11
Oct 16

Microsoft: No More Pick-and-Choose Patching

Adobe and Microsoft today each issued updates to fix critical security flaws in their products. Adobe’s got fixes for Acrobat and Flash Player ready. Microsoft’s patch bundle for October includes fixes for at least five separate “zero-day” vulnerabilities — dangerous flaws that attackers were already exploiting prior to today’s patch release. Also notable this month is that Microsoft is changing how it deploys security updates, removing the ability for Windows users to pick and choose which individual patches to install.

brokenwindowsZero-day vulnerabilities describe flaws that even the makers of the targeted software don’t know about before they start seeing the flaws exploited in the wild, meaning the vendor has “zero days” to fix the bugs.

According to security vendor Qualys, Patch Tuesday updates fix zero-day bugs in Internet Explorer and Edge — the default browsers on different versions of Windows. MS16-121 addresses a zero-day in Microsoft Office. Another zero-day flaw affects GDI+ — a graphics component built into Windows that can be exploitable through the browser. The final zero-day is present in the Internet Messaging component of Windows.

Starting this month, home and business Windows users will no longer be able to pick and choose which updates to install and which to leave for another time. For example, I’ve often advised home users to hold off on installing .NET updates until all other patches for the month are applied — reasoning that .NET updates are very large and in my experience have frequently been found to be the source of problems when applying huge numbers of patches simultaneously.

But that cafeteria-style patching goes out the…err…Windows with this month’s release. Microsoft made the announcement in May of this year and revisited the subject again in August to add more detail behind its decision:

“Historically, we have released individual patches for these platforms, which allowed you to be selective with the updates you deployed,” wrote Nathan Mercer, a senior product marketing manager at Microsoft. “This resulted in fragmentation where different PCs could have a different set of updates installed leading to multiple potential problems:

  • Various combinations caused sync and dependency errors and lower update quality
  • Testing complexity increased for enterprises
  • Scan times increased
  • Finding and applying the right patches became challenging
  • Customers encountered issues where a patch was already released, but because it was in limited distribution it was hard to find and apply proactively

By moving to a rollup model, we bring a more consistent and simplified servicing experience to Windows 7 SP1 and 8.1, so that all supported versions of Windows follow a similar update servicing model. The new rollup model gives you fewer updates to manage, greater predictability, and higher quality updates. The outcome increases Windows operating system reliability, by eliminating update fragmentation and providing more proactive patches for known issues. Getting and staying current will also be easier with only one rollup update required. Rollups enable you to bring your systems up to date with fewer updates, and will minimize administrative overhead to install a large number of updates.”

Microsoft’s patch policy changes are slightly different for home versus business customers. Consumers on Windows 7 Service Pack 1 and Windows 8.1 will henceforth receive what Redmond is calling a “Monthly Rollup,” which addresses both security issues and reliability issues in a single update. The “Security-only updates” option — intended for enterprises and not available via Windows Update —  will only include new security patches that are released for that month. 

What this means is that if any part of the patch bundle breaks, the only option is to remove the entire bundle (instead of the offending patch, as was previously possible). I have no doubt this simplifies things for Microsoft and likely saves them a ton of money, but my concern is this will leave end-users unable to apply critical patches simply due to a single patch breaking something.

It’s important to note that several update types won’t be included in a rollup, including those for Adobe Flash Player. As it happens, Adobe today issued an update for its Flash Player browser plugin that fixes a dozen security vulnerabilities in the program. The company said it is currently not aware of any attempts to exploit these flaws in the wild (i.e., no zero-days in this month’s Flash patch).

brokenflash-aThe latest update brings Flash to v. 23.0.0.185 for Windows and Mac users alike. If you have Flash installed, you should update, hobble or remove Flash as soon as possible. To see which version of Flash your browser may have installed, check out this page.

The smartest option is probably to ditch the program once and for all and significantly increase the security of your system in the process. I’ve got more on that approach (as well as slightly less radical solutions ) in A Month Without Adobe Flash Player.

If you choose to update, please do it today. The most recent versions of Flash should be available from this Flash distribution page or the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.). Chrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates in and/or restart the browser to get the latest Flash version).

Finally, Adobe released security updates that correct a whopping 71 flaws in its PDF Reader and Acrobat products. If you use either of these software packages, please take a moment to update them.

Tags: , , , , , , , , , , ,

104 comments

  1. This time the mandatory Windows update pulled down some obscure Intel sound driver that wiped out my Realtek sound driver.

    NO SOUND FOR YOU!

    • After several hours of trying to get Realtek-based sound working on Windows 10 on an HP XW4600 workstation (not mine – I am a Debian user), the ultimate fix was to buy and fit a £2 USB sound dongle.

  2. The above has happened, also on my win 10,8.1,8, and win7 machines. My XP doesn’t get on the net, or my DOS machine.
    About the Mac vs. Win? It all depends on how big a target you are. The bigger the target you are, the more you should run win. With the lack of updates coming from Apple, they are not subject to the same attacks as win. Not safer, just different attack profile. You attack where the money is. Less money on the Apple side. Fewer attacks. Who then knows where their system is broken. The only plus is, you can virtulize your windows machines on their OS. Same with Linux. But, now, your security is lacking, just like embedded systems. You have to go thru the whole update system, slowing your operating time by minutes, when you only wanted to check your email for sales.
    Each system isn’t inherently better, but you will notice each system demands that you have the latest equipment to run on. Update a win 10 or an OS x on a b/g connection? Anyone? Now that cuts business time, or update on a 386, same effect.
    What they are doing, is forcing all older machines to update also. The new minimum is dual core, with g/n communications ability, and pushing for AC to speed up the networks. Pushing for better monitors, and higher speed multi core systems, ain’t bad, but more expensive. Try running the latest Mac OS on a machine from 2001. It will run, but will it work?

    • Good example. I tried running the latest Mac OS on a machine from 2007. After the update, it would not go into sleep mode reliably when the lid was closed. I normally closed the lid when not in use. Multiple times I found it overheated, not sleeping, with the lid closed. Not long after, the display system failed and the machine was dead.

    • HUH? If you are a bigger target, you should use the most targeted operating system. I fail to see the logic in that. It is targeted not only because of market share, but also because the design is about ease of use and security was added as an afterthought. *nix was designed from the very beginning to be multi-user, and security was part of the early design before the age of hackers and the Internet (so security didn’t have to be as strong). I don’t particularly trust OS x even though it is part of the *nix family, but I still believe they are safer than Windows.

      As for constant hardware updates to keep up with the latest OS requirements… I have only had that experience when I was a Windows user. Every version of Linux I have ever used has not significantly increased system requirements between versions. Mac OS x may introduce features that are not available on older models, but system performance still remains quite reasonable on version upgrades (for the reasonable life of the computer). Apple phones on the other hand, I stay away from because of the forced obsolescence I experienced with the 3G model where they simply removed versions of apps that could run on my phone.

      • I will agree, yes. But, do all the programs needed to run a law office work in Linux? Apple? They do in Windows. How about sales? Or bookkeeping, rocketry? And unfortunately also arts!. In Windows, you take the installer program, and run it. It works. And is jupdatable, and it works. I can buy and install any program that I wanted, from XP till the dropping of the old .net framework. That’s the only thing I dislike about Ms. It limits backward compatibility, many of the old communications programs are old.net. and now unusable, unfortunately, but, in businesses, it is recoverable. A mom and pop establishment will have to get a new machine, and be up and running again with improved security available. And be able to use the old system as a backup, but can the same be said in a Linux, or an apple system.
        Now let’s take something larger, like Ford, can they do the same? Are they a bigger target then the simple mom and pop? Here is where their would be more attacks. Because their a money operation. They should see attacks every day, even from their own security teams. And we are expecting the mom and pops to be as smart as the Ford security team. But, do the mom and pops know that they forgot to put a check mark beside some obscure program to update the security there? Updates can do that.
        I know it’s a long ramble, but, as a deer hunter would do, look for the size of the rack, would you rather have two points hung on the wall, or 21 points?

  3. I checked hoping that maybe the individual KBs would still be available as an uninstall option. Sadly, at least on 2008 R2, it just listed the rollup KB3185330

  4. The lengthy searching by Windows Update has not been abolished but at least all the updates are now in a single .msu file.

    http://wu.krelay.de/en/ helpfully gives the download links for both security and monthly rollups. I am not yet aware of where Microsoft keeps them. Anyone know?

    • My comments apply to Windows 7.

      • Windows catalog, as some have said in this thread. Good luck finding it with external links, however, as following links to Microsoft has no longer worked for me. The MS site just gets worse and worse – I post a complaint every time I’m forced to use it.

  5. Well, that was the final nail in the coffin. Win 7 Pro 64 bit has worked just fine for me. I don’t want nor should I forced to suffer the data monitoring, Win 10 harassment and other BS.

    My privacy, my choice. No choice, no privacy. Updates were already turned off and I cherry picked what went on my systems and what didn’t. Now, I’ll be reading up on Linux and installing ASAP.

  6. I upgraded to Win7 because of the update issue and discovered it was happening to it too. So I gave up manually updating until the KB ending in 2605 was installed that fixed the inability to properly update issue. Today’s rollup was the first one in months that installed all components without error. I had to log in to the local administrator account to finish it with one more update(KB3177467); though manually.

    Happily Flash has updated automatically for the 4rth time in a row!! Now that is a historical streak of luck for me!!

  7. I hate to say this, but if I were a Windows Home user, why is it that Microsoft determines my level of risk acceptance if I cannot install a particular patch because it will interfere with what I am doing on that system?

    That is why I always stick with Linux, which allows me to determine how I will accept risk when not installing a patch.

    • Well, guess the mandatory Windows update will force me to move my home PCs to Mac or Linux. I’ve been a Windows NetAdmin most of my life but this just pushes me too far.

      Work is still another issue, in our environment Macs are just too costly ($ and labor) and Linux just isn’t practical.

  8. Microsoft is creating a tremendous amount of dissatisfaction with its customer base over the update issues. The PC business is already suffering from competition from smart phones and tablets taking the low end user who only checks email and a few news stories away from the Windows market. Nobody needs to wait three minutes for Windows to start, and then Windows decides it has updates and pre-empt your usage for another 5-10 minutes. I had an update that took over a half hour that consumed the time slot I was supposed to give a presentation in…. not good. The machine updated again for twenty minutes that evening! My smartphone is always on… email checks are instantaneous. MSFT is not thinking this through… they are eroding a substantial part of their customer base. Sophisticated users have started air gapping machines since after all the patching inconvenience – they find they are still exposed. A second machine for “must net” use… guess what … mine are Linux and an Android Tablet. MSFT drove those sales!

    • I’m seeing this kind of thing too –
      We need to start a Webex or GoTo design review, but M$ Win10 (w/ “Download Optimizer” – read: download monopolizer…) is pulling a download, using the entire internet bandwidth… to the point that no one else can even use it… No work for you until update done…! Morons…

      • If you have multiple systems in a workplace sharing the same internet connection its really the business owner’s fault that they didn’t setup a server to download and cache updates for all the systems. Once you purchase a server WSUS is just an optional install away.

        I’m all for bashing MS when they do something wrong but this really is a setup that’s been misconfigured. Probably through ignorance, but ignorance is not an excuse.

        Although this does illustrate why you should have a functional QoS system to stop one system from destroying everyone’s ability to use the internet. Again, something the business owner should have setup and configured…

        • Home users with multiple PCs suffer the same consequences, and generally have no recourse or skill available to find out what went wrong.

          Designing the update system to be so cavalier with the end user’s bandwidth is a problem. Providing hardly any controls to manage it is a problem.

          “Purchasing a server” is historically an expensive solution, not just in money but in the skills needed to properly secure and manage it. This is simply not an option at all for home users, and likely impractical for most small businesses.

  9. Isn’t this simply another step by Microsoft to make Windows more like Android? They desperately want to gain a foothold in mobile devices. When a new Android version comes out by a manufacturer you don’t pick and choose. You either update or you don’t.

  10. Microsoft: No More Patching for Windows 7?

    Windows Update now churns away endlessly. By manually installing KB3185911, I was able to energise Windows Update on the previous Patch Tuesday, September 2016. My system last automatically installed updates on 22 September 2016. Thanks to Microsoft’s ‘improvements’, I am now denied security and other updates.

    Is there something going terribly wrong with Windows 7?

    I tried manually installing the October monthly rollup using Windows6.1-KB3185330-x64.msu but this behaved like Windows Update, churning away and achieving nothing.

    • I’ve got the hang of it now. It’s manual updates from now on for me. Internet Explorer still must be used for access to the Microsoft Catalogue as non-ActiveX still appears not to be ready.

  11. I wish I could ditch Flash forever but Hulu forces me to use it and I haven’t found a work-around yet. Sad.

    • Ditching Hulu works for me.

      I should probably check on this, but for a while Amazon would serve HTML5 video to mobile devices but required &*(!@*( Silverlight for desktops. Gotta love MPAA contracts…

  12. Just to add a point (not sure if someone else did) – the .net patches will be separate patches.

  13. I got the big 100MB packet today, and tried to find out what was in it. I came up essentially empty handed, but contrary to the habit I learned over the past three years of Microsoft aggressively pushing its crap/mal/ad/spy/ware on my machine, I clicked “install”. How long will it take until I regret it?

    I used to review pretty much every single update, and installed most of them, even when concerned points as crucial as summer time settings for Sakhalin or the currency symbol for Uzbekistan.

  14. For update problems, if necessary I would highly recommend Macrium Reflect Free for imaging and restoring the Windows partition to rollback the entire disk. A build for a boot DVD or USB drive is provided and I have rolled back 5 or more home computers for various issues, like won’t load Windows, or some nagging issue comes up that you can’t fix. The Macrium image has never failed to restore and work and is very fast, often 20 minutes to restore the OS.

  15. After all of the sneakiness by MSFT with Win10 and “updates” designed to capture user info over the last couple of years, I no longer trust MSFT. Still using Win7 with security other than MSFT’s and doing just fine.
    Not gonna use the big, bulky “patch” method of updates. It’s MY computer, and I want to decide what to install! When this computer fails, I’ll be going to LINUX, as will so many others.
    Bye. bye MSFT!

  16. Up to now I have only accepted the rollup for .net and left the W7 rollup to see if anything turned up regarding problems after installation on sites like this one. I’ve got (up to now) three programs working strangely and my audio has flipped from monitor 1 to monitor 2, with no way to get it back to where I want it to play.

    It also appears that the rollup is not listed in the installed updates under the kb number it was designated, but each part of the rollup is listed with a different kb number.

  17. I had to use system restore to remove the security rollup update KB3185330 for Windows 7. Applying the update caused a massive slow down in performance and affected functions for some IE11 add-ons (most notably-blocking the Google toolbar history from appearing and not allowing suggestions while typing in searches).

    • Mike, I had the exact problems you described with IE11 and Google Toolbar. I was able to remove it with Update remove installed updates. Restart and IE11 and Toolbar are back to normal.

  18. I had no issues downloading the security only updates for Windows 7 Pro SP1 from Microsoft Update Catalog on Tuesday. MS has been saying this would be possible ever since they announced the updating change.

    Never used auto updating because I want to be in control of my systems. As a pro audio Windows user, I can’t afford my systems being messed up by a non-security update they think I need.

  19. There seems to be a lot of Microsoft-hate in these comments. My experience with Windows 10 is that, while there are some things I would nitpick, it is a stable, solid operating system.

    A lot of the MS-hate is based on nothing more than myth, as illustrated by this article:

    http://thehackernews.com/2015/02/vulnerable-operating-system.html

    Granted, that is (slightly) pre-Windows 10, but the point is made. And the paradigm MS in moving to (in this krebs article) will increase the security of the OS.

    I work in a shop where most everyone runs Windows on a VM, on Apple laptops. This asinine methodology allows them to save face in the tavern after work.

    Until Apple makes a laptop that doesn’t have (what is seemingly) 4pt font by default, I’m sticking with Windows so I can get some work done.

    • And while I’m on the subject of OSes, to you Linux fans (and I myself use Linux Mint on a machine), consider this about your favorite OS: there is one guy – Linus Torvalds – who has a god-like say over what does and does not go into that OS. Linux has it’s place, and it is good that it exists. But it is no utopia. And that paradigm is troubling.

      And, Apple is the most closed paradigm of the three. Look at Xamarin (recent MS acquisition). Build an app once in C# that runs natively on Android and iOS. But guess what. You must have an Apple machine to run the iOS emulator. Why? Because Apple doesn’t want you to run it on Windows. Just one example of their closed ecosystem.

      • Linux would be a great place to be for professionals, et al. who rely upon key third part software–which are not coded for Linux. For those who don’t need third party software–Linux is a very good option to escape MS. Linux would be my choice–if I wasn’t reliant upon third party software.

  20. I have an opinion on this, but the fact that I am typing this message on my laptop which is running Debian 8 says enough.

  21. Not a good thing for MS to be forcing on any of its OS customers–not at all surprising considering who runs this company.

  22. Have no idea why Windows Update says I have no updates available and no updates hidden. I did not get any of the October 2016 security patches. I know its a single rollout, but was not offered on my Windows 7 PC. Now Security Essentials is frozen on updates too. Are they just dropping service on Windows 7 users, even though security support is supposed to still be in effect? I can’t even see if a hidden update has to be installed because they are gone. I had several due to the Windows 10 nagging. Really getting fed up with this company. Any help would be appreciated.

    • I have a similar problem (Win 7 x 64 Pro). All updates not downloaded disappeared on Oct 12. Then they reappeared the next day (including optionals). Have not gotten the new rollup on my Windows update. Maybe I should download the recommended ones first? Anyway, in times past all new updates appeared regardless of whether or not I have downloaded the previously issued ones. MSE does update new definitions though.

  23. Good to see the use of a proxy is brought up, and how it can facilitate criminal conduct. It’s important to note a proxy also provides anonymous speech too. Nonetheless, thank you for your post.

  24. And Now, For Something Completely Different

    Checking for Windows Updates today (Tues 18 Oct) I was offered

    October, 2016 Preview of Monthly Quality Rollup for Windows 7 for x64-based Systems (KB3192403)

    This is a 120.5 MB file. (Same KB number but for 32-bit systems it’s 72.6 MB.)

    Here’s the link for more information from Microsoft

    https://support.microsoft.com/en-us/kb/3192403

    which in turn directs you to

    https://support.microsoft.com/en-us/help/22801/windows-7-and-windows-server-2008-r2-update-history

    for additional information.

    In the depths of my ignorance, this update appears to be benign. In this context, “benign” means the W-10-related fone-home features (aka “diagnostic telemetry”) remains optional.

  25. So as a follow up, in my efforts to get updates going again I change my setting to automatic download. Nothing happened until the next day when I was notified of updates ready to download. That’s when a saw the above October Preview, Security Rollout and Malicious Tool. So they did not go thru automatically, but I was able to install them. Security Essentials also caught up to date. Still have no idea what will happen with November updates. All hidden updates have been wiped. At least I think I’m patched for now. Will keep settings the same for awhile and hope for the best.