{"id":15491,"date":"2019-06-04T04:30:07","date_gmt":"2019-06-04T12:30:07","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/06\/04\/news-9240\/"},"modified":"2019-06-04T04:30:07","modified_gmt":"2019-06-04T12:30:07","slug":"news-9240","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/06\/04\/news-9240\/","title":{"rendered":"It\u2019s time to install the May Windows and Office patches"},"content":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Tue, 04 Jun 2019 05:08:00 -0700<\/strong><\/p>\n

May 2019 will go down in the annals of Patch-dom as the month we all ran for cover to fend off another WannaCry-caliber worm, but a convincing exploit never emerged. <\/span><\/p>\n

Microsoft officially released Windows 10 version 1903 on May 21, but I haven\u2019t yet heard from anyone who\u2019s been pushed. All of the complaints I hear are from those \u201cseekers\u201d who went to the download site and installed 1903 with malice and forethought. A triumph of hope over experience.<\/span><\/p>\n

This month, if you let Windows Update have its way on your machine, you may end up with a different build number than the person sitting next to you. Blame the<\/span> gov.uk debacle<\/span><\/a> for that: Folks with Windows set up for U.K. English get an extra cumulative update pushed onto their machines, whilst those who don\u2019t fly the Union Jack will get the fix in due course next month.<\/span><\/p>\n

Remember the \u201cwormable\u201d <\/span>Remote Desktop security hole<\/span><\/a> that was going to bring down all older Windows machines? As of this writing, early Tuesday morning, there are exactly no known exploits. Lots of people have tried. Plenty of people are selling snake oil. But nobody has yet figured out how to exploit BlueKeep in order to run a nasty program. <\/span><\/p>\n

Before you feel too smug, realize that I continue to recommend that you install the latest Windows 7, XP, Vista, Server 2003, 2008 or 2008 R2 patches. I\u2019m convinced a weapons-grade BlueKeep attack is on the way, and your only gold-standard defense is to fix the bug in Microsoft\u2019s Remote Desktop Protocol.<\/span><\/p>\n

Tell your friends. This is the real thing.<\/span><\/p>\n

Once again this month, you should studiously avoid <\/span>KB 4493132<\/span><\/a>, a Windows 7 patch that does nothing but nag you to move to Windows 10.<\/span><\/p>\n

Windows 10 version 1903 has one truly important new feature: The ability to push off updates. That may be the single most important new feature in Windows 10 since it was released almost four years ago. We still haven\u2019t seen the feature in real-life action, and there\u2019s some ambiguity between the descriptions and the settings, but I have great hope.<\/span><\/p>\n

Don\u2019t make the mistake of jumping in right now<\/span><\/a>\u00a0before Microsoft\u2019s has a chance to iron out the inevitable problems. At the very least, you should wait until Microsoft declares that version 1903 is stable enough for broad deployment in large organizations. <\/span><\/p>\n

There\u2019s supposed to be a \u201cDownload and install now\u201d link arriving soon in Win10 1803 and 1809 to give you some control over when the upgrade to 1903 gets pushed onto your machine. Unfortunately, there\u2019s also a promise from Microsoft that it\u2019ll start pushing 1903 onto 1803 machines this month<\/a>. We still don\u2019t know when the 1803-to-1903 forced upgrades will start, and we don\u2019t know how hard Microsoft will push.<\/span><\/p>\n

Stay tuned.<\/span><\/p>\n

Here\u2019s how to get your system updated the (relatively) safe way.<\/span><\/p>\n

Step 1:<\/strong>\u00a0Make a full system image backup before you install the latest patches.<\/span><\/p>\n

There\u2019s a non-zero chance that the patches \u2014 even the latest, greatest patches of patches of patches \u2014 will hose your machine. Best to have a backup that you can reinstall even if your machine refuses to boot. This, in addition to the usual need for System Restore points.<\/span><\/p>\n

There are plenty of full-image backup products, including at least two good free ones:<\/span> Macrium Reflect Free<\/span><\/a> and<\/span> EaseUS Todo Backup<\/span><\/a>. For Windows 7 users, if you aren\u2019t making backups regularly, take a look at this<\/span> thread started by Cybertooth<\/span><\/a> for details. You have good options, both free and not-so-free.<\/span><\/p>\n

Step 2a:<\/strong>\u00a0For Windows XP, Server 2003, and Embedded POSReady 2009<\/span><\/p>\n

Manually download and install <\/span>KB 4500331<\/span><\/a>. In the Microsoft Update Catalog listing, find the version of Windows XP that concerns you and on the right, click Download. Choose the language that you\u2019re using, and click on the link underneath that language. Click Save File. When the windowsxp-kb4500331-blah-blah.exe file has downloaded, double-click on it and stand back.<\/span><\/p>\n

Step 2b:<\/strong>\u00a0For Windows 7 and 8.1<\/span><\/p>\n

If you have <\/span>McAfee Endpoint Security<\/span><\/a>, make sure it\u2019s up to date. Microsoft says it\u2019s still having problems with McAfee.<\/span><\/p>\n

Microsoft is blocking updates to Windows 7 and 8.1 on recent computers. If you are running Windows 7 or 8.1 on a PC that\u2019s 24 months old or newer, follow the instructions in<\/span> AKB 2000006<\/span><\/a> or<\/span> @MrBrian\u2019s summary of @radosuaf\u2019s method<\/span><\/a> to make sure you can use Windows Update to get updates applied.<\/span><\/p>\n

If you\u2019re very concerned about Microsoft\u2019s snooping on you and want to install just security patches, realize that the privacy path\u2019s getting more difficult. The old \u201cGroup B\u201d \u2014 security patches only \u2014 isn\u2019t dead, but it\u2019s no longer within the grasp of typical Windows customers. If you insist on manually installing security patches only, follow the instructions in @PKCano\u2019s<\/span> AKB 2000003<\/span><\/a> and be aware of<\/span> @MrBrian\u2019s recommendations<\/span><\/a> for hiding any unwanted patches.<\/span><\/p>\n

For most Windows 7 and 8.1 users, I recommend following<\/span> AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups<\/span><\/a>. Realize that some or all of the expected patches for May may not show up, or if they do show up, they may not be checked. DON’T CHECK any unchecked patches. Unless you’re very sure of yourself, DON’T GO LOOKING for additional patches. In particular, if you install the May Monthly Rollups or Cumulative Updates, you won\u2019t need (and probably won\u2019t see) the concomitant patches for April. Don’t mess with Mother Microsoft.<\/span><\/p>\n

If you see<\/span> KB 4493132<\/span><\/a>, the \u201cGet Windows 10\u201d nag patch, make sure it\u2019s unchecked.<\/span><\/p>\n

Watch out for driver updates \u2014 you\u2019re far better off getting them from a manufacturer\u2019s website.<\/span><\/p>\n

After you\u2019ve installed the latest Monthly Rollup, if you\u2019re intent on minimizing Microsoft\u2019s snooping, run through the steps in<\/span> AKB 2000007: Turning off the worst Win7 and 8.1 snooping<\/span><\/a>. If you want to thoroughly cut out the telemetry, see @abbodi86\u2019s detailed instructions in<\/span> AKB 2000012: How To Neutralize Telemetry and Sustain Windows 7 and 8.1 Monthly Rollup Model<\/span><\/a>.<\/span><\/p>\n

Realize that <\/span>we don\u2019t know <\/i><\/strong>what information Microsoft collects on Windows 7 and 8.1 machines. But I\u2019d be willing to bet that fully-updated Win7 and 8.1 machines are leaking almost as much personal info as that pushed in Windows 10.<\/span><\/p>\n

Step 3:<\/strong> For Windows 10<\/span><\/p>\n

If you want to stick with your current version of Windows 10 \u2014 a reasonable alternative \u2014 you can follow my<\/span> advice from February<\/span><\/a> and set \u201cquality update\u201d (cumulative update) deferrals to 15 days, per the screenshot below. If you have quality updates set to 15 days, your machine already updated itself on May 29. Don\u2019t touch a thing and in particular don\u2019t click <\/span>Check for updates<\/span><\/i>.<\/span><\/p>\n

For the rest of you, including those of you stuck with Win10 Home, go through the steps in “<\/span>8 steps to install Windows 10 patches like a pro<\/span><\/a>.” Make sure that you run Step 3 to hide any updates you don\u2019t want (such the Windows 10 1809 upgrade or any driver updates for non-Microsoft hardware) before proceeding.<\/span><\/p>\n

When we have more experience with the new settings in Windows 10 1903, I\u2019ll update these steps specifically for 1903. Until then, we\u2019re watching and waiting, to see how things really work \u2014 and in the interim, these steps should work just fine in 1903. Stay tuned for details.<\/span><\/p>\n

Thanks to the dozens of volunteers on AskWoody who contribute mightily, especially @sb, @PKCano, @abbodi86 and many others.<\/span><\/i><\/p>\n

We\u2019ve moved to MS-DEFCON 4 on the<\/span><\/i> AskWoody Lounge<\/span><\/i><\/a>.<\/span><\/i><\/p>\n

http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Tue, 04 Jun 2019 05:08:00 -0700<\/strong><\/p>\n

\n
\n

May 2019 will go down in the annals of Patch-dom as the month we all ran for cover to fend off another WannaCry-caliber worm, but a convincing exploit never emerged. <\/span><\/p>\n

Microsoft officially released Windows 10 version 1903 on May 21, but I haven\u2019t yet heard from anyone who\u2019s been pushed. All of the complaints I hear are from those \u201cseekers\u201d who went to the download site and installed 1903 with malice and forethought. A triumph of hope over experience.<\/span><\/p>\n

This month, if you let Windows Update have its way on your machine, you may end up with a different build number than the person sitting next to you. Blame the<\/span> gov.uk debacle<\/span><\/a> for that: Folks with Windows set up for U.K. English get an extra cumulative update pushed onto their machines, whilst those who don\u2019t fly the Union Jack will get the fix in due course next month.<\/span><\/p>\n

To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[10516,714,10525],"class_list":["post-15491","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-microsoft","tag-security","tag-windows"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15491","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=15491"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15491\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=15491"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=15491"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=15491"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}