{"id":12147,"date":"2018-04-27T08:30:03","date_gmt":"2018-04-27T16:30:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/04\/27\/news-5916\/"},"modified":"2018-04-27T08:30:03","modified_gmt":"2018-04-27T16:30:03","slug":"news-5916","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/04\/27\/news-5916\/","title":{"rendered":"Time to install the April Windows and Office patches, but there\u2019s a big problem with Win7"},"content":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Fri, 27 Apr 2018 09:22:00 -0700<\/strong><\/p>\n

Good things come to those who wait. If you resisted the drill sergeant scream of \u201cGET THOSE PATCHES INSTALLED AS SOON AS THEY\u2019RE OUT, MAGGOT!\u201d you\u2019re about to reap your just reward. <\/span><\/p>\n

As is so often the case, the Patch Tuesday screams are something you should consider, but they\u2019re hardly the final word. At this point, there\u2019s a credible threat forming for Win7 and Server 2008 R2 machines \u2014 Total Meltdown <\/span>is definitely coming<\/span><\/a>\u00a0\u2014 but the sky hasn\u2019t fallen. There are no known Meltdown or Spectre exploits in the wild, and all of the <\/span>hell unleashed<\/span><\/a> by this month\u2019s series of patches and re-patches and pre-appended re-re-patches primarily served as demonic theater to those of us who chose to wait.<\/span><\/p>\n

I don\u2019t know of any major exploits in the wild, as yet, that are blocked by the April patches. But you do need to patch sooner or later \u2014 and right now is as good a time as any.<\/span><\/p>\n

If you waited, the way forward is clear. If you installed some (or all) of this month\u2019s patches as they came out, and you\u2019re using Win7 or Server 2008 R2, you may be stuck in a very difficult spot.<\/span><\/p>\n

Microsoft\u2019s Keystone Kops act returned with a vengeance this month, kicked off by a bug in <\/span>last month\u2019s 64-bit Win7 Monthly Rollup<\/span><\/a> that knocked some Network Interface Cards and some machines with manually set IP addresses off their networks. Microsoft fixed, then re-fixed, then pulled apart and re-fixed the bug, but the re-fix still has problems, even if you uninstall the original fix. Got that? Naw, me neither.<\/span><\/p>\n

Here\u2019s the short version for 64-bit Win7 and Server 2008 R2 machines, for those who install the Monthly Rollups (\u201cGroup A\u201d). Thx to <\/span>@abbodi86<\/span><\/a>, @MrBrian and @PKCano, all of whom contributed to this simplified solution:<\/span><\/p>\n

Step 1.<\/strong> Check your update history to see if you have already installed this month\u2019s Win7\/Server 2008 R2 Monthly Rollup, KB 4093118. If you <\/span>haven\u2019t <\/i><\/strong>installed KB 4093118, you\u2019re fine; proceed with the next section to install the April Monthly Rollup, KB 4093118.<\/span><\/p>\n

Step 2.<\/strong> You have (a possibly old version of) this month\u2019s Monthly Rollup, KB 4093118. Uninstall KB 4093118. Then …<\/span><\/p>\n

Step 2a.<\/strong> If you have the March Monthly Rollup, KB 4088875, uninstall it.<\/span><\/p>\n

Step 2b.<\/strong> If you have the <\/span>Carnak patch<\/span><\/a>, KB 4099950, uninstall it.<\/span><\/p>\n

Step 3.<\/strong> Just for good luck, reboot.<\/span><\/p>\n

That\u2019s the simplest sequence I know to make sure you ultimately get the latest version of a file called pci.sys, after you install this month’s Monthly Rollup. You can <\/span>follow along with the discussion<\/span><\/a>, but the simple fact is that Microsoft\u2019s mucking with KB 4099950 metadata and re-re-releasing KB 4093118 can put you in a position where you have an outdated version of that key file.<\/span><\/p>\n

For those of you who are spitting in the patching god\u2019s face and manually installing Security Only patches (the \u201cGroup B\u201d approach), I wish you well and point you to <\/span>@abbodi86\u2019s instructions<\/span><\/a>.<\/span><\/p>\n

See how you\u2019re way ahead of the game if you didn\u2019t install any of this month\u2019s patches?<\/span><\/p>\n

Go ahead and install all outstanding Win10 patches. The first set of April cumulative updates had some bad bugs<\/a>, but those were fixed in the versions released later in the month.<\/span><\/p>\n

We\u2019re seeing a late-surfacing bug in KB 4018319 (Office 2016) and KB 4018288 (Office 2013) that cause <\/span>problems when opening files with embedded charts<\/span><\/a>. Microsoft has not yet <\/span>officially acknowledged the bug<\/span><\/a>.<\/span><\/p>\n

Other than that, Susan Bradley\u2019s<\/span> Master Patch List<\/span><\/a> says the April Office patches are OK.<\/span><\/p>\n

Before you install this month\u2019s Win7\/Server 2008 R2 patches, make sure you use the above steps to figure out if you have to uninstall anything before you proceed.<\/span><\/p>\n

The patching pattern should be familiar to many of you.<\/span><\/p>\n

There\u2019s a non-zero chance that the patches \u2014 even the latest, greatest patches of patches of patches \u2014 will hose your machine. Best to have a backup that you can reinstall even if your machine refuses to boot. This, in addition to the usual need for System Restore points.<\/span><\/p>\n

There are plenty of full-image backup products, including at least two good free ones:<\/span> Macrium Reflect Free<\/span><\/a> and<\/span> EaseUS Todo Backup<\/span><\/a>.<\/span><\/p>\n

Microsoft is blocking updates to Windows 7 and 8.1 on recent computers. If you are running Windows 7 or 8.1 on a PC that\u2019s a year old or less, follow the instructions in<\/span> AKB 2000006<\/span><\/a> or<\/span> @MrBrian\u2019s summary of @radosuaf\u2019s method<\/span><\/a> to make sure you can use Windows Update to get updates applied.<\/span><\/p>\n

If you\u2019re very concerned about Microsoft\u2019s snooping on you and want to install just security patches, realize that the privacy path\u2019s getting more difficult. The old \u201cGroup B\u201d \u2014 security patches only \u2014 isn\u2019t dead, but it\u2019s no longer within the grasp of typical Windows customers. If you insist on manually installing security patches only, follow the instructions in @PKCano\u2019s<\/span> AKB 2000003<\/span><\/a> and be aware of<\/span> @MrBrian\u2019s recommendations<\/span><\/a> for hiding any unwanted patches.<\/span><\/p>\n

For most Windows 7 and 8.1 users, I recommend following<\/span> AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups<\/span><\/a>. Realize that some or all of the expected patches for April may not show up or, if they do show up, may not be checked. DON’T CHECK any unchecked patches. Unless you’re very sure of yourself, DON’T GO LOOKING for additional patches. That way thar be tygers. If you’re going to install the April patches, accept your lot in life, and don’t mess with Mother Microsoft.<\/span><\/p>\n

If you want to minimize Microsoft\u2019s snooping but still install all of the offered patches, turn off the Customer Experience Improvement Program (Step 1 of<\/span> AKB 2000007: Turning off the worst Windows 7 and 8.1 snooping<\/span><\/a>) before you install any patches. (Thx, @MrBrian.) If you see KB 2952664 (for Win7) or \u00a0its Win8.1 cohort, KB 2976978 \u2014 the patches that so helpfully make it easier to upgrade to Win10 \u2014 uncheck them and spread your machine with garlic. Watch out for driver updates \u2014 you\u2019re far better off getting them from a manufacturer\u2019s website.<\/span><\/p>\n

After you\u2019ve installed the latest Monthly Rollup, if you\u2019re intent on minimizing Microsoft\u2019s snooping, run through the steps in<\/span> AKB 2000007: Turning off the worst Win7 and 8.1 snooping<\/span><\/a>. Realize that <\/span>we don\u2019t know <\/i><\/strong>what information Microsoft collects on Window 7 and 8.1 machines. But I\u2019m starting to believe that information pushed to Microsoft\u2019s servers for Win7 owners is nearing that pushed in Win10.<\/span><\/p>\n

If you\u2019re running Win10 Creators Update, <\/span>version 1703<\/strong> (my current preference), or <\/span>version 1607<\/strong>, the Anniversary Update, and you want to stay on 1607 or 1703 while those on 1709 get to eat Microsoft\u2019s dog food, follow the<\/span> instructions here<\/span><\/a> to ward off the upgrade. As you go through the steps, keep in mind that Microsoft, uh,<\/span> forgot to honor<\/span><\/a> the \u201cCurrent Branch for Business\u201d setting \u2014 so you need to run the \u201cfeature update\u201d (read: version change) deferral setting, if you have one, all the way up to 365. And hope that Microsoft doesn\u2019t forget how to count to 365.<\/span><\/p>\n

If you\u2019re running an earlier version of Win10, you\u2019re basically on your own. Microsoft doesn’t support you anymore.<\/span><\/p>\n

If you have trouble getting the latest cumulative update installed, make sure you\u2019ve checked your antivirus settings (see ProTip #2 above) and, if all is well, run the<\/span> newly refurbished<\/span><\/a> Windows Update Troubleshooter<\/span><\/a> before inventing new epithets.<\/span><\/p>\n

To get Windows 10 patched, go through the steps in “<\/span>8 steps to install Windows 10 patches like a pro<\/span><\/a>.”<\/span><\/p>\n

Thanks to the dozens of volunteers on AskWoody who contribute mightily.<\/span><\/i><\/p>\n

We\u2019ve moved to MS-DEFCON 3 on the<\/span><\/i> AskWoody Lounge<\/span><\/i><\/a>.<\/span><\/i><\/p>\n

http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Fri, 27 Apr 2018 09:22:00 -0700<\/strong><\/p>\n

\n
\n

Good things come to those who wait. If you resisted the drill sergeant scream of \u201cGET THOSE PATCHES INSTALLED AS SOON AS THEY\u2019RE OUT, MAGGOT!\u201d you\u2019re about to reap your just reward. <\/span><\/p>\n

As is so often the case, the Patch Tuesday screams are something you should consider, but they\u2019re hardly the final word. At this point, there\u2019s a credible threat forming for Win7 and Server 2008 R2 machines \u2014 Total Meltdown <\/span>is definitely coming<\/span><\/a>\u00a0\u2014 but the sky hasn\u2019t fallen. There are no known Meltdown or Spectre exploits in the wild, and all of the <\/span>hell unleashed<\/span><\/a> by this month\u2019s series of patches and re-patches and pre-appended re-re-patches primarily served as demonic theater to those of us who chose to wait.<\/span><\/p>\n

To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[714,10525],"class_list":["post-12147","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-security","tag-windows"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12147","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=12147"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12147\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=12147"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=12147"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=12147"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}