Newsletter Archives

  • MS-DEFCON 4: Get patched, but don’t touch the Meltdown/Spectre trash heap

    Things are looking stable. Now’s a good time to get your PC caught up with Windows and Office patches.

    Follow the instructions in the Computerworld article and you won’t accidentally install microcode patches, Rollup Previews and/or this week’s non-security Office patches.

    Computerworld Woody on Windows.

  • Tuesday’s officially over, and still no updates

    Our usual 4th Tuesday (“D Week”) updates didn’t arrive.

    Given the manifest problems, especially with the Intel microcode patches dated “2018-07” you have to wonder if there are more problems in Windows paradise.

    Like many of you, I’m waiting with bated breath. I was hoping to give the all-clear for installing patches this month.

    Ah well. Sit tight. We’ll get the dump sooner or later.

  • Staying the course at MS-DEFCON 2

    Many of you have written, asking when I would change the MS-DEFCON level from 2 to 3 (or even 4), thus recommending that people install the August Windows and Office patches. After all, the August patches look pretty good so far. And we skipped July entirely.

    I’ve thought about it quite a bit, and decided to stay with MS-DEFCON 2 for a while. While there are a handful of specific problems with the August patches, which I’ll write about when the level hits 3 or 4, the simple fact is that there’s no pressing reason to install either the July or August patches just yet. I don’t see any threat, present or on the immediate horizon, that justifies jolting your system.

    Let’s wait and see if the Fourth Tuesday patches (er, the “D Week” patches) are similarly benign. If so, it’ll be worthwhile installing the whole bunch, just to have a solid starting point for the next round of disruptions.

    If you feel the urge to get patched up, by all means do so. But for the majority of Windows/Office users, the lack of a clear threat makes patching right now a “meh” exercise. Don’t fret about your PC. Go out and enjoy the weather!

  • Microsoft Patch Alert: August is much, much better than July

    There are still some well-known (even acknowledged) bugs, and the inanities performed in the name of Meltdown and Spectre continue to boggle my mind.

    And, of course, you can’t post any before-and-after performance statistics about the Intel microcode patches.

    Computerworld Woody on Windows.

    UPDATE: Intel has backed off its ridiculous (and likely unenforceable) gag order. See Paul Alcorn’s article on Tom’s Hardware.

  • MS-DEFCON 2: Initial reports on the August 2018 Patch Tuesday crop are hopeful

    But it’s still too early to patch. Of course.

    As long as you don’t use Internet Explorer or Edge, and stay away from Flash — admonitions you’ve heard here for years — you should be secure while you wait for the all-clear on this month’s patches.

    Accordingly, I’m moving us to MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

    Computerworld Woody on Windows.

  • Patch Tuesday hits with a bang

    The Microsoft Update Catalog suddenly lists 116 separate downloadable patches, dated either Aug 10 or 11.

    Martin Brinkmann has his usual thorough review on Ghacks of the August patches:

    • Microsoft released updates for all versions of Windows, Microsoft Edge, Internet Explorer Microsoft Office, and other company products including Visual Studio, .NET Framework, Microsoft SQL Server, Microsoft Exchange Server, and Adobe Flash Player.
    • All client and server versions of Windows are affected by critical vulnerabilities.
    • Microsoft does not provide a general overview of resolved security issues anymore on support pages.

    Former ‘Softie patching guru, now working for the Zero Day Initiative, has details:

    Microsoft released 60 security patches for August… 19 are listed as Critical, 39 are rated Important, one is rated as Moderate, and one is rated as Low in severity. Twelve of these CVEs came through the ZDI program. One of these bugs is listed as publicly known at the time of release and two others are listed as being under active attack… 13 of the 20 Critical bugs affect [Internet Explorer and Edge]

    Looking through Childs’s list, the only currently exploited “Critical” security hole is in Internet Explorer. The second currently exploited security hole is only rated “Important” which means, of course, that it isn’t.

    The Win10 1703, 1709 and 1803 patches still list this known bug:

    After you install any of the July 2018 .NET Framework Security Updates, a COM component fails to load because of “access denied,” “class not registered,” or “internal failure occurred for unknown reasons” errors. The most common failure signature is the following:

    Exception type: System.UnauthorizedAccessException

    Message: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

    So it looks like MS still hasn’t fixed the .NET bugs from last month.

    Patch Lady Susan here with a late Tuesday evening update to this post:  Microsoft has updated the known issues section and removed the sections about the .NET/COM errors that were listed in July.  In my early testing I haven’t seen side effects but I will be doing more testing/more watching.  So for now hang loose and test and wait.  Clearly they messed up the documentation in this month’s release and copied and pasted the text from July’s releases.   The only known issues left are the ones with Exchange (make sure you install with admin rights) and the missing OEM note in Windows 7 (shown below).  In ALL of my Windows 7 testing I have had zero issues and my understanding this network interface problem is limited to VMware (virtual machine) installs.  Thus I don’t anticipate that we will see this on normal machines.

    From @PKCano:

    Win8.1 Monthly Rollup –

    Win7 Monthly Rollup –

    The Win7 Monthly Rollup still lists:

    There is an issue with Windows and third-party software that is related to a missing file (oem<number>.inf). Because of this issue, after you apply this update, the network interface controller will stop working.

    More .NET patches. The  main ones:

    • KB 4344145 – Security and Quality Rollup for .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, and 4.7.2 for Windows 8.1, RT 8.1, and Server 2012 R2
    • KB 4344146 – Security and Quality Rollup for .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, and 4.7.2 for Windows 7 SP1 and Server 2008 R2 SP1, and for .NET Framework 4.6 for Server 2008 SP2

    Of course, Microsoft promises that these .NET patches work just fine, unlike last month’s. Susan Bradley has a bit to say about that:

    August 2018 Office Security Updates have been released for Office 2016, Office 2013, Office 2010, the Office Viewers and the SharePoint servers.

    SANS Internet Storm Center has their assessment, which reinforces Childs’s analysis.

  • Time to make sure Windows Automatic Update is turned off

    With Patch Tuesday arriving tomorrow, now’s a good time to triple-check and make sure you have Automatic Update turned off.

    We’re still at MS-DEFCON 1: Current Microsoft patches are causing havoc. Don’t patch.

    Computerworld Woody on Windows.

  • August 2018 Office non-Security updates are available

    August 2018 Office non-security updates have been released by Microsoft on August 7, 2018.

    Just a reminder – these updates are NOT covered under the July DEFCON setting. Unless you have a specific need to install them, you should wait until Susan Bradley (Patch Lady) approves them and any problems have been reported. They are still untried and untested. Don’t be a Guinea Pig.

    Office 2013

    Update for Microsoft Office 2013 (KB3172506)
    Update for Microsoft Office 2013 (KB4011155)
    Update for Microsoft Office 2013 (KB4022212)
    Update for Microsoft OneDrive for Business (KB4022226)
    Update for Microsoft PowerPoint 2013 (KB4018374)
    Update for Skype for Business 2015 (KB4032250)

    Office 2016

    Update for Microsoft Office 2016 (KB4032234)
    Update for Microsoft Office 2016 Language Interface Pack (KB4032232)
    Update for Microsoft OneNote 2016 (KB4022216)
    Update for Microsoft PowerPoint 2016 (KB4018368)
    Update for Microsoft Project 2016 (KB4032238)
    Update for Microsoft Word 2016 (KB4032258)
    Update for Skype for Business 2016 (KB4032255)
    Update for Microsoft OneDrive for Business (KB4022219)

    There were no non-security listings this month for Office 2010 and no listings for Office 2007 (which is out of support).
    Office 365 and C2R are not included.
    Security updates for all supported versions of Microsoft Office are released on the second Tuesday of the month (Patch Tuesday).