News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Where we stand with the December patches

    Home Forums AskWoody blog Where we stand with the December patches

    Viewing 18 reply threads
    • Author
      Posts
      • #241739 Reply
        woody
        Da Boss

        Things were looking pretty good for This Month in Patches — until two days ago. Now, it’s anybody’s guess. But I continue to recommend that you hold
        [See the full post at: Where we stand with the December patches]

        6 users thanked author for this post.
      • #241750 Reply
        banzaigtv
        AskWoody Lounger

        I received a notification of this update on Windows 8.1 which is set for manual updates. I will be ignoring this update. Will it go away when the January cumulative update is released?

        I am no longer an active member of the forums.

        • #241751 Reply
          PKCano
          Da Boss

          The fix for IE will be rolled into the Jan. Rollups and IE CUs.

          9 users thanked author for this post.
          • #241772 Reply
            geekdom
            AskWoody Plus

            And in January 2019 upon patch release, we will probably be under DEFCON-Wait-to-Patch.

            G{ot backup} TestBeta
            offline▸ Win7Pro SP1 x64 Storage
            online▸ Win10Pro 1909.18363.900 x64 i5-9400 RAM8GB HDD Firefox79.0b5 Windows{Image/Defender/Firewall}
            1 user thanked author for this post.
            • #241784 Reply
              banzaigtv
              AskWoody Lounger

              But apparently we now have less than a week to wait to install Patch Tuesday updates. We no longer have the luxury of waiting two weeks since Microsoft now apparently releases buggy quality updates every few f******’ days. Our peace of mind is going away.

              I am no longer an active member of the forums.

              • #241786 Reply
                geekdom
                AskWoody Plus

                The next Patch Tuesday is January 8, 2019, the second Tuesday of each month.

                G{ot backup} TestBeta
                offline▸ Win7Pro SP1 x64 Storage
                online▸ Win10Pro 1909.18363.900 x64 i5-9400 RAM8GB HDD Firefox79.0b5 Windows{Image/Defender/Firewall}
                1 user thanked author for this post.
      • #241787 Reply
        Geo
        AskWoody Lounger

        Really basic users of W7 Group A  never had a problem except we don’t need the previews.  Enterprise  is another story.  I use Firefox.

        1 user thanked author for this post.
        • #241790 Reply
          geekdom
          AskWoody Plus

          There have been some real howlers with Windows 7 updates. One recent problem update that comes to mind is SSU KB3177467 related. “Here be dragons” holds true.

          G{ot backup} TestBeta
          offline▸ Win7Pro SP1 x64 Storage
          online▸ Win10Pro 1909.18363.900 x64 i5-9400 RAM8GB HDD Firefox79.0b5 Windows{Image/Defender/Firewall}
        • #241946 Reply
          ch100
          AskWoody_MVP

          @geo Actually Enterprise users have never had much of a problem.
          It is a common misconception that somehow businesses are impacted by the quality of the Microsoft patches. This is an extremely rare occurrence, but it certainly happens now and then.
          I am aware of businesses with 100k + users installing patches less than 48 hours after their release for compliance reasons and which almost never experience an issue with the official patches. I am currently working for one of those businesses and it is not an easy job.
          Congrats for being in Group A, the Group B style of patching is a fake.

          • #242231 Reply
            RTEsysadmin
            AskWoody Lounger

            It’s “fake” only until you’ve had users complaining that Outlook isn’t working or their documents have disappeared, road warriors call in tears, telling you that their Surface laptops are bricked, and banks of servers have lost their IP addresses.

            Group K(ill me now)
            1 user thanked author for this post.
          • #242270 Reply
            OscarCP
            AskWoody Plus

            Thanks for enlightening me about Group B patching being fake.

            I did not know that and, in my blind ignorance, am sorry to admit that I have been patching as “Group B” from way before it was given this name, for some 20 years by now, and have had not a single problem because of an installed bad patch: never, ever. And in recent years, as things have become more complicated, I have been able to continue without problems in good part thanks to the advice and information provided by other loungers and by MVPs here, at Woody’s.

            But now your comment has opened my eyes and am ready to start patching in whatever way you might kindly suggest that one should do this. I am always ready to learn at the feet of true masters.

             

            Group B, Windows 7 Pro, SP1 x64.

            Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

            1 user thanked author for this post.
      • #241795 Reply
        Susan Bradley
        AskWoody MVP

        I installed the IE updates and have not seen side effects.  December updates have been installed as well.

        Susan Bradley Patch Lady

        14 users thanked author for this post.
        • #241797 Reply
          anonymous
          Guest

          Susan,
          Are you going to add the new KB’s (for IE patch) for Windows 10 versions to the Patch List? And are there also new SSU’s?

      • #241812 Reply
        WildBill
        AskWoody Plus

        Thanks for the Computerworld article, Boss. Unless you say “The Sky Is Falling!”, I can wait. Not in a hurry to patch until you move us to MS-DEFCON 3 or above.

        Windows 8.1, 64-bit, back in Group A... & leaning toward Windows 10 V2004. As long as it's a Lot Less Buggy!
        Wild Bill Rides Again...

        1 user thanked author for this post.
      • #241814 Reply
        warrenrumak
        AskWoody Plus

        This fix for IE11 will probably be included in the upcoming “Preview of Monthly Rollup” release, right?

      • #241838 Reply
        Lars220
        AskWoody Lounger

        Thank you Woody for keeping us abreast of the bleeding edge Chicken Little Headlines, I appreciate your ‘cool headed’ response and will wait for your reasoned advice. It is those “poison frog darts” that reallly scare me.

      • #241856 Reply
        CADesertRat
        AskWoody Plus

        Looks like I just got another brand new KB 4023057 waiting for a restart while I was away.

        Don't take yourself so seriously, no one else does 🙂
        4 Win 10 Pro at 1909 (3 Desktops, 1 Laptop).

      • #241867 Reply
        OscarCP
        AskWoody Plus

        As far as I can remember from reading, over  a number of years, what has been reported here and elsewhere, nothing really bad has come to Windows 7 users (Group B in particular, I am glad to add) for looking (and waiting) before jumping, no matter how much in need of urgent action, and how scary, things might be made to look. To me, that’s the real trick.

        And thanks to Woody and Co. for always helping to lower the temperature from “overheated” to “moderate” in situations such as this…

        (“Meteor Crater News”? A really terrific choice of cover picture; is it a still from some movie?)

        Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

        1 user thanked author for this post.
      • #241870 Reply
        anonymous
        Guest

        Rashly installed the December updates yesterday, and immediately began having problems loading Outlook 2010.  Later in the day, had a spontaneous shutdown:  *click* and a black screen.  Attempted to reboot, had another shutdown mid-boot.  Next reboot attempt, I was prompted to boot in repair mode.  Did that, rolled system back to pre-December updates, and all seems back to normal.  Waiting now for clarity on which updates are suspect.

        • #241874 Reply
          PKCano
          Da Boss

          Could you please give us some information about your computer hardware?
          What version of Windows are you running?
          What updates were installed? For Windows? For Office 2010?

          This information will help pinpoint the problem and help others avoid the problem.
          Thanks.

      • #241877 Reply
        anonymous
        Guest

        Windows 7/x64

        Office 2010 updates:

        Security Update for Microsoft Excel 2010 (KB4461577) 32-Bit Edition
        Security Update for Microsoft Office 2010 (KB4461570) 32-Bit Edition
        Security Update for Microsoft Outlook 2010 (KB4461576) 32-Bit Edition
        Security Update for Microsoft PowerPoint 2010 (KB4461521) 32-Bit Edition
        Update for Microsoft Office 2010 (KB4227172) 32-Bit Edition
        Update for Microsoft Office 2010 (KB4461579) 32-Bit Edition

        Windows 7 Updates

        2018-12 Cumulative Security Update for Internet Explorer 11 for Windows 7 for x64-based systems (KB4483187)
        2018-12 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows 7 and Server 2008 R2 for x64 (KB4471987)
        2018-12 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4471318)
        Windows Malicious Software Removal Tool x64 – December 2018 (KB890830)

         

        • #241880 Reply
          PKCano
          Da Boss

          Thanks for the information.

          The Dec patches for Windows have generally been OK. We have had a couple of reports of problems with Outlook and the Dec patches. They have issued a bug fix for Office 2013, and there maybe ones for the other Office products in the offing.

          We are still on DEFCON2. Give it a little more time to let the problems shake out before trying to update again. Come back and check on the status here.

          BTW, did you check out Woody’s ComputerWorld article linked on the main blog article?

          • #241888 Reply
            anonymous
            Guest

            Yes, thanks.  I notice others have reported problems with Win 7 and KB4483187.   Think I’ll just wait a little and see what else turns up; then try installing the other updates one at a time.

          • #241939 Reply
            ch100
            AskWoody_MVP

            Is the Outlook patch mainstream, which means on Windows Microsoft Update, or only a hotfix with limited release in the Catalog?
            We should not be concerned with commenting about Catalog only releases, although mentioning them is useful for those few who may need to try them to fix specific issues.

      • #241896 Reply
        anonymous
        Guest

        If I understand the information correctly, mainly on the CVE page, that IE patch is really a patch for jscript.dll, which IE9 and newer don’t even use by default, but may be used under special circumstances (compatibility mode?) and by other applications, right?

        Then again, just a bit ago when I checked the CVE page, there was mitigation information listing that by default IE has measures reducing the risks of such exploits, a way to restrict access to jscript.dll and a notice that doing so shouldn’t normally affect IE9+ since it uses jscript9.dll, but now when I looked again while writing this it says there are no mitigating measures. Weird.

        • #241903 Reply
          Bob99
          AskWoody Plus

          Yes, I saw the same thing…a couple of hours ago there were instructions on how to mitigate the vulnerability via restricting access to jscript.dll, and now the instructions are gone.

          However, the instructions were mostly for those running server versions of Windows, as I noticed in the details. Also, the article made mention (under the “Workarounds” heading) of running IE in an Enhanced Security “Environment” (my word, as I don’t recall the exact one) as well for those running servers, complete with a link to instructions on implementing said environment/settings from within IE’s (or the Control Panel’s) Internet Options dialog box.

          Makes me wonder why MS took down the instructions: They weren’t that overly complex or technical in nature. They involved two very infrequently used commands used at an administrator-level command prompt to first take ownership of jscript.dll and next to modify its access control list to restrict what a certain group of users on the given computer is allowed to do with the file.

          • #241965 Reply
            PKCano
            Da Boss
            • #242001 Reply
              b
              AskWoody Plus

              But the workaround has since been modified with additional takeown commands (before and after disappearing several times).

              2 users thanked author for this post.
          • #242012 Reply
            anonymous
            Guest

            Ok, as of yesterday’s posting above, the instructions in the article had been removed, that I know for sure. BUT, as of THIS writing, they’re back. As I said above, who knows why MS pulled them, as right now, they’re exactly the same as they were yesterday before being removed from the article. This problem (being there and gone again) has been noted on the other thread related to this issue by other AskWoody readers/members.

            Good thing for all of us, @Woody ‘s posted (via copy/paste) the instructions here for us to attempt at our leisure should we choose to do so.

        • #242004 Reply
          PKCano
          Da Boss

          Here is the current version of the Workaround per MS (12/22/2018):

          Workarounds

          Restrict access to JScript.dll For 32-bit systems, enter the following command at an administrative command prompt:

          	takeown /f %windir%\system32\jscript.dll
          	cacls %windir%\system32\jscript.dll /E /P everyone:N
          

          For 64-bit systems, enter the following command at an administrative command prompt:

          	takeown /f %windir%\syswow64\jscript.dll
          	cacls %windir%\syswow64\jscript.dll /E /P everyone:N
          	takeown /f %windir%\system32\jscript.dll
          	cacls %windir%\system32\jscript.dll /E /P everyone:N
          

          Impact of Workaround. By default, IE11, IE10, and IE9 uses Jscript9.dll which is not impacted by this vulnerability. This vulnerability only affects certain websites that utilizes jscript as the scripting engine.

          How to undo the workaround. For 32-bit systems, enter the following command at an administrative command prompt:

          	cacls %windir%\system32\jscript.dll /E /R everyone
          

          For 64-bit systems, enter the following command at an administrative command prompt:

          	cacls %windir%\syswow64\jscript.dll /E /R everyone
          
          1 user thanked author for this post.
          • #242025 Reply
            anonymous
            Guest

            ALL of the steps mentioned by MS with the command line can also be performed via the GUI, no need for the command line.
            HOWEVER, they must be performed as an administrator, just like the command line options.

      • #241902 Reply
        anonymous
        Guest

        Hello anonymous, When you said you “Next reboot attempt, I was prompted to boot in repair mode.  Did that, rolled system back to pre-December updates, and all seems back to normal.” Anon, what recovery option did you choose that helped you roll-back? Was it the “Last Known Good Configuration” option? Thanks, in advance.

        • #241927 Reply
          anonymous
          Guest

          Yes, it was.

      • #241920 Reply
        banzaigtv
        AskWoody Lounger

        Uh, how is it possible to wait to install patches when Microsoft is just going to keep replacing them with out-of-band updates every few days? We have no choice but to install the Patch Tuesday updates immediately. Therefore, the MS-DEFCON data means nothing anymore. 🙁

        I am no longer an active member of the forums.

        • #241921 Reply
          Elly
          AskWoody MVP

          @bangzaigtv- I hear your frustration… but there are definitely choices to be made. Relatively few people here are willing to act as beta-testers for Microsoft…

          Non-techy Win 10 Pro and Linux Mint experimenter

          2 users thanked author for this post.
          • #241938 Reply
            ch100
            AskWoody_MVP

            Or putting it differently, few people who have a better understanding, just take a calculated risk… and everything is OK.
            No beta-testing at all, just following the manufacturer’s instructions like for any other product.
            Someone who says that they dual-boot Win 81 and Win 10 and makes claims of potential (not experienced) problems does really contribute in a positive sense?
            Why not following Susan’s lead on this matter?

      • #242009 Reply
        banzaigtv
        AskWoody Lounger

        If I decide to keep Windows 10 for a bit longer, is there going to be any problems turning off Windows Update in services.msc, then manually downloading and installing the Patch Tuesday cumulative update released on 12/11/18? I have updates set to manual on the Group Policy Editor settings and Windows will display this week’s update as the one it will be set to download. What is that patch number I should be looking for? It’s for Windows 10 Pro version 1803. Also, should I manually download and install the latest version of the Windows Malacious Software Removal Tool?

        I am no longer an active member of the forums.

        • #242014 Reply
          PKCano
          Da Boss

          The latest CU for 1803 is KB4483234 (12/19/2018). Be sure you have the SSU KB4477137 installed before. And yes, to MSRT.

          1 user thanked author for this post.
          • #242018 Reply
            banzaigtv
            AskWoody Lounger

            No, not the 12/19 update. I need the one for 12/11. So when I download the updates manually each month, then how do I find out the numbers for both the SSU and CU patches for Patch Tuesday each time?

            I am no longer an active member of the forums.

            • #242023 Reply
              Microfix
              AskWoody MVP

              Susan’s Master Patch List:

              Master Patch List

              | Win8.1 Pro x64 | Linux Hybrids x86/x64 | Win7 Pro x86/x64 Offline |
              1 user thanked author for this post.
            • #242024 Reply
              PKCano
              Da Boss

              The Win10 History pages have the information on Patch Tues updates for all versions of Win10. When you open the page for the specific CU (by the KB number) it tells you what SSU you need at the bottom of the page.

              1 user thanked author for this post.
      • #242108 Reply
        AJNorth
        AskWoody Plus

        Report from the field:

        Five Win 7 Pro and three Win 8.1 Pro (all x64) were patched with the Dec 2018 “Group B” patches (KB4471328 & KB4483187 and KB4471322 & KB4483187, respectively) about forty hours ago; none of their users have experienced any issues as of a couple of hours ago (the Dec .NET has not yet been installed).

        1 user thanked author for this post.
      • #242248 Reply

        This may be a cross-post, as I may have done it on some other forum…but I installed KB 4483317 without incident.

        I did have some trouble with my Bluetooth CSR software stack and drivers around the same time, but nobody exists who doesn’t have trouble with Bluetooth at some time, so I’m thinking it was a quinky-dink.

         

        Win7 Pro SP1 64-bit ESU, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", Group "Patch List", Multiple Air-Gapped backup drives in different locations, "Don't auto-check for updates-Full Manual Mode." Linux Mint Greenhorn
        --
        "A committee is the only known form of life that has at least six legs and no brain."

        -Robert Heinlein

      • #242282 Reply
        Xi
        AskWoody Lounger

        @woody

        As requested via email, pls help with these:

        Win 8.1 x86 & x64:
        List installed KB4052978 & KB4054522 – Dec 2017 Security Only Updates. Help with the list of security only updates incl..net updates from MS catalog to be installed and to be avoided for telemetry/botched. In Jan 2018 we have AMD boot issue updates and worried/stuck since the device is AMD.

        FYI: Not interested in Group A/combined/rollups updates even-though u moved to Group A . No MS Office installed.

        Unable to follow with the updates and update list here – confused with searching for details/issue details posted by you. Please help with KB list and the threads regards to it.

        Also, provide Win 7 x86 & x64 – Security only updates incl. .net updates from Jan 2018 if possible.

        Thanks…..

        Merry X’mas n New Year!

        • #242377 Reply
          PKCano
          Da Boss

          The Security-only patches for Win7/8.1 and IE11 Cumulative Updates (both 32-bit and 64-bit) are listed in AKB2000003 from October 2016 to the current December 2018 updates. The link is a direct download from the MS Update Catalog.

          For January 2017, KB4073578 released for AMD is marked.

          When a patch shows that it replaces another patch, you do not need both. You do not need the replaced (superseded) patch.

          If there is a .exe file included with the .msu update when you download it, simply put the .exe file in the same location as the KB numbered .msu update. You do not need to click on it. It will be executed automatically during the install process of the .msu update.

          The .NET patches are bundled. There are individual patches within the bundle for each of the different version of .NET you have installed on your computer. Because it is difficult to determine what you need within the bundle, Group B recommends that you do the .NET patching through Windows Update because that mechanism will install the updates correctly. .NET is not included for the Group B telemetry avoidance.

          4 users thanked author for this post.
      • #314423 Reply
        Xi
        AskWoody Lounger

        The .NET patches are bundled. There are individual patches within the bundle for each of the different version of .NET you have installed on your computer. Because it is difficult to determine what you need within the bundle, Group B recommends that you do the .NET patching through Windows Update because that mechanism will install the updates correctly. .NET is not included for the Group B telemetry avoidance.

        Thanks for the detailed clarification.
        However, for Win 7, the .Net framework security only patches are available in update catalog. Why? Can we use it instead of .net rollup patches for win 7?

        • #314442 Reply
          PKCano
          Da Boss

          You will find that the .NET Security-only patch is bundled as well.
          If you click on the SO patch download button in the catalog, you will find the download to be multiple patches for the different versions.
          If you click on the name of the update (instead of the “download” button), then click on “More information” in the box that pops up, you will find that each of the SO patches has a different KB number. This will tell you which of the patches is for which version of .NET, but then you need to know what version(s) is/are installed on your computer as well.

    Viewing 18 reply threads

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Where we stand with the December patches

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.

    Cancel