Hold your breath, avoid the snake oil, and get Windows updated

Credit to Author: Woody Leonhard | Date: Mon, 05 Feb 2018 09:50:00 -0800

January 2018 was a month that will go down in patching infamy. Looking back on my notes, we had patches released, yanked, re-released and/or re-re-released on 15 different days in January. Untold thousands of machines were bricked by Microsoft patches. Millions of hours were lost chasing down bad patches and bad advice.

Although there were a couple of real bugs fixed in the January patches — the Equation Editor vulnerability being suspect #1 — most of the angst was completely superfluous. The Meltdown/Spectre patches at the heart of the drama attacked a problem that wasn’t — and isn’t — there. We still have no known Meltdown or Spectre exploits in the wild. None.

If you ever wanted a good reason to hold off patching Windows to see if others are having problems, you just saw it played out in slo-mo.

At this point, I’m seeing a few reported problems with the Win10 1709 cumulative update released on Jan. 31, KB 4058258:

Failure to install with error 0x80070643 is an acknowledged bug in this and other Win10 patches this month. Microsoft’s advice is to ignore it.

Microsoft has also fessed up to bugs in several of the latest Win10 cumulative updates (too many of ‘em to count!), saying:

After installing this update, some users may experience issues logging into some websites when using third party account credentials in Microsoft Edge.

There’s no known fix. My suggestion is that you join the vast majority of Win10 customers and use a different browser.

There’s one other persistent problem with this month’s patches that doesn’t have an easy solution. After installing this month’s Win10 cumulative updates (not sure which ones), your computer throws a blue screen when it starts, with the error Inaccessible Boot Device. There’s a very lengthy thread on the Microsoft Answers forum, with a possible manual solution for some people (helps to have a degree in Advanced Microsoft Bugology), but it doesn’t work in all cases.

Microsoft does acknowledge the problem for sites running WSUS update servers, and the solution for admins is bizarre: do not run “automatic repair” but manually delete a registry key. If you go through the steps in either solution and can’t get your machine going again, it looks like the only solution is to re-install Windows. 

I’ve seen reports of a wide array of additional problems — everything from blue screens to frozen logons to unexplained crashes — but I don’t see any definitive patterns. Make sure you have that backup ready to get you out of any tight spots, OK?

I’m looking forward to Windows for Pacemakers. In S Mode, no doubt. Just not sure how to boot to recovery media. Can you imagine an autonomous driving system based on Windows?

For those of you who held off installing the December cumulative update for Win10 1709, you should get patched up, in spite of the problems noted above. Microsoft released three cumulative updates in January just for you.

In the normal course of events, I’d just chalk January’s patches up to experience and recommend that you not install them at all — wait for the February patches to roll out and listen for screams as they go through the usual unpaid beta-testing phase. Unfortunately, this month, we have the, uh, specter of Spectre breathing down our collective necks.

So it is with no small amount of fear and trepidation that I urge you to take the plunge and get the January patches installed — but use your head about it. If you want no-brainer patching, get a Chromebook. Seriously.

I don’t care if they have security certificates from the Vatican. If your Dell Update or SupportAssist or HP Update Tools or Lenovo System Update or Fujitsu DeskUpdate tool tells you that you absolutely have to have this juicy new version of your machine’s microcode or firmware (BIOS or UEFI update), laugh demonically as you click No Way.

Neither Intel nor AMD has reliable Meltdown/Spectre patches just yet. And we’ve seen the mess created by Intel’s garbage patches, even though they had six months to build and test them.

Yes, I know Microsoft updated the Surface firmware with patches in January. I haven’t heard any loud screams about those patches, so if they’re being offered for your Surface machine, they’re probably OK.

If you have a reasonably recent version of your antivirus software — updated in the past few weeks — you’ll be fine. If you’re running Windows Defender, you’re fine. But if you have a weird antivirus product, or you’ve stopped doling out antivirus payola, I figure it’s best to uninstall your current antivirus and get Windows Defender or Microsoft Security Essentials working, just for as long as it takes to get Windows updated. Check with your antivirus vendor for details.

If you don’t want to trust your PC to Microsoft — who can blame ya? — check out Kevin Beaumont’s detailed list of antivirus vendors and their patch proclivities. If you want to check to see if your machine, specifically, is ready for the January patches, follow the steps posted by OscarCP on AskWoody.com.

This month more than ever, there’s a non-zero chance that the patches — even the latest, greatest patches of patches of patches — will hose your machine. Best to have a backup that you can re-install even if your machine refuses to boot. This, in addition to the usual need for System Restore points.

There are plenty of full image backup products including at least two good free ones: Macrium Reflect Free and EaseUS Todo Backup.

The “S” in Windows 10 S stands for “sucker.” Based on some insider info unearthed by Paul Thurrott and Brad Sams, it looks like Win10 S is headed to the trash can where it belongs, replaced by a complex series of ill-defined “in S mode” inanities. The Win10 S version that some of you have now is worse than lame, it’s dangerous.

Microsoft claims that the bugs in the early-January versions of the .Net patches have been fixed in the later January versions of the .Net patches. I remain skeptical, but patching .Net has been such an unholy mess for so long that it’s hard to say.

Once again this month, Microsoft’s ongoing list of acknowledged bugs in Office updates offers some worthwhile caveats. (Will Windows ever get anything comparable?) The January Outlook buglist includes misbehaving searches and a warning about not being able to use Outlook 2010 on Windows XP after installing the January patches. The Word and Excel buglists include many bugs that have been floating around for months.

I’ve seen so many bugs in the January patches that I simply lost count. At this point, though, the situation seems to be much more stable than it was two weeks ago.

Microsoft is blocking updates to Windows 7 and 8.1 on recent computers. If you are running Windows 7 or 8.1 on a PC that’s a year old or newer, follow the instructions in AKB 2000006 or @MrBrian’s summary of @radosuaf’s method to make sure you can use Windows Update to get updates applied.

If you’re very concerned about Microsoft’s snooping on you and want to install just security patches, realize that the privacy path’s getting more difficult. The old “Group B” — security patches only — isn’t dead, but it’s no longer within the grasp of typical Windows customers. If you insist on manually installing security patches only, follow the instructions in @PKCano’s AKB 2000003 and be aware of @MrBrian’s recommendations for hiding any unwanted patches. Note that AKB 2000003 has been modified to incorporate Microsoft’s fixes-of-fixes in January.

For most Windows 7 and 8.1 users, I recommend following AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups. If you want to minimize Microsoft’s snooping but still install all of the offered patches, turn off the Customer Experience Improvement Program (Step 1 of AKB 2000007: Turning off the worst Windows 7 and 8.1 snooping) before you install any patches. (Thx, @MrBrian).

Watch out for driver updates — you’re far better off getting them from a manufacturer’s website. After you’ve installed the latest Monthly Rollup, if you’re intent on minimizing Microsoft’s snooping, run through the steps in AKB 2000007: Turning off the worst Win7 and 8.1 snooping. Realize that we don’t know what information Microsoft collects on Windows 7 and 8.1 machines, but I’m starting to believe that snooping on Win7 is getting closer and closer to that on Win10.

With the caveats noted above, Microsoft’s Win10 patches have finally stabilized. Go ahead and install them.

If you’re running Win10 Creators Update, version 1703 (my current preference), or version 1607, the Anniversary Update, and you want to stay on 1607 or 1703 while those on 1709 get to eat Microsoft’s dog food, follow the instructions here to ward off the upgrade. As you go through the steps, keep in mind that Microsoft, uh, forgot to honor the “Current Branch for Business” setting — so you need to run the “feature update” (read: version change) deferral setting, if you have one, all the way up to 365. And hope that Microsoft doesn’t forget how to count to 365.

If you’re running an earlier version of Win10, you’re basically on your own. Microsoft doesn’t support you anymore.

If you have trouble getting the latest cumulative update installed, make sure you’ve checked your antivirus settings (see ProTip #2 above) and, if all is well, run the Windows Update Troubleshooter before inventing new epithets. If you still can’t get it installed, check out this Reddit page and follow the instructions to reset your Hosts file. Weird, but it seems to help.

To get Windows 10 patched, go through the steps in “8 steps to install Windows 10 patches like a pro.”

As is always the case, DON’T CHECK ANYTHING THAT’S UNCHECKED. In particular, don’t be tempted to install anything marked “Preview.”

It’s time to get patched. Tell your friends and warn your enemies. Or vice versa. If you bump into some self-described security “expert” who tells you to install all Windows security patches as soon as they’re released, send ‘em over to the Lounge. We’ll take care of ‘em.

For lots of help, and a bit of sympathy, join us on the AskWoody Lounge.
