Newsletter Archives

  • MS-DEFCON 3: Win10 customers should install March updates, but Win7 victims have some soul searching

    Looks like the March patches for Windows 10 have finally sorted themselves out, but if you’re running 64-bit Windows 7 you have some soul-searching in store. Get patched now, but watch out for the bonfire. Bonfires.

    Computerworld Woody on Windows.

  • MS jiggles — but doesn’t fix — buggy Win7 patches KB 4088875, KB 4088878

    A big shake-up last night re-arranged the way the buggy March Win7 patches install and clean up after themselves, and added to the lengthy list of known bugs. The key looming bug — “Total Meltdown” — remains a patching enigma: Damned if ya do, damned if ya don’t.

    Computerworld Woody on Windows.

  • Windows patches for Total Meltdown, bluescreens, an IP stopper — and little documentation

    Last week ended with a bang. Several bangs, in fact, including an enormously confusing and potentially damaging fix for the Win7 Total Meltdown hole, a patch that fixes the NIC/static IP bug in Win7, and a laundry list of bluescreen fixes.

    Computerworld Woody on Windows.

  • Microsoft Patch Alert: Suddenly, Windows 7 patching is an unholy mess

    With the publication yesterday of Ulf Frisk’s “Total Meltdown” vulnerability, patching this month has turned into a damned-if-you-do/damned-if-you-don’t quandary.

    This, in addition to all of the other problems this month.

    Computerworld Woody on Windows.

    NOTE: I’ve merged two other AskWoody threads on “Total Meltdown” into this thread…

  • Friday night patch dump: KB 4088881, a flawed Win7 Monthly Rollup preview and KB 4089187, an IE fix

    UPDATE: See Computerworld Woody on Windows.

    Microsoft continues its any-day-of-the-month patching policy with a highly anticipated preview of the April Win7 Monthly Rollup and a rushed patch for IE on Win7 that resolves a bug introduced two weeks ago.

    When Microsoft released its gang of patches last Thursday, one patch was remarkably absent: We didn’t get a preview of next month’s Win7 Monthly Rollup. Win8.1, Server 2012 and Server 2012R2 all got previews, but not Win7 (or Server 2008R2).

    I hypothesized at the time that Microsoft didn’t release a new Win7 April Monthly Rollup preview because they were still trying to fix the bugs they introduced in this month’s Monthly Rollup for Windows 7 and Server 2008 R2, KB 4088875, and the download-and-manually-install Security-only patch for March, KB 4088878.

    Microsoft now acknowledges all of these bugs in March’s Win7 Patch Tuesday release:

    • After you install this update, SMB servers may leak memory.
    • A Stop error occurs if this update is applied to a 32-Bit (x86) machine with the Physical Address Extension (PAE) mode disabled.
    • A Stop error occurs on computers that don’t support Streaming Single Instructions Multiple Data (SIMD) Extensions 2 (SSE2).
    • A new Ethernet virtual Network Interface Card (vNIC) that has default settings may replace the previously existing vNIC, causing network issues after you apply this update. Any custom settings on the previous vNIC persist in the registry but are unused.
    • IP address settings are lost after you apply this update.

    All of those bugs are new in March, except the memory leak, which first appeared in January.

    With the new, delayed preview of April’s Win7 Monthly Rollup, you might expect that at least some of those bugs would be fixed. Not so. They’re all still around, per the official write-up.

    Microsoft is working on a resolution and will provide an update in an upcoming release.

    Sooner or later.

    In addition to the Friday night Monthly Rollup preview that doesn’t fix the major bugs, Microsoft rolled out a patch for a bug introduced in IE by its Patch Tuesday patch. Another patch of a patch. The article for the original Patch Tuesday patch, KB 4089187, has been modified to state:

    After you install this update, security settings in some organizations that are running Windows 7 SP1 or Windows Server 2008 R2 may prevent Internet Explorer 11 from starting because of an invalid SHA1 certificate.

    To resolve this issue, use one of the following methods:

    If you’re a bit rusty on manually whitelisting an SHA1 certificate, you can run the patch released on Friday night, KB 4089187. Note that this is only for IE 11 running on Windows 7 (and Server 2008R2).

    I think of it as Mother Microsoft’s way of telling you that you really shouldn’t be using IE. Excuse my snark.

    Of course, you’ve been following along here and know that we’re still at MS-DEFCON 2, which means you didn’t install the original buggy patches, anyway. Right?

    By the by… for those of you who are manually installing the cumulative updates for Win10 1703 or 1607, there’s now an explicit warning in the associated KB article:

    Important When installing both the SSU (KB4088825) and the LCU updates from the Microsoft Update Catalog, install the SSU before installing the LCU.

    Which is an obtuse way of saying that, if you’re going to install the Cumulative Update manually, you better get the Servicing Stack Update installed first.

    MrBrian speculates that the root problem is the race condition on installation that Susan Bradley talked about last week.

    The Servicing Stack updates for 1703 and 1607 were part of the Thursday blast.

    Thx, @MrBrian, @gborn

  • We’re still at MS-DEFCON 2

    If you’re worried about all of the patches, manual installation sequences, and other mind-boggling things, don’t be.

    We’re still at MS-DEFCON 2 — don’t patch unless you have an overwhelming need to install a specific patch.

    The MS-DEFCON system is designed for folks who don’t want to sweat the details. If you aren’t particularly interested in sorting through the offal, wait for the MS-DEFCON number to change.

    Each time I raise the MS-DEFCON level, I have detailed instructions on what you need to do to keep your ship afloat. Unlike Susan (see below), I recommend that you defer “quality updates” (read “cumulative updates”) for the full 35 days, then set the spinner down to 0 when you’re ready to install a specific cumulative update. I also recommend that you set Win7 and 8.1 to “check but don’t download.” I include full instructions for both of those settings in every month’s Computerworld “go ahead” article.

    For now, unless you need to sort through the patching details, just hold tight.

  • Massive March Patch Tuesday relaxes antivirus restrictions, but there are problems

    With 74 separately identified plugged holes, every version of Windows and Office gets goosed. No known exploits for any “Critical” vulnerabilities, but there’s a report of more forced upgrades.

    Computerworld Woody on Windows.

    UPDATE: Win7/Win2008 R2 Monthly Rollup KB 4088875 and Security-only KB 4088878 are causing problems on Server 2008 R2 because the updates blow away virtual Network Interface Cards (VMware hit bad) and on Win7 because it overwrites static IP addresses. Discussion on Reddit and an apparently related post on KB 3125574.

    ANOTHER UPDATE: It looks like the Word 2016 security patch KB 4011730 causes Word 2016 to crash when you double-click on a file with a DOCX filename extension. Uninstalling the patch fixes the problem.

    ANOTHER UPDATE: We’re getting reports that the beleaguered Win7 Monthly Rollup, KB 4088875, now appears in Windows Update as unchecked. It’s still available through the Microsoft Update Catalog, however.

  • March 2018 Patch Tuesday

    The patches are starting to appear. I’ll keep this post updated as the situation becomes more clear.

    OF COURSE We’re still at MS-DEFCON 2. You’d have to be a real glutton for punishment — and a daft one at that — to install any of these patches just yet.

    SANS Internet Storm Center has its visual analysis. There are no “critical” vulnerabilities that have been disclosed, or used in the wild.

    Martin Brinkmann has his usual in-depth look on ghacks.net. And it’s a busy Tuesday:

    Windows 7: 21 vulnerabilities of which 21 are rated important
    Windows 8.1: 20 vulnerabilities of which 20 are rated important
    Windows 10 version 1607: 29 vulnerabilities of which 29 are rated important
    Windows 10 version 1703: 28 vulnerabilities of which 28 are rated important
    Windows 10 version 1709: 24 vulnerabilities of which 24 are rated important
    Internet Explorer 11: 7 vulnerabilities, 2 critical, 5 important
    Microsoft Edge: 16 vulnerabilities, 12 critical, 4 important

    Don’t tell me how Edge is so much more secure than IE.

    @PKCano has updated the list in AKB2000003, for those of you who apply Win7 and 8.1 Security-only patches manually.

    I’ve updated the list of recently revised KB articles, KBNew. Quick check confirms that this month’s new KBs are listed there.

    The master list — the Security Update Guide — is up on the MSRC Security TechCenter blog. Looks like there are 157 separately identified patches.

    John Cable has the official Patch Tuesday announcement on the Windows blog.

    Based on our analysis of available data, we are now lifting the AV compatibility check for the March Windows security updates for supported Windows 10 devices via Windows Update.

    (Note that the antivirus check is still in effect for Win7 and 8.1.)

    Microsoft has updated its Security Advisory ADV180002 Guidance to mitigate speculative execution side-channel vulnerabilities:

    The following updates have been made:

    1. Microsoft has released security updates for Windows Server 2008 and Windows Server 2012 to provide mitigations against the vulnerabilities discussed in this advisory. See the Affected Products table for links to download and install the updates. Note that these updates are also available via Windows Update.
    2. Microsoft has also released security updates to provide additional protections for the 32-bit (x86) versions of Windows 7 and Windows 8.1. These updates are included in the March Security Only and Monthly Rollup updates. See the Affected Products table for links to download and install the updates.
    3. Updated FAQ #14 to announce that the following stand-alone updates for Windows 10 are available via the Microsoft Update Catalog. These updates include microcode updates from Intel:
       • For devices running Windows 10 Version 1703, for the latest available microcode updates see Microsoft Knowledge Base Article 4091663 (https://support.microsoft.com/en-us/help/4091663).
       • For devices running Windows 10 Version 1607 and Windows Server 2016, for the latest available microcode updates see Microsoft Knowledge Base Article 4091664 (https://support.microsoft.com/en-us/help/4091664).
       • For devices running Windows 10, for the latest available microcode updates see Microsoft Knowledge Base Article 4091666 (https://support.microsoft.com/en-us/help/4091666).
    4. Corrected FAQ #12 to better describe what customers need to do if they have not installed the January or February 2018 Security Only updates, and they want to be protected from the vulnerabilities described in this advisory.

    These updates are currently available via the Microsoft Update Catalog for devices running Windows 10 Version 1703. For more information and the latest available microcode update for devices running Windows 10 Version 1703, see Microsoft Knowledge Base Article 4091663.

    These updates are currently available via the Microsoft Update Catalog for devices running Windows 10 Version 1607 and Windows Server 2016. For more information and the latest available microcode update for devices running Windows 10 Version 1607 or Windows Server 2016, see Microsoft Knowledge Base Article 4091664.

    These updates are currently available via the Microsoft Update Catalog for devices running Windows 10. For more information and the latest available microcode update for devices running Windows 10, see Microsoft Knowledge Base Article 4091666.

    Microsoft will make available Intel microcode updates for Windows operating systems as they become available.

    Worth noting: “Microsoft has not received any information to indicate that these vulnerabilities have been used to attack customers at this time.”

    Ed Bott’s overview is up on ZDNet:

    a variety of security updates for all supported Windows versions, as well as removing a compatibility check for antivirus software. A separate release significantly expands available microcode updates for affected Intel CPUs… includes security updates that defend against the Meltdown vulnerability on PCs running x86 versions of Windows 7 and 8.1. With those updates, all currently supported Windows releases now include defense against this vulnerability.

    Trend Micro’s ZeroDay Initiative posted its analysis:

    Microsoft released a whopping 75 security patches for March covering Internet Explorer (IE), Edge, ChakraCore, Microsoft Windows, Microsoft Office, and ASP.NET Core. Of these 75 CVEs, 14 are listed as Critical and 61 are rated Important in severity. Six of these CVEs came through the ZDI program. Two of these bugs are listed as being publicly known, but none are listed as being under active attack.

    The official Office Update page is up:

    The March 2018 Public Update releases for Office are now available! This month, there are 23 security updates and 26 non-security updates. All of the security and non-security updates are listed in KB article 4090988.

    Thx @PKCano, @sb

  • MS-DEFCON 2: March Patch Tuesday is right around the corner — turn off Auto Update

    Once more unto the breach, dear friends, once more.

    In preparation for tomorrow’s Patch Tuesday, we’re at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

    Computerworld Woody on Windows.

  • March 2018 Office non-security updates have been released

    Microsoft has released the March 2018 Office non-security updates. These are NOT covered under February’s DEFCON-3 patching. Wait to install them until any potential problems are known and for the Patch Lady’s guidance. If you are following Woody’s DEFCON system, wait for the March DEFCON patching go-ahead.

    Office 2010

    Update for Microsoft Outlook 2010 (KB4018314)

    Office 2013

    Update for Microsoft Office 2013 (KB3172471)
    Update for Microsoft Office 2013 (KB4011152)
    Update for Microsoft Office 2013 (KB4018297)
    Update for Microsoft Project 2013 (KB4018292)
    Update for Microsoft Visio 2013 (KB4011230)
    Update for Skype for Business 2015 (KB4018290)

    Office 2016

    Update for Microsoft Office 2016 (KB4011624)
    Update for Microsoft Office 2016 (KB4011671)
    Update for Microsoft Office 2016 (KB4011728)
    Update for Microsoft Office 2016 (KB4011729)
    Update for Microsoft Office 2016 (KB4011732)
    Update for Microsoft Office 2016 (KB4018295)
    Update for Microsoft Office 2016 Language Interface Pack (KB4011731)
    Update for Microsoft OneNote 2016 (KB4011733)
    Update for Microsoft Outlook 2016 (KB4018296)
    Update for Microsoft Project 2016 (KB4011734)
    Update for Microsoft Visio 2016 (KB4011661)
    Update for Skype for Business 2016 (KB4011725)

    There were no non-security patches for Office 2007.

    [The KBNew list of all new and modified March KB articles has been updated, and now includes the March non-security Office patches. We’re showing more than 300 new and changed KB articles since March 1.]

  • Microsoft claims it’s solved the USB problem with Win10 1709 cumulative update KB 4090913

    Welcome to Patch Monday!

    A few hours after I posted my diatribe in Computerworld, taking Microsoft to task for not fixing Win10 Fall Creators Update, version 1709, wouldn’tcha know it, but Microsoft released yet another cumulative update for 1709 that claims to fix one (not all) of the admitted problems with Win10 FCU.

    KB 4090913 brings Win10 version 1709 up to build 16299.251.

    According to the KB article its sole raison d’être is fixing the USB bug introduced in the last cumulative update.

    Addresses an issue in which some USB devices and onboard devices, such as a built-in laptop camera, keyboard, or mouse, stop working. This may occur when the Windows Update servicing stack incorrectly skips installing the newer version of some critical drivers in the cumulative update and uninstalls the currently active drivers during maintenance.

    That’s all she wrote. The other bugs are still there:

    • Windows Update History reports that KB4054517 failed to install because of error 0x80070643.
    • After installing this update, some devices may fail to start, and return INACCESSIBLE_BOOT_DEVICE.
    • Because of an AD FS server issue that causes the WID AD FS database to become unusable after a restart, the AD FS service may fail to start. / There is no way to undo the database corruption. To return your AD FS server to a functional state, you must restore it from a backup.

    There’s also an out-of-out-of-band Servicing Stack update, KB 4090914.

    I suggest you hold off until we find out if this patch actually fixes the problem, or if some other ogre jumps out and bites.

  • Anybody see the “Third Tuesday” Windows previews?

    They’re usually out by now. Wonder if MS hit a snag?