![](\"https:\/\/images.idgesg.net\/images\/article\/2017\/09\/windows_patch_security14-100734743-large.3x2.jpg\"\/)
<\/p>\n
Credit to Author: Woody Leonhard| Date: Wed, 02 Oct 2019 11:00:00 -0700<\/strong><\/p>\n It\u2019s a smelter-weight slapdown.\u00a0<\/span><\/p>\n In one corner you have the Chicken Little contingent, which insists that September\u2019s IE zero-day patch <\/span>must <\/i><\/strong>be important because Microsoft marked it as \u201cExploited: Yes\u201d and memorialized it with <\/span>an extremely odd patch on a Monday<\/span><\/a>, followed in Keystone Kops fashion with a <\/span>stumbling trail of follow-ons<\/span><\/a>.\u00a0<\/span><\/p>\n In the other corner you have Dummies like me who say Microsoft <\/span>obviously didn\u2019t care <\/span><\/a>that much about the security hole because it didn\u2019t really push out a fix. If Microsoft were serious about the zero-day, the Dummies insist, it would\u2019ve gotten its act together by now. Demonstrably, the act is still in progress.<\/span><\/p>\n And in the middle you have a billion or two Windows customers who really don\u2019t care. They just want their computers to work and not suddenly get whopped by a WannaCry wannabe.<\/span><\/p>\n Welcome to Windows as a service.<\/span><\/p>\n With Internet Explorer usage share rapidly swirling down the drain, you might wonder why anybody would <\/span>care <\/i><\/strong>about a patch for a zero-day bug in IE. The problem is that some security holes in IE can be exploited even if you aren\u2019t using IE because Microsoft spreads IE plumbing throughout Windows. Fair enough. But Microsoft hasn\u2019t said if the CVE-2019-1367 exploit can be harnessed even if you aren\u2019t using IE. So the long and short answer is we don\u2019t know if you really need to install the IE patch(es).<\/span><\/p>\n That\u2019s true in spite of what you heard on your local evening news right after the weather report\u00a0\u2014 or read in one of a gazillion Chicken Little articles rumbling in the Windows echo chamber.<\/span><\/p>\n In what follows, I\u2019ll show you how to install the official, approved patches for all versions of Windows. That\u2019ll leave you unprotected from the CVE-2019-1367 ghoul. If the Chicken Little approach appeals to you, when you\u2019re done with these steps, you have one of two choices for Windows 10:<\/span><\/p>\n If you\u2019re using Windows 7 or 8.1 (or Server variants) and you follow the instructions here, you\u2019ll get all the recommended September patches, but you won\u2019t be protected from the CVE-2019-1367 mess. If you\u2019re in the Chicken Little party, the easiest way to get protected is to manually install a single standalone patch, KB<\/span> 4522007<\/span><\/a>, that applies to IE in Win7, 8.1, Server 2012 and Server 2012 R2. It\u2019s a plain-vanilla IE patch (which means it\u2019s a rollup), arriving at a weird time. It\u2019s NOT a Windows patch.\u00a0<\/span><\/p>\n This month brought three cumulative updates for each version of Win10. The last cumulative update, marked \u201coptional, non-security\u201d is in fact a security patch. But you Win10 users shouldn\u2019t feel special. Win7 and 8.1 this month have precisely the opposite problem\u00a0\u2014 their \u201cSecurity only\u201d patches include the full suite of Microsoft snooping\/telemetry updates, and installing them sets up scheduled tasks to use them.<\/span><\/p>\n It\u2019s the same shenanigans we saw in July.<\/span><\/p>\n Fortunately, there are ways to circumvent the telemetry\u00a0\u2014 or at least minimize it. Details follow.<\/span><\/p>\n Here\u2019s how to get your system updated the (relatively) safe way.<\/span><\/p>\n Step 1. Make a full system image backup before you install the latest patches<\/strong><\/p>\n There\u2019s a non-zero chance that the patches \u2014 even the latest, greatest patches of patches of patches \u2014 will hose your machine. Best to have a backup that you can reinstall even if your machine refuses to boot. This, in addition to the usual need for System Restore points.<\/span><\/p>\n There are plenty of full-image backup products, including at least two good free ones:<\/span> Macrium Reflect Free<\/span><\/a> and<\/span> EaseUS Todo Backup<\/span><\/a>. For Win 7 users, If you aren\u2019t making backups regularly, take a look at this<\/span> thread started by Cybertooth<\/span><\/a> for details. You have good options, both free and not-so-free.<\/span><\/p>\n Step 2. For Win7 and 8.1<\/strong><\/p>\n Microsoft is blocking updates to Windows 7 and 8.1 on recent computers. If you are running Windows 7 or 8.1 on a PC that\u2019s 24 months old or newer, follow the instructions in<\/span> AKB 2000006<\/span><\/a> or<\/span> @MrBrian\u2019s summary of @radosuaf\u2019s method<\/span><\/a> to make sure you can use Windows Update to get updates applied.<\/span><\/p>\n If you\u2019ve been relying on the Security-only \u201cGroup B\u201d patching approach to keep Microsoft\u2019s snooping software off your PC, you\u2019re stuck again this month. You can install the August Security-only patch without bringing in the snooping routines. But unless you install the telemetry-laden July and September Security-only patches, you\u2019re missing a couple of months of (not really all that important) patches. Think of it as a preview of your January Win7 end-of-support conundrum.<\/span><\/p>\n For most Windows 7 and 8.1 users, I recommend following<\/span> AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups<\/span><\/a>. You should have one Windows patch, dated Sept. 10 (the Patch Tuesday patch). If you\u2019re very paranoid about the CVE-2019-1367 IE zero-day exposure, use the separately downloaded and manually installed IE update, KB<\/span> 4522007<\/span><\/a>.\u00a0<\/span><\/p>\n Realize that some or all of the expected patches for September may not show up or, if they do show up, may not be checked. DON’T CHECK any unchecked patches. Unless you’re very sure of yourself, DON’T GO LOOKING for additional patches. In particular, if you install the September Monthly Rollup, you won\u2019t need (and probably won\u2019t see) the concomitant patches for August. Don’t mess with Mother Microsoft.<\/span><\/p>\n If you see<\/span> KB 4493132<\/span><\/a>, the \u201cGet Windows 10\u201d nag patch, make sure it\u2019s unchecked.<\/span><\/p>\n Watch out for driver updates \u2014 you\u2019re far better off getting them from a manufacturer\u2019s website.<\/span><\/p>\n After you\u2019ve installed the latest Monthly Rollup, if you\u2019re intent on minimizing Microsoft\u2019s snooping, run through the steps in<\/span> AKB 2000007: Turning off the worst Win7 and 8.1 snooping<\/span><\/a>. If you want to thoroughly cut out the telemetry, see @abbodi86\u2019s detailed instructions in<\/span> AKB 2000012: How To Neutralize Telemetry and Sustain Windows 7 and 8.1 Monthly Rollup Model<\/span><\/a>.<\/span><\/p>\n Realize that <\/span>we don\u2019t know <\/i><\/strong>what information Microsoft collects on Window 7 and 8.1 machines. But I\u2019d be willing to bet that fully-updated Win7 and 8.1 machines are leaking almost as much personal info as that pushed in Win10.<\/span><\/p>\n Step 3. For Windows 10 prior to version 1903<\/strong><\/p>\n If you want to stick with your current version of Win10 Pro \u2014 a reasonable alternative \u2014 you can follow my<\/span> advice from February<\/span><\/a> and set \u201cquality update\u201d (cumulative update) deferrals to 15 days, per the screenshot. If you have quality updates set to 15 days, your machine already updated itself on Sept. 25, and will update again on Oct. 16. Don\u2019t touch a thing and in particular don\u2019t click <\/span>Check for updates<\/span><\/i>.<\/span><\/p>\n For the rest of you, including those of you stuck with Win10 Home, go through the steps in “<\/span>8 steps to install Windows 10 patches like a pro<\/span><\/a>.” Make sure that you run Step 3, to hide any updates you don\u2019t want (such as the Win10 1903 upgrade or any driver updates for non-Microsoft hardware) before proceeding.<\/span><\/p>\n If you see a notice that “You’re currently running a version of windows that’s nearing the end of support. We recommend you update to the most recent version of Windows 10 now to get the latest features and security improvements” you can safely chill. Win10 1803 is good through November. If you see a link to \u201cDownload and install now,\u201d ignore it\u00a0\u2014 for the same reason.<\/span><\/p>\n Step 4. For Windows 10 version 1903<\/strong><\/p>\n Windows Update in Win10 version 1903 went through a <\/span>major makeover<\/span><\/a> last month. The result, if it works the way it\u2019s been described, will be a major step forward in Windows 10 patching.<\/span><\/p>\n There\u2019s a legacy fly in the ointment, though. If you\u2019ve moved to Win10 Pro version 1903, and you set 15 day deferral on quality updates (as shown in the preceding screenshot), you\u2019ll no doubt discover that the settings shown in the screenshot are no longer available on your machine. Microsoft hasn\u2019t yet deigned to tell us what\u2019s going on, but you can rest assured that your 15-day deferral was obeyed\u00a0\u2014 and you got the September patches on Sept. 25. Don\u2019t worry about changing the deferral settings. You\u2019re protected until Oct. 16.<\/span><\/p>\n Long story short, the setting shown in the screenshot <\/span>may not be visible on your machine<\/span><\/a>. Not to worry. You have a belt-and-suspenders kind of second choice. If you\u2019re on Win10 version 1903 (either Home or Pro), click the link on the Windows Update page that says \u201cPause updates for 7 days,\u201d then click on the newly revealed link, which says \u201cPause updates for 7 more days,\u201d then click it again.<\/span><\/p>\n By clicking that link three times, you\u2019ll defer cumulative updates for 21 days from the day you started clicking\u00a0\u2014 if you do it today, you\u2019ll be protected until Oct. 23\u00a0\u2014 which is typically long enough for Microsoft to work out the worst bugs in their patches.<\/span><\/p>\n There are several group policies and a handful of registry settings working in the background when you make those changes. But if you\u2019re using Pro and set the quality update deferral to 15 days, <\/span>and <\/i><\/strong>punch the \u201cPause updates for 7 days\u201d button three times (on either Home or Pro), you should be in good shape.<\/span><\/p>\n If you see an offer of an Optional update (screenshot), don\u2019t click Download and install now. Even more bugs await.<\/span><\/p>\n And, no, I don’t know how to reliably keep Win10 1909 off your 1903 machine. For now, the Pause updates button should keep you protected. At some point Microsoft will have to explain exactly how the feature-upgrade-in-cumulative-update-clothing gets installed.<\/span><\/p>\n I think.<\/span><\/p>\n Stay tuned.<\/span><\/p>\n Thanks to the dozens of volunteers on AskWoody who contribute mightily, especially @sb, @PKCano, @abbodi86 and many others.<\/span><\/i><\/p>\n We\u2019ve moved to MS-DEFCON 3 on the<\/span><\/i> AskWoody Lounge<\/span><\/i><\/a>.<\/span><\/i><\/p>\n http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":" Credit to Author: Woody Leonhard| Date: Wed, 02 Oct 2019 11:00:00 -0700<\/strong><\/p>\n It\u2019s a smelter-weight slapdown.\u00a0<\/span><\/p>\n In one corner you have the Chicken Little contingent, which insists that September\u2019s IE zero-day patch <\/span>must <\/i><\/strong>be important because Microsoft marked it as \u201cExploited: Yes\u201d and memorialized it with <\/span>an extremely odd patch on a Monday<\/span><\/a>, followed in Keystone Kops fashion with a <\/span>stumbling trail of follow-ons<\/span><\/a>.\u00a0<\/span><\/p>\n<\/p>\n