Newsletter Archives

  • MS-DEFCON 4: Get Windows patched, but watch out

    I’m still running down details, but figured it’s time to release the floodgates. While it may look like the August 2015 Patch Tuesday updates are just fine, in fact we’ve seen a real problem – solved earlier this week – and there’s been a lot of speculation about a host of “snooping” patches. 

    I’ve been looking high and low for more information about the snoopers, and lemme tell ya, it’s hard to find real facts buried in a big mound of, uh, opinions, both for and against. The debate over new surveillance in Win7 and Win8.1 sounds more like a Microsoft loyalty test than a dispassionate look at the facts.

    But I digress.

    There aren’t any patches sitting in the closet, screaming to get out, unless you use Internet Explorer. If you still use IE – knowing that Microsoft has put it out to pasture – you should check Firefox or Chrome (or any of a dozen other browsers).

    Let’s take ’em from the oldest to the scrappy youngest.

    Vista – Install all offered updates.

    Windows 7 – Here’s where things get interesting. If you’re concerned about Microsoft snooping (and you should be), it would be a good idea to avoid KB 3068708, 3022345, 3075249, and 3080149 for now. I say that realizing that my tinfoil hat is showing. I have an inquiry into Microsoft at this moment which should shed some light — if I get a straight answer.

    All of those patches are from the June Patch Tuesday crop. If you already have them installed, don’t worry about it — I’ll update you on my findings in InfoWorld shortly. If you don’t have those patches installed, though, I’d hide them for now. (In the Windows Update available patches list, right-click on the patch and choose Hide.)

    The rest of the Windows 7 patches are now OK.

    Windows 8.1 – Same thought process, parallel advice. For now, hold off on installing KB 3068708, 3022345, 3075249, and 3080149 (from June’s Patch Tuesday). If they’re already installed, don’t do anything drastic just yet. There may be a much simpler way to blunt their snitching proclivities. The rest of the Win 8.1 patches are also OK.
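    To see which of the four patches named above are already on a Win7 or Win8.1 machine, here is an added example (not from the original post). The function name `Get-HoldListStatus` and its parameters are made up for illustration; `Get-HotFix` is the built-in cmdlet that reads the installed-update list.

    ```powershell
    # Added example. The KB numbers are the four named in the post;
    # the function and parameter names are hypothetical.
    $holdList = 'KB3068708', 'KB3022345', 'KB3075249', 'KB3080149'

    function Get-HoldListStatus {
        param(
            [string[]]$KbIds,
            # Defaults to the live installed-update list; can be replaced
            # with constructed objects that have a HotFixID property.
            [object[]]$Installed = (Get-HotFix)
        )
        foreach ($kb in $KbIds) {
            # Match on the HotFixID column that Get-HotFix returns.
            $hit = $Installed |
                Where-Object { $_.HotFixID -eq $kb } |
                Select-Object -First 1

            $installedOn = $null
            if ($hit) { $installedOn = $hit.InstalledOn }

            # New-Object keeps this compatible with the PowerShell 2.0
            # that ships with Windows 7.
            New-Object PSObject -Property @{
                KB          = $kb
                Installed   = [bool]$hit
                InstalledOn = $installedOn
            } | Select-Object KB, Installed, InstalledOn
        }
    }

    # Installed = False: the patch is a candidate to hide in Windows Update.
    # Installed = True: per the post, leave it alone for now.
    Get-HoldListStatus -KbIds $holdList | Format-Table -AutoSize
    ```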

    Windows 10 – We’re up to Cumulative Update 5, and aside from some ongoing driver heartburn (which you may be able to blunt using this approach), I haven’t heard of any major problems.

    If you’re using the metered connection trick to block forced updates, tell Win10 that your internet connection isn’t metered. Run out to Updates (Start, Settings, Update & security, Windows Update), click Check for updates and let Windows run its course. Then turn the metered indicator back on.

    If you’re using the new Windows Store setting to block Automatic Store app updates, turn the switch in Windows Store on, then in Windows Store, click on your picture, choose Downloads and Updates, then click to Check for updates.

    UPDATE: In the comments, @Louis asked, “If we haven’t installed KB 3076895 yet, and KB 3092627 isn’t currently available, should we install KB 3076895 and then look for KB 3092627? Or just hide KB 3076895 altogether?”

    My answer: “Unless you’re using Symantec Endpoint on a server, or Microsoft Forefront, you shouldn’t have any problem with 3076895. I’d say install it, with the expectation that 3092627 will show up shortly. In fact, if you run the updates, re-boot, then re-run Windows Update (standard procedure), I bet it appears in the second round.”

    In summary, then, I’m cranking us down to MS-DEFCON 4: There are isolated problems with current patches, but they are well-known and documented here. Check this site to see if you’re affected and if things look OK, go ahead and patch.

    The usual admonition applies: In Vista, Win7 and Win8.1, use Windows Update, DON’T CHECK ANY BOXES THAT AREN’T CHECKED, reboot after you patch, and then run Windows Update one more time to see if there’s anything lurking. When you’re done, make sure you have Automatic Update turned off. I always install Windows Defender/Microsoft Security Essentials updates as soon as they’re available – same with spam filter updates. I never install drivers from Windows Update (in the rare case where I can actually see a problem with a driver, I go to the manufacturer’s web site and download it from the original source).

    For Windows 10, the situation’s more complicated, depending on how far you’ve gone to block forced patches. The general procedure’s described above.

  • So when’s MS-DEFCON going to change?

    Just got this from Quicksilver…

    Good morning, Woody.

    I’ve been holding off on the updates, waiting for an “all clear”. I don’t use the IE, however there were 2 critical patches this month, and I do keep it updated, although never use it.

    Is it safe to always update the IE, although it’s never used?  

    Guess I’m getting a little nervous with patch Tuesday being less than a week away.  

    Thank you for your guidance on the updating. I learned to not make a move without your “all clear” announcement because you keep us all out of trouble.

     Good question, and I’m sorry for the delay. Many of you know that there’s been a rash of reports about new (and old) “phone home” software for Win7 and Win 8.1. I’m trying to sort through the details before leading anybody down a golden patch path. Hang in there. I should have something up today or tomorrow – and in the meantime, if you don’t use IE, there are no immediate reasons to patch.

  • MS-DEFCON 2: As we approach the known unknown, turn off Auto Updates

    Will we get a Patch Tuesday this month? Who knows?

    My bet is that the answer is “yes,” and it’ll be a big one. But it’s only a guess. If we’re lucky, it’ll be as innocuous as the past four months. If we aren’t lucky…

    As usual, if you’re using Vista, Win7, Win8, or Win8.1, now is the time to turn Automatic Update off (see the tab above if you’ve never done it before).

    If you’re using Win10, care to participate in a little experiment? If you have Win10 and are using a mobile connection (WiFi or 3/4G), could you set it to Metered Connection? (Start, Settings, Network & internet, Wi-Fi, Advanced Options then slide the Metered Connection slider to On.) In theory, that should have these side-effects:

    • Windows Update will only download priority updates.
    • Apps downloading from the Windows Store might be paused.
    • Start screen tiles might stop updating.
    • Offline files might not sync automatically.

    (In fact, that’s the description for Win 8.1, but I don’t see anything for Win10 on Microsoft’s site.) When I switched on the Metered Connection setting on one of my mobile machines, Win10 refused to download today’s Windows Defender update, KB 2267602. That’s progress, I think.

    (Update: To be clear, I don’t expect a Win10 patch today or tomorrow. I’d just like to get a bunch of people watching, poised for when the next update comes out.)

    The big question, for me, is whether any new updates that may come down the pike this week are “priority” updates. Microsoft uses the term “priority” in varying ways.

    Anyway, get yourself locked down and let’s see what Tuesday will bring.