Woody Leonhard's no-bull news, tips and help for Windows, Office and more… Please disable your ad blocker – our (polite!) ads help keep AskWoody going!
Home icon Home icon Home icon Email icon RSS icon
  • MS-DEFCON 2: March Patch Tuesday is right around the corner — turn off Auto Update

    Posted on March 12th, 2018 at 17:01 woody Comment on the AskWoody Lounge

    Once more unto the breach, dear friends, once more.

    In preparation for tomorrow’s Patch Tuesday, we’re at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

    Computerworld Woody on Windows.

  • MS-DEFCON 2 for Feb 2018: Make sure Automatic Update is turned off

    Posted on February 12th, 2018 at 08:24 woody Comment on the AskWoody Lounge

    Last month’s Patch Tuesday (and Monday, Wednesday, Thursday, Friday, Saturday and Sunday) should prove, once again, that knowledgeable Windows users need to turn off Automatic Update.

    Computerworld Woody on Windows.

    Do me a favor, wouldja? If you bump into any of the self-proclaimed security “experts” who tell everyone to turn on Automatic Update, would you post a link to their drivel? I took a lot of guff for my posts a year ago, advising folks to turn off Automatic Update. If there’s anybody in the industry who’s still spreading that kind of hooey, I want to know who and why.

  • Reaffirming that we’re still at MS-DEFCON 2

    Posted on January 5th, 2018 at 08:28 woody Comment on the AskWoody Lounge

    There’s still no pressing reason to install the early crop of Patch Tuesday patches.

    Computerworld Woody on Windows.

    Correction: @teroalhonen notes that there’s no such thing as Win10 1511 LTSC. He’s right, my Computerworld article’s wrong. Win10 1511 is supported through April 2018, but only for Enterprise and Education editions.

    But that brings up a related question. Why are the Surface firmware updates only going out to 1703 and 1709? What about 1607 and 1511? They’re both being supported.

    UPDATE: We have a report of a BSOD with the Win7 32-bit patch. Details to follow.

  • MS-DEFCON 2: Batten down the hatches, there’s a kernel patch headed your way

    Posted on January 3rd, 2018 at 16:59 woody Comment on the AskWoody Lounge

    UPDATE: 4:00 am ET: @teroalhonen just noted that Yammer is down. The reason given:

    After reviewing the logs, we determined that recent maintenance is causing a portion of cloud network infrastructure to be in a degraded state. We’re reconnecting users to a to a healthy portion of infrastructure to mitigate the impact while we address the cause.

    Does “recent maintenance” encompass deployment of the Meltdown patches? That does not bode well.

    UPDATE 3:00 am ET: The Meltdown fix is getting pushed out Windows Update, but many people haven’t seen it yet. I haven’t seen either the 1709 or the 1703 update coming down the chute.

    We now have patches — both Monthly Updates and Security-only Updates — for a wide array of Window versions, from Win7 onward. See the Update Catalog for details. (Thx, @Crysta). Note that the patches are listed with a “Last Updated” date of Jan. 4, not Jan. 3. The Win7 and 8.1 patches are Security Only (the kind you have to install manually). It looks like the Monthly Rollups will come out next week.

    BUT… you won’t get any patches installed unless and until your antivirus software sets a specific registry key. If you’re running third party antivirus, it has to be updated before the Meltdown patch installer will run. It looks like there are known problems with bluescreens for some AV products.

    There are also cumulative updates for Internet Explorer 11 in various versions of Win7 and 8.1 listed in the Update Catalog. The fixes for Win10, and for Edge, are inside the respective Win10 cumulative updates. Microsoft has also released fixes for SQL Server 2016 and 2017.

    Note that the Windows Server patches are NOT enabled by default. Those of you who want to turn on Meltdown protection have to change the registry. (Thx @GossiTheDog)

    Windows XP and Server 2003 don’t yet have patches.

    There’s an official Security Advisory, ADV 180002. One sobering comment:

    In addition to installing the January 2018 Windows security updates, you may also need to install firmware updates from your device manufacturer for increased protection. Check with your device manufacturer for relevant updates.

    Which means you, as a Windows user, aren’t fully protected until you’ve installed the Windows patch, turned it on if you’re running Windows Server, and applied the latest firmware update. According to @teroalhonen, Dell, Microsoft and HPE have yet to push firmware patches.

    Microsoft has released official installation guidance for Windows Server, for non-server versions of Windows, and also for Edge and IE. Mozilla has posted its analysis for Firefox. Chromium also has details for Chrome, which should be patched later this month.

    There’s a great deal of knowledgeable speculation that Meltdown may not be fully fixed, even with firmware updates. It may require completely new processors. Expect that debate to continue for the next decade.

    We’re likely to see exploits published in fairly short order, but as of this writing, there are NO known in-the-wild exploits that take advantage of the Meltdown holes.

    It would be a very good idea to make sure that your Windows machine has auto update turned off. Kernel changes are always, always tricky. Far better to sit and wait for a few hours, or even a day or two, than to get blindsided by a bad kernel patch.

    It’s happened before. Many times.

    UPDATE: There appears to be a working exploit, purportedly on a Mac, from Michael Schwarz. “we are publishing demo code as soon as patches are available, so I guess next week.”

    I’m moving us to MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it

  • MS-DEFCON 2: Time to make sure you’re locked down

    Posted on March 7th, 2016 at 11:54 woody Comment on the AskWoody Lounge

    Tomorrow’s Black Tuesday. Time to make sure your cows are in and the barn door’s closed.

    Make sure you have your Vista, Win7 and 8.1 Windows Update set to “Notify but don’t download.” If your Windows 10 machine is set up with a Wi-Fi connection, set it to a metered connection. To do all of that, see the Automatic Update tab above.

    This month I’ll be trying a new trick. I’m going to see if I can get wushowhide to hide the Win10 cumulative update (assuming there is a cumulative update) before my Win10 machines download and install the patch. It’s all in the timing. For details on running wushowhide, see my discussion about the Outlook 2010 Calendar bugs. You’re most welcome to join me in testing the catch-if-you-can technique. (I’m still too skittish to shut down Windows Update in Win10 entirely.)

    Anyway, I’m headed to MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

    If you’re able to test the hair-trigger wushowhide approach on a working Win10 system, chime in here and tell me how it goes.

  • MS-DEFCON 2: Make sure Windows Automatic Update is turned off

    Posted on May 11th, 2015 at 10:21 woody Comment on the AskWoody Lounge

    With Black Tuesday coming tomorrow, now’s the time to get everything locked down.

    At this point – almost noon east coast time on Monday – there have been no notifications I can find about patches headed down the automatic update chute on Tuesday.

    Microsoft didn’t say that it was getting rid of Patch Tuesday in Windows 10, no matter what you may have read. What they said, in effect, is that they aren’t going to hold back and wait for the second Tuesday of the month to push out either security fixes or new features. Windows 10 installations using Windows Update for Business can bundle up the patches and release them any time they want — second Tuesday is as good as a nod and a wink to a blind horse. For those of us running “free” Windows 10, everything I hear is that you’ll get updated whenever Microsoft is good and ready – Tuesday, Wednesday, everyday, never mind – and you won’t be able to do anything about it, save for disconnecting from the internet completely.

    That may change before Windows 10 launches, but I don’t have a good feeling about it.

    This month, we aren’t seeing an early transition to the Windows 10 rules of engagement. What we’re seeing is a complete disregard for the old advance notification service. Either that, or we won’t have any non-security updates on Tuesday. Which could happen.

    I’m moving us to MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

    Make sure Automatic Update is turned off, and let’s see what the morrow shall bring.

  • MS-DEFCON 2: Time to get locked down

    Posted on February 7th, 2011 at 17:57 woody Comment on the AskWoody Lounge

    Tuesday should bring 12 Security Bulletins, patching a total of 22 separately identified holes in Windows, IE, and Office.

    Time to get your system locked down. Take a minute and make sure Windows is set to “Check for Updates but don’t download.”

    For detailed instructions, see the tab at the top of this page that says Automatic Updates.