{"id":16854,"date":"2019-11-11T06:30:09","date_gmt":"2019-11-11T14:30:09","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/11\/11\/news-10592\/"},"modified":"2019-11-11T06:30:09","modified_gmt":"2019-11-11T14:30:09","slug":"news-10592","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/11\/11\/news-10592\/","title":{"rendered":"Patch Tuesday alert: Make sure Windows Auto Update is temporarily disabled"},"content":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Mon, 11 Nov 2019 05:03:00 -0800<\/strong><\/p>\n

For those of you who haven\u2019t patched since May, there\u2019s exceedingly bad news on the horizon. Per <\/span>Catalin Cimpanu at ZDNet<\/span><\/a>, Metasploit\u2019s working-but-just-barely BlueKeep exploit is about to get a significant bug fix. That’ll put BlueKeep infection capabilities in the hands of mere mortals. The script kiddies won\u2019t be far behind. <\/span><\/p>\n

If you\u2019re using \u2014 or you know someone who\u2019s using \u2014 Windows XP, Vista, Win7, Server 2003, Server 2008 or Server 2008 R2, <\/span>get patched now<\/span><\/a>.\u00a0<\/span>The fix is easy. Even \u00a0Aunt Martha can handle it.<\/span><\/p>\n

Think of it this way. Would you rather spend the holidays with Aunt Martha over tea and crumpets, or cleaning a BlueKeep infection off her cute little PC? Your choice.<\/span><\/p>\n

Yes, you have to get patched eventually. But there\u2019s very little reason to jump head first into the pernicious patching pit. <\/span>Sit back and watch like a pro<\/span><\/a>. Get automatic update disentangled for a while, and wait while we all watch the unpaid beta testers take one (or more) for the Gipper.<\/span><\/p>\n

If you\u2019re using <\/span>Windows 7 or 8.1<\/strong>, click Start > Control Panel > System and Security. Under Windows Update, click the “Turn automatic updating on or off” link. Click the “Change Settings” link on the left. Verify that you have Important Updates set to “Never check for updates (not recommended)” and click OK.<\/span><\/p>\n

Not sure which version of Win10 you\u2019re running? Down in the Search box, near the Start button, type About, then click About your PC. The version number appears on the right under Windows specifications.<\/span><\/p>\n

If you\u2019re on <\/span>Win10 Pro version 1803<\/strong>, you have three options: Stick with version 1803 a while longer (the last scheduled patch for 1803 arrives Tuesday); upgrade to version 1809; or go for 1903, which has had <\/span>teething problems<\/span><\/a> lately. I have details on the options, what they entail, and how to pursue them here:\u00a0<\/span>Is Windows pushing you to upgrade? Don\u2019t be bullied. There\u2019s a middle path<\/span><\/a>.<\/span><\/p>\n

If you\u2019re using <\/span>Win10 Pro<\/strong> version <\/span>1809<\/strong>, or if you\u2019re on <\/span>Pro 1803 <\/strong>and want to stay there a bit longer, I suggest an update blocking technique that Microsoft recommends for \u201cBroad Release\u201d in its obscure <\/span>Build deployment rings for Windows 10 updates<\/span><\/a>\u00a0\u2013 \u00a0it’s intended for admins, but applies to you, too. (Thx, @zero2dash)<\/span><\/p>\n

Step 1.<\/strong> Using an administrative account, click Start > Settings > Update & Security.\u00a0<\/span><\/p>\n

Step 2.<\/strong> On the left, choose Windows Update. On the right, click the link for Advanced options. If you\u2019re using Win10 version 1803 or 1809, you see the settings in the screenshot.\u00a0<\/span><\/p>\n

Step 3. <\/strong>The first box \u2013 \u201cSemi-Annual Channel\u201d \u2013 is no longer recognized by Microsoft. It’s changed the terminology over and over. In our newly-redefined update world, choosing \u201cSemi-Annual Channel\u201d adds 60 days to the \u201cfeature update\u201d setting discussed in the next step. I recommend that you nod, wink and, in the first box, choose Semi-Annual Channel.<\/span><\/p>\n

Step 4.<\/strong> To further delay new versions until they\u2019ve been minimally tested, roll the \u201cfeature update\u201d deferral setting all the way up to 365 days. That tells the Windows Updater (unless Microsoft makes another \u201cmistake,\u201d <\/span>as it has numerous times in the past<\/span><\/a>) that it should wait until 425 days <\/span>after <\/i><\/strong>a new version is released (60 days for Semi-Annual Channel + 365 days deferral) before upgrading and re-installing Windows on your machine.<\/span><\/p>\n

Of course, nobody expects Microsoft to keep its mitts off your 1803 machine until Jan. 12, 2020 (that’s the version 1809 release date + 425 days) or refrain from upgrading your 1809 machine until July 19, 2020 (version 1903 release date + 425 days): Even though those settings appear here, Microsoft is sure to ignore them and blast you onto the next version, somehow, at some point. We just don\u2019t know how or when quite yet.<\/span><\/p>\n

If you\u2019d like to block a forced upgrade to 1903 for the foreseeable future, follow the instructions in <\/span>How to block the Windows 10 May 2019 Update, version 1903, from installing<\/span><\/a>.<\/span><\/p>\n

We also don\u2019t know exactly when Microsoft will start pushing the inevitable upgrade to Win10 version 1909. While it\u2019s likely that the upgrade will be far less traumatic than every Win10 upgrade in the past, you might want to hedge your bets on this one, too. To keep 1909 off your machine until you\u2019re good \u2018n ready to take it, follow the instructions in <\/span>How to block the Windows 10 November 2019 Update, version 1909, from installing<\/span><\/a>.<\/span><\/p>\n

Step 5.<\/strong> To delay cumulative updates, set the \u201cquality update\u201d deferral to 15 days or so. (\u201cQuality update\u201d = cumulative update = bug fix.) In my experience, Microsoft usually yanks bad Win10 cumulative updates within a couple of weeks of their initial release. By setting this to 10 or 15 or 20 days, Win10 will update itself after the major screams of pain have subsided and (with some luck) the bad cumulative updates have been pulled or re-issued. Notably, in February 2019, it took Microsoft 18 days to fix its first-Tuesday bugs.<\/span><\/p>\n

Step 6.<\/strong> Just \u201cX\u201d out of the settings pane. You don\u2019t need to explicitly save anything.<\/span><\/p>\n

In the past I\u2019ve recommended that you avoid clicking \u201cCheck for updates\u201d simply because, until a few months ago, clicking \u201cCheck for updates\u201d would automatically install everything Microsoft had backed up for your machine without giving you a chance to peruse the items on offer. It now appears as if Microsoft has seen the error of its ways, and no longer dumps everything on your machine, should you have the temerity to \u201cCheck.\u201d Still, I\u2019m a superstitious old cuss with a long memory. <\/span>I<\/i><\/strong> won\u2019t be clicking \u201cCheck for updates\u201d any time soon.<\/span><\/p>\n

If there are any real howlers \u2013 months where the cumulative updates were irretrievably bad, and never got any better, as <\/span>they were in July 2018<\/span><\/a>\u00a0\u2013 we\u2019ll let you know, loud and clear.\u00a0<\/span><\/p>\n

If you have Win10 Home, version 1803 or 1809, your only reasonable option (other than installing a third-party patch blocker) is to set your internet connection to \u201cmetered.\u201d Metered connections are an update-blocking kludge that seems to work to fend off cumulative updates, but as best I can tell still doesn\u2019t have Microsoft\u2019s official endorsement as a cumulative update prophylactic. Worryingly, there are some reports that Microsoft is pushing for upgrades even if they go over metered connections.<\/span><\/p>\n

To set your Ethernet connection as metered: Using an administrator account, click Start > Settings > Network & Internet. On the left, choose Ethernet. On the right, click on your Ethernet connection. Then move the slider for Metered connection to On.<\/span><\/p>\n

To set your Wi-Fi connection as metered: Using an administrator account, click Start > Settings > Network & Internet. On the left, choose Wi-Fi. On the right, click on your Wi-Fi connection. Move the slider for Metered connection to On.<\/span><\/p>\n

If you set your internet connection to metered, you need to watch closely as the month unfolds, and judge when it\u2019s safe to let the demons in the door. At that point, turn \u201cmetered\u201d off, and just let your machine update itself. Don\u2019t click Check for updates.<\/span><\/p>\n

I\u2019m close to installing 1903 on my production machines, but haven\u2019t yet made the plunge. It still hasn\u2019t been stable enough, for long enough, to get my wholehearted endorsement. If you\u2019ve already upgraded to 1903, though, your patching life<\/span> is considerably simpler<\/span><\/a>.\u00a0<\/span><\/p>\n

In version 1903 (either Home or Pro), using an administrator account, click Start > Settings > Update & Security. At the top, click the Pause updates for 7 days button.\u00a0<\/span><\/p>\n

That button changes so it says Pause updates for seven more days. Click it two more times, for a total of 21 paused days. That defers all updates on your machines until 21 days after you click the button. You can\u2019t extend the deferral any longer unless you install all the outstanding cumulative updates to that point.<\/span><\/p>\n

Historically, 21 days has sufficed to avoid the worst problems.<\/span><\/p>\n

It looks like Win10 version 1909 will be distributed <\/span>just like a cumulative update<\/span><\/a> later this month, possibly on Patch Tuesday. We\u2019ll have more details as the update\/upgrade\/version\/service pack unfolds.<\/span><\/p>\n

We\u2019re at MS-DEFCON 2 <\/span><\/i>on AskWoody<\/span><\/i><\/a>.<\/span><\/i><\/p>\n

http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Mon, 11 Nov 2019 05:03:00 -0800<\/strong><\/p>\n

\n
\n

For those of you who haven\u2019t patched since May, there\u2019s exceedingly bad news on the horizon. Per <\/span>Catalin Cimpanu at ZDNet<\/span><\/a>, Metasploit\u2019s working-but-just-barely BlueKeep exploit is about to get a significant bug fix. That’ll put BlueKeep infection capabilities in the hands of mere mortals. The script kiddies won\u2019t be far behind. <\/span><\/p>\n

If you\u2019re using \u2014 or you know someone who\u2019s using \u2014 Windows XP, Vista, Win7, Server 2003, Server 2008 or Server 2008 R2, <\/span>get patched now<\/span><\/a>.\u00a0<\/span>The fix is easy. Even \u00a0Aunt Martha can handle it.<\/span><\/p>\n

To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[10516,714,10525],"class_list":["post-16854","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-microsoft","tag-security","tag-windows"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16854","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16854"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16854\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16854"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16854"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=16854"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}