{"id":11659,"date":"2018-03-05T12:30:27","date_gmt":"2018-03-05T20:30:27","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/03\/05\/news-5429\/"},"modified":"2018-03-05T12:30:27","modified_gmt":"2018-03-05T20:30:27","slug":"news-5429","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/03\/05\/news-5429\/","title":{"rendered":"Get the February Microsoft patches applied, unless you\u2019re using Win10 Fall Creators Update"},"content":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Mon, 05 Mar 2018 11:57:00 -0800<\/strong><\/p>\n

Granted, February\u2019s patches from Microsoft weren\u2019t as malevolent as <\/span>January\u2019s patches<\/span><\/a>, but they still managed to knock out lots and lots of PCs. That said, if you can tiptoe around the problems, now is a good time to get the latest versions of the latest patches installed.<\/span><\/p>\n

The worst problem I see at this point involves <\/span>clobbered USB connections<\/span><\/a> on Win10 Fall Creators Update (version 1709) machines after installing the latest cumulative update, KB 4074588. To its credit, Microsoft has <\/span>acknowledged the problem<\/span><\/a>. But the only offered fix, a complex <\/span>manual workaround<\/span><\/a>, would drive a hardened MS-DOS junkie to drink.<\/span><\/p>\n

Microsoft currently acknowledges all of these problems with the February Win10 1709 cumulative update:<\/span><\/p>\n

As well as a problem with Active Directory Federation Service. <\/span><\/p>\n

It\u2019s become a familiar refrain. Microsoft had problematic patches for Win10 1709 <\/span>in December<\/span><\/a>, <\/span>in January<\/span><\/a> (took three tries and they it didn\u2019t get it right) and <\/span>in February<\/span><\/a>. I keep waiting for 1709 to stabilize before I recommend that folks move on from 1703, but that time hasn\u2019t come yet. <\/span><\/p>\n

Then there are those who bought new PCs with 1703 installed and\u00a0<\/span>don\u2019t have enough storage<\/span><\/a> to run the upgrade to 1709.<\/span><\/p>\n

Even if most of the Win10 world has been pushed, pulled and prodded onto 1709 (<\/span>AdDuplex reports<\/span><\/a> that 85% of all Win10 users they see run Win10 1709), the avalanche of buggy patches proves to me that Fall Creators Update just ain\u2019t ready for prime time.<\/span><\/p>\n

Truth be told, the multiple patches for 1703 (two in January, two in February) leave me feeling queasy about the Win10 Creators Update as well. I guess that\u2019s the price we pay for Windows as a Service and the mad dash to two new versions of the last version of Windows per year.<\/span><\/p>\n

There have been <\/span>problems galore<\/span><\/a> with the .Net Preview patches, with several yanked after colliding with QuickBooks 2017 Enterprise. Fortunately, they\u2019re just Previews \u2014 you only installed them if you specifically sought them out and you shot yourself in the foot.<\/span><\/p>\n

Windows 7 users who install the latest patches (Monthly Rollup <\/span>KB 4074598<\/span><\/a>, or Security-Only <\/span>KB 4077525<\/span><\/a>) may have problems if they have a <\/span>Smart Card two-factor authorization <\/span><\/a>enabled on their machine. Microsoft also warns: \u201cAfter installing this update, SMB servers may experience a memory leak.\u201d No solution at this point.<\/span><\/p>\n

If you\u2019re using Flash on Internet Explorer (or Edge) and haven\u2019t yet installed the fix for CVE-2018-4878, described in Microsoft\u2019s Security Advisory <\/span>ADV180004<\/span><\/a>, you\u2019re vulnerable to a Malspam campaign attack <\/span>described by Morphisec Labs<\/span><\/a>. Of course, if you avoid Flash and\/or use a different browser, you have little to fear.<\/span><\/p>\n

With those exceptions, <\/span>Susan Bradley\u2019s Monthly Patchlist <\/span><\/a>gives an all-clear for the other 40 or so patches released this month.<\/span><\/p>\n

For those of you following the trials and travails of the <\/span>KB 4090007 <\/span><\/a>microcode updates, which are only available by manual download and only apply to sixth-generation Skylake Intel chips running Win10 1709, there\u2019s a reason why they\u2019re so obscure: Microsoft doesn\u2019t want \u201cnormal\u201d people to install them. <\/span><\/p>\n

Microcode, you may know (but I didn\u2019t!), is different from firmware. G\u00fcnter Born on his <\/span>BornCity site explains<\/span><\/a>:<\/span><\/p>\n

There is also a small but subtle difference between firmware updates for the UEFI and a microcode update. A firmware update for the UEFI must be approved by the manufacturer of the motherboard. This update may also include microcode updates. These are loaded from the UEFI firmware into the CPU when the system is started. Pure microcode updates can be rolled out by Microsoft. These microcodes are loaded into the CPU when the operating system is started. The above update is therefore a microcode update, which is reloaded every time Windows starts.<\/span><\/p>\n

For now, I figure you\u2019d be crazy to install the microcode update \u2014 particularly because there are no Spectre v 2 exploits in the wild. Susan Bradley <\/span>has a full explanation <\/span><\/a>of the patch and a warning to admins who may be contemplating the leap of faith:<\/span><\/p>\n

For those that plan to import these microcode updates into your Server 2016 WSUS, there\u2019s a known issue whereby one can\u2019t import updates into WSUS based on Server 2016 like one is used to in other platforms. As noted on the WSUS blog, you\u2019ll need to<\/span> edit a bit<\/span><\/a> before you can import the patch.<\/span><\/p>\n

In my humble opinion, it\u2019s time to install the February patches \u2014 unless you\u2019re using Win10 Fall Creators Update version 1709. (To see your version, in the Cortana search box, type about and press Enter.) If you\u2019re on 1709, wait until Microsoft finally fixes the USB problems.<\/span><\/p>\n

Step 1. Make sure your antivirus is copacetic with this month\u2019s patches.<\/strong><\/p>\n

If you have a reasonably recent version of your antivirus software \u2014 updated in the past few weeks \u2014 you\u2019ll be fine. If you\u2019re running Windows Defender, you\u2019re fine. But if you have a weird antivirus product, or you\u2019ve stopped doling outantivirus payola, I figure it\u2019s best to uninstall your currentantivirus and get Windows Defender or Microsoft Security Essentials working, just for as long as it takes to get Windows updated. Check with your antivirus vendor for details.<\/span><\/p>\n

If you don\u2019t want to trust your PC to Microsoft \u2014 who can blame ya? \u2014 check out Kevin Beaumont\u2019s <\/span>detailed list<\/span><\/a> of antivirus vendors and their patch proclivities. If you want to check to see if your machine, specifically, is ready for the February patches, follow the steps <\/span>posted by OscarCP<\/span><\/a> on AskWoody.com.<\/span><\/p>\n

Step 2. Make a full system image backup before you install the January patches.<\/strong><\/p>\n

There\u2019s a non-zero chance that the patches \u2014 even the latest, greatest patches of patches of patches \u2014 will hose your machine. Best to have a backup that you can reinstall even if your machine refuses to boot. This, in addition to the usual need for System Restore points.<\/span><\/p>\n

There are plenty of full image backup products including at least two good free ones: <\/span>Macrium Reflect Free<\/span><\/a> and <\/span>EaseUS Todo Backup<\/span><\/a>.<\/span><\/p>\n

Step 3. For Win7 and 8.1<\/strong><\/p>\n

Microsoft is blocking updates to Windows 7 and 8.1 on recent computers. If you are running Windows 7 or 8.1 on a PC that\u2019s a year old or newer, follow the instructions in<\/span> AKB 2000006<\/span><\/a> or<\/span> @MrBrian\u2019s summary of @radosuaf\u2019s method<\/span><\/a> to make sure you can use Windows Update to get updates applied.<\/span><\/p>\n

If you\u2019re very concerned about Microsoft\u2019s snooping on you and want to install just security patches, realize that the privacy path\u2019s getting more difficult. The old \u201cGroup B\u201d \u2014 security patches only \u2014 isn\u2019t dead, but it\u2019s no longer within the grasp of typical Windows customers. If you insist on manually installing security patches only, follow the instructions in @PKCano\u2019s<\/span> AKB 2000003<\/span><\/a> and be aware of<\/span> @MrBrian\u2019s recommendations<\/span><\/a> for hiding any unwanted patches. Note that AKB 200003 has been modified to incorporate Microsoft\u2019s fixes-of-fixes in January.<\/span><\/p>\n

For most Windows 7 and 8.1 users, I recommend following<\/span> AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups<\/span><\/a>. If you want to minimize Microsoft\u2019s snooping but still install all of the offered patches, turn off the Customer Experience Improvement Program (Step 1 of<\/span> AKB 2000007: Turning off the worst Windows 7 and 8.1 snooping<\/span><\/a>) before you install any patches. (Thx, @MrBrian.)<\/span><\/p>\n

Watch out for driver updates \u2014 you\u2019re far better off getting them from a manufacturer\u2019s website. After you\u2019ve installed the latest Monthly Rollup, if you\u2019re intent on minimizing Microsoft\u2019s snooping, run through the steps in<\/span> AKB 2000007: Turning off the worst Win7 and 8.1 snooping<\/span><\/a>. Realize that <\/span>we don\u2019t know <\/i><\/strong>what information Microsoft collects on Window 7 and 8.1 machines. But I\u2019m starting to believe that information pushed to Microsoft\u2019s servers for Win7 owners is nearing that pushed in Win10.<\/span><\/p>\n

Step 4. For Windows 10<\/strong><\/p>\n

If you\u2019re running Win10 Creators Update, <\/span>version 1703<\/strong> (my current preference), or <\/span>version 1607<\/strong>, the Anniversary Update, and you want to stay on 1607 or 1703 while those on 1709 get to eat Microsoft\u2019s dog food, follow the<\/span> instructions here<\/span><\/a> to ward off the upgrade. As you go through the steps, keep in mind that Microsoft, uh,<\/span> forgot to honor<\/span><\/a> the \u201cCurrent Branch for Business\u201d setting \u2014 so you need to run the \u201cfeature update\u201d (read: version change) deferral setting, if you have one, all the way up to 365. And hope that Microsoft doesn\u2019t forget how to count to 365.<\/span><\/p>\n

If you\u2019re running an earlier version of Win10, you\u2019re basically on your own. Microsoft doesn’t support you anymore.<\/span><\/p>\n

If you have trouble getting the latest cumulative update installed, make sure you\u2019ve checked your antivirus settings (see ProTip #2 above) and, if all is well, run the <\/span>newly refurbished<\/span><\/a> Windows Update Troubleshooter<\/span><\/a> before inventing new epithets. <\/span><\/p>\n

To get Windows 10 patched, go through the steps in “<\/span>8 steps to install Windows 10 patches like a pro<\/span><\/a>.”<\/span><\/p>\n

As is always the case, <\/span>DON\u2019T CHECK ANYTHING THAT\u2019S UNCHECKED<\/strong>. In particular, don\u2019t be tempted to install anything marked \u201cPreview.\u201d <\/span><\/p>\n

It\u2019s time to get patched. Even if you really, really don\u2019t want to.<\/span><\/p>\n

Thx, @MrBrian, @sb, @PKCano, @abbodi86, and many others<\/span><\/p>\n

Join the chorus on the Titanic at the <\/span><\/i>AskWoody Lounge<\/span><\/i><\/a>.<\/span><\/i><\/p>\n

http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Mon, 05 Mar 2018 11:57:00 -0800<\/strong><\/p>\n

\n
\n

Granted, February\u2019s patches from Microsoft weren\u2019t as malevolent as <\/span>January\u2019s patches<\/span><\/a>, but they still managed to knock out lots and lots of PCs. That said, if you can tiptoe around the problems, now is a good time to get the latest versions of the latest patches installed.<\/span><\/p>\n

Problems with Win10 Fall Creators Update<\/strong><\/h2>\n

The worst problem I see at this point involves <\/span>clobbered USB connections<\/span><\/a> on Win10 Fall Creators Update (version 1709) machines after installing the latest cumulative update, KB 4074588. To its credit, Microsoft has <\/span>acknowledged the problem<\/span><\/a>. But the only offered fix, a complex <\/span>manual workaround<\/span><\/a>, would drive a hardened MS-DOS junkie to drink.<\/span><\/p>\n

To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[714,10761],"class_list":["post-11659","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-security","tag-windows-10"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11659","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11659"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11659\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11659"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11659"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11659"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}