Newsletter Archives

  • MS-DEFCON 3: Patch Windows, but beware the snoops

    It’s time to get caught up with your Microsoft patches. The September Black Tuesday patches have festered, gone through a few re-releases, and generally stewed enough to warrant applying to your machine.

    If I count Susan Bradley’s list of patches correctly, there were 75 patches released for Vista, Win 7 and Win 8.1 in September, and another six — many of which are nagging or snooping patches — released so far in October.

    I don’t see any patches screaming to get out, as long as you aren’t using Internet Explorer. Of course, as I’ve been advising for a long time (a decade?), you should update IE but not use it. Instead, use Firefox or Chrome for your day-to-day browsing. If you have Windows 10, Edge is a secure choice, but it’s still way behind the ball on features – most Windows 10 users have moved to Chrome, for good reason.

    Here’s what I recommend:

    Vista – install all available updates.

    Windows 7 – This is hairy because of the snooping patches just re-re-released. Start by reading this article in InfoWorld, then search through your list of available patches (in Windows Update, see the tab above that says “Automatic Update” for instructions). If you see any of these patches: KB 3035583, KB 2952664, KB 2977759, KB 3068708, 3022345, 3075249, or 3080149, [UPDATE: or 3083324, which now appears to be “Important”] [UPDATE: or 3090045, which is supposed to help upgrading to Win10] make sure they’re unchecked, right-click on the patch and “Hide” it. They’re all Win10 nags or telemetry patches. If you don’t see one or more of those patches, don’t worry about it. I have an article in the works that’ll show you how to turn off most Windows 7 telemetry.

    (If you’re double-checking with last month’s recommendations, note: I received official information back from Microsoft about those patches, and it was demonstrably incorrect and/or misleading.)

    After installing all outstanding patches, reboot, then immediately follow the instructions here to run the GWX Control Panel. That should turn off the Windows 10 upgrade nags. Reboot again.

    Windows 8.1 – Similar to Windows 7, but uncheck and hide KB 3035583, KB 2976978 KB 3068708, 3022345, 3075249, and 3080149 [UPDATE: or 3090045, which is supposed to help upgrading to Win10]. If you don’t see one or more of those patches, don’t worry about it. I have an article in the works that’ll show you how to turn off most Windows 8.1 telemetry. Reboot, use GWX Control Panel to remove the Windows 10 nagging software, and reboot again. If you have trouble getting KB 3069114 to install, try installing KB 3096053 and see if that helps.

    Windows 10 – If you’ve been using the metered connection trick to block Windows 10 updates, now’s a good time to turn off the metered connection and let the updates flow. (Start, Settings, Network & internet, Wi-Fi, click on your connection, then Advanced options, turn Metered Connection off. Let Windows do its update thing, then turn the metered indicator back on.) We’re up to Cumulative Update 7.

    If you’re using the new Windows Store setting to block Automatic Store app updates, turn the switch in Windows Store on, then in Windows Store, click on your picture, choose Downloads and Updates, then click to Check for updates. Remember to turn the switch off again.

    If you have problems installing the Cumulative Update, don’t worry about it. Microsoft will get its act together one of these days. All of the Win10 patches to date are cumulative (with a couple of driver exceptions), so when Microsoft gets caught up, you will, too.

    We’re going down to MS-DEFCON 3: Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems. Specifically, I’m concerned about adding Windows 10 nagware and Microsoft snooping to Windows 7 and 8.1 machines. I’ll be following that closely in InfoWorld’s Woody on Windows.

    The usual admonitions apply: In Vista, Win7 and Win8.1, use Windows Update, DON’T CHECK ANY BOXES THAT AREN’T CHECKED, reboot after you patch, and then run Windows Update one more time to see if there’s anything lurking. When you’re done, make sure you have Automatic Update turned off. I always install Windows Defender/Microsoft Security Essentials updates as soon as they’re available – same with spam filter updates. I never install drivers from Windows Update (in the rare case where I can actually see a problem with a driver, I go to the manufacturer’s web site and download it from the original source). For Windows 10, the situation’s more complicated, depending on how far you’ve gone to block forced patches. The general procedure’s described above.