

Outstanding! When I filled out the reader survey, I mentioned that I’d like to see status updates on old problem patches. Thank you for responding with such alacrity, Susan.
Eric Skagerberg
Santa Rosa, CA

Reply | Quote

Thanks for the chart Susan. Much better than keeping a list on a sheet of paper – which can get lost – of patches to avoid for the present.

The colour coding also an excellent idea.

Reply | Quote

Great chart, Susan… It is good to know that somebody at WS is listening!!!

Reply | Quote

A little confused here. Running Win 7 Ultimate x64 on a Lenovo W500 laptop, and was offered Security Update for Windows 7 for x64-based Systems (KB2483614) as an option, but it was not mentioned in the column. Also not mentioned in the column was an offered-to-me update for Microsoft Office Outlook 2007 Junk Email Filter (KB2508979). What’s up? Not criticizing, just wondering. (PS: both installed without problems, reboot pending).

Reply | Quote

Just a note about SP1. Windows Explorer recently would not open when I plugged a Jump Drive into any USB port. I decided to install SP1 and it did fix the problem. But now a have a new problem. Instead of going into sleep mode when I walk away it actually does a hard shutdown. I uninstalled SP1 and my Jump Drive problem came back so I again installed SP1. Continues to do a hard shutdown so I guess I have to live with the lesser of 2 evils until a solution comes along. Love WS

Reply | Quote

Love this chart, it’s always been a challenge for me to keep up with patches that were on a watch/hold status. Thanks

Reply | Quote

two questions:
kb2393802 has already crashed my win7 pro 32 bit box four times when trying to apply. i have no symantec products installed at all, so your reference is of no help. since it now looks that i must choose between a running computer and this “security” update, what do you suggest i do?
kb2483614 is on my list but not on yours, others have asked what to make of this situation?
thanks

Reply | Quote

two questions:
kb2393802 has already crashed my win7 pro 32 bit box four times when trying to apply. i have no symantec products installed at all, so your reference is of no help. since it now looks that i must choose between a running computer and this “security” update, what do you suggest i do?
kb2483614 is on my list but not on yours, others have asked what to make of this situation?
thanks

Please start a thread in the Windows 7 forum for this problem. There is more help there.

Joe

--Joe

Reply | Quote

Just a note about SP1. Windows Explorer recently would not open when I plugged a Jump Drive into any USB port. I decided to install SP1 and it did fix the problem. But now a have a new problem. Instead of going into sleep mode when I walk away it actually does a hard shutdown. I uninstalled SP1 and my Jump Drive problem came back so I again installed SP1. Continues to do a hard shutdown so I guess I have to live with the lesser of 2 evils until a solution comes along. Love WS

I’ve seen some scattered mentions of sleep & hibernation problems after applying SP1. Unfortunately, I’ve not seen any good solutions yet.

Joe

--Joe

Reply | Quote

A little confused here. Running Win 7 Ultimate x64 on a Lenovo W500 laptop, and was offered Security Update for Windows 7 for x64-based Systems (KB2483614) as an option, but it was not mentioned in the column. Also not mentioned in the column was an offered-to-me update for Microsoft Office Outlook 2007 Junk Email Filter (KB2508979). What’s up? Not criticizing, just wondering. (PS: both installed without problems, reboot pending).

KB2483614 is the patch article for MS11-017. See Microsoft Security Bulletin MS11-017 – Important: Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2508062). MS11-017 was mentioned in the last article.

I doubt that the Junk Email filter updates will ever be mentioned. They should always be installed. If a filter update affects your junk filtering, it will be changed again with the next update.

Joe

--Joe

Reply | Quote

Fabulous! Susan’s Patch Watch has been my “patch bible” for a long time, but I really like the inclusion of the column. Makes it even easier to review patches and what to do about each of them. Appreciated advice to install one at a time as I often install them all at once to save time – will change that effective now! Based on her preceding column, I even uninstalled 2 patches I’d gone ahead with before checking Susan’s column. Thank you for your helpful column and its even better inclusions!

Linda

Reply | Quote

Fabulous! Susan’s Patch Watch has been my “patch bible” for a long time, but I really like the inclusion of the column. Makes it even easier to review patches and what to do about each of them. Appreciated advice to install one at a time as I often install them all at once to save time – will change that effective now! Based on her preceding column, I even uninstalled 2 patches I’d gone ahead with before checking Susan’s column. Thank you for your helpful column and its even better inclusions!

If you already applied two patches and were not having problems then uninstalling is a waste of time.

Joe

--Joe

Reply | Quote

If you already applied two patches and were not having problems then uninstalling is a waste of time.

Joe

Oh.Thanks for the further advice. Guess I was being overly cautious. I sort of suspected that, but had never tried uninstalling before and was glad to find it so easy to do – if needed.

Reply | Quote

Brilliant addition to Patch Watch, thanks Susan. Due to time I rely more on Newsletter Patch Watch than Lounge posts; given that pending patches will drop off chart after “install” designation I would hate to miss a single chart. Please make a note in Patch Watch when the chart is moved to the Lounge due to space constraints, so we can follow. Thanks again.

P.S. I am on XP sp3, Msoft update includes kb2481109, which is not mentioned in March Patch Watch. Has it been covered previously?

Reply | Quote

I’m missing something here. I saw the table in the latest newsletter, but I got the impression that there was a place where I could look at the latest edition of the table from here in the lounge. I don’t see it anywhere.

Reply | Quote

I’m missing something here. I saw the table in the latest newsletter, but I got the impression that there was a place where I could look at the latest edition of the table from here in the lounge. I don’t see it anywhere.

The newsletter stated:

“If a patch week has an especially long list of new updates, we’ll move the table to the Windows Secrets Lounge, Patch Watch post.”

There is no promise to always have it in the Lounge.

Joe

--Joe

Reply | Quote

Susan (and others),
I like the chart too. It highlights what we should be doing. I would ask for two things:
a) A place on each line that identifies the impacted systems – eg., XP, 7-64, 7-32, V-32, V-64.
b) Could you add a link to the Microsoft site for each one?
Looking ahead, is the list supposed to identify patches to hold and we should install anything not on the list? Maybe we should have an area in the WS lounge that lists all updates (KBs) and the date they are approved.

BUT… I thought I was doing pretty good – running Windows Update on my Windows 7 Home Premium 64 bit system on a regular basis.

But the Problem-Patch Chart now gives me cause for worry. Perhaps someone can point me in the right direction … or confirm that updating is actually this hard 🙁
I run Windows Update and everything is up-to-date. I check the “hidden” updates and find that I have have only one hidden update (KB2442962 which if installed, causes my system to crash – see http://windowssecrets.com/forums/showthread//134745-Computer-freezes-with-UAC-Admin-password?highlight=). I check the update history and find the KB numbers in different areas of the lines (why can’t Microsoft create a column of the KB numbers and allow us to sort on that?). In the Update History, I find that I only have two KBs from the chart, 2485376 and 2479628.

So I go digging through the Microsoft site to find the patches in the chart marked “install”. I found 947821 – it was never installed on my system. (Why?) I download it and install it. I didn’t time it, but it seemed like 15-20 minutes – there must be an easier way. Now on the next one…

It took a while, but I finally find KB478960, but it is an ISO image with languages and fixing a number of KBs. Do I really need to download that huge file to get the patches? … and then do it all over again for the next one? There has to be an easier way! I thought all I needed to do was to run Windows Update and turn off and on which ones I wanted?

… and I still have two other machines in the house to do.

Am I working too hard? What is the purpose of Windows Update if it doesn’t update all the things I need automatically? Maybe I am not using the chart in the manner it was intended.

Reply | Quote

The chart is very useful as a follow-up, but what about patches that are not listed and haven’t been written about. Specific example — I just installed Win7 Ultimate SP1 on a brand new system. Windows Update is listing 8 Important updates, including one — KB2425227 — that was released on Feb. 8, but was not mentioned by Susan in her February Patch Watch article and is not listed in the March chart (it is a security update for x64-based systems). What is the recommendation for this patch — install or wait?

Reply | Quote

The chart is very useful as a follow-up, but what about patches that are not listed and haven’t been written about. Specific example — I just installed Win7 Ultimate SP1 on a brand new system. Windows Update is listing 8 Important updates, including one — KB2425227 — that was released on Feb. 8, but was not mentioned by Susan in her February Patch Watch article and is not listed in the March chart (it is a security update for x64-based systems). What is the recommendation for this patch — install or wait?

KB2425227 is one of the patches for Microsoft Security Bulletin MS11-013 – Important: Vulnerabilities in Kerberos Could Allow Elevation of Privilege (2496930). It was mentioned in the February newsletter.

Joe

--Joe

Reply | Quote

I see that, and I see that Susan did mention MS11-013 in the February Patch Watch column. But Windows Update listed the update as KB2425227, and doing a search of the Windows Secrets site turned up nothing for that update number, so I wasn’t sure what her recommendation was. Reading over the description of the update, it sounds like it is not a necessary update for my system, since I am not in a domain environment. But I would have thought that Susan would reference the KB number in her column (and future tables), so I wonder whether this was an oversight on her part. If not, how did she determine not to list the KB number, and is there a criterion for similar patches in the future that we should know about when/if a particular KB number shows up in Windows Update but has never been discussed in Susan’s column?

Reply | Quote

I see that, and I see that Susan did mention MS11-013 in the February Patch Watch column. But Windows Update listed the update as KB2425227, and doing a search of the Windows Secrets site turned up nothing for that update number, so I wasn’t sure what her recommendation was. Reading over the description of the update, it sounds like it is not a necessary update for my system, since I am not in a domain environment. But I would have thought that Susan would reference the KB number in her column (and future tables), so I wonder whether this was an oversight on her part. If not, how did she determine not to list the KB number, and is there a criterion for similar patches in the future that we should know about when/if a particular KB number shows up in Windows Update but has never been discussed in Susan’s column?

There are actually several different KB numbers for patches that apply to different versions of Windows. The KB article she notes is the summary of the issue. It would dramatically increase the length of the patch summary and be very confusing to manage to list individual KB articles for each security bulletin.

Joe

--Joe

Reply | Quote

I am running Win 7 X64 and have installed SP1 (and all other patches to date!) with no problems whatever UNTIL I tried to use XP Mode which was installed months ago and was working fine before SP1. It advised me that Integrated components needed updating but every time I tried, the installation failed saying setup was interrupted. I finally found the thread below and confirm that the solutions from RaviVish and PattieB work. I post it in case some Windows Secrets readers have less hair than before this problem like me!!

http://social.technet.microsoft.com/Forums/en-US/w7itprovirt/thread/803d92e8-f39e-4b8a-9192-115ee4c8d3f3

Reply | Quote

Love the chart!!! FWIW, in the actual column, KB2508062 (MS11-017) doesn’t look like it actually shows up on an update list. In MS11-017, the actual updates listed in it are KB2483618 for RDC 5, KB 2481109 for RDC 6 and KB2483614 for RDC 7. I assume the conclusion that they appear to be benign still holds, though.

Reply | Quote

Love the chart!!! FWIW, in the actual column, KB2508062 (MS11-017) doesn’t look like it actually shows up on an update list. In MS11-017, the actual updates listed in it are KB2483618 for RDC 5, KB 2481109 for RDC 6 and KB2483614 for RDC 7. I assume the conclusion that they appear to be benign still holds, though.

Correct. I’ve seen no dead body reports on these.

Reply | Quote

I agree with most everyone that the new chart is a great idea. In the past I carefully tracked (I thought) patch recommendations, but I have three patches for which I have no information. Perhaps somewhere along the line I missed something. The three in question are KB2475792, KB2454826 and KB2487426. I also wonder why I get MS patch recommendations for Office 2007 when I don’t have the program installed. Any comments would be welcome.

Reply | Quote

I agree with most everyone that the new chart is a great idea. In the past I carefully tracked (I thought) patch recommendations, but I have three patches for which I have no information. Perhaps somewhere along the line I missed something. The three in question are KB2475792, KB2454826 and KB2487426. I also wonder why I get MS patch recommendations for Office 2007 when I don’t have the program installed. Any comments would be welcome.

Do you have Office 2003 installed? I see office 2007 updates come down on systems that have Office 2003 with the 2007 app compat patch. It’s (unfortunately) pretty common these days to get 2003 and 2007 updates.

Reply | Quote

Chart is a big step forward. Three suggestions to make it even better.

[*]Keep the colours , but put in numerical order – or publish as a spread sheet so we can order as we want.[*]Do not delete items until they are a month or more old – people get sick – go on vacation …[*]Include the MS number as well as the KB number.

Thanks again,
Peter

Reply | Quote

MS011-010/012/013/014 were advised as hold off in the February column. Maybe I missed it, but are these yet safe? I need to throw away by Post-it notes and work on you great chart

Reply | Quote

Big thank you – may be late in coming but your advise has already saved me one big headache when it came to kb2393802

Reply | Quote

A little confused here. Running Win 7 Ultimate x64 on a Lenovo W500 laptop, and was offered Security Update for Windows 7 for x64-based Systems (KB2483614) as an option, but it was not mentioned in the column. Also not mentioned in the column was an offered-to-me update for Microsoft Office Outlook 2007 Junk Email Filter (KB2508979). What’s up? Not criticizing, just wondering. (PS: both installed without problems, reboot pending).

I’m probably not going to list patches like the Outlook junkmail filter UNLESS they blow up your system. Those are normal “maintenance” patches that shouldn’t cause issues.

The RDP patch was referred to up above.

The goal of the list is to just keep track of those updates that I’m not ready to give the green light on, or ones that I’ve said I wasn’t yet ready to install.

Reply | Quote

KB2393802 / MS11-011 — Windows System Kernel Patch — My own recent experiences:

Windows XP Pro SP3 32-bit on a laptop. OEM Windows configuration, with Intel drivers never updated until recently.

Patch said it installed, but the installer never completed. Patch reoffered endlessly by MS Updates. Secunia PSI and Belarc Advisor reported failure to install the patch. Details in my Comments to Woody Leonhard’s blog site.

I came across a clue in the Microsoft Bulletin about this known issue. It said to update my Intel Graphics Drivers. I have DriverMax (freeware driver update finder and installer) but it only allows two driver updates per day for free, and I don’t know where they get their driver updates from. Went to Intel and found they have a handy Driver Update Finder search tool, and you can download packages of updatred drivers for a wide variety of Intel OEM hardware if you need to update. This was the tool I eventually used. But there was still an issue.

It turns out that the patch installer (and ones from a year ago and earlier) has code in it which skips overwriting some of the system kernel files in OEM installations of Windows. This is especially a problem in Windows XP systems which have received the SP3 upgrade. The upshot is that you need to download the stand-alone installer for this patch, and run it in Windows Safe Mode after updating the Intel drivders, with a switch for overwriting OEM kernel files. Details at Microsoft Social Answers .

While this scheme may not work for all affected computers, and ovderwriting OEM system kernel files can cause a computer to fail to boot or to Blue Screen or endlessly reboot, in many instances the workaround does work. and it should solve most future issues on the same computers with Windows System Kernel Patches.

Make a full system backup and use something like DriverMax to back up your existing drivers, before trying any of the tips or tricks which may be posted about this type of system kernel patch. DriverMax Free does unlimited driver backups to a single Folder which can be stored outside of the computer being updated, and the DriverMax program can later restore one, some, or all drivers an unlimited number of times for free, from within the free version of the program. I am not promoting DriverMax exclusively, but this is the driver updating, backup and restoration program which I know and use. For full system backups, I use Acronis True Image Home, and again, there are other equally good backup and recovery programs out there.

One other thing: If you use a HIPS firewall (like Zone Alarm or Comodo), you will need to uninstall and reinstall the security program once any system kernel patch is successfully applied. The same goes for many antivirus or security suite programs. These programs may fail to launch with new drivers or changed system kernel files installed, until the security programs are reinstalled and reregister themselves. Neither Comodo nor Microsoft Security Essentials prevented any recent Windows XP patches from installing on my laptop. Your mileage may vary.

-- rc primak

Reply | Quote

Hello all, and a big “Thank you” to Susan for her continual vigilance with regard to Windows Updates.

A suggestion: I would love to see a table that contains all of Susan’s Update recommendations that is kept in one place so it is always available for review.

The reason I feel this would be extremely valuable is that there are some updates that I have not installed and that is almost always because of a caution or warning that I read either in Susan’s column or in one of a couple other blogs that offer similar recommendations about Windows Updates. However as time marches on I often wonder if there is ever a case where a recommendation of “Hold” or “Wait” is finally removed and that we should then go ahead and install the update after all. E.g., I have a few past updates that I have hidden based on someone’s recommendation. As I look at them now I am left wondering if I should still be holding off from installing them. Presently all I can do is search the Windows Secrets site to see if I can find any subsequent recommendations from Susan that I might have missed. Whereas if there was a table that showed the history of Susan’s recommendations I could easily see if a “Hold” or “Wait” recommendation for a particular update was ever lifted.

Thanks!

Jim

Reply | Quote

Question on KB2454826:

I was offered this patch today, but when I looked at my installed patches list in control panel, it shows that it was installed on my computer on 1/13/11. I had already read the Patch Watch prior to that date and marked it to hold and made a note that I did not install it. So I have three questions 1) how did it get there (to which I dont expect an answer and do expect that I somehow installed it accidentally), 2) Why was it offered to me again if it was already installed, and 3) how should I proceed? Uninstall it and install the new one? Uninstall and hold off on installation of the new one? I have seen no mention of this patch in WS Newsletter since Issue #226, 2/10/11, until the post a couple above this one. This is a patch that caused installation problems (BSOD, failure to install, etc.) for many people earlier. Is there an MS11- number associated with KB2454826? I was not able to find one.

Thanks for any help,
Gary

Reply | Quote

Question on KB2454826:

I was offered this patch today, but when I looked at my installed patches list in control panel, it shows that it was installed on my computer on 1/13/11. I had already read the Patch Watch prior to that date and marked it to hold and made a note that I did not install it. So I have three questions 1) how did it get there (to which I dont expect an answer and do expect that I somehow installed it accidentally), 2) Why was it offered to me again if it was already installed, and 3) how should I proceed? Uninstall it and install the new one? Uninstall and hold off on installation of the new one? I have seen no mention of this patch in WS Newsletter since Issue #226, 2/10/11, until the post a couple above this one. This is a patch that caused installation problems (BSOD, failure to install, etc.) for many people earlier. Is there an MS11- number associated with KB2454826? I was not able to find one.

Thanks for any help,
Gary

This isn’t a security update, which is why you can’t find a MS11- number. Not all updates are security updates.

This (if memory serves me right) was released – caused issues on some machines that had certain video cards – was rebuilt, which is probably why you are getting it offered up again.

If you ultimately install IE9, you’ll get this update included. Given that you survived the first update, the second one won’t hurt you and has the later files.

You can either uninstall the first one, or install this one.

Reply | Quote

Thanks, Susan, for solving my problem and for helping me to understand it.

Gary

Reply | Quote