Where we stand with the December patches

[woody]

Things were looking pretty good for This Month in Patches — until two days ago. Now, it’s anybody’s guess. But I continue to recommend that you hold
[See the full post at: Where we stand with the December patches]

6 users thanked author for this post.

ch100, abbodi86, Mele20, cesmart4125, Microfix, WildBill

Reply | Quote

[banzaigtv]

I received a notification of this update on Windows 8.1 which is set for manual updates. I will be ignoring this update. Will it go away when the January cumulative update is released?

I am no longer an active member of the forums.

Reply | Quote

[PKCano]

The fix for IE will be rolled into the Jan. Rollups and IE CUs.

9 users thanked author for this post.

ch100, cesmart4125, OscarCP, Microfix, SueW, WildBill, banzaigtv, geekdom, woody

Reply | Quote

[geekdom]

And in January 2019 upon patch release, we will probably be under DEFCON-Wait-to-Patch.

Beta Work {Got backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender TRV=1909 WuMgr
offline▸ Win10Pro 20H2.19042.685 x86 Atom N270 RAM2GB HDD WindowsDefender WuMgr GuineaPigVariant
online▸ Win10Pro 2004.19041.746 x64 i5-9400 RAM16GB HDD Firefox85.0 WindowsDefender TRV=2004 WuMgr

1 user thanked author for this post.

banzaigtv

Reply | Quote

[banzaigtv]

But apparently we now have less than a week to wait to install Patch Tuesday updates. We no longer have the luxury of waiting two weeks since Microsoft now apparently releases buggy quality updates every few f******’ days. Our peace of mind is going away.

I am no longer an active member of the forums.

Reply | Quote

[geekdom]

The next Patch Tuesday is January 8, 2019, the second Tuesday of each month.

Beta Work {Got backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender TRV=1909 WuMgr
offline▸ Win10Pro 20H2.19042.685 x86 Atom N270 RAM2GB HDD WindowsDefender WuMgr GuineaPigVariant
online▸ Win10Pro 2004.19041.746 x64 i5-9400 RAM16GB HDD Firefox85.0 WindowsDefender TRV=2004 WuMgr

1 user thanked author for this post.

Microfix

Reply | Quote

[Geo]

Really basic users of W7 Group A  never had a problem except we don’t need the previews.  Enterprise  is another story.  I use Firefox.

1 user thanked author for this post.

ch100

Reply | Quote

[geekdom]

There have been some real howlers with Windows 7 updates. One recent problem update that comes to mind is SSU KB3177467 related. “Here be dragons” holds true.

Beta Work {Got backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender TRV=1909 WuMgr
offline▸ Win10Pro 20H2.19042.685 x86 Atom N270 RAM2GB HDD WindowsDefender WuMgr GuineaPigVariant
online▸ Win10Pro 2004.19041.746 x64 i5-9400 RAM16GB HDD Firefox85.0 WindowsDefender TRV=2004 WuMgr

Reply | Quote

[ch100]

@geo Actually Enterprise users have never had much of a problem.
It is a common misconception that somehow businesses are impacted by the quality of the Microsoft patches. This is an extremely rare occurrence, but it certainly happens now and then.
I am aware of businesses with 100k + users installing patches less than 48 hours after their release for compliance reasons and which almost never experience an issue with the official patches. I am currently working for one of those businesses and it is not an easy job.
Congrats for being in Group A, the Group B style of patching is a fake.

Reply | Quote

[RTEsysadmin]

It’s “fake” only until you’ve had users complaining that Outlook isn’t working or their documents have disappeared, road warriors call in tears, telling you that their Surface laptops are bricked, and banks of servers have lost their IP addresses.

Group K(ill me now)

1 user thanked author for this post.

The Surfing Pensioner

Reply | Quote

[OscarCP]

Thanks for enlightening me about Group B patching being fake.

I did not know that and, in my blind ignorance, am sorry to admit that I have been patching as “Group B” from way before it was given this name, for some 20 years by now, and have had not a single problem because of an installed bad patch: never, ever. And in recent years, as things have become more complicated, I have been able to continue without problems in good part thanks to the advice and information provided by other loungers and by MVPs here, at Woody’s.

But now your comment has opened my eyes and am ready to start patching in whatever way you might kindly suggest that one should do this. I am always ready to learn at the feet of true masters.

 

Group B, Windows 7 Pro, SP1 x64.

Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

1 user thanked author for this post.

The Surfing Pensioner

Reply | Quote

[Susan Bradley]

I installed the IE updates and have not seen side effects.  December updates have been installed as well.

Susan Bradley Patch Lady

14 users thanked author for this post.

OscarCP, rc primak, abbodi86, ch100, Mele20, Pixie, AusJohn, cesmart4125, Geo, Mr. Natural, Microfix, AJNorth, woody, WildBill

Reply | Quote

[anonymous]

Susan,
Are you going to add the new KB’s (for IE patch) for Windows 10 versions to the Patch List? And are there also new SSU’s?

Reply | Quote

[anonymous]

And are there also new SSU’s?

Can’t speak for Susan re Master Patch List, but for list of Latest Servicing Stack Updates for each version of Windows, see Microsoft Security Advisory ADV990001 – https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001

Hope this helps.

Reply | Quote

[WildBill]

Thanks for the Computerworld article, Boss. Unless you say “The Sky Is Falling!”, I can wait. Not in a hurry to patch until you move us to MS-DEFCON 3 or above.

2 Machines for Now!
#1: Windows 8.1, 64-bit, back in Group A.
#2: Getting close to buying a refurbished Windows 10 64-bit, recently updated to v1909. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
Wild Bill Rides Again...

1 user thanked author for this post.

rc primak

Reply | Quote

[warrenrumak]

This fix for IE11 will probably be included in the upcoming “Preview of Monthly Rollup” release, right?

Reply | Quote

[PKCano]

There are not going to be Previews in Dec. It will be included in the Jan Rollups and SOs for Win7/8.1 and in the CUs for Win10.

8 users thanked author for this post.

rc primak, SueW, abbodi86, Mele20, Hopper15, flackcatcher, Geo, Microfix

Reply | Quote

[warrenrumak]

Because of Christmas / holidays?  Was this announced somewhere?

Reply | Quote

[PKCano]

Yes, MS announced it. There is a link somewhere in one of the latest threads.

https://www.computerworld.com/article/3327564/microsoft-windows/patch-tuesday-breaks-records-some-good-most-bad-and-check-for-updates-still-stings.html

6 users thanked author for this post.

rc primak, warrenrumak, flackcatcher, Geo, Microfix, woody

Reply | Quote

[warrenrumak]

Great, thanks. With any luck, there won’t be any “surprises” before the 2nd week of January.

Reply | Quote

[Hopper15]

PKCano wrote:

There are not going to be Previews in Dec. It will be included in the Jan Rollups and SOs for Win7/8.1 and in the CUs for Win10.

If that’s the case I won’t be installing it.  I’ll just wait for the Jan Rollup.

Reply | Quote

[Lars220]

Thank you Woody for keeping us abreast of the bleeding edge Chicken Little Headlines, I appreciate your ‘cool headed’ response and will wait for your reasoned advice. It is those “poison frog darts” that reallly scare me.

Reply | Quote

[CADesertRat]

Looks like I just got another brand new KB 4023057 waiting for a restart while I was away.

Don't take yourself so seriously, no one else does 🙂
4 Win 10 Pro at 1909 (3 Desktops, 1 Laptop).

Reply | Quote

[OscarCP]

As far as I can remember from reading, over  a number of years, what has been reported here and elsewhere, nothing really bad has come to Windows 7 users (Group B in particular, I am glad to add) for looking (and waiting) before jumping, no matter how much in need of urgent action, and how scary, things might be made to look. To me, that’s the real trick.

And thanks to Woody and Co. for always helping to lower the temperature from “overheated” to “moderate” in situations such as this…

(“Meteor Crater News”? A really terrific choice of cover picture; is it a still from some movie?)

Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

1 user thanked author for this post.

The Surfing Pensioner

Reply | Quote

[anonymous]

Rashly installed the December updates yesterday, and immediately began having problems loading Outlook 2010.  Later in the day, had a spontaneous shutdown:  *click* and a black screen.  Attempted to reboot, had another shutdown mid-boot.  Next reboot attempt, I was prompted to boot in repair mode.  Did that, rolled system back to pre-December updates, and all seems back to normal.  Waiting now for clarity on which updates are suspect.

Reply | Quote

[PKCano]

Could you please give us some information about your computer hardware?
What version of Windows are you running?
What updates were installed? For Windows? For Office 2010?

This information will help pinpoint the problem and help others avoid the problem.
Thanks.

Reply | Quote

[anonymous]

Windows 7/x64

Office 2010 updates:

Security Update for Microsoft Excel 2010 (KB4461577) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB4461570) 32-Bit Edition
Security Update for Microsoft Outlook 2010 (KB4461576) 32-Bit Edition
Security Update for Microsoft PowerPoint 2010 (KB4461521) 32-Bit Edition
Update for Microsoft Office 2010 (KB4227172) 32-Bit Edition
Update for Microsoft Office 2010 (KB4461579) 32-Bit Edition

Windows 7 Updates

2018-12 Cumulative Security Update for Internet Explorer 11 for Windows 7 for x64-based systems (KB4483187)
2018-12 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows 7 and Server 2008 R2 for x64 (KB4471987)
2018-12 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4471318)
Windows Malicious Software Removal Tool x64 – December 2018 (KB890830)

 

Reply | Quote

[PKCano]

Thanks for the information.

The Dec patches for Windows have generally been OK. We have had a couple of reports of problems with Outlook and the Dec patches. They have issued a bug fix for Office 2013, and there maybe ones for the other Office products in the offing.

We are still on DEFCON2. Give it a little more time to let the problems shake out before trying to update again. Come back and check on the status here.

BTW, did you check out Woody’s ComputerWorld article linked on the main blog article?

Reply | Quote

[anonymous]

Yes, thanks.  I notice others have reported problems with Win 7 and KB4483187.   Think I’ll just wait a little and see what else turns up; then try installing the other updates one at a time.

Reply | Quote

[ch100]

Is the Outlook patch mainstream, which means on Windows Microsoft Update, or only a hotfix with limited release in the Catalog?
We should not be concerned with commenting about Catalog only releases, although mentioning them is useful for those few who may need to try them to fix specific issues.

Reply | Quote

[anonymous]

If I understand the information correctly, mainly on the CVE page, that IE patch is really a patch for jscript.dll, which IE9 and newer don’t even use by default, but may be used under special circumstances (compatibility mode?) and by other applications, right?

Then again, just a bit ago when I checked the CVE page, there was mitigation information listing that by default IE has measures reducing the risks of such exploits, a way to restrict access to jscript.dll and a notice that doing so shouldn’t normally affect IE9+ since it uses jscript9.dll, but now when I looked again while writing this it says there are no mitigating measures. Weird.

Reply | Quote

[Bob99]

Yes, I saw the same thing…a couple of hours ago there were instructions on how to mitigate the vulnerability via restricting access to jscript.dll, and now the instructions are gone.

However, the instructions were mostly for those running server versions of Windows, as I noticed in the details. Also, the article made mention (under the “Workarounds” heading) of running IE in an Enhanced Security “Environment” (my word, as I don’t recall the exact one) as well for those running servers, complete with a link to instructions on implementing said environment/settings from within IE’s (or the Control Panel’s) Internet Options dialog box.

Makes me wonder why MS took down the instructions: They weren’t that overly complex or technical in nature. They involved two very infrequently used commands used at an administrator-level command prompt to first take ownership of jscript.dll and next to modify its access control list to restrict what a certain group of users on the given computer is allowed to do with the file.

Reply | Quote

[PKCano]

@Woody posted that Workaround earlier here.

Reply | Quote

[b]

But the workaround has since been modified with additional takeown commands (before and after disappearing several times).

2 users thanked author for this post.

rc primak, PKCano

Reply | Quote

[anonymous]

Ok, as of yesterday’s posting above, the instructions in the article had been removed, that I know for sure. BUT, as of THIS writing, they’re back. As I said above, who knows why MS pulled them, as right now, they’re exactly the same as they were yesterday before being removed from the article. This problem (being there and gone again) has been noted on the other thread related to this issue by other AskWoody readers/members.

Good thing for all of us, @Woody ‘s posted (via copy/paste) the instructions here for us to attempt at our leisure should we choose to do so.

Reply | Quote

[PKCano]

Here is the current version of the Workaround per MS (12/22/2018):

Workarounds

Restrict access to JScript.dll For 32-bit systems, enter the following command at an administrative command prompt:

	takeown /f %windir%\system32\jscript.dll
	cacls %windir%\system32\jscript.dll /E /P everyone:N

For 64-bit systems, enter the following command at an administrative command prompt:

	takeown /f %windir%\syswow64\jscript.dll
	cacls %windir%\syswow64\jscript.dll /E /P everyone:N
	takeown /f %windir%\system32\jscript.dll
	cacls %windir%\system32\jscript.dll /E /P everyone:N

Impact of Workaround. By default, IE11, IE10, and IE9 uses Jscript9.dll which is not impacted by this vulnerability. This vulnerability only affects certain websites that utilizes jscript as the scripting engine.

How to undo the workaround. For 32-bit systems, enter the following command at an administrative command prompt:

	cacls %windir%\system32\jscript.dll /E /R everyone

For 64-bit systems, enter the following command at an administrative command prompt:

	cacls %windir%\syswow64\jscript.dll /E /R everyone

1 user thanked author for this post.

rc primak

Reply | Quote

[anonymous]

ALL of the steps mentioned by MS with the command line can also be performed via the GUI, no need for the command line.
HOWEVER, they must be performed as an administrator, just like the command line options.

Reply | Quote

[anonymous]

Hello anonymous, When you said you “Next reboot attempt, I was prompted to boot in repair mode.  Did that, rolled system back to pre-December updates, and all seems back to normal.” Anon, what recovery option did you choose that helped you roll-back? Was it the “Last Known Good Configuration” option? Thanks, in advance.

Reply | Quote

[anonymous]

Yes, it was.

Reply | Quote

[banzaigtv]

Uh, how is it possible to wait to install patches when Microsoft is just going to keep replacing them with out-of-band updates every few days? We have no choice but to install the Patch Tuesday updates immediately. Therefore, the MS-DEFCON data means nothing anymore. 🙁

I am no longer an active member of the forums.

Reply | Quote

[Elly]

@bangzaigtv- I hear your frustration… but there are definitely choices to be made. Relatively few people here are willing to act as beta-testers for Microsoft…

Non-techy Win 10 Pro and Linux Mint experimenter

2 users thanked author for this post.

rc primak, SueW

Reply | Quote

[ch100]

Or putting it differently, few people who have a better understanding, just take a calculated risk… and everything is OK.
No beta-testing at all, just following the manufacturer’s instructions like for any other product.
Someone who says that they dual-boot Win 81 and Win 10 and makes claims of potential (not experienced) problems does really contribute in a positive sense?
Why not following Susan’s lead on this matter?

Reply | Quote

[banzaigtv]

If I decide to keep Windows 10 for a bit longer, is there going to be any problems turning off Windows Update in services.msc, then manually downloading and installing the Patch Tuesday cumulative update released on 12/11/18? I have updates set to manual on the Group Policy Editor settings and Windows will display this week’s update as the one it will be set to download. What is that patch number I should be looking for? It’s for Windows 10 Pro version 1803. Also, should I manually download and install the latest version of the Windows Malacious Software Removal Tool?

I am no longer an active member of the forums.

Reply | Quote

[PKCano]

The latest CU for 1803 is KB4483234 (12/19/2018). Be sure you have the SSU KB4477137 installed before. And yes, to MSRT.

1 user thanked author for this post.

banzaigtv

Reply | Quote

[banzaigtv]

No, not the 12/19 update. I need the one for 12/11. So when I download the updates manually each month, then how do I find out the numbers for both the SSU and CU patches for Patch Tuesday each time?

I am no longer an active member of the forums.

Reply | Quote

[Microfix]

Susan’s Master Patch List:

Master Patch List

No problem can be solved from the same level of consciousness that created IT- AE

1 user thanked author for this post.

banzaigtv

Reply | Quote

[PKCano]

The Win10 History pages have the information on Patch Tues updates for all versions of Win10. When you open the page for the specific CU (by the KB number) it tells you what SSU you need at the bottom of the page.

1 user thanked author for this post.

banzaigtv

Reply | Quote

[AJNorth]

Report from the field:

Five Win 7 Pro and three Win 8.1 Pro (all x64) were patched with the Dec 2018 “Group B” patches (KB4471328 & KB4483187 and KB4471322 & KB4483187, respectively) about forty hours ago; none of their users have experienced any issues as of a couple of hours ago (the Dec .NET has not yet been installed).

1 user thanked author for this post.

SueW

Reply | Quote

[Nibbled To Death By Ducks]

This may be a cross-post, as I may have done it on some other forum…but I installed KB 4483317 without incident.

I did have some trouble with my Bluetooth CSR software stack and drivers around the same time, but nobody exists who doesn’t have trouble with Bluetooth at some time, so I’m thinking it was a quinky-dink.

 

Win7 Pro SP1 64-bit ESU, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", Group "Patch List", Multiple Air-Gapped backup drives in different locations, "Don't auto-check for updates-Full Manual Mode." Linux Mint Greenhorn
--
"A committee is the only known form of life that can have least four legs and no brain."

-Robert Heinlein

Reply | Quote

[Kirsty]

I suspect KB4483317 may be a typo?

Reply | Quote

[Xi]

@woody

As requested via email, pls help with these:

Win 8.1 x86 & x64:
List installed KB4052978 & KB4054522 – Dec 2017 Security Only Updates. Help with the list of security only updates incl..net updates from MS catalog to be installed and to be avoided for telemetry/botched. In Jan 2018 we have AMD boot issue updates and worried/stuck since the device is AMD.

FYI: Not interested in Group A/combined/rollups updates even-though u moved to Group A . No MS Office installed.

Unable to follow with the updates and update list here – confused with searching for details/issue details posted by you. Please help with KB list and the threads regards to it.

Also, provide Win 7 x86 & x64 – Security only updates incl. .net updates from Jan 2018 if possible.

Thanks…..

Merry X’mas n New Year!

Reply | Quote

[PKCano]

The Security-only patches for Win7/8.1 and IE11 Cumulative Updates (both 32-bit and 64-bit) are listed in AKB2000003 from October 2016 to the current December 2018 updates. The link is a direct download from the MS Update Catalog.

For January 2017, KB4073578 released for AMD is marked.

When a patch shows that it replaces another patch, you do not need both. You do not need the replaced (superseded) patch.

If there is a .exe file included with the .msu update when you download it, simply put the .exe file in the same location as the KB numbered .msu update. You do not need to click on it. It will be executed automatically during the install process of the .msu update.

The .NET patches are bundled. There are individual patches within the bundle for each of the different version of .NET you have installed on your computer. Because it is difficult to determine what you need within the bundle, Group B recommends that you do the .NET patching through Windows Update because that mechanism will install the updates correctly. .NET is not included for the Group B telemetry avoidance.

4 users thanked author for this post.

Xi, SueW, Elly, AJNorth

Reply | Quote

[Xi]

PKCano wrote:

The .NET patches are bundled. There are individual patches within the bundle for each of the different version of .NET you have installed on your computer. Because it is difficult to determine what you need within the bundle, Group B recommends that you do the .NET patching through Windows Update because that mechanism will install the updates correctly. .NET is not included for the Group B telemetry avoidance.

Thanks for the detailed clarification.
However, for Win 7, the .Net framework security only patches are available in update catalog. Why? Can we use it instead of .net rollup patches for win 7?

Reply | Quote

[PKCano]

You will find that the .NET Security-only patch is bundled as well.
If you click on the SO patch download button in the catalog, you will find the download to be multiple patches for the different versions.
If you click on the name of the update (instead of the “download” button), then click on “More information” in the box that pops up, you will find that each of the SO patches has a different KB number. This will tell you which of the patches is for which version of .NET, but then you need to know what version(s) is/are installed on your computer as well.

Reply | Quote

[Author]

Posts