News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Where we stand with the December patches

    Home Forums AskWoody blog Where we stand with the December patches

    This topic contains 53 replies, has 23 voices, and was last updated by

     PKCano 5 months ago.

    • Author
      Posts
    • #241739 Reply

      woody
      Da Boss

      Things were looking pretty good for This Month in Patches — until two days ago. Now, it’s anybody’s guess. But I continue to recommend that you hold
      [See the full post at: Where we stand with the December patches]

      6 users thanked author for this post.
    • #241750 Reply

      banzaigtv
      AskWoody Lounger

      I received a notification of this update on Windows 8.1 which is set for manual updates. I will be ignoring this update. Will it go away when the January cumulative update is released?

      I am no longer an active member of the forums.

      • #241751 Reply

        PKCano
        Da Boss

        The fix for IE will be rolled into the Jan. Rollups and IE CUs.

        9 users thanked author for this post.
        • #241772 Reply

          geekdom
          AskWoody Plus

          And in January 2019 upon patch release, we will probably be under DEFCON-Wait-to-Patch.

          Group G{ot backup} Win7Pro · x64 · SP1 · i3-3220 · TestBeta
          1 user thanked author for this post.
          • #241784 Reply

            banzaigtv
            AskWoody Lounger

            But apparently we now have less than a week to wait to install Patch Tuesday updates. We no longer have the luxury of waiting two weeks since Microsoft now apparently releases buggy quality updates every few f******’ days. Our peace of mind is going away.

            I am no longer an active member of the forums.

            • #241786 Reply

              geekdom
              AskWoody Plus

              The next Patch Tuesday is January 8, 2019, the second Tuesday of each month.

              Group G{ot backup} Win7Pro · x64 · SP1 · i3-3220 · TestBeta
              1 user thanked author for this post.
    • #241787 Reply

      Geo
      AskWoody Plus

      Really basic users of W7 Group A  never had a problem except we don’t need the previews.  Enterprise  is another story.  I use Firefox.

      1 user thanked author for this post.
      • #241790 Reply

        geekdom
        AskWoody Plus

        There have been some real howlers with Windows 7 updates. One recent problem update that comes to mind is SSU KB3177467 related. “Here be dragons” holds true.

        Group G{ot backup} Win7Pro · x64 · SP1 · i3-3220 · TestBeta
      • #241946 Reply

        ch100
        AskWoody_MVP

        @geo Actually Enterprise users have never had much of a problem.
        It is a common misconception that somehow businesses are impacted by the quality of the Microsoft patches. This is an extremely rare occurrence, but it certainly happens now and then.
        I am aware of businesses with 100k + users installing patches less than 48 hours after their release for compliance reasons and which almost never experience an issue with the official patches. I am currently working for one of those businesses and it is not an easy job.
        Congrats for being in Group A, the Group B style of patching is a fake.

        • #242231 Reply

          RTEsysadmin
          AskWoody Lounger

          It’s “fake” only until you’ve had users complaining that Outlook isn’t working or their documents have disappeared, road warriors call in tears, telling you that their Surface laptops are bricked, and banks of servers have lost their IP addresses.

          Group K(ill me now)
          1 user thanked author for this post.
        • #242270 Reply

          OscarCP
          AskWoody Plus

          Thanks for enlightening me about Group B patching being fake.

          I did not know that and, in my blind ignorance, am sorry to admit that I have been patching as “Group B” from way before it was given this name, for some 20 years by now, and have had not a single problem because of an installed bad patch: never, ever. And in recent years, as things have become more complicated, I have been able to continue without problems in good part thanks to the advice and information provided by other loungers and by MVPs here, at Woody’s.

          But now your comment has opened my eyes and am ready to start patching in whatever way you might kindly suggest that one should do this. I am always ready to learn at the feet of true masters.

           

          Group B, Windows 7 Pro, SP1 x64.

          1 user thanked author for this post.
    • #241795 Reply

      Susan Bradley
      AskWoody MVP

      I installed the IE updates and have not seen side effects.  December updates have been installed as well.

      Susan Bradley Patch Lady

      14 users thanked author for this post.
      • #241797 Reply

        anonymous

        Susan,
        Are you going to add the new KB’s (for IE patch) for Windows 10 versions to the Patch List? And are there also new SSU’s?

    • #241812 Reply

      WildBill
      AskWoody Plus

      Thanks for the Computerworld article, Boss. Unless you say “The Sky Is Falling!”, I can wait. Not in a hurry to patch until you move us to MS-DEFCON 3 or above.

      Windows 8.1, 64-bit, now in Group B!
      Wild Bill Rides Again...

      1 user thanked author for this post.
    • #241814 Reply

      warrenrumak
      AskWoody Plus

      This fix for IE11 will probably be included in the upcoming “Preview of Monthly Rollup” release, right?

    • #241838 Reply

      Lars220
      AskWoody Lounger

      Thank you Woody for keeping us abreast of the bleeding edge Chicken Little Headlines, I appreciate your ‘cool headed’ response and will wait for your reasoned advice. It is those “poison frog darts” that reallly scare me.

    • #241856 Reply

      CADesertRat
      AskWoody Plus

      Looks like I just got another brand new KB 4023057 waiting for a restart while I was away.

      Don't take yourself so seriously, no one else does 🙂
      4 Win 10 Pro currently 1809 (3 Desktops, 1 Laptop).

    • #241867 Reply

      OscarCP
      AskWoody Plus

      As far as I can remember from reading, over  a number of years, what has been reported here and elsewhere, nothing really bad has come to Windows 7 users (Group B in particular, I am glad to add) for looking (and waiting) before jumping, no matter how much in need of urgent action, and how scary, things might be made to look. To me, that’s the real trick.

      And thanks to Woody and Co. for always helping to lower the temperature from “overheated” to “moderate” in situations such as this…

      (“Meteor Crater News”? A really terrific choice of cover picture; is it a still from some movie?)

      1 user thanked author for this post.
    • #241870 Reply

      anonymous

      Rashly installed the December updates yesterday, and immediately began having problems loading Outlook 2010.  Later in the day, had a spontaneous shutdown:  *click* and a black screen.  Attempted to reboot, had another shutdown mid-boot.  Next reboot attempt, I was prompted to boot in repair mode.  Did that, rolled system back to pre-December updates, and all seems back to normal.  Waiting now for clarity on which updates are suspect.

      • #241874 Reply

        PKCano
        Da Boss

        Could you please give us some information about your computer hardware?
        What version of Windows are you running?
        What updates were installed? For Windows? For Office 2010?

        This information will help pinpoint the problem and help others avoid the problem.
        Thanks.

    • #241877 Reply

      anonymous

      Windows 7/x64

      Office 2010 updates:

      Security Update for Microsoft Excel 2010 (KB4461577) 32-Bit Edition
      Security Update for Microsoft Office 2010 (KB4461570) 32-Bit Edition
      Security Update for Microsoft Outlook 2010 (KB4461576) 32-Bit Edition
      Security Update for Microsoft PowerPoint 2010 (KB4461521) 32-Bit Edition
      Update for Microsoft Office 2010 (KB4227172) 32-Bit Edition
      Update for Microsoft Office 2010 (KB4461579) 32-Bit Edition

      Windows 7 Updates

      2018-12 Cumulative Security Update for Internet Explorer 11 for Windows 7 for x64-based systems (KB4483187)
      2018-12 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows 7 and Server 2008 R2 for x64 (KB4471987)
      2018-12 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4471318)
      Windows Malicious Software Removal Tool x64 – December 2018 (KB890830)

       

      • #241880 Reply

        PKCano
        Da Boss

        Thanks for the information.

        The Dec patches for Windows have generally been OK. We have had a couple of reports of problems with Outlook and the Dec patches. They have issued a bug fix for Office 2013, and there maybe ones for the other Office products in the offing.

        We are still on DEFCON2. Give it a little more time to let the problems shake out before trying to update again. Come back and check on the status here.

        BTW, did you check out Woody’s ComputerWorld article linked on the main blog article?

        • #241888 Reply

          anonymous

          Yes, thanks.  I notice others have reported problems with Win 7 and KB4483187.   Think I’ll just wait a little and see what else turns up; then try installing the other updates one at a time.

        • #241939 Reply

          ch100
          AskWoody_MVP

          Is the Outlook patch mainstream, which means on Windows Microsoft Update, or only a hotfix with limited release in the Catalog?
          We should not be concerned with commenting about Catalog only releases, although mentioning them is useful for those few who may need to try them to fix specific issues.

    • #241896 Reply

      anonymous

      If I understand the information correctly, mainly on the CVE page, that IE patch is really a patch for jscript.dll, which IE9 and newer don’t even use by default, but may be used under special circumstances (compatibility mode?) and by other applications, right?

      Then again, just a bit ago when I checked the CVE page, there was mitigation information listing that by default IE has measures reducing the risks of such exploits, a way to restrict access to jscript.dll and a notice that doing so shouldn’t normally affect IE9+ since it uses jscript9.dll, but now when I looked again while writing this it says there are no mitigating measures. Weird.

      • #241903 Reply

        Bob99
        AskWoody Lounger

        Yes, I saw the same thing…a couple of hours ago there were instructions on how to mitigate the vulnerability via restricting access to jscript.dll, and now the instructions are gone.

        However, the instructions were mostly for those running server versions of Windows, as I noticed in the details. Also, the article made mention (under the “Workarounds” heading) of running IE in an Enhanced Security “Environment” (my word, as I don’t recall the exact one) as well for those running servers, complete with a link to instructions on implementing said environment/settings from within IE’s (or the Control Panel’s) Internet Options dialog box.

        Makes me wonder why MS took down the instructions: They weren’t that overly complex or technical in nature. They involved two very infrequently used commands used at an administrator-level command prompt to first take ownership of jscript.dll and next to modify its access control list to restrict what a certain group of users on the given computer is allowed to do with the file.

        • #241965 Reply

          PKCano
          Da Boss
          • #242001 Reply

            b
            AskWoody Plus

            But the workaround has since been modified with additional takeown commands (before and after disappearing several times).

            Knuckle dragger Cannon fodder Chump Daft glutton Idiot Crazy/Ignorant Toxic drinker Blockhead Unwashed mass Seeker/Sucker "Ancient/Obsolete" (Group ASAP) Win10 v.1903

            2 users thanked author for this post.
        • #242012 Reply

          anonymous

          Ok, as of yesterday’s posting above, the instructions in the article had been removed, that I know for sure. BUT, as of THIS writing, they’re back. As I said above, who knows why MS pulled them, as right now, they’re exactly the same as they were yesterday before being removed from the article. This problem (being there and gone again) has been noted on the other thread related to this issue by other AskWoody readers/members.

          Good thing for all of us, @woody ‘s posted (via copy/paste) the instructions here for us to attempt at our leisure should we choose to do so.

      • #242004 Reply

        PKCano
        Da Boss

        Here is the current version of the Workaround per MS (12/22/2018):

        Workarounds

        Restrict access to JScript.dll For 32-bit systems, enter the following command at an administrative command prompt:

        	takeown /f %windir%\system32\jscript.dll
        	cacls %windir%\system32\jscript.dll /E /P everyone:N
        

        For 64-bit systems, enter the following command at an administrative command prompt:

        	takeown /f %windir%\syswow64\jscript.dll
        	cacls %windir%\syswow64\jscript.dll /E /P everyone:N
        	takeown /f %windir%\system32\jscript.dll
        	cacls %windir%\system32\jscript.dll /E /P everyone:N
        

        Impact of Workaround. By default, IE11, IE10, and IE9 uses Jscript9.dll which is not impacted by this vulnerability. This vulnerability only affects certain websites that utilizes jscript as the scripting engine.

        How to undo the workaround. For 32-bit systems, enter the following command at an administrative command prompt:

        	cacls %windir%\system32\jscript.dll /E /R everyone
        

        For 64-bit systems, enter the following command at an administrative command prompt:

        	cacls %windir%\syswow64\jscript.dll /E /R everyone
        
        1 user thanked author for this post.
        • #242025 Reply

          anonymous

          ALL of the steps mentioned by MS with the command line can also be performed via the GUI, no need for the command line.
          HOWEVER, they must be performed as an administrator, just like the command line options.

    • #241902 Reply

      anonymous

      Hello anonymous, When you said you “Next reboot attempt, I was prompted to boot in repair mode.  Did that, rolled system back to pre-December updates, and all seems back to normal.” Anon, what recovery option did you choose that helped you roll-back? Was it the “Last Known Good Configuration” option? Thanks, in advance.

      • #241927 Reply

        anonymous

        Yes, it was.

    • #241920 Reply

      banzaigtv
      AskWoody Lounger

      Uh, how is it possible to wait to install patches when Microsoft is just going to keep replacing them with out-of-band updates every few days? We have no choice but to install the Patch Tuesday updates immediately. Therefore, the MS-DEFCON data means nothing anymore. 🙁

      I am no longer an active member of the forums.

      • #241921 Reply

        Elly
        AskWoody MVP

        @bangzaigtv- I hear your frustration… but there are definitely choices to be made. Relatively few people here are willing to act as beta-testers for Microsoft…

        Win 7 Home, 64 bit, Group B

        2 users thanked author for this post.
        • #241938 Reply

          ch100
          AskWoody_MVP

          Or putting it differently, few people who have a better understanding, just take a calculated risk… and everything is OK.
          No beta-testing at all, just following the manufacturer’s instructions like for any other product.
          Someone who says that they dual-boot Win 81 and Win 10 and makes claims of potential (not experienced) problems does really contribute in a positive sense?
          Why not following Susan’s lead on this matter?

    • #242009 Reply

      banzaigtv
      AskWoody Lounger

      If I decide to keep Windows 10 for a bit longer, is there going to be any problems turning off Windows Update in services.msc, then manually downloading and installing the Patch Tuesday cumulative update released on 12/11/18? I have updates set to manual on the Group Policy Editor settings and Windows will display this week’s update as the one it will be set to download. What is that patch number I should be looking for? It’s for Windows 10 Pro version 1803. Also, should I manually download and install the latest version of the Windows Malacious Software Removal Tool?

      I am no longer an active member of the forums.

      • #242014 Reply

        PKCano
        Da Boss

        The latest CU for 1803 is KB4483234 (12/19/2018). Be sure you have the SSU KB4477137 installed before. And yes, to MSRT.

        1 user thanked author for this post.
        • #242018 Reply

          banzaigtv
          AskWoody Lounger

          No, not the 12/19 update. I need the one for 12/11. So when I download the updates manually each month, then how do I find out the numbers for both the SSU and CU patches for Patch Tuesday each time?

          I am no longer an active member of the forums.

          • #242023 Reply

            Microfix
            Da Boss

            Susan’s Master Patch List:

            Master Patch List

            ********** Peng/Wins x86/x64 **********

            - µfix

            1 user thanked author for this post.
          • #242024 Reply

            PKCano
            Da Boss

            The Win10 History pages have the information on Patch Tues updates for all versions of Win10. When you open the page for the specific CU (by the KB number) it tells you what SSU you need at the bottom of the page.

            1 user thanked author for this post.
    • #242108 Reply

      AJNorth
      AskWoody Plus

      Report from the field:

      Five Win 7 Pro and three Win 8.1 Pro (all x64) were patched with the Dec 2018 “Group B” patches (KB4471328 & KB4483187 and KB4471322 & KB4483187, respectively) about forty hours ago; none of their users have experienced any issues as of a couple of hours ago (the Dec .NET has not yet been installed).

      1 user thanked author for this post.
    • #242248 Reply

      This may be a cross-post, as I may have done it on some other forum…but I installed KB 4483317 without incident.

      I did have some trouble with my Bluetooth CSR software stack and drivers around the same time, but nobody exists who doesn’t have trouble with Bluetooth at some time, so I’m thinking it was a quinky-dink.

       

      Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", Group "A/B [negative] :)", Multiple Air-Gapped backup drives in different locations, "Don't check for updates-Full Manual Mode."
      --
      "...All the people, all the time..." (Peter Ustinov ad-lib from "Logan's Run")

    • #242282 Reply

      Xi
      AskWoody Lounger

      @woody

      As requested via email, pls help with these:

      Win 8.1 x86 & x64:
      List installed KB4052978 & KB4054522 – Dec 2017 Security Only Updates. Help with the list of security only updates incl..net updates from MS catalog to be installed and to be avoided for telemetry/botched. In Jan 2018 we have AMD boot issue updates and worried/stuck since the device is AMD.

      FYI: Not interested in Group A/combined/rollups updates even-though u moved to Group A . No MS Office installed.

      Unable to follow with the updates and update list here – confused with searching for details/issue details posted by you. Please help with KB list and the threads regards to it.

      Also, provide Win 7 x86 & x64 – Security only updates incl. .net updates from Jan 2018 if possible.

      Thanks…..

      Merry X’mas n New Year!

      • #242377 Reply

        PKCano
        Da Boss

        The Security-only patches for Win7/8.1 and IE11 Cumulative Updates (both 32-bit and 64-bit) are listed in AKB2000003 from October 2016 to the current December 2018 updates. The link is a direct download from the MS Update Catalog.

        For January 2017, KB4073578 released for AMD is marked.

        When a patch shows that it replaces another patch, you do not need both. You do not need the replaced (superseded) patch.

        If there is a .exe file included with the .msu update when you download it, simply put the .exe file in the same location as the KB numbered .msu update. You do not need to click on it. It will be executed automatically during the install process of the .msu update.

        The .NET patches are bundled. There are individual patches within the bundle for each of the different version of .NET you have installed on your computer. Because it is difficult to determine what you need within the bundle, Group B recommends that you do the .NET patching through Windows Update because that mechanism will install the updates correctly. .NET is not included for the Group B telemetry avoidance.

        4 users thanked author for this post.
    • #314423 Reply

      Xi
      AskWoody Lounger

      The .NET patches are bundled. There are individual patches within the bundle for each of the different version of .NET you have installed on your computer. Because it is difficult to determine what you need within the bundle, Group B recommends that you do the .NET patching through Windows Update because that mechanism will install the updates correctly. .NET is not included for the Group B telemetry avoidance.

      Thanks for the detailed clarification.
      However, for Win 7, the .Net framework security only patches are available in update catalog. Why? Can we use it instead of .net rollup patches for win 7?

      • #314442 Reply

        PKCano
        Da Boss

        You will find that the .NET Security-only patch is bundled as well.
        If you click on the SO patch download button in the catalog, you will find the download to be multiple patches for the different versions.
        If you click on the name of the update (instead of the “download” button), then click on “More information” in the box that pops up, you will find that each of the SO patches has a different KB number. This will tell you which of the patches is for which version of .NET, but then you need to know what version(s) is/are installed on your computer as well.

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Where we stand with the December patches

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.

    Cancel