It’s not as bad as you think – but you need to keep a couple of things in mind.
The full story is here:
What every Windows customer should know about last week’s deluge of malware
Tags: Shadow Brokers
I think I was showing considerable restraint with “deluge.” The term “spitstorm” came to mind. 🙂
In retrospect… “malware” isn’t quite correct. There was malware aplenty with the Word 0day. But the Shadow Brokers leaks were, more correctly, vulnerability exploits, with code ready to be turned into malware.
I am not sure whether MS really says that three exploits are unpatched in Vista: EnglishmanDentist, EsteemAudit, and ExplodingCan. They said that these three exploits were not reproduced on supported platforms. They may however also not reproduce on Vista, but MS simply will not state that as, I assume, they only make announcements about supported platforms. MS is sneaky enough to issue patches for Vista on April 11th and then state on April 12th that it is unsafe, while not supported. This would only be true to the extent that Vista did not receive an update that would otherwise have been released. Normally that would be the next Patch Tuesday.
I am trying to evaluate my situation, as my migration from Vista to Windows 7 takes a bit longer than anticipated and therefore am still running Vista. How much hurry is there for me to upgrade to Windows 7 ASAP, even when that means not fulfilling some of my other obligations towards clients on time, or should I take it a bit more relaxed and if I upgrade over the next 2-3 weeks or so, it will be all right?
ASRock Beebox J3160 - Win7 Ultimate x64
Asus VivoPC VC62B - Win7 Ultimate x64
Dell Latitude E6430 - Win7 Ultimate x64, Win10 Pro 22H2 x64 (multiboot)
Dell Latitude XT3 - Win7 Ultimate x86
Asus H170 Pro Gaming - Win10 Pro 22H2 x64
It’s still unclear whether Vista is vulnerable to the three exploits named by Microsoft as not reproduced on “supported systems”. At this point, I haven’t seen any definitive statements by anyone that has tried to reproduce the exploits on a fully patched Vista system. For all we know, the chart above merely assumes that Vista is vulnerable due to the lack of a definitive statement by Microsoft.
The vulnerabilities in the chart only have a Y for issues that have been fixed (see the Notes column that states the corresponding bulletin which describes the issue and the released patches). The three vulnerabilities I was referring to do not have a Y for Vista, but neither for Win7. Please also note that the tweet states “based on public info”. In other words, it is a summary of public info, but not the result of a separate investigation that was carried out.
Pim, I would certainly not panic over this. It should be done but not urgently. The process is not that difficult. I strongly recommend you do not use the “upgrade” path in the install process. Choose the “Custom” path and delete all partitions. Back up all your data and be prepared to re-install your apps. Check your hard drive to make sure it is sound. Chances are, if your system came with Vista, it is more than 5 years old and could be a lot older. Chances are the drive is a 160. A $70 investment in a new 500G 7200rpm drive might be a very prudent thing to do. Many people think if chkdsk reports OK, the drive is OK. Not true! That does not check the drive hardware. Download and run the drive tester software offered by your hard drive manufacturer. It is usually thought of as a warranty claim kind of thing, but is very good at checking to see if your drive is beginning to fail. If yours is a laptop, 5 years or older, just replace the drive. Odds are high, that drive will fail in the next year.
CT
Thanks for your reply. I was trying to estimate the urgency of my migration, not panicking fortunately.
I am familiar with the upgrade process and do know that a fresh install is better. However, since I have a lot of software and adjusted a lot of settings I want to go the upgrade route. I plan on a fresh install somewhere in the future, but because this is my main machine, everything has to work to keep my business running.
The installation already was from a computer that crashed some years ago and I restored it on a newly bought Dell Latitude laptop, which originally had Windows 7 on it. It was quite a challenge to restore Vista on that machine, but Dell had published most drivers for Vista and the ones missing I downloaded from Intel and Nvidia. My efforts have really proven to be a life saver.
I have both a Samsung 850 Pro SSD and a 2 year old hard drive for data in that laptop, so the current status is fine. But thanks for your tips, I appreciate it much. Since about 5 years or so I have Hard Disk Sentinel on my systems to continuously monitor the status of my hard drives and SSD’s. It has proven to be a good investment on a few occasions where I replaced a hard drive after a warning. In most cases it was only a pending sector and after performing a surface test these sectors appeared to be good, as they were not flagged “bad” after the test but were restored. In other cases it was a faulty hard drive and another case I still have to investigate. That hard drive is not in use until I finish that investigation.
And last but not least: I do have a strict backup policy for both my data and systems. Ever since I started doing that I never lost data and have always been able to recover my system in case of an error. I can absolutely recommend having a good discipline and preferably backup “system”. I never panicked when something happened, I have only been frustrated because of the time lost 🙂
I know, but MS’s statement re Shadow Brokers was made after April 11th (Vista EOL). That is the reason why MS does not state anything about Vista, because as far as MS is concerned they do not care anymore about unsupported OSes. The point I was making is that even though Vista has been patched on April 11th, on April 12th MS gives up on it. It is just like Security Essentials stopped working right after April 11th. In theory Vista would still be (sort of) as secure as other Windows versions until the next patch is issued for those other Windows versions, which Vista then misses.
The chart at https://twitter.com/etlow/status/853439288926777344 appears to be accurate for all three of those exploits.
See:
hxxps://github.com/DonnchaC/shadowbrokers-exploits/blob/master/windows/exploits/Explodingcan-2.0.2.0.xml
hxxps://github.com/DonnchaC/shadowbrokers-exploits/blob/master/windows/exploits/Englishmansdentist-1.2.0.0.xml
hxxps://github.com/DonnchaC/shadowbrokers-exploits/blob/master/windows/exploits/Esteemaudit-2.1.0.0.xml
But do bear in mind that, according to the tweet, the chart is based on public info. It is not the result of testing done by Efrain Torres.
It’s not “malware” woody, or any other individual using the term.
NSA had these tools for a very long time for a very good reason.
The problem now is… some dumb kid distributing these tools to shadow brokers for a profit which failed… they didn’t profit -boohoohohoo- so they again distributed them to the public realm, which script-kiddies can get their hands on and thus now can cause malicious intent.
It’s not “malware” woody, or any other individual using the term.
The Word 0day is malware.
The Shadow Brokers dump is not, in fact, malware, as you say. It’s a set of tools apparently meticulously assembled by the US government that will enable many malware writers to add additional “features” to their wares. Script kiddies are the most obvious candidates, but clandestine services in other countries are all over them.
Tweet from Ryan Hanson:
“Protected View is a great protection mechanism against the Word RCE, but it can be chained with the bypass I discovered.”
(RCE = Remote Code Execution)
From https://twitter.com/ryHanson/status/851852981213331456:
“CVE-2017-0204 (Protected View Bypass)”
From CVE-2017-0204:
‘Microsoft Outlook 2007 SP3, Microsoft Outlook 2010 SP2, Microsoft Outlook 2013 SP1, and Microsoft Outlook 2016 allow remote attackers to bypass the Office Protected View via a specially crafted document, aka “Microsoft Office Security Feature Bypass Vulnerability.”‘
Microsoft’s CVE-2017-0204 page: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0204.
Ryan Hanson is acknowledged by Microsoft for CVE-2017-0204 at https://portal.msrc.microsoft.com/en-us/security-guidance/acknowledgments.
From the first link in my last post:
“[Dan Goodin] Does this mean exploits can execute code without a target having to actively disable Protected View?
[Ryan Hanson] yes, that is correct. When this is combined with the RCE, protected view is bypassed”
Does anyone know if using LibreOffice or OpenOffice to view a MSWord doc would be a solution?
Additionally, I suspect opening a Word document in Notepad is also possible if you wade through the formatting text.
Just looking for options for those who do not have (or want to have) a Google account.
From Downloads and the Mark-of-the-Web:
“Windows uses a simple technique to keep track of which binary files were downloaded from the Internet (or a network share).
Each downloaded file is tagged with a hidden NTFS Alternate Data Stream file named Zone.Identifier. You can check for the presence of this “Mark of the Web” (MotW) using dir /r or programmatically, and you can view the contents of the MotW stream using Notepad:
[…]
Microsoft Office documents bearing a MotW open in Protected View, a security sandbox that attempts to block many forms of malicious content.
[…]
With such a simple scheme, what could go wrong? Unfortunately, quite a lot.
[…]
The first hurdle is that Internet clients must explicitly mark their downloads using the Mark-of-the-Web
[…]
One simple trick that attackers use to try to circumvent MotW protections is to enclose their data within an archive like a .ZIP, .7z, or .RAR file.
[…]
Mark-of-the-Web is valuable, but fragile.”
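An added example, not part of the quoted article or of any post in this thread: a PowerShell script that reads the Zone.Identifier stream described above for every Office document under a folder and lists first the files that carry no MotW at all (for instance because they were extracted from an archive), since those will not be sent to Protected View on the strength of the mark. The folder default and the extension list are assumptions; it needs PowerShell 3.0 or later and an NTFS volume.

```powershell
# Added example: report Mark-of-the-Web status for Office documents in a folder.
# Assumptions: $Folder default and the extension list below; adjust to suit.
# Requires PowerShell 3.0+ (Get-Content -Stream) and NTFS (alternate data streams).
param([string]$Folder = "$env:USERPROFILE\Downloads")

# URL security zone numbers as written to the ZoneId field of Zone.Identifier
$zoneNames = @{
    0 = 'Local Machine'
    1 = 'Local Intranet'
    2 = 'Trusted Sites'
    3 = 'Internet'
    4 = 'Restricted Sites'
}
$officeExt = '.doc', '.docx', '.docm', '.rtf', '.xls', '.xlsx', '.xlsm', '.ppt', '.pptx', '.pptm'

function Get-MotWZone {
    # Returns the ZoneId as an integer, or $null when the file has no Zone.Identifier stream.
    param([string]$Path)
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $lines) { return $null }
    foreach ($line in $lines) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null   # stream exists but holds no ZoneId line
}

Get-ChildItem -LiteralPath $Folder -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $officeExt -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $zone = Get-MotWZone -Path $_.FullName
        $zoneName = if ($null -eq $zone) { 'no MotW' } else { $zoneNames[$zone] }
        [pscustomobject]@{
            HasMotW = ($null -ne $zone)
            ZoneId  = $zone
            Zone    = $zoneName
            File    = $_.FullName
        }
    } |
    Sort-Object HasMotW, File |      # $false sorts first: unmarked files lead the list
    Format-Table -AutoSize
```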
Thanks Woody — that was what I was hoping to hear. Of course, I would never tempt fate by opening an unsolicited or suspicious attachment, but I do occasionally receive Office attachments that I have to deal with in the course of my business (always something expected, from a university or government lab I have been corresponding with regarding an order — and of course, I always scan them with my AV and Malwarebytes before opening).
Thanks very much for the info.
— Bill
@Geo:
April 18, 2017—KB4015552 (Preview of Monthly Rollup)
This non-security update includes improvements and fixes that were a part of Monthly Rollup KB4015549 (released April 11, 2017) and also includes these new quality improvements as a preview of the next Monthly Rollup update:
Addressed issue to improve the reliability of dual-controller storage systems.
Addressed issue that prevents V2 Message Queuing (MSMQ) performance counters from returning data after a clustered resource failure or failover.
Addressed issue to updated time zone information.
It’s the preview, I don’t think it includes any additional security fixes.
It’s not as bad as you think
Very true.
So far I haven’t received any unsolicited eMail with Office attachments in my inbox at all this month, even though my eMail has been public for decades. Beyond that, MalwareBytes scans tell me no threats have made it onto any of my systems.
Perhaps being hacked is not as inevitable as some might suggest, though it’s always good to be wary.
To be fair I haven’t detected any problems with the April updates on my test systems so far either. I guess I’m having a good week.
-Noel
Hi Woody,
I guess I’m in Group W? I no longer update my Windows 7, but had posted to ask you about the safety of that seeing that I only use my computer to watch stuff on-line on network/cable tv sites, check Gmail, and access doctor chart stuff, and you had stated that I should be fine not updating. So I just wanted to verify that’s still the case with this whole new thing going on I just found out about. Also, I don’t even have any Office products on my laptop (so no Word, etc.), and never download/open any kind of Word documents anyways (and would always look at them via Gmail viewer, if the need were to arise). So I’m guessing I’m still good as is considering all that, but just wanted to make sure. Thanks!
Jack
Woody said, “If you didn’t get caught up on March’s Windows patches, make sure you install MS17-010. For Win7 and 8.1, you can use either the Monthly Rollup or the Security-Only version.”
In my opinion, even Group W users should install MS17-010.
@ MrBrian
Can you guarantee Group W users that the March 2017 Rollups do not contain any hidden Telemetry updates(not referring to KB2952664) from MS ?
To some Win 7/8.1 Group W users, MS’s Windows Update is the greater malware, spyware, ransomware, etc than the Word 0-day exploit-ware, esp for those who do not use Office/Word.
The Spybot Anti-beacon and O&O Shutup programs indicate that the Win 7/8.1 Rollups very likely contain hidden Telemetry updates, the same ones already mandated by MS for Win 10 Home and Pro.
As PKCano mentioned, you can also use the March 2017 security-only update.
The March 2017 monthly rollup installs Diagnostics Tracking Service (as all of the monthly rollups since I believe November 2016 do). KB2952664 is an update that gathers telemetry. I can’t guarantee that Diagnostics Tracking Service by itself doesn’t also gather telemetry. More tests will be done soon on this matter.
@ MrBrian
Group W users have so far also avoided installing ALL monthly Security-Only “Quality” Updates since Oct 2016, ie besides avoiding all the Security Monthly Quality Rollups. It makes little sense for them to only install the March 2017 Security-Only Update and not install the other monthly Security-Only Updates.
FUD and trickery from MS … push them into Group B?
“To each, his/her own.”
I don’t think it’s FUD and trickery from MS. I’ve looked at it hard, and think that installing that one Security-only patch is your only hope for protecting Win7 and 8.1 systems.
https://www.askwoody.com/2017/time-to-get-off-the-group-w-bench-at-least-for-a-few-minutes/
I am wondering what exactly is the risk for me in my specific situation as described? I do not have MS Office on my laptop, I don’t surf the web randomly, but only go to specific sites for watching shows (ABC, Fox, USA, FX), a secure website to view medical chart info, and another secure website where I post family related messages to one specific person. That’s all. I do no other web browsing. And any document or attachment viewing (which is pretty much nil) is done via Gmail viewer and/or Google docs. Honestly, I don’t receive documents from anyone to view at all, really. And would only ever look at anything if necessary via Gmail’s document viewer. I’m on-line only for 15-60min at a time, and that only maybe every few days at most, and only in the way described above.
I stopped doing MS security updates (Windows 7) when they switched how they were offered, so have not updated at all since that time. (And more for the reason of not willing to risk issues of my laptop not working due to bad bundled updates and the whole headache of that new process, more so than the whole telemetry thing, because I simply can’t lose access to my laptop and my ability to access those sites listed.) Unless there is still a serious risk factor involved with continuing to not update even with my limited computer/internet use as described, I definitely do not want to have to risk starting to do updates again.
I hope that all makes sense, and I appreciate the feedback and thoughts. Thanks!
— Jack
Posted too soon. Sorry!
I don’t want to start up again with doing updates, because it’s too problematic and I can’t risk my laptop not working any more. I’m looking at what Woody posted in the InfoWorld article here: http://www.infoworld.com/article/3191897/microsoft-windows/more-shadow-brokers-fallout-doublepulsar-zero-day-infects-scores-of-windows-pcs.html
…and I want to make sure I’m understanding correctly. Please note, I have not done any security updates (or otherwise) since MS changed the way they offer them, and I have had Windows Update turned off since then. I really do not want to turn that back on. But am I to understand that I can/should manually install the following?
Mar 2017 KB 4012212 – Download 32-bit or 64-bit
(It would be 64-bit for me, I have Windows 7 Home Premium SP1, 64-bit.)
And that I can do so without by just right clicking and downloading, then running the downloaded file from this link: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x64_2decefaa02e2058dcd965702509a992d8c4e92b3.msu
…is that correct? I do not need to turn on Windows Update to do so? It has no bearing that I have had no updates of any kind since the month prior to MS changing their update process? And manually installing this will not cause any issues on my laptop for any reason?
Thanks for the continued help — it is much appreciated!
Jack
Jack,
Here’s what you need to protect yourself against the current set of exploits:
The manual installer will not work if you have the Windows Update Service DISABLED.
1. Go to Windows Update and “Change settings.” Choose “Never check for updates” then OK.
2. Control Panel\Administrative Tools\Services – scroll down and double click on Windows Update Service. Set it to “Manual”
3. You need to download for Win7 64-bit to your PC – KB4012212 (March) AND KB4015546 (April) security only patches. Put them on the desktop or some place easy to get to.
4. In Services, highlight the Windows Update Service, then in the upper left, click on “Stop”
5. After the WU Service stops, double click on the March update. When it finishes click close and double click on the April update.
6. Reboot when asked.
Keep Windows Update set on “Never” and the WU Service set to “Manual”
If you have any version of MS Office on your PC, you also need to do the updates for it. You can find instructions on this Microsoft website
Edit Security only for March KB4012212
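An added example, not part of the post above: the same manual-install procedure as a PowerShell script for an elevated prompt on Windows 7 SP1, with two checks the GUI steps do not give you (whether each KB is already installed, and whether the downloaded file matches the hash in its name). Assumptions: the folder holding the .msu files, and that the 40 hex characters at the end of a catalog file name (as in the KB4012212 link quoted earlier in the thread) are the file's SHA-1. The "Never check for updates" setting from step 1 is left to the GUI.

```powershell
# Added example. Run elevated. Uses only PowerShell 2.0 features (the version Windows 7 ships with).
# Assumption: $MsuFolder is where the security-only .msu files were saved.
param([string]$MsuFolder = "$env:USERPROFILE\Desktop")

# March and April 2017 security-only updates named in the post
$wanted = 'KB4012212', 'KB4015546'

function Get-Sha1Hex {
    # SHA-1 of a file as a hex string (Get-FileHash does not exist in PowerShell 2.0)
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA1]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { return ([System.BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '') }
    finally { $fs.Close() }
}

# Step 2: the standalone installer fails when the Windows Update service is Disabled
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'"
if ($svc.StartMode -eq 'Disabled') {
    Set-Service -Name wuauserv -StartupType Manual
}
# Step 4: stop the service before running the installers
Stop-Service -Name wuauserv -Force -ErrorAction SilentlyContinue

foreach ($kb in $wanted) {
    if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
        Write-Host "${kb}: already installed, skipping"
        continue
    }
    $msu = Get-ChildItem -Path $MsuFolder -Filter "*$kb*.msu" | Select-Object -First 1
    if (-not $msu) {
        Write-Warning "${kb}: no .msu file found in $MsuFolder"
        continue
    }
    # Assumption: a trailing _<40 hex chars> in the file name is the SHA-1 of the file
    if ($msu.BaseName -match '_([0-9a-f]{40})$') {
        $expected = $Matches[1]
        $actual   = Get-Sha1Hex -Path $msu.FullName
        if ($actual -ne $expected) {      # -ne on strings is case-insensitive
            Write-Warning "${kb}: SHA-1 $actual does not match file name, not installing"
            continue
        }
    } else {
        Write-Warning "${kb}: file name carries no hash, integrity not checked"
    }
    # Step 5: install one update at a time; /norestart leaves the reboot (step 6) to you
    $p = Start-Process -FilePath wusa.exe -Wait -PassThru `
            -ArgumentList "`"$($msu.FullName)`"", '/quiet', '/norestart'
    Write-Host "${kb}: wusa.exe exit code $($p.ExitCode) (0 = installed, 3010 = installed, reboot needed)"
}

# After the reboot, confirm both updates are recorded
Get-HotFix -Id $wanted -ErrorAction SilentlyContinue |
    Select-Object HotFixID, InstalledOn
```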
Thank you for the reply. But I’m confused because the article says, “[…] at a very minimum, you should download and install KB 4012212. Don’t worry about Group A or Group B at this point. Installing KB 4012212 will protect you without committing your system to either Group A or Group B.” The KB’s you are suggesting appear to be the full security updates for those months, and that’s what I actually want to avoid doing. I don’t want to start doing security updates, nor install everything I may have missed up until this point. I just want to install (if need be, even) the bare minimum needed, which the article seems to say is KB 4012212. Know what I mean?
(See my OP, https://www.askwoody.com/forums/topic/what-every-windows-customer-should-know-about-last-weeks-deluge-of-malware/#post-109680 for reasons, actual computer use, etc.)
Thank you!
@PKCano: That is the fix for CVE-2017-0199, the Office and Wordpad issue. I believe that Woody has not declared that Group W users must patch CVE-2017-0199. If one desires to patch CVE-2017-0199 for Office, both the Windows April 2017 update (either monthly rollup or security-only update) and the relevant Office update must be installed.
Okay, I was also confused because you had posted the wrong KB number at first (but you fixed it, thanks!). So now it sounds like I only need to install KB4012212, correct?
I do not have any Office products, though I do have Wordpad. *However,* I only use Wordpad for documents I create. I never open any other files of any kind not of my own creation in it (and, honestly, I never open any files not of my own creation at all, other than in Google doc viewer via gmail).
Also, if I follow that process to install KB4012212, at the end I’m back to where I started with my system not updating nor ever checking for updates, correct?
And just to verify, to make sure there’s no confusion, installing KB4012212 even though I’ve not installed anything since the month prior to the MS bundle update change fiasco, will not cause my system any issues?
Is KB4012212 just a single security update for this one issue, or is it a bundle of everything up until March? (Which I don’t think I’d want, as that’s why I stopped updating in the first place and would be fearful for issues caused by installing all those bundled updates.)
Thanks again for the help!
Thanks, PKCano! KB4012212 successfully installed. (Interestingly enough, in the list of installed updates, it only shows it as being “Important” not “Critical.”)
Just wondering why we’d want to leave Windows Update service set to “Manual” instead of “Disabled?” (For some reason, it was previously set to “Automatic – Delayed Start.”)
Also, I have always had Windows Update set to “Never Check for Updates” since stopping updating, and have it still set at that.
Jack, if you don’t have a good ad blocking and antimalware solution you could be subject to “drive by” malvertising.
In short, what that means is that any site that puts ads on the page you’re looking at could inadvertently host one that installs malware on your system.
You can be sure that the media sites you mentioned getting shows from DO try to monetize your visits by not only showing you their own commercials but by putting ads on their web pages. They are anything but trustworthy sites.
I don’t know what the probability of getting “drive by” malware is, but certainly people are getting malware from somewhere… I have an extremely effective multi-layer ad blocking setup myself and have had no malware try to get into my system ever.
I’d suggest considering adding ad-blocking, whether or not you feel you surf the wild internet. I presume you at least use Microsoft Security Essentials already. If not, you probably should.
-Noel
Hi Noel,
I do have MS Security Essentials. I don’t think it’s the most recent version because I believe there was a problem with whatever latest build that was offered right before the whole MS updates thing changed, but it is definitely kept up to date with definitions. I also only use Firefox and use AdBlock Plus (although I actually have to disable it on certain show sites in order to get the shows to play, unfortunately). I also have the free version of Malwarebytes Anti-Malware. I don’t run it often to scan (it’s not real-time, just a scanner), but when I do, I update the definitions and it always comes up clean. However, it is an older version (1.70.0.1100) and I know that there is at least a 2.0 out, as it’s mentioned on the update tab in the program itself. I was hesitant to update it not knowing if it’s still a “safe” program, and if it’s an ok idea to just do so through the program itself. But that’s where I’m at, basically. Let me know what you think. Thanks!
— Jack
(Win7 64-bit) “If you didn’t get caught up on March’s Windows patches, make sure you install MS17-010. For Win7 and 8.1, you can use either the Monthly Rollup or the Security-Only version”
I originally planned to stay in group A but ended up drifting into group W just by being overwhelmed by the whole thing.
I did work out by going through the exploit list and update solutions that I needed and could update the MS17-010 March security only update prior to your article being published but……..
……is there a simple list of group A updates month by month or should I just do a Group B rollup in April (when it’s safe) and accept that I’m not group A material?
This shadow brokers thing was a wake up call that I need to stay proactive with my security updates.
Thanks Woody & valued askwoody.com contributors 🙂
The recommendation to avoid KB3068708 and KB3080149 seems to be obsolete, as updated functionality seems to be included in further updates.
Those two patches are offered to all server versions and are core functionality for all versions of Windows now.
For those interested in having a fully functional and supported system, please install everything which comes on Windows Update including all Optional Updates EXCEPT:
KB971033
KB2952664/KB3150513
KB3021917
Preview Updates
There is no big issue if either of those updates above are actually installed, but they are the only true Optional updates released and which do not impact functionality.
PS Please stop messing around with the Microsoft Catalog if you are interested in a properly functioning system and use Windows update instead, as intended. Those who can correctly handle the Catalog updating style (Group B) are not those taking advice from posters on this forum, but those using Enterprise tools for this purpose.
Those in Group B, please ask yourselves what is your reference to know at any time that your installation is fully up to date when using the Group B updating style? Various lists compiled by posters on Internet sites do not qualify as reference.
Excellent. So what do you say to Win7 users who don’t want to participate in Microsoft’s telemetry/snooping activities?
We have a list of the 1699 data items Microsoft collects, as a minimum on Creators Update machines. But we haven’t a clue about fully patched win 7 machines.
I think there is a Group Policy which can redirect telemetry data collection to an internal server, which can be fake. This applies to those with KB2952664 installed on Windows 7. Windows 10 comes with the equivalent functionality built-in and I believe it can be configured in the same way.
For those without KB2952664 on Windows 7, CEIP configured to not report should be enough as proved on the old site by MrBrian’s exhaustive testing.
Even so, the telemetry is over-rated as being dangerous and the Basic configuration for Windows 10 Pro should suffice in general.
There was not long ago a post in relation to Windows 10 Enterprise being fully compliant with HIPAA and if that OS can be made compliant with the HIPAA or Department of Defense requirements worldwide, I don’t see why it cannot be used safely by any John Doe.
Group Policy isn’t available to Win 7 Home… so one option that would make that kind of configuration possible, would be to upgrade…
Doesn’t leave much for Win 7 Home users that don’t want telemetry or to mess with the system that they have and is working perfectly well…
I’m successfully updating with the security only updates every month. Thank you Woody, and PKCano for helping to make that a breeze.
Non-techy Win 10 Pro and Linux Mint experimenter
Thank you for your input, and welcome back :).
When I wrote that post, I thought about mentioning that, of Windows 7 updates that are checked by default, only KB2952664 and probably also KB3021917 should be avoided, but I want to test KB3068708 and KB3080149 further before saying so publicly. I didn’t mention KB3150513 because it is offered only if KB2952664 is already installed, if I recall correctly. I didn’t mention KB971033 because it’s unchecked by default now; I recommend avoiding KB971033.
About Optional updates: in my Windows 7 update history, I have installed 5 Optional updates but avoided some of the other Optional updates.
In my opinion, Windows 7 users who want to avoid the telemetry additions of the past few years would be better off installing updates through Windows Update than by being in Group B.
About recent Windows telemetry additions: see Knowledge Base article 2952664: Telemetry in Win7/8.1 – KB2952664, KB2977759, KB2976978, & KB3150513.
KB3021917 is also unchecked now if Recommended are to be considered as Important.
I am in favour of installing all Optional updates offered which are unchecked, except for those already mentioned.
The classification of Security, Critical, Update Rollups, Recommended, Optional, Feature Packs is purely arbitrary and all updates are equally important, if Windows 10 is any indication of the current approach.
I think this was mentioned few times by @abbodi86 and it is my view as well.
In my opinion, Windows 7 users who want to avoid the telemetry additions of the past few years would be better off installing updates through Windows Update than by being in Group B.
It is not only you.
This issue is getting out of hand and while it was fun to observe for a while, it is beyond ridiculous now after more than 6 months of so much nonsense.
I wonder if you have Group A and Group B mixed up.
Group A installs everything that is already CHECKED (except the telemetry patches as mentioned by @MrBrian above). This is the easiest for non-techies.
Group B does NOT install the “Security Monthly Quality ROLLUP for Windows” that is offered through Windows Update. Group B instead downloads from the MS Catalog the “Security Only Quality UPDATE for Windows” and the Cumulative update for IE11 and installs them manually.
If you need the Group B patches, they are listed here every month
Edited to add link
Thanks PKCano – 100% correct – I did indeed mix up group A&B – Thanks for the link <3 Love you guys !!
{edit} Additionally, I suspect opening a Word document in Notepad is also possible if you wade through the formatting text. Just looking for options for those who do not have (or want to have) a Google account.
If you can’t fit it into Notepad, Wordpad should be able to handle it. But you will have to scroll through it to excise the non-textual data.
I’ll just leave it here: