Get caught up on your July and August Windows/Office patches

Credit to Author: Woody Leonhard| Date: Wed, 05 Sep 2018 12:29:00 -0700

With the arrival of “Fourth Week” patches on the last working day of August, and having had a few days to vet them, it looks as if we’re ready to release the cracklin’ Kraken.

Microsoft continues to unleash microcode patches for Meltdown and Spectre (versions 1, 2, 3, 3a, 4, n for n >=4). You won’t get stung by any of them, unless you specifically go looking for trouble.

Considering there still haven’t been any garden-variety Meltdown or Spectre attacks, I strongly suggest you ignore Microsoft’s Intel microcode patches, unless you’re in charge of a server that multitasks users with sensitive data. Wait till Microsoft (and Intel) gets the kinks worked out.

If you really feel like beta-testing for Microsoft, follow RetiredGeek’s recommendations for Meltdown/Spectre mitigations on 1803. Make special note of the fact that he flashed his Dell XPS 8920 firmware prior to pursuing the Herculean labors.

Microsoft has a bug in its Win7 Monthly Rollup that’s been, uh, bugging us since March. If you installed any Win7/Server 2008R2 patches after March and your network connections didn’t go kablooey, you’re almost undoubtedly OK to proceed with this month’s patches.

On the other hand, if you’ve been waiting to install patches on your Win7 or Server 2008R2 machine, you need to be aware of a bug that Microsoft has acknowledged.

Symptom: There is an issue with Windows and third-party software that is related to a missing file (oem<number>.inf). Because of this issue, after you apply this update, the network interface controller will stop working.

Workaround: To locate the network device, launch devmgmt.msc; it may appear under Other Devices.

1. To automatically rediscover the NIC and install drivers, select Scan for Hardware Changes from the Action menu.

2. Alternatively, install the drivers for the network device by right-clicking the device and selecting Update. Then select Search automatically for updated driver software or Browse my computer for driver software.

That’s a bizarre, convoluted series of steps. Microsoft still hasn’t confirmed which third-party software is at fault, but reports have it that it’s largely a VMware problem. Five months later, the bug’s still there, still acknowledged, still unfixed.

If you’re worried that installing this month’s updates will clobber your Network Interface Card, make sure you take a full backup before installing the updates. You can also take @GoneToPlaid’s advice and edit certain registry entries in advance.

Microsoft broke Single Sign On (SSO) in IE 11 in the first set of August patches. Per the KB article:

In Internet Explorer 11, a blank page may appear for some redirects. Additionally, if you open a site that uses Active Directory Federation Services (AD FS) or Single sign-on (SSO), the site may be unresponsive.

Microsoft says you can fix that problem by installing the Monthly Preview (KB 4343894 for Win7; KB 4343891 for Win8.1). Confusingly, there’s also a KB 4459022 — a “Cumulative Update for Internet Explorer: August 30, 2018” — but that KB article says that you need to install one of the Monthly Previews to fix the problem.

Monthly Previews, of course, are supposed to contain advance copies of non-security patches expected in the following month. They’re designed for folks who need to test the next month’s patches, to vet them before they hit the mainstream.

Increasingly, Microsoft isn’t fixing bugs that it introduces with proper patches. Instead, it’s throwing them into the Monthly Preview stew and hoping that those affected figure out they need to jump ahead to fix what was just broken.

Susan Bradley’s Master Patchlists for July and August show that the past two months’ patches look clean, finally, except for the Meltdown/Spectre inanities. The official Fixes or workarounds articles for Office include many specific problems and a few possible solutions.

Ready to take a chance on messing up your NIC? Here’s how to proceed. The patching pattern should be familiar to many of you.

There’s a non-zero chance that the patches — even the latest, greatest patches of patches of patches — will hose your machine. Best to have a backup that you can reinstall even if your machine refuses to boot. This, in addition to the usual need for System Restore points.

There are plenty of full-image backup products, including at least two good free ones: Macrium Reflect Free and EaseUS Todo Backup. For Win 7 users, If you aren’t making backups regularly, take a look at this thread started by Cybertooth for details. You have good options, both free and not-so-free.

Microsoft is blocking updates to Windows 7 and 8.1 on recent computers. If you are running Windows 7 or 8.1 on a PC that’s a year old or less, follow the instructions in AKB 2000006 or @MrBrian’s summary of @radosuaf’s method to make sure you can use Windows Update to get updates applied.

If you’ve already installed any Monthly Rollups after March, your Network Interface Card should be immune to the latest slings and arrows. But if you haven’t been keeping up on patches, see the discussion in the Network Cards section above to protect yourself.

If you’re very concerned about Microsoft’s snooping on you and want to install just security patches, realize that the privacy path’s getting more difficult. The old “Group B” — security patches only — isn’t dead, but it’s no longer within the grasp of typical Windows customers. If you insist on manually installing security patches only, follow the instructions in @PKCano’s AKB 2000003 and be aware of @MrBrian’s recommendations for hiding any unwanted patches.

For most Windows 7 and 8.1 users, I recommend following AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups. Realize that some or all of the expected patches for July and August may not show up or, if they do show up, may not be checked. DON’T CHECK any unchecked patches. Unless you’re very sure of yourself, DON’T GO LOOKING for additional patches. In particular, if you install the August Monthly Rollups or Cumulative Updates, you won’t need (and probably won’t see) the concomitant patches for July. Don’t mess with Mother Microsoft. Take what’s being offered, and checked, and don’t grab something unchecked just because it sounds good.

If you want to minimize Microsoft’s snooping but still install all of the offered patches, turn off the Customer Experience Improvement Program (Step 1 of AKB 2000007: Turning off the worst Windows 7 and 8.1 snooping) before you install any patches. (Thx, @MrBrian.) If you see KB 2952664 (for Win7) or  its Win8.1 cohort, KB 2976978 — the patches that so helpfully make it easier to upgrade to Win10 — uncheck them and drive a wooden stake through your motherboard. Watch out for driver updates — you’re far better off getting them from a manufacturer’s website.

After you’ve installed the latest Monthly Rollup, if you’re intent on minimizing Microsoft’s snooping, run through the steps in AKB 2000007: Turning off the worst Win7 and 8.1 snooping. Realize that we don’t know what information Microsoft collects on Window 7 and 8.1 machines. But I’m starting to believe that information pushed to Microsoft’s servers for Win7 owners is nearing equality to that pushed in Win10.

If you’re running Win10 Creators Update, version 1703 (my current preference), or version 1709, and you want to stay on 1703 or 1709 and not get sucked into the 1803 vortex, follow the instructions here to ward off the upgrade. Of course, all bets are off if Microsoft, uh, forgets to honor its own settings.

Remember: If you want to avoid 1803, don’t click “Check for Updates” until you’ve gone through all the precautions listed in this article, including running wushowhide. If you forget, you may be tossed in the seeker heap and shuffled off to 1803 land.

Worried about 1809? Yeah, me too. Those of you running Win10 1703 will need to upgrade to 1709, 1803 or possibly 1809 at some point in October. (It isn’t clear if Microsoft will release Fourth Tuesday or C/D Week patches for 1703 in October.) I’m still sitting on a fence, and suggest you join me in MSmugwump land until we have a clearer view of the horizon.

If you have trouble getting the latest cumulative update installed, make sure you’ve checked your antivirus settings and, if all is well, run the newly refurbished Windows Update Troubleshooter before inventing new epithets.

To get Windows 10 patched, go through the steps in “8 steps to install Windows 10 patches like a pro.”

Thanks to the dozens of volunteers on AskWoody who contribute mightily, especially @sb, @PKCano, @abbodi86, @gborn, @GoneToPlaid, @Cybertooth, @RetiredGeek and @MrBrian.

We’ve moved to MS-DEFCON 4 on the AskWoody Lounge.

http://www.computerworld.com/category/security/index.rss