Newsletter Archives

  • MS-DEFCON 4: Time to install the February patches

    Most of the bugs introduced by Microsoft patches in early February were fixed by early March. Looks like we’re good to go.

    Once again, I recommend that you actively block the upgrade to Win10 version 1809.

    Details in Computerworld Woody on Windows.

    UPDATE: I’m seeing reports of bluescreens after installing this month’s Win 8.1 Monthly Rollup, KB 4487000. If you’re using Windows 8.1, you should be prepared to roll back the update.

  • Where we stand with the February patches

    What an odd month.

    We got a ton of bugs introduced in the Patch Tuesday patches that were — mostly, but not completely — solved by patches later in the month. Microsoft’s still holding back on Win10 1809 patches, which is good news — but 1809 isn’t “ready for business.” And the mystery update bulldozer patch KB 4023057 has come out of the closet, into the Catalog.

    Details in Computerworld Woody on Windows.

    We’re still at MS-DEFCON 2. As far as I know, there are no major security problems solved by the February patches, so let’s give things a rest for now. Those of you using Win10 Pro or Enterprise, who follow my recommendations, have already installed updates, and everybody else should sit back and enjoy the weekend.

    UPDATE: And, of course, just minutes after the Computerworld article hit, Microsoft released KB 4482887 – the second February cumulative update for Win10 version 1809. Except they’re calling it the March 1 update. There’s an enormous list of 36 fixes. As usual for a second “optional non-security” cumulative update, you have to manually install it or click Check for updates.

  • Miscellaneous, minor problems with the Patch Tuesday patches

    So far the patching situation looks pretty good. Mind you, we’re still at MS-DEFCON 2, and unless you’re using Internet Explorer, there’s nothing lurking in the depths – so don’t patch yet. Yes, there were 20 “critical” patches. No, you don’t need to worry about them yet.

    When the patches first came out, the Knowledge Base articles had all sorts of strange omissions. They were fixed yesterday afternoon/evening US time. So now we know officially:

    • The Win10 1803 cumulative update fixed the problem where Edge was trying to get to local IP addresses – a bug most commonly reported with routers. KB 4487017 now says this cumulative update “Addresses an issue that prevents Microsoft Edge from connecting using an IP address.”
    • All of the Windows patches — Win7 thru Win10 1809 — are now admitted to have yet another Japanese date bug: “previously abbreviated Japanese date and time strings no longer parse.” We’re talking a tough computer science problem here.

    The KB articles for Win10 1809, 1803 and 1709 say they have fixed the Access 97-era Jet database bug. “Addresses an issue that may prevent applications that use a Microsoft Jet database with the Microsoft Access 97 file format from opening. This issue occurs if the database has column names greater than 32 characters. The database fails to open with the error, “Unrecognized Database Format”.”

    There’s an odd report from Johnny_55 on the Microsoft Answers forum (thanks, Julia!):

    After installing KB4487044 [the Win10 1809 cumulative update], it disabled Windows Defender leaving it with the Red X, and not possible to scan. This was never an issue prior with any CU installed on Retail 17763. Putting it back online, updating and back working.

    Jack Smook, reporting on the Microsoft Answers forum, said:

    Updates (KB4487044) downloaded ok to 2 computers, but during installation, they both got an error message… We couldn’t complete the updates / Undoing changes / Don’t turn your computer off…

    Two folks who identified themselves as “Independent Advisors… here to help you with your question” gave advice. Both apparently resulted in BSODs.

    And there’s the usual expletive-laced posting of problems on Reddit.

    @abbodi86 notes that there was no Office 2010 Click-to-Run released. Likely culprit: Japanese date bugs.

    Anybody spot other notable bugs?

  • Patch Tuesday patches start rolling out

    Martin Brinkmann is out with his usual monthly overview:

    • Windows 7: 24 vulnerabilities of which 3 are rated critical and 21 are rated important.
    • Windows 8.1: 25 vulnerabilities of which 3 are rated critical and 22 are rated important.
    • Windows 10 version 1709: 29 vulnerabilities of which 3 are critical and 26 are important
    • Windows 10 version 1803: 29 vulnerabilities of which 3 are critical and 26 are important
    • Windows 10 version 1809: 28 vulnerabilities of which 3 are critical and 25 are important

    All versions of Windows, all versions of Server, Edge, IE, Office, .NET, and much more.

    May the odds be forever in your.. oh, nevermind.

    Dustin Childs has his Zero Day Initiative post – always good reading.

    …security patches for 77 CVEs along with three new advisories.

    Of these 74 CVEs, 20 are rated Critical, 54 are rated Important, and three are rated Moderate in severity. A total of 21 of these CVEs came through the ZDI program. Four of these bugs are listed as public and one is listed as being under active attack at the time of release.

    The actively exploited vulnerability:

    An attacker could use this to check for files on a target system if a user browses [with Internet Explorer] to a specially crafted website. Microsoft doesn’t list how this bug is being exploited in the wild, but it’s likely restricted to targeted attacks.

    And of course you aren’t using IE. Right?

    There are new Servicing Stack Updates for:

    • Win10 v1607: KB 4485447
    • Win10 v1703: KB 4487327
    • Win10 v1709: KB 4485448
    • Win10 v1803: KB 4485449

    Servicing stack updates only count if you manually install the Windows 10 cumulative updates. And, of course, you followed my Block Monday advice and wouldn’t dream of installing any patches, much less manually install Win10 cumulative updates.

    February 2019 Security Updates for Microsoft Office 2010, Office 2013, Office 2016, the Office Viewers, and SharePoint Servers are available on the Office Support Pages. These Updates are for the .msi versions of Office, not Office 365 or C2R.

  • MS-DEFCON 2: It’s time, once again, to make sure Windows Automatic Updating is blocked

    Tomorrow’s Patch Tuesday so that means today is… Block Monday. As in blockhead. Don’t be one. Make sure you have Automatic Update well and thoroughly turned off.

    Full step-by-step details in Computerworld Woody on Windows.

    This bears repeating:

    The current beta test version of the next (“19H1” or “1903”) version of Win10 Home includes the ability to Pause updates for seven days. While that’s certainly a step in the right direction, it doesn’t help much in the real world:

    • You can only Pause once, and only for seven days
    • You can’t Pause again without accepting all backed-up updates in the interim
    • You have to know in advance that a bad update is coming down the pike – there’s no warning

    All of which makes Win10 Home “Pause updates” a really nifty marketing setting (“Look! You can pause updates in Win10 Home!”) that’s basically useless. Unless you’re Carnac the Magnificent.

  • February 2019 non-Security Office Updates are available

    The February 2019 non-Security Office updates were released on Tuesday, February 5, 2019. They are not included in the DEFCON4 approval for the January 2019 patches. Unless you have a specific need to install them, you should wait until Susan Bradley (Patch Lady) approves them and any problems have been reported.

    Office 2010

    Update for Microsoft Office 2010 (KB4462172)
    Update for Microsoft Office 2010 (KB4462187)
    Update for Microsoft Outlook 2010 (KB4462182)
    Update for Microsoft Visio 2010 (KB3115314)

    Office 2013

    Update for Microsoft Access 2013 (KB4032252)
    Update for Microsoft Office 2013 (KB4461550)
    Update for Microsoft Office 2013 (KB4461444)
    Update for Microsoft Outlook 2013 (KB4462141)
    Update for Microsoft Office 2013 (KB3172473)
    Update for Skype for Business 2015 (KB4462135)

    Office 2016

    Update for Microsoft Access 2016 (KB4032257)
    Update for Microsoft Office 2016 Language Interface Pack (KB4461534)
    Update for Skype for Business 2016 (KB4462114)
    Update for Microsoft Office 2016 (KB4461536)
    Update for Microsoft Outlook 2016 (KB4462147)
    Update for Microsoft PowerPoint 2016 (KB4461599)
    Update for Microsoft Project 2016 (KB4462134)
    Update for Microsoft Office 2016 (KB4022161)
    Update for Microsoft Word 2016 (KB4462145)

    There were no non-security listings for Office 2007 (which is out of support).
    Updates are for the .msi version (persistent). Office 365 and C2R are not included.
    Security updates for all supported versions of Microsoft Office are released on the second Tuesday of the month (Patch Tuesday).