October 11, 2016

Adobe and Microsoft today each issued updates to fix critical security flaws in their products. Adobe’s got fixes for Acrobat and Flash Player ready. Microsoft’s patch bundle for October includes fixes for at least five separate “zero-day” vulnerabilities — dangerous flaws that attackers were already exploiting prior to today’s patch release. Also notable this month is that Microsoft is changing how it deploys security updates, removing the ability for Windows users to pick and choose which individual patches to install.

brokenwindowsZero-day vulnerabilities describe flaws that even the makers of the targeted software don’t know about before they start seeing the flaws exploited in the wild, meaning the vendor has “zero days” to fix the bugs.

According to security vendor Qualys, Patch Tuesday updates fix zero-day bugs in Internet Explorer and Edge — the default browsers on different versions of Windows. MS16-121 addresses a zero-day in Microsoft Office. Another zero-day flaw affects GDI+ — a graphics component built into Windows that can be exploitable through the browser. The final zero-day is present in the Internet Messaging component of Windows.

Starting this month, home and business Windows users will no longer be able to pick and choose which updates to install and which to leave for another time. For example, I’ve often advised home users to hold off on installing .NET updates until all other patches for the month are applied — reasoning that .NET updates are very large and in my experience have frequently been found to be the source of problems when applying huge numbers of patches simultaneously.

But that cafeteria-style patching goes out the…err…Windows with this month’s release. Microsoft made the announcement in May of this year and revisited the subject again in August to add more detail behind its decision:

“Historically, we have released individual patches for these platforms, which allowed you to be selective with the updates you deployed,” wrote Nathan Mercer, a senior product marketing manager at Microsoft. “This resulted in fragmentation where different PCs could have a different set of updates installed leading to multiple potential problems:

  • Various combinations caused sync and dependency errors and lower update quality
  • Testing complexity increased for enterprises
  • Scan times increased
  • Finding and applying the right patches became challenging
  • Customers encountered issues where a patch was already released, but because it was in limited distribution it was hard to find and apply proactively

By moving to a rollup model, we bring a more consistent and simplified servicing experience to Windows 7 SP1 and 8.1, so that all supported versions of Windows follow a similar update servicing model. The new rollup model gives you fewer updates to manage, greater predictability, and higher quality updates. The outcome increases Windows operating system reliability, by eliminating update fragmentation and providing more proactive patches for known issues. Getting and staying current will also be easier with only one rollup update required. Rollups enable you to bring your systems up to date with fewer updates, and will minimize administrative overhead to install a large number of updates.”

Microsoft’s patch policy changes are slightly different for home versus business customers. Consumers on Windows 7 Service Pack 1 and Windows 8.1 will henceforth receive what Redmond is calling a “Monthly Rollup,” which addresses both security issues and reliability issues in a single update. The “Security-only updates” option — intended for enterprises and not available via Windows Update —  will only include new security patches that are released for that month. 

What this means is that if any part of the patch bundle breaks, the only option is to remove the entire bundle (instead of the offending patch, as was previously possible). I have no doubt this simplifies things for Microsoft and likely saves them a ton of money, but my concern is this will leave end-users unable to apply critical patches simply due to a single patch breaking something.

It’s important to note that several update types won’t be included in a rollup, including those for Adobe Flash Player. As it happens, Adobe today issued an update for its Flash Player browser plugin that fixes a dozen security vulnerabilities in the program. The company said it is currently not aware of any attempts to exploit these flaws in the wild (i.e., no zero-days in this month’s Flash patch).

brokenflash-aThe latest update brings Flash to v. 23.0.0.185 for Windows and Mac users alike. If you have Flash installed, you should update, hobble or remove Flash as soon as possible. To see which version of Flash your browser may have installed, check out this page.

The smartest option is probably to ditch the program once and for all and significantly increase the security of your system in the process. I’ve got more on that approach (as well as slightly less radical solutions ) in A Month Without Adobe Flash Player.

If you choose to update, please do it today. The most recent versions of Flash should be available from this Flash distribution page or the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.). Chrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates in and/or restart the browser to get the latest Flash version).

Finally, Adobe released security updates that correct a whopping 71 flaws in its PDF Reader and Acrobat products. If you use either of these software packages, please take a moment to update them.


104 thoughts on “Microsoft: No More Pick-and-Choose Patching

  1. IRS ITUNES CARDS

    I didn’t have any problems with my Windows 8.1 machine , it seemed like the install process was a lot more simplified during the reboot.

  2. Elwwod

    Microsoft has been downloading and installing patches for Microsoft Project – which I do not have on my PC.

    1. David Hall

      You probably have the free viewer and it’s updating some components common with the full MS Project.

      1. Sykophantes

        Is there a Microsoft Project viewer ? They have free viewers for other Office applications, Visio, Report, etc. But I failed to find a Project viewer made by Microsoft when I needed it and ultimately asked the sender to output it in .pdf format. There is third party software claiming to be able to view MPP files but from various fora I understood it does not work very well and even when installed on ones computer would not explain the (autometic) patching of Microsoft Project.

  3. Bill

    That’s fine in theory. But they install patches that have nothing to do with the software on your PC and patches that break your PC. Sometimes you can’t even use the PC after a bad patch. Plus this gives them unrestricted access to force all So does users to accept spyware.

    1. Bill

      Dang autocorrect. *unrestricted access to force Windows users…

  4. B Brodie

    the windows update is hopelessly broken right now. just google ‘windows 10 update loop’

    one colleague’s windows 10 machine was stuck in a windows 10 update loop for three days, he tried some things on the web, got it going again, then it started hanging up again

    I installed a virgin copy of Windows 7 SP1 and it will not update – churns endlessly unless I try a series of interventional actions, which seem to work except it never shows an updated status.

    at least its not an exploding galaxy 7

    1. SeymourB

      There are a number of updates you can manually download and install on a fresh installation to speed up the process.

      At least your friend’s W10 system runs. My PC bluescreens during the second installation step after installing off USB or DVD and never finishes installing. Until 7 is off life support I’m not going to lose any sleep over it.

    2. Eric

      Regarding Windows 7, you have to let it run for a day or two – eventually the thing will come up with a list of updates.

      A few weeks ago, I have used an earlier “Rollup” right after having installed Windows. After installing that, the system only found 24 updates to apply (but it did take about a day to figure that out). Once you start to install the tools you use, it will start finding more (mostly .NYET).

      I would hope that this new way of doing things will turn out to be more robust than what we had before, but I am not optimistic.

  5. mike

    The motive for this policy change may include our pick-and-choose method to avoid the forced downgrading to Windows 10.

    1. Sasparilla

      Since users could just choose to get all patches automatically already (and their business accounts, the ones they really value, can still just get security only – user experience must be good for that still) Microsoft’s explanation seems to be BS.

      Microsoft obviously didn’t like users being able to avoid/uninstall the updates that brought them the obnoxious/backhanded Windows 10 update software and they probably really didn’t like the users being able to uninstall / avoid the Windows 10 data monitoring software they backported into Windows 7/8.1 via patches too. Now we get all that whether we like it or not.

      http://www.theregister.co.uk/2015/09/01/microsoft_backports_data_slurp_to_windows_78_via_patches/

      This is also about Microsoft firing their Windows Testing staff (they did) and turning the general (non business) user pool of Windows 7/8 users into a update Beta testing area (like happens on Windows 10).

      There is a way around this on 7/8, but requires active work on the users part. You have to turn off Windows Update and download the security only updates (whatever they are) from their Update Catalog website (or some name like that) on a monthly basis.

  6. David

    Win10 pro seems to allow update avoidance by not selecting update and shutdown or reboot. After the last seven hour loss of use which ended in a fallback I am choosing not to update. I have lost confidence in Microsoft. They need to fix their quality problem.

    1. The Phisher King

      Which one?
      There are so many to choose from.

  7. David Hall

    I can’t help but think this is probably a good thing in most use cases.

    I have a bunch of Windows devices at home including custom built PCs which you might expect to be relatively sensitive to updates and a bunch of Microsoft surface devices which you would expect shouldn’t be.

    I rately get a problem. I think that the most likely reason why updates break is a complez dependency chain where users apply individual patches subsequently breaks (a rolled up) update.

    If everyone is at a consistent level of patching across various windows components I guess updates will be more reliable. Only time will tell I guess.

    But if it does work then it will probably be a good thing in some ways because the broader windows user base will get some kind of herd immunity from a well patched install base.

    Equally I guess that’s also very convenient if you are building a chain of zero days…

    Would be fascinating to see how that pans out.

    1. TSSG

      “I can’t help but think this is probably a good thing in most use cases.”

      The only good use case I can think of is that Windows security updates never break anything. Ever.

      The more probable use case is that the patches do break something, forcing you to make a decision between having a broken app, system, etc. or uninstalling an entire security roll-up. So instead of being exposed to a single (probably) vulnerability you will be potentially exposed to every vulnerability that was supposed to be fixed by the patch.

      Horrible decision by MS.

      I have some anecdotal evidence that there are a lot of CEO/CIO/CISO/General Counsel letters being sent to MS demanding an immediate change in policy.

      1. SeymourB

        Indeed, even enterprises taking part in a program Microsoft has that sends them patches ahead of time are going to be rather perturbed, since the decision many times is to simply not install a particular patch until they get their internal software updated. Now they have to not install all patches until their software is updated, which exposes them to legal liability for not running with any current patches installed. One patch they could argue in court over but all patches? That’s got to hard for a judge to swallow.

        For most end users though this isn’t a big deal. I can’t think of the last time an update broke something, even at my workplace. I think it was some horribly outdated software that the VAR refused to update without charging us $20K for a whole new copy, despite the fact that the manufacturer would send me the update for free… if I was a VAR.

        So we virtualized it, disconnected it from the network, and left it in an isolated environment talking over its serial ports to other isolated equipment. (shrug) Cheaper than $20K, took all of an afternoon to implement.

      2. SalSte

        Corporate customers generally aren’t using regular Windows Updates for their Windows patching (at least competent ones aren’t).

        Systems like WSUS and SCCM offer the ability for sys admins to offer more granular patches that won’t be offered through the consumer update site. Besides that, most corporations deploy patches in stages after testing so the chances of widespread issues from the new update model will likely be caught before they go out to the regular user population.

  8. Steve

    I have been having fun for a couple of months with MS updates with my 8.1 system. Select the updates to install, then go through the installation process, which results with an update failed. The update reboots the system and uninstalls the updates. Closer inspection reveals that update nnn must be installed. Get and run update nnn, and it responds it’s already installed….
    Time for a full reinstall and hopefully my installed applications will still run…..
    With this new deployment method of pushing out all patches, it will be interesting to see how long it takes before the backlash grows to the point of another review of the deployment methodology is performed by the MS teams.

  9. Phil

    All the more reason to try and move to Linux or something similar. Windows 10 is just too invasive. Now they’re telling you, nay FORCING you, to update. I’d rather have an Apple product tbh. I can do my Warcrafting, spreadsheeting, “surfing…” and email. Between MS and Google, THEY ARE COMING TO GET ME!

    1. SalSte

      Considering the number of unpatched Windows machines out in the wild, other than obstinance there’s no real reason why making updates required isn’t a step forward.

      1. dARTH pEANUT

        It’s not a step forward because it adds spyware telemetry, it WOULD be a step forward if they had the spyware ‘updates’ as optional or opt-in updates. To simply force it on everyone is instead draconian.

  10. somguy

    I believe .NET updates are still separate. Since they are an application update.

  11. Vince

    Given how many times recently (past 12 months or so) there have been issues with individual patches that have caused increasingly serious issues, the all or nothing approach is really bothering me.

    Nothing will be the normal route until it can be established there is no issue – because in reality the security risk in many environments is less of a problem than the loss of service/systems when the patches royally hose things.

    Microsoft can’t even get this patching thing right for Windows 10 which doesn’t have that legacy of individual patches and has hosed many a system, so I cannot believe they’ll do a better job here.

    Windows is becoming worse and worse.

  12. Grit

    Windows Update has been notoriously unreliable for quite some time – especially in dealing with new Windows 7 installs. 90% of the time it takes a significant amount of technical user intervention to resolve and get all of the relevant patches installed.

    IF this move to update rollups resolves those aforementioned issues and results in the average end-user having a more seamless and reliable experience, thats good news. It’s obviously an important goal for Microsoft with this change, apart from just saving money.

    Too bad it comes at the expense of IT professionals and businesses, as Brian and everyone else has pointed out. Microsoft has a track record of less than stellar QA for their updates, so its certainly not uncommon for single patch to break functionality that is critical business operations in one way or another.

  13. cc

    I haven’t applied an update since Windoze 10 came out. I just don’t trust anything they do any more.

  14. Arbee

    > I’ve often advised home users to hold off on installing
    > .NET updates until all other patches for the month are
    > applied

    On a W7-Pro 64bit installation, today’s (Tues 11 Oct 2016) offering included a *stand-alone* 5.7MB .NET update:

    KB3188740 – October, 2016 Security and Quality Rollup for .NET Framework 3.5.1 on Windows 7 SP1 and Windows Server 2008 R2 SP1 for x64

    as well as a 119.4MB KB3185330 monthly rollup plus a 3.5MB KB890830 monthly malicious software removal tool.

    Also (nothing new here), there was a stand-alone *optional* Silverlight package that I hid.

    The good news: as in the past, I installed the .NET update *after* installing the monthly rollup and the malicious software removal tool (restart required); so far, so good. Also, along with some other folks, I’m uninterested in Silverlight. I’m glad it continues to be optional.

    I haven’t yet checked what’s on offer for a W7-Pro 32-bit installation. If the experience is similar, this isn’t as unpleasant as what I’d steeled myself for.

    Unknown to me specific to this topic: whether any / some / all of the W10-related fone-home stuff some of us have assiduously skipped is now unavoidably within the monthly rollup. Anyone have any insight into this?

    1. Arbee

      replying to myself —

      The W7-Pro 32-bit update was almost as seamless as the 64-bit version.

      Essentially the same offerings with smaller file sizes were available: a large-ish (74MB) monthly rollup, a malicious software removal tool, and a 4.7MB NET Framework update. First pass, I delayed the NET download.

      For reasons unknown, Windows Update canceled my first attempt to install the monthly rollup. I’m clueless. My second attempt succeeded. After a restart, the NET update also installed successfully.

      Still unknown: whether any of the unwanted W10-related fone-home stuff has been bundled in the monthly rollup.

      My admittedly limited experience suggests this new arrangement seems to work.

      Time for a martini….

    2. Sasparilla

      Microsoft did say they are going to backport (rollup) the prior updates into the monthly update blob over time so that at some point, sooner or later, they’ll force the install of the user data monitoring software.

      You can turn off Windows Update and download the security updates manually supposedly (I’m going to do that). Here is the website for the downloads (you have to know the name of what you want before you get there) and its I.E. only (installs some tool to work – thinking to myself probably ActiveX):

      https://catalog.update.microsoft.com/v7/site/Home.aspx

  15. Dean Marino

    ….. and it is HERE that our family bids Windows Update adieu….

    Jumbo patches are wonderful – as long as the patch issuer has credibility. MS lost that in the Windows 10 push.

    We are simply DISABABLING Windows Update, sticking with 7, and accepting that MS has de-supported Windows 7, well ahead of the time advertised.

    1. x

      Just go to:

      http://www.techspot.com/downloads/

      And search for it. They have the full download of the Flash plug-in for Windows.

      Most download sites only feature a small stub file which you must be on-line to use it and download the complete plug-in. Not so with techspot, they have the real deal. Now whether or not you trust them is another matter.

  16. VW

    Most of you complain about the Windows updates but I find it more concerning that every time they patch a zero day exploit in Internet Explorer they also patch it in Edge per the article description.

    I had the impression Edge was using a different engine and code but every IE hole seems to also affect Edge which would make Edge just as insecure and vulnerable as Internet Explorer but yet, I didn’t see one single hack or attack targeted against Microsoft Edge exploited in the wild.

    I had the impression Edge was even more secure than Chrome. Maybe not? Who knows…

    1. SeymourB

      Windows 10 adoption rates for business and enterprise customers is pretty much a non-issue… since they aren’t adopting it. This is why you don’t see much talk about Edge and other Windows 10 specific features.

      Edge typically runs with security mitigation features enabled that allows vulnerabilities not to break past the mitigation. Of course every application can run with those mitigation features enabled too.

      Microsoft likes to claim Edge is superior to everything else, but they have a long history of doing that. They used to claim that a vaporware products they never intended to develop were superior to someone’s actual finished shipping product just to influence customers into not buying the competitors product.

      1. somguy

        Not entirely correct. We have a state mandated application that will force 1/3rd of our users into win 10. And since we are doing it for them, we will end up doing it for all.
        Even if that wasn’t the case, eventually some execs would insist.
        Or it would happen towards end of win 7 support. Can’t have an unsupported OS running in an enterprise.

        And that habit of MS’s, they still do that lol.

      2. KFritz

        In case you didn’t see it, thanks for good advice two months ago.

      3. Catwhisperer

        With good reason nobody is much using Edge. It’s incompatible with some websites such as Uhaul, UPS World Ship, etc.

        Good luck, BTW, on getting the average Windows 10 user to know how to do a rollback on an update, whilst the machine is crashed stuck in an update loop or worse…

    2. Sasparilla

      Edge is just I.E. rebranded with the ActiveX and plugin links taken out so they could be deleted (ActiveX) and rewritten to be more secure (think they are going with the Chrome model).

      I.E. was a very damaged brand since it was a main vector for malware – so marketing!. Microsoft changed the name, changed the plugin architecture (more secure, which was very needed), update the HTML engine (marketing speak “New Engine”) and there you go – but that’s why its the same security updates, its still I.E. at its heart.

  17. Jim

    Last month KB5319 caused a security warning each time I clicked a favorite URL. Uninstalled and hid the fix.

    This time KB5330 caused the same problem. However, this time the update tries to install again after I hid it. Redmond is becoming a PIA.

    I have Win 7 Pro with all updates except the 2 mentioned.

  18. KFritz

    About 99% of my www use is via Ubuntu, so my strategy for Windows is to hold off updates for at least a week and keep up with the horror stories until Redmond fixes its usual mess up–and then update. The comments here are one useful source of info.

    Also, it’s entertaining to see Microsoft do its own astroturfing.

  19. Dan Melius

    Brian,
    I appreciate all your advice on cyber-security, so thank you for that.
    My reason for contacting you is to get your professional opinion of Windows vs. Mac. Which is more secure and requires less updates to remain secure ? Your answer will determine which operating system will be in the next laptop I buy.
    Thank you …………..Dan

  20. bob

    How about a month (or better still, forever) without Windows?

    To keep it simple, I’d suggest Linux Mint or Linux Ubuntu. For starters, most Linux distributions are free. They are prone to many times fewer security problems than Windows. After a few months, your productivity will increase and you’ll wonder why you ever bought into that windoze BS in the first place.

    Tell ’em Bill Gates sent you.

    1. JohnnyS

      And to add to what bob said: If you are an “enterprise” and you think you just can’t function without MS Windows, give Canonical a call and ask them about what they can do for you.

      At least you can set up a “pilot” program to test it out in your enterprise setting, which should help you out next time you negotiate pricing with MS!

      Disclaimer: I do not work for Canonical and I get no remuneration or other benefit for posting this message. I’m just a happy xubuntu user.

  21. Mr K

    Surprised no one discussed Monthly Rollup vs Security Only. Which one are you choosing for the Enterprise.

  22. IA Eng

    making anything mandatory, is simply foolish. As much as they want to consider themselves pushing the envelope for security, they do NOT understand all the different software scenarios out there to make this a good plan. Its more of the same – slap the patches out, here you go, whether you like it or not. Sounds like a cafeteria style setup with a bunch of grumpy people serving up whatever they want to offer.

    That corporation has been at this for decades. Its sad to think that the process is started over and over and over again every month without any forward thinking other than, HEY ! we will build a new operating ? system and throw the crooks off course for a little bit.

    Its a shame when free software operates better than a typically paid for product.

  23. Tom Noll

    Mr. Krebs,

    Thanks for another informative post, and a great website.

    One reader posted a request for your opinion of OS X in terms of overall security. I’d like to second that request.

    Since several commenters mention Linux as a safer, more convenient alternative, a comparison of these *nix systems would probably find an interested readership.

  24. Alan McConnaughey

    I find it amusing that Microsoft is taking so much flack for this new update process. Apple does the exact same thing along with Linux unless you get technical and choose to pin packages instead of the apt-get install update / upgrade.

    1. Sasparilla

      As a Windows and OS X user I don’t find this to be true (although Microsoft keeps repeating it, on purpose of course). Apple separates their OS X updates out into security and non security updates and (unlike Windows) actually gives a good description of what each will do – and users can choose to install what they want on OS X. Microsoft wants our PC’s to be their smartphones (where they install anything all the time), but PC’s are different, like our Mac’s and we should have more control over them.

      Same goes for the little bit of data that goes back to Apple so their search functionality can work beyond the Mac, user can easily turn that off. In Windows 10 and via updates on Windows 7/8 the data monitoring is in their whether you want it or not.

      Remembering Microsoft willingly partnered (without a warrant forcing it) with the NSA to provide pre-encryption access to all customers communications (Hotmail.com, Outlook.com, Skype) – the user monitoring information is certainly not in good hands with them.

  25. Election_Fraud

    I had two machines at home running a stripped down version of Windows 7 and reluctantly upgraded tthem to W10 about three months before I had to pay for it.
    Surprisngly to me it went very well and the performance of both actually improved. I was happy with Microsoft, possibly for the first time.
    Until…
    The release of the Windows 10 Anniversary Update. After that disaster it has all gone to hell.
    Business as usual with the Redmond Rednecks.

  26. Mike

    MS forcing these kinds of things is part of why I’m not installing Windows on anything else (atleast as far as what I have personally). My machines are mine and they are here to do what I want them to. If I can’t have it that way then I don’t need them.

    ———-

    There seems to be a sense of absolutism out there. People are thinking that a refusal of Windows automatically means Mac. A kind of thinking where it is either a Windows laptop or Ipad. I never understood this. This is not the way things really are.

    The single greatest thing about computer technology is that it can be whatever you want it to be. These things are so flexible and so versatile that the only true limitation is your imagination. It’s more that everyone gets so caught up in the fear of hackers counteracted by the command of MS and Apple when they say they will protect you, that the true ‘joy’ of having these machines and devices gets lost.

    Linux is a great alternative. It’s what I have decided on moving forward. This IS an option.

    But, it should not be viewed as which one is more secure that the other based on what someone else says. They ALL have certain issues. Regardless of what OS you use, the single best thing that any individual user can do is to simply decide to know and understand what they have and what they don’t. Know your computer. If you don’t take control of it, someone else will. Wether it be MS, Apple, a botnet, or a blackhat.

  27. pboss

    More annoying, Windows 10 (at least the home version) now “features” an Updater that automatically restarts your machine when it thinks you aren’t doing anything with no way to change this behavior. Sure, you’re supposed to be able to set “active hours” but you’re limited to 12 hours and it defaults to standard working hours, a nasty surprise when I was left it downloading something and came back to find that it decided to reboot.

    1. Moike

      I ran into this also. Very nasty behavior, and it always chooses the time where it can lose the maximum possible amount of unsaved work.

      I may resort to some heavy handed tweaking so that I can go back to controlling when updates are checked and installed.

Comments are closed.