{"id":16745,"date":"2019-11-01T10:30:04","date_gmt":"2019-11-01T18:30:04","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/11\/01\/news-10484\/"},"modified":"2019-11-01T10:30:04","modified_gmt":"2019-11-01T18:30:04","slug":"news-10484","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/11\/01\/news-10484\/","title":{"rendered":"With a few exceptions, all\u2019s clear to install Microsoft\u2019s October patches"},"content":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Fri, 01 Nov 2019 09:54:00 -0700<\/strong><\/p>\n

If you had automatic update turned on at the beginning of October, you got clobbered with a bug-infested, out-of-band update for an IE-related zero-day that <\/span>never appeared in real life.<\/span><\/a> Later in the month, those with automatic update turned on were treated to a wide assortment of bugs<\/a> (Start and Search fails, RDP redlines, older Visual Basic program blasts) \u2013 only some of which were solved with the month\u2019s final, optional, non-security patches.<\/span><\/p>\n

It\u2019s now time to install the October patches. Here\u2019s a guide to what might go bump in the night, and what you can do about it.<\/span><\/p>\n

For users manually installing Windows 7 and 8.1 (and related Server) Security-only patches to avoid Microsoft\u2019s pernicious snooping\/telemetry, I have good news. For October, we haven\u2019t detected the full-monty telemetry packages that were lurking in the July and September \u201cSecurity-only\u201d updates.\u00a0<\/span><\/p>\n

Here\u2019s how to get your system updated the (relatively) safe way.<\/span><\/p>\n

Step 1. Make a full system image backup before you install the latest patches.<\/strong><\/p>\n

There\u2019s a non-zero chance that the patches \u2014 even the latest, greatest patches of patches of patches \u2014 will hose your machine. Best to have a backup that you can reinstall, even if your machine refuses to boot. This is in addition to the usual need for System Restore points.<\/span><\/p>\n

There are plenty of full-image backup products, including at least two good free ones:<\/span> Macrium Reflect Free<\/span><\/a> and<\/span> EaseUS Todo Backup<\/span><\/a>. For Win7 users, If you aren\u2019t making backups regularly, take a look at this<\/span> thread started by Cybertooth<\/span><\/a> for details. You have good options, both free and not-so-free.<\/span><\/p>\n

Step 2. For Win7 and 8.1<\/strong><\/p>\n

Microsoft is blocking updates to Windows 7 and 8.1 on recent computers. If you’re running Windows 7 or 8.1 on a PC that\u2019s less than two years old, follow the instructions in<\/span> AKB 2000006<\/span><\/a> or<\/span> @MrBrian\u2019s summary of @radosuaf\u2019s method<\/span><\/a> to make sure you can use Windows Update to get updates applied.<\/span><\/p>\n

If you\u2019ve been relying on the Security-only \u201cGroup B\u201d patching approach to keep Microsoft\u2019s snooping software off your PC, this month you\u2019re in luck \u2013 we haven\u2019t detected a repeat of the full telemetry packages hidden in the July<\/a> and September<\/a> patches. That means you can install the June, August and October patches without covering Microsoft\u2019s messy tracks.<\/span><\/p>\n

For most Windows 7 and 8.1 users, I recommend following<\/span> AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups<\/span><\/a>. You should have one Windows patch, dated Oct. 8 (the Patch Tuesday patch). <\/span>\u00a0<\/span><\/p>\n

If you have problems with an error 0x8009030f in Transport Layer Security (TLS), see <\/span>this post<\/span><\/a> for the cause and a solution.<\/span><\/p>\n

Realize that some or all of the expected patches for October may not show up or, if they do show up, may not be checked. DON’T CHECK any unchecked patches. Unless you’re very sure of yourself, DON’T GO LOOKING for additional patches. In particular, if you install the October Monthly Rollup, you won\u2019t need (and probably won\u2019t see) the concomitant patches for September. Don’t mess with Mother Microsoft.<\/span><\/p>\n

If you see<\/span> KB 4493132<\/span><\/a>, the \u201cGet Windows 10\u201d nag patch, make sure it\u2019s unchecked.<\/span><\/p>\n

Watch out for driver updates \u2014 you\u2019re far better off getting them from a manufacturer\u2019s website.<\/span><\/p>\n

After you\u2019ve installed the latest Monthly Rollup, if you\u2019re intent on minimizing Microsoft\u2019s snooping, run through the steps in<\/span> AKB 2000007: Turning off the worst Win7 and 8.1 snooping<\/span><\/a>. If you want to thoroughly cut out the telemetry, see @abbodi86\u2019s detailed instructions in<\/span> AKB 2000012: How To Neutralize Telemetry and Sustain Windows 7 and 8.1 Monthly Rollup Model<\/span><\/a>.<\/span><\/p>\n

Realize that <\/span>we don\u2019t know <\/i><\/strong>what information Microsoft collects on Window 7 and 8.1 machines. But I\u2019d be willing to bet that fully-updated Win7 and 8.1 machines are leaking almost as much personal info as that pushed in Win10.<\/span><\/p>\n

Step 3. For Windows 10 prior to version 1903<\/strong><\/p>\n

If you\u2019re running Win10 version 1803, don\u2019t feel bashful about sticking with it. Microsoft\u2019s last security patch for 1803 is scheduled to arrive on Nov. 12, but you have another month after that before the disappearing patches may start to hurt.<\/span><\/p>\n

If you\u2019re running Win10 version 1809 \u2013 my production machines are still on 1809 \u2013 you should start thinking about moving to 1903. Microsoft has issued rivers of patches for 1903 in recent months, and 1903 may be approaching some semblance of stability. That\u2019ll be an ongoing theme this month; stay tuned.<\/span><\/p>\n

I have step-by-step instructions for dealing with the 1803-1809-1903 conundrum in <\/span>How to block the Windows 10 November 2019 Update, version 1909, from installing<\/span><\/a>.<\/span><\/p>\n

Once you\u2019re running the version of Win10 you want \u2013 there\u2019s no reason to install patches until you\u2019re running the right version \u2013 and you have Win10 Pro (or Education or Enterprise), you can follow my<\/span> advice from February<\/span><\/a> and set \u201cquality update\u201d (cumulative update) deferrals to 15 days, per the screenshot below. If you have quality updates set to 15 days, your machine already updated itself on Oct. 23 and will update again on Nov. 27. Don\u2019t touch a thing and in particular don\u2019t click <\/span>Check for updates<\/span><\/i>.<\/span><\/p>\n

Woody Leonhard\/IDG<\/span><\/p>\n

If you\u2019re stuck with Win10 Home, and you don\u2019t want to upgrade to Win10 version 1909 (specifically to take advantage of its vastly improved patch blocking features), go through the steps in “<\/span>8 steps to install Windows 10 patches like a pro<\/span><\/a>.” Make sure that you run Step 3, to hide any updates you don\u2019t want (such as the Win10 1903 upgrade or any driver updates for non-Microsoft hardware) before proceeding.<\/span><\/p>\n

If you see a notice that “You’re currently running a version of windows that’s nearing the end of support. We recommend you update to the most recent version of Windows 10 now to get the latest features and security improvements” you can safely chill. Win10 1803 will get patched through November and doesn’t really turn belly-side up until December. If you see a link to \u201cDownload and install now,\u201d ignore it for the same reason.<\/span><\/p>\n

Step 4. For Windows 10 version 1903<\/strong><\/p>\n

Most users running Win10 version 1903 will want to install the first (but not the second) October cumulative update. We still have a couple of unresolved errors in Win10 1903, though, that may prove to be showstoppers:<\/span><\/p>\n

Should either of those bugs, uh, bug you, uninstall the October update as soon as you hit the problem. There\u2019s nothing in the October updates that you absolutely have to have right now. Let\u2019s see if Microsoft irons out those bugs at some point in the future.<\/span><\/p>\n

Windows Update in Win10 version 1903 went through a <\/span>major makeover<\/span><\/a> in September \u2013 the documentation didn\u2019t change, but the behavior did. The result is a major step forward in Windows 10 patching.<\/span><\/p>\n

There\u2019s a legacy fly in the ointment, though. If you\u2019ve moved to Win10 Pro version 1903, and you set 15-day deferral on quality updates (as shown in the screenshot below), you\u2019ll no doubt discover that the settings shown are no longer available on your machine. I have details about the change, and its implications, in <\/span>The difference between Defer updates, Pause updates and Delay updates \u2014 and what happens with Win10 1909<\/span><\/a>.<\/span><\/p>\n

Long story short, the setting shown in the screenshot may not be visible on your machine. Not to worry. You have a belt-and-suspenders kind of second choice. If you\u2019re on Win10 version 1903 (either Home or Pro), click the link on the Windows Update page that says \u201cPause updates for 7 days,\u201d then click on the newly revealed link, which says \u201cPause updates for 7 more days,\u201d then click it again.<\/span><\/p>\n

By clicking that link three times, you\u2019ll defer cumulative updates for 21 days from the day you started clicking — if you do it today, you\u2019ll be protected until Nov. 22 \u2013 which is typically long enough for Microsoft to work out the worst bugs in their patches.<\/span><\/p>\n

There are several group policies and a handful of registry settings working in the background when you make those changes. But if you\u2019re using Pro and set the quality update deferral to 15 days, <\/span>and <\/i><\/strong>punch the \u201cPause updates for 7 days\u201d button three times (on either Home or Pro), you should be in good shape.<\/span><\/p>\n

If you see an offer of an Optional update (see screenshot), don\u2019t click Download and install now. Even more bugs await.<\/span><\/p>\n

There\u2019s one exception: If you hit any of the <\/span>documented problems<\/span><\/a> with Win10 version 1903 \u2013 the Start menu triggers a Critical error; Search doesn\u2019t work; your machine redlines after disconnecting from a remote session \u2013 you might (operative term: <\/span>might<\/span><\/i>) have some luck installing the Optional update. Numerous posters have said that the second cumulative update still doesn\u2019t work (see Laurence Abrams\u2019 article in <\/span>BleepingComputer<\/span><\/a>), but Microsoft says the latest \u201coptional\u201d patch should help in some cases. Probably wouldn\u2019t hurt to give it a try.<\/span><\/p>\n

Happy trails. Or are those contrails?<\/span><\/p>\n

Thanks to the dozens of volunteers on AskWoody who contribute mightily, especially @sb, @PKCano, @abbodi86 and many others.<\/span><\/i><\/p>\n

We\u2019ve moved to MS-DEFCON 4 on the<\/span><\/i> AskWoody Lounge<\/span><\/i><\/a>.<\/span><\/i><\/p>\n

http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Fri, 01 Nov 2019 09:54:00 -0700<\/strong><\/p>\n

\n
\n

If you had automatic update turned on at the beginning of October, you got clobbered with a bug-infested, out-of-band update for an IE-related zero-day that <\/span>never appeared in real life.<\/span><\/a> Later in the month, those with automatic update turned on were treated to a wide assortment of bugs<\/a> (Start and Search fails, RDP redlines, older Visual Basic program blasts) \u2013 only some of which were solved with the month\u2019s final, optional, non-security patches.<\/span><\/p>\n

To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[13764,714,10525],"class_list":["post-16745","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-pcs","tag-security","tag-windows"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16745","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16745"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16745\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16745"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16745"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=16745"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}