![](\"https:\/\/images.idgesg.net\/images\/article\/2017\/09\/windows_patch_security3-100734732-large.3x2.jpg\"\/)
<\/p>\n
Credit to Author: Woody Leonhard| Date: Thu, 30 May 2019 04:16:00 -0700<\/strong><\/p>\n In a normal month, you need a scorecard to keep track of Windows patches. Now, your scorecards need a scorecard. One ray of hope: It looks like some Windows 10 cumulative updates will include the new \u201cDownload and install now\u201d feature.<\/p>\n The May 2019 Windows updates have taken so many twists and turns it\u2019s hard to pin things down, but as of Thursday morning, here\u2019s what we\u2019ve seen.<\/p>\n As of now, all of the recent versions of Win10 (1607\/Server 2016, 1703, 1709, 1803, 1809\/Server 2019) have had three cumulative updates in May. Depending on where you live (or, more correctly, which locality you\u2019ve chosen for your machine), you\u2019ve been pushed one or two of them. If you\u2019re a \u201cseeker\u201d (and clicked \u201cCheck for updates\u201d or downloaded and installed the patches), you\u2019ve had at least two, and maybe three. Got that?<\/p>\n The reason for all the hilarity: The original Win10 cumulative updates broke access<\/a> to certain sites that end with \u201cgov.uk\u201d for Internet Explorer and Edge users. All 10 of you.<\/p>\n The latest \u201coptional\u201d (meaning for \u201cseekers\u201d only) non-security patches include the usual laundry list of fixes for an unconscionable number of bugs. Win10 1809, which has had an inordinate amount of work lavished on its bug fixes over the past eight months, still has several acknowledged flaws including this one:<\/p>\n When attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications, you may receive the error, “Your printer has experienced an unexpected configuration problem. 0x80070007e.”<\/p>\n Microsoft officially started pushing Win10 version 1903 on May 21 (see Gregg Keizer\u2019s birth announcement<\/a>), although I haven\u2019t heard from anyone yet who\u2019s had 1903 pushed onto their systems. Lots of people upgraded to 1903 by clicking on \u201cCheck for updates,\u201d and many were already on 1903 when it went legit, by virtue of being in the Windows Insider Release Preview or Slow rings.<\/p>\n For good measure, Microsoft put its first \u201creal\u201d Win10 1903 cumulative update, KB 4497935, through the Release Preview wringer \u2013 a practice formerly reserved for Win10 1809 patches, which were notoriously late and arguably better vetted. All sorts of confusion resulted when KB 4497935, the May 29 cumulative update for 1903, was released to the teeming masses. (I heard lots of complaints about update deferral settings not being honored.)<\/p>\n As it happens, the settings for those still in the Insider program are different from the settings for those who received their copies of 1903 without being beta testers. G\u00fcnter Born has a detailed explanation<\/a> of what he\u2019s seen in various permutations and combinations.<\/p>\n The single most important fix to Win10 this month arrived on Wednesday with the Win10 1903 KB 4497935 update:<\/p>\n Addresses an issue that may cause an external USB device or SD memory card to be reassigned to an incorrect drive during installation.<\/p>\n Win10 1903, as shipped, had a bug in it that swapped drive letters willy-nilly on external USB drives, SD memory cards, and even some internal drives<\/a>. Susan Bradley put it this way<\/a>:<\/p>\n My Lenovo laptop is \u201cthrottled\u201d because I have an external usb drive that I am using to upgrade this device. This doesn\u2019t bode well for my Acer that only has 32 gigs that I HAVE to attach an external hard drive in order to upgrade it.<\/p>\n So it now appears as if this cumulative update will fix Win10 1903. But in classic Catch-22 fashion, you can\u2019t install the cumulative update on a machine that needs a USB drive in order to install the update.<\/p>\n In more Win10 1903 news, Trend Micro now says<\/a> it won\u2019t have a fix for Win10 1903 compatibility problems with its Apex One\/OfficeScan XG SP1 products until early June. Microsoft\u2019s release information page<\/a> doesn\u2019t mention the gaffe, although it does acknowledge the Sandbox fail to start with error code \u201c0x80070002\u201d bug, Dolby Atmos bugs, AMD RAID driver incompatibilities, display brightness issues, and a dozen additional bugs that should keep you from installing 1903<\/a> until Microsoft gets its act together.<\/p>\n See what I mean about scorecards?<\/p>\n Microsoft has been talking about \u2013 and showing off \u2013 a new feature called \u201cDownload and install now<\/a>\u201d that will give everyone some control over when Win10 updates get installed. It\u2019s a tremendous new feature \u2013 arguably the most important new feature in Windows 10 since the very first version shipped almost four years ago.<\/p>\n The official explanation<\/a> of the feature states without reservation that the \u201cDownload and install now\u201d option will be available for version changes: Before your machine is upgraded to a new version of Win10, you have to explicitly ask for it. Great. The explanation doesn\u2019t<\/em><\/strong>specifically say that the same \u201cDownload and install now\u201d option will be available for cumulative updates.<\/p>\n Earlier this month, I wrote about<\/a> the implications: \u201cDownload and install now\u201d for version changes is tremendous. \u201cDownload and install now\u201d for cumulative updates would be a game-changer, at least for those of us concerned about bad patches.<\/p>\n Now comes word from Leopeva64<\/a> \u2013 who\u2019s been right about several Windows Update revelations \u2013 that Microsoft may implement \u201cDownload and install now\u201d for (many? most? all?) of the monthly second (or third or fourth) \u201coptional non-security\u201d patches.<\/p>\n Time will tell, but we may be witnessing a real breakthrough.<\/p>\n Earlier this month we had quite a shock when Microsoft announced, with appropriate fanfare, that every Windows XP, Win7, Server 2003, 2008 and 2008 R2 machine needed an inoculation to protect against a very mean \u201cwormable\u201d hole in Windows Remote Desktop Services<\/a>. Billed as the son of WannaCry, Microsoft had everyone \u2013 including me \u2013 sounding the alarm to get the crazy thing patched.\u00a0<\/p>\n Now, two weeks later, BlueKeep (as Kevin Beaumont has named the hole) is still a threat, but it\u2019s nowhere to be seen. Ends up that creating a real, working, destructive worm using the security hole is a highly non-trivial task.<\/p>\n I\u2019ve asked every expert<\/a> I can find about an obvious solution \u2014 isn\u2019t it sufficient to simply turn off the Remote Desktop Protocol in the user interface? (In Win7, Start > Control Panel > System and Security > System > Remote Settings, in the System Properties dialog box, click Don\u2019t Allow Connections to This Computer.) That, and\/or blocking port 3389 (the port RDP uses by default) should be enough to keep any RDP-related malware at bay. At least, it appears that way to me.<\/p>\n But I haven\u2019t received a positive response from any of those experts. The ones who know ain\u2019t sayin\u2019. And the ones who probably do know aren\u2019t willing to stick their necks out. It\u2019s hard to fault them: Microsoft hasn\u2019t provided any guidance on the matter, one way or another, so if blocking RDP ends up being insufficient \u2014 no matter how logical \u2014 there\u2019s a lot of exposure to the person making the recommendation.<\/p>\n Oh. For the dozens of you who still use Vista, Microsoft initially forgot to mention that the Server 2008 SP2 version<\/a> of the patch also works with Windows Vista.<\/p>\n Peruse the Patching Pilgrim\u2019s Progress on the <\/em>AskWoody Lounge<\/em><\/a><\/p>\n