MS-DEFCON 2: Get auto update turned off — and watch out for SMBv1 blocking complications this month

Patch Tuesday’s tomorrow. You know what that means.

I’m moving us to MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

Computerworld Woody on Windows

Turning the ratchet up to MS-DEFCON 2

I’ll have full instructions on Monday, but most of you know the drill.

I’m changing it now because I suddenly realized that some of you may be running Win10 1709 and clicking on “Check for updates.” (Thx, JL!)

If you did get pushed onto 1803, real quick, roll back to 1709 — Start > Settings > Update & security, on the left choose Recovery, on the right click to Roll back to previous version.

We’re at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

MS-DEFCON 2: Get automatic update turned off in preparation for April 2018 Patch Tuesday

It’s time. Tomorrow is Patch Tuesday. Don’t let it catch you unaware.

(P.S. Spread the word. Friends don’t let friends update automatically.)

Computerworld Woody on Windows.

We’re moving to MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

MS-DEFCON 2: March Patch Tuesday is right around the corner — turn off Auto Update

Once more unto the breach, dear friends, once more.

In preparation for tomorrow’s Patch Tuesday, we’re at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

Computerworld Woody on Windows.

MS-DEFCON 2 for Feb 2018: Make sure Automatic Update is turned off

Last month’s Patch Tuesday (and Monday, Wednesday, Thursday, Friday, Saturday and Sunday) should prove, once again, that knowledgeable Windows users need to turn off Automatic Update.

Computerworld Woody on Windows.

Do me a favor, wouldja? If you bump into any of the self-proclaimed security “experts” who tell everyone to turn on Automatic Update, would you post a link to their drivel? I took a lot of guff for my posts a year ago, advising folks to turn off Automatic Update. If there’s anybody in the industry who’s still spreading that kind of hooey, I want to know who and why.

Reaffirming that we’re still at MS-DEFCON 2

There’s still no pressing reason to install the early crop of Patch Tuesday patches.

Computerworld Woody on Windows.

Correction: @teroalhonen notes that there’s no such thing as Win10 1511 LTSC. He’s right, my Computerworld article’s wrong. Win10 1511 is supported through April 2018, but only for Enterprise and Education editions.

But that brings up a related question. Why are the Surface firmware updates only going out to 1703 and 1709? What about 1607 and 1511? They’re both being supported.

UPDATE: We have a report of a BSOD with the Win7 32-bit patch. Details to follow.

MS-DEFCON 2: Batten down the hatches, there’s a kernel patch headed your way

UPDATE: 4:00 am ET: @teroalhonen just noted that Yammer is down. The reason given:

After reviewing the logs, we determined that recent maintenance is causing a portion of cloud network infrastructure to be in a degraded state. We’re reconnecting users to a to a healthy portion of infrastructure to mitigate the impact while we address the cause.

Does “recent maintenance” encompass deployment of the Meltdown patches? That does not bode well.

UPDATE 3:00 am ET: The Meltdown fix is getting pushed out Windows Update, but many people haven’t seen it yet. I haven’t seen either the 1709 or the 1703 update coming down the chute.

We now have patches — both Monthly Updates and Security-only Updates — for a wide array of Window versions, from Win7 onward. See the Update Catalog for details. (Thx, @Crysta). Note that the patches are listed with a “Last Updated” date of Jan. 4, not Jan. 3. The Win7 and 8.1 patches are Security Only (the kind you have to install manually). It looks like the Monthly Rollups will come out next week.

BUT… you won’t get any patches installed unless and until your antivirus software sets a specific registry key. If you’re running third party antivirus, it has to be updated before the Meltdown patch installer will run. It looks like there are known problems with bluescreens for some AV products.

There are also cumulative updates for Internet Explorer 11 in various versions of Win7 and 8.1 listed in the Update Catalog. The fixes for Win10, and for Edge, are inside the respective Win10 cumulative updates. Microsoft has also released fixes for SQL Server 2016 and 2017.

Note that the Windows Server patches are NOT enabled by default. Those of you who want to turn on Meltdown protection have to change the registry. (Thx @GossiTheDog)

Windows XP and Server 2003 don’t yet have patches.

There’s an official Security Advisory, ADV 180002. One sobering comment:

In addition to installing the January 2018 Windows security updates, you may also need to install firmware updates from your device manufacturer for increased protection. Check with your device manufacturer for relevant updates.

Which means you, as a Windows user, aren’t fully protected until you’ve installed the Windows patch, turned it on if you’re running Windows Server, and applied the latest firmware update. According to @teroalhonen, Dell, Microsoft and HPE have yet to push firmware patches.

Microsoft has released official installation guidance for Windows Server, for non-server versions of Windows, and also for Edge and IE. Mozilla has posted its analysis for Firefox. Chromium also has details for Chrome, which should be patched later this month.

There’s a great deal of knowledgeable speculation that Meltdown may not be fully fixed, even with firmware updates. It may require completely new processors. Expect that debate to continue for the next decade.

We’re likely to see exploits published in fairly short order, but as of this writing, there are NO known in-the-wild exploits that take advantage of the Meltdown holes.

It would be a very good idea to make sure that your Windows machine has auto update turned off. Kernel changes are always, always tricky. Far better to sit and wait for a few hours, or even a day or two, than to get blindsided by a bad kernel patch.

It’s happened before. Many times.

UPDATE: There appears to be a working exploit, purportedly on a Mac, from Michael Schwarz. “we are publishing demo code as soon as patches are available, so I guess next week.”

I’m moving us to MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it

MS-DEFCON 2: Make sure you have Windows Automatic Update turned off

We’ve had a very rocky few months – and amazing array of buggy patches, dutifully vetted by the unpaid beta testers. Don’t volunteer your machine.

You need to patch sooner or later, but there’s no reason to patch to Microsoft’s schedule.

Computerworld Woody on Windows.