{"id":11952,"date":"2018-04-06T14:30:02","date_gmt":"2018-04-06T22:30:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/04\/06\/news-5721\/"},"modified":"2018-04-06T14:30:02","modified_gmt":"2018-04-06T22:30:02","slug":"news-5721","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/04\/06\/news-5721\/","title":{"rendered":"Get the March patches for your Windows machines installed, but watch out for Win7"},"content":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Fri, 06 Apr 2018 13:51:00 -0700<\/strong><\/p>\n

The quality of March\u2019s patches <\/span>set new lows<\/span><\/a>, even by Windows\u2019 tarnished standards. The Win10 patches flew fast and furious, with new Microsoft-induced bugs introduced and swatted multiple times over the month. The Word 2016 security patch demands that you first install the Word 2016 non-security patch, or Word refuses to open files. That bug hasn\u2019t been fixed. Windows 8.1\/Server 2012R2 escaped relatively unscathed. Server 2008 got a fix for its buggy patch, <\/span>KB 4090450<\/span><\/a>, on April 3. But Windows 7\u2026 ah, that\u2019s a dying horse of a completely different color.<\/span><\/p>\n

The fur\u2019s flying so fast and thick that it\u2019s hard to pick an auspicious point in time to get patched up, but now seems as opportune a moment as any. Except for Win7. If you\u2019re still using Win7 \u2014 and about half of the Windows world is \u2014 you have a difficult choice to make.<\/span><\/p>\n

You can read some of the <\/span>historic details here<\/span><\/a>, but the short version goes like this:<\/span><\/p>\n

As of this moment, EVERY Windows 7 \/ Server 2008 R2 64-bit patch released this year opens a gaping security hole commonly called \u201cTotal Meltdown.\u201d In addition, recent patches have a healthy collection of bugs that range from blue screens (STOP messages), to blocking Internet Explorer 11, to a particularly debilitating bug for folks running servers that leads to lockups due to SMB leaks.<\/span><\/p>\n

Microsoft has released a fix for the Total Meltdown hole, but installing it brings along many of those creepy bugs.<\/span><\/p>\n

The 32-bit version of Win7 doesn\u2019t seem to have the same problems, but I\u2019m seeing reports of blue screens after installing the 32-bit version of the Win7 Security-only update.<\/span><\/p>\n

Realize this drama unfolded over weeks of bad patches, re-patches, re-re-patches, appended patches, surprise patch confessions, patched surprise patch confessions, and documentation that comes from a demonstrably unparallel dimension. Even now, on the Friday before Patch Tuesday, we have a warning of <\/span>yet another patch in the offing<\/span><\/a> that hasn\u2019t been released as yet, and it isn\u2019t completely clear how (or if) Microsoft will <\/span>fix the ongoing NIC\/static IP address bug<\/span><\/a>.<\/span><\/p>\n

The Windows 7\/Server 2008 R2 inanity has been surrounded by on-again, off-again patches, like evil sprites prancing around a Win7 bonfire. At any given moment, on any given machine, one or some or all of the March Win7 patches may be offered through Windows Update. A different set of patches may or may not be offered through enterprise update servers (WSUS or SCCM). And for those who defy the automatic update gods and install patches manually, unknown conflicts and hidden prerequisites abound.<\/span><\/p>\n

Against that demonic backdrop, I offer the following recommendations\u2026<\/span><\/p>\n

Go ahead and install all outstanding Win10 patches. They were <\/span>re-released and re-re-released<\/span><\/a> in March, and the current versions appear to be working OK. Heaven only knows what\u2019s going to happen on April Patch Tuesday, so get the patches squared away now.<\/span><\/p>\n

I\u2019ve thought long and hard about whether to recommend that Win10 Creators Update (version 1703) customers upgrade to Win10 Fall Creators Update (version 1709). It looks like Microsoft has pushed about 90% of all Win10 1703 users on to 1709 \u2014\u00a0<\/span>forcibly <\/span><\/a>in some cases. And 1803 appears to be ready to launch next Tuesday. So if you\u2019re so inclined, the time to move to 1709 is now, unless you want to quickly <\/span>squirrel away a copy<\/span><\/a> of 1709 to install at a later date \u2014 but you need to do that in the next few days.<\/span><\/p>\n

Personally, I\u2019m not going to bother with 1709. The <\/span>new features<\/span><\/a> aren\u2019t worth a second glance for most (3D this ‘n’ that, keyboard emojis, Controlled Folder Access \u2014 which is so intrusive that I disabled it immediately). I\u2019d consider moving to 1709 for the OneDrive Files on Demand feature, but I use Dropbox and Google Drive much more than OneDrive. <\/span><\/p>\n

If you feel bold enough to move to 1709 on your own terms, not Microsoft\u2019s, now\u2019s the time to roll the Defer feature updates setting (Start > Settings > Update & security > Advanced Options) down to 0. Let the Fall Creators Update engulf you. As for me and \u00a0mine, meh, I\u2019m sticking with 1703.<\/span><\/p>\n

That bug in the Word 2016 security patch, KB 4011730, hasn\u2019t been fixed: If you install it, you <\/span>need to get <\/span><\/a>the non-security patch, KB 4018295, too. Otherwise, you won\u2019t be able to open or save Word documents.<\/span><\/p>\n

Other than that, Susan Bradley\u2019s <\/span>Master Patch List<\/span><\/a> says the March Office patches are OK.<\/span><\/p>\n

\u201cYou gotta ask yourself one question: Do I feel lucky?\u201d<\/span><\/p>\n

There\u2019s no clearcut right-or-wrong answer to the patching question of the month: Should you patch Win7 or just let sleeping dogs lie? I\u2019ve struggled with scenarios and arguments both for and against installing the mammoth list of buggy March Win7 patches. No luck. Here\u2019s the best I could come up with:<\/span><\/p>\n

*The Total Meltdown attacks, when they come, will rely on infected web pages and files you receive from the web. At least, that\u2019ll be the first wave. Of course, we\u2019ll be watching intently and screaming bloody murder should something untoward happen, both on AskWoody and Computerworld<\/em>. With a little luck, you\u2019ll have enough advance warning that you can get all of the March patches installed in time. Or maybe Microsoft will clean up its Win7 act for the April round of patches. Hope springs eternal.<\/span><\/p>\n

If your machine slows down noticeably after March\u2019s patches (or any of the January or February patches), you can disable many of the fixes and see if your machine speeds back up. Microsoft <\/span>has instructions<\/span><\/a>. Steve Gibson\u2019s <\/span>InSpectre tool <\/span><\/a>automates much of it.<\/span><\/p>\n

Don\u2019t forget: There are <\/span>no known exploits <\/strong>for Meltdown or Spectre in the wild. None. Zero. Never have been.<\/span><\/p>\n

The patching pattern should be familiar to many of you.<\/span><\/p>\n

If you\u2019re running Win7 or 8.1, you still need to have a reasonably recent version of your antivirus software. If you\u2019re running Windows Defender\/Microsoft Security Essentials, you\u2019re fine. If you want to check to see if your machine, specifically, is ready for the March patches, follow the steps<\/span> posted by SueW<\/span><\/a> on AskWoody.com<\/span><\/p>\n

Starting next month, it looks as if this step will no longer be necessary for Win7 and 8.1. It\u2019s already been waived for Win10.<\/span><\/p>\n

There\u2019s a non-zero chance that the patches \u2014 even the latest, greatest patches of patches of patches \u2014 will hose your machine. Best to have a backup that you can reinstall even if your machine refuses to boot. This, in addition to the usual need for System Restore points.<\/span><\/p>\n

There are plenty of full-image backup products, including at least two good free ones:<\/span> Macrium Reflect Free<\/span><\/a> and<\/span> EaseUS Todo Backup<\/span><\/a>.<\/span><\/p>\n

Microsoft is blocking updates to Windows 7 and 8.1 on recent computers. If you are running Windows 7 or 8.1 on a PC that\u2019s a year old or less, follow the instructions in<\/span> AKB 2000006<\/span><\/a> or<\/span> @MrBrian\u2019s summary of @radosuaf\u2019s method<\/span><\/a> to make sure you can use Windows Update to get updates applied.<\/span><\/p>\n

If you\u2019re very concerned about Microsoft\u2019s snooping on you and want to install just security patches, realize that the privacy path\u2019s getting more difficult. The old \u201cGroup B\u201d \u2014 security patches only \u2014 isn\u2019t dead, but it\u2019s no longer within the grasp of typical Windows customers. If you insist on manually installing security patches only, follow the instructions in @PKCano\u2019s<\/span> AKB 2000003<\/span><\/a> and be aware of<\/span> @MrBrian\u2019s recommendations<\/span><\/a> for hiding any unwanted patches. <\/span><\/p>\n

For most Windows 7 and 8.1 users, I recommend following<\/span> AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups<\/span><\/a>. Realize that some or all of the expected patches for March may not show up or, if they do show up, may not be checked. DON’T CHECK any unchecked patches. Unless you’re very sure of yourself, DON’T GO LOOKING for additional patches. That way thar be tygers. If you’re going to install the March patches, accept your lot in life, and don’t mess with Mother Microsoft.<\/span><\/p>\n

If you want to minimize Microsoft\u2019s snooping but still install all of the offered patches, turn off the Customer Experience Improvement Program (Step 1 of<\/span> AKB 2000007: Turning off the worst Windows 7 and 8.1 snooping<\/span><\/a>) before you install any patches. (Thx, @MrBrian.) If you see KB 2952664 (for Win7) or \u00a0its Win8.1 cohort, KB 2976978 \u2014 the patches that so helpfully make it easier to upgrade to Win10 \u2014 uncheck them and spread your machine with garlic. Watch out for driver updates \u2014 you\u2019re far better off getting them from a manufacturer\u2019s website. <\/span><\/p>\n

After you\u2019ve installed the latest Monthly Rollup, if you\u2019re intent on minimizing Microsoft\u2019s snooping, run through the steps in<\/span> AKB 2000007: Turning off the worst Win7 and 8.1 snooping<\/span><\/a>. Realize that <\/span>we don\u2019t know <\/i><\/strong>what information Microsoft collects on Window 7 and 8.1 machines. But I\u2019m starting to believe that information pushed to Microsoft\u2019s servers for Win7 owners is nearing that pushed in Win10.<\/span><\/p>\n

If you\u2019re running Win10 Creators Update, <\/span>version 1703<\/strong> (my current preference), or <\/span>version 1607<\/strong>, the Anniversary Update, and you want to stay on 1607 or 1703 while those on 1709 get to eat Microsoft\u2019s dog food, follow the<\/span> instructions here<\/span><\/a> to ward off the upgrade. As you go through the steps, keep in mind that Microsoft, uh,<\/span> forgot to honor<\/span><\/a> the \u201cCurrent Branch for Business\u201d setting \u2014 so you need to run the \u201cfeature update\u201d (read: version change) deferral setting, if you have one, all the way up to 365. And hope that Microsoft doesn\u2019t forget how to count to 365.<\/span><\/p>\n

If you\u2019re running an earlier version of Win10, you\u2019re basically on your own. Microsoft doesn’t support you anymore.<\/span><\/p>\n

If you have trouble getting the latest cumulative update installed, make sure you\u2019ve checked your antivirus settings (see ProTip #2 above) and, if all is well, run the<\/span> newly refurbished<\/span><\/a> Windows Update Troubleshooter<\/span><\/a> before inventing new epithets.<\/span><\/p>\n

To get Windows 10 patched, go through the steps in “<\/span>8 steps to install Windows 10 patches like a pro<\/span><\/a>.”<\/span><\/p>\n

Yes, that\u2019s on the horizon. The next \u201cfeature update\u201d for Win10 will likely arrive on April 10. As with all new versions of Windows, it would be a bit, uh, presumptuous to install it before the unpaid beta testers take a whack at it. Listen to \u2018em whine, whine, whine. With apologies to Jan and Dean.<\/span><\/p>\n

I\u2019ll have full instructions for blocking the update to Win10 1803 coming early next week. But I\u2019ll leave you with this little Protip: If you rely on Microsoft\u2019s Win10 Pro Advanced Options to ward off the update, you\u2019re setting yourself up for a big surprise. Don\u2019t forget that Microsoft pushed Win10 1709 onto machines that had it blocked <\/span>three times in the past six months<\/span><\/a>\u00a0\u2014 and that most Win10 machines now have an official backdoor for version updates.<\/span><\/p>\n

Gotcha.<\/span><\/p>\n

Thanks to the dozens of volunteers on AskWoody who contribute mightily.<\/span><\/i><\/p>\n

We\u2019ve moved to MS-DEFCON 3 on the <\/span><\/i>AskWoody Lounge<\/span><\/i><\/a>.<\/span><\/i><\/p>\n

http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Fri, 06 Apr 2018 13:51:00 -0700<\/strong><\/p>\n

\n
\n

The quality of March\u2019s patches <\/span>set new lows<\/span><\/a>, even by Windows\u2019 tarnished standards. The Win10 patches flew fast and furious, with new Microsoft-induced bugs introduced and swatted multiple times over the month. The Word 2016 security patch demands that you first install the Word 2016 non-security patch, or Word refuses to open files. That bug hasn\u2019t been fixed. Windows 8.1\/Server 2012R2 escaped relatively unscathed. Server 2008 got a fix for its buggy patch, <\/span>KB 4090450<\/span><\/a>, on April 3. But Windows 7\u2026 ah, that\u2019s a dying horse of a completely different color.<\/span><\/p>\n

To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[714,10525],"class_list":["post-11952","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-security","tag-windows"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11952","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11952"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11952\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11952"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11952"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11952"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}