Yes, Windows patches are a mess, but you should still install them

March and April patches had their share of bugs, but with a Word zero-day threatening now's the time to update your Windows PCs. Here's how to navigate the minefields


With a zero-day Word exploit nipping at our heels, it’s time to work around the recent crop of bugs and get your Windows systems patched.  

Windows and Office patches have presented many challenges the past few months. February Patch Tuesday was dropped, then Microsoft came back with an obviously forgotten Flash patch. March had a big batch of bugs. April has had more than its fair share of bugs, too, including one that dismantles Windows Update on certain AMD Carrizo computers.

Here’s where we stand with this month’s patches:

  • April was the first month with no security bulletins, and it’s been challenging to keep up with the 644 patches—210 of them marked “critical.” Gregg Keizer at Computerworld has an insightful analysis that quotes Susan Bradley (who knows more about Microsoft patches than any human alive) taking Microsoft to task.
  • Users who tried to run Win7 or 8.1 on newer PCs—or older Carrizo DDR4 computers—had Windows Update summarily and permanently shut down. Fortunately, there are a few precautionary steps that can be taken, as well as a fix. But make no mistake: Microsoft doesn’t want users to run Win7 or 8.1 on newer PCs, and it’s not backing off.
  • The Word zero-day that (in)famously affects all versions of Word (even WordPad!) on all versions of Windows appeared in a Dridex banking malware email campaign. As details rolled out, it became apparent that the zero-day fires if you use Word to open a booby-trapped document attached to an email message. If you’re using Gmail, the doc opens in a preview that doesn’t infect the computer. If you double-click on the attached doc in Outlook, you still have to click Enable Editing before the malware takes off. The only way to fix the hole (aside from not using Word to open docs attached to emails) involves patching both Office and Windows.
  • Both the .Net Framework 3.5.1, 4.5.2, 4.6, 4.6.1, and 4.6.2 Monthly Rollup KB 4014551 and the Security-Only update KB 4014985 (and a bunch of additional patches) blast away the PowerShell Stop-Computer cmdlet; Microsoft has a workaround that involves an old-fashioned DOS (elevated command prompt) command.
  • Visual Basic 6 crashes after the April Monthly Rollup is installed.
  • Various documented problems with the Kerberos Key Distribution Center service are reported in the main Update listings.

I undoubtedly missed a few problems, but those are the big ones. 

There’s a new version of the much-maligned KB 3150513, which you want to avoid unless you’re planning an in-place upgrade to Win10 Creators Update soon. Günter Born reported a problem with the latest Malicious Software Removal Tool; something is messing up the Microsoft Baseline Security Analyzer.

With that as preamble, here are the steps I recommend.

Windows 10

Follow my tip on installing Win10 updates. If you want to stay on Win10 Anniversary Update and prevent Microsoft from forcing you on to Creators Update (which has plenty of bugs but fewer than I expected), follow these instructions. You may want to use wushowhide to hide any driver updates. All of the other updates should be fine, including Servicing stack updates, Office, MSRT, and .Net updates (go ahead and use the Monthly Rollup if it’s offered). I recommend reporting any problems you might encounter.

Windows 7 and 8.1

If you have a newer computer (built in the past 18 months), watch out because you might get slipped a Microsoft Mickey Finn.

There’s a big controversy over Microsoft’s heavy-handed approach to coercing users to move to Windows 10 by disabling Windows Update on newer 7th-generation PCs. It looks like Microsoft will use this month’s patches to shut off Windows Update on computers running Intel Kaby Lake and AMD Ryzen processors. It isn’t clear why earlier Carrizo DDR4 PCs were included in the dragnet or if older Skylake-based computers are immune from the shutdown.

If you’re running Windows 7 or 8.1 on a PC made in the past 18 months, check to see if installing this month’s Windows patches will block Windows Update. That’s not as simple as it sounds; Microsoft hasn’t bothered to provide a hit list of blocked chips or a program that’ll scan your system and tell you if running the updates will block your PC. Here’s the next-best alternative:

Step 1. Download and run Speccy. It’s a free system scanner that will tell you both the type of CPU you’re using and the RAM memory specs (screenshot).

(Screenshot: Speccy system scan. Credit: IDG)

Step 2. If Speccy says you’re running an Intel Kaby Lake processor or an AMD Ryzen processor, seriously contemplate whether you want to apply this month’s security patches—or if it’s easier to jump to Windows 10.

Step 3. If Speccy says you’re running an Intel Skylake processor, you can breathe a little easier. Although Microsoft is still being coy about whether all Skylakes will be supported with Win7 and 8.1 updates, I haven’t heard of anyone with a Skylake who’s been shut down. Given Microsoft’s year-long waffling on this topic, I doubt we’ll ever know for sure, but for now Skylake looks safe.

Step 4. If Speccy says you have a Celeron processor, your patching future isn’t so clear. I have a report from an Intel Celeron T3000 owner who got clobbered. Intel officially lists the Celeron 3965U as a 7th-generation chip, so it will likely be prevented from getting Win7 and 8.1 patches. I can’t find a definitive, official list of banned Celeron processors, but the Wikipedia page for Kaby Lake lists the Celeron G3930, G3930T, and G3950 as 7th generation and thus probably banned. I say “probably” because we don’t have any official confirmation or documentation from Microsoft.

Step 5. If Speccy says you have an AMD Carrizo CPU and DDR4 RAM memory, you’re in the throes of a documented bug. If you install this month’s Monthly Rollup or Security-Only patch on a Carrizo DDR4 PC, Windows Update will be blocked—even though Microsoft explicitly said Carrizo chips would be supported with Win7 updates. Apparently Carrizo DDR4 owners are collateral damage.
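As an added example (not part of the article, and not Speccy), here is a PowerShell stand-in for Steps 1 through 5 that reads the CPU and RAM type with WMI and flags the cases the article calls out. The name patterns are assumptions: Intel’s model-number convention (Core i3/i5/i7-7xxx is 7th generation, 6xxx is Skylake), “Ryzen” in the AMD name, the Celerons the article names, and SMBIOS memory type 26 for DDR4.

```powershell
# Added example: approximate the Speccy check from Steps 1-5 in PowerShell.
# Get-WmiObject is used so this runs on Windows 7's default PowerShell 2.0.
$cpu  = Get-WmiObject Win32_Processor | Select-Object -First 1
$name = $cpu.Name.Trim()

# SMBIOS memory type 26 = DDR4, 24 = DDR3. Older Windows builds may not expose
# SMBIOSMemoryType and report MemoryType 0 for DDR4, so "unknown" may still be DDR4.
$ramType = 'unknown'
foreach ($d in (Get-WmiObject Win32_PhysicalMemory)) {
    $t = $d.SMBIOSMemoryType
    if ($t -eq $null) { $t = $d.MemoryType }
    switch ($t) {
        26 { $ramType = 'DDR4' }
        24 { if ($ramType -ne 'DDR4') { $ramType = 'DDR3' } }
    }
}

# Verdicts follow the article's Steps 2-5; the regexes are an assumption about naming.
$verdict = 'No match against the article''s list; review manually'
if ($name -match 'Ryzen') {
    $verdict = 'AMD Ryzen: Windows Update expected to be blocked by this month''s patches'
} elseif ($name -match 'Core\(TM\) i[3579]-7\d{3}') {
    $verdict = 'Intel 7th-gen (Kaby Lake) Core: Windows Update expected to be blocked'
} elseif ($name -match 'Celeron.*\b(G3930T?|G3950|3965U)\b') {
    $verdict = 'Celeron listed as 7th-gen: probably blocked (no official Microsoft confirmation)'
} elseif ($name -match 'Core\(TM\) i[3579]-6\d{3}') {
    $verdict = 'Intel 6th-gen (Skylake) Core: no shutdown reports so far, looks safe for now'
} elseif ($cpu.Manufacturer -match 'AMD' -and $ramType -ne 'DDR3') {
    $verdict = 'AMD with DDR4 (or unknown) RAM: check for Carrizo, which hits a documented bug'
}

"CPU:     $name"
"RAM:     $ramType"
"Verdict: $verdict"
```

Run it from an elevated PowerShell prompt; a Carrizo APU cannot be told apart from other AMD parts by name alone, so that branch only narrows the check.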

Users with Win7/8.1 PCs that fail Microsoft’s ill-defined test are caught between a rock and a hard place. Preventing the Word zero-day involves installing this month’s Monthly Rollup or Security-Only patch. But installing the patch also shuts down Windows Update. There’s a vigorous game of Win7 whack-a-mole going on, with GitHub poster Zeffy providing a way to unblock Windows Update on clobbered Win7/8.1 computers. The process isn’t pretty, but if you want to run Win7 or 8.1 on a newer PC, you don’t have much choice.

If you have an older computer or decide to take a chance on blowing up Windows Update on a newer PC, you need to choose whether to install the security-only updates or get all that Microsoft has to offer—including “telemetry” patches—by using the monthly rollup. If you’re in “Group A” (the monthly rollup group), updating’s easy. If you’re in “Group B” (those who don’t want Microsoft snooping), it’s considerably more complex. I provide details in my patchocalypse article.

For those in Group A:

Step A1: Get your settings right. In Win7, click Start > Control Panel. In Win 8.1, press Win-X and choose Control Panel. Click System and Security. Under Windows Update, click the link marked “Turn automatic updating on or off.” Make sure Windows Update is set to “Never check for updates (not recommended),” then check the boxes marked “Give me recommended updates the same way I receive important updates” and “Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows.” Click OK.

Step A2: Check for updates. Back in the Control Panel, under Windows Update, click the link to Check for Updates. (You may have to click Check for Updates a second time.) If you’ve done a Group A run in previous months, the check should go quickly. If it lingers for hours, follow these steps. Don’t check any unchecked boxes. If you have no intention of updating this machine to Win10 in the near future, look for KB 3150513 and make sure it’s unchecked.

Step A3: Install the patches. Click the button marked Install Updates and follow the instructions. You’ll end up with the April Monthly Rollup; all of your Office patches; maybe some .Net patches; Adobe Flash fixes; the Microsoft Security Essentials update; and the usual MSRT scanner. After the reboot, everything will be set to block automatic updates. You’re ready, but be sure to watch this column next month to see when the unpaid beta testers are done.

For those in Group B:

Step B1. Get the Security-Only patches. If you want security patches only, you have to reach out and grab them, then install them manually. That’s a nontrivial task. Since the Security-Only patches are not cumulative, you need to make sure you have the October, November, and December 2016 Security-Only patches installed. If you use Win7, there’s also a January 2017 Security-Only patch. No Security-Only patches were issued for either Win7 or 8.1 in February, but there are March and April patches. You also need to manually download and install the Internet Explorer patches. There’s a big jumble of KB numbers and download links involved. AskWoody AKB article 2000003, maintained by PKCano, lists them all.

Download any patches that you haven’t yet installed, double-click on the downloaded MSU file, and let the installer run its course. If you get the Unsupported Hardware notice (screenshot), seriously reconsider your decision to stay with Windows 7 or 8.1. If you decide you really want to thumb your nose at Microsoft, try playing whack-a-mole with Zeffy.

(Screenshot: the “Unsupported Hardware” notice. Credit: IDG)

Step B2: Get your settings right. In Win7, click Start > Control Panel. In Win 8.1, press Win-X and choose Control Panel. Click System and Security. Under Windows Update, click the link marked “Turn automatic updating on or off.” Make sure Windows Update is set to “Never check for updates (not recommended),” then check the box marked “Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows.” Uncheck the box marked “Give me recommended updates the same way I receive important updates” (yes, Group B is different from Group A), and click OK.

Step B3: Check for updates. Back in the Control Panel, under Windows Update, click the link to Check for Updates. (You may have to click Check for Updates a second time.) The check takes many minutes. If it takes many hours, follow these steps.

Step B4: Get rid of the Monthly Rollup. Click the links to look at the Important and Optional updates. Don’t check any unchecked boxes. If you see any entries marked “Monthly Quality Rollup,” uncheck the boxes—if you’re in Group B, you don’t want them. For heaven’s sake don’t ever check anything marked “Preview.” If you see any “Security and Quality Rollup for .Net Framework” boxes checked, leave them checked.

Step B5: Get rid of problematic updates. If you have no intention of updating this computer to Win10 in the near future, look for KB 3150513 and uncheck the box.

Step B6: Install the patches. Click the button marked Install Updates and follow the instructions. You’ll end up with Office patches, .Net patches, possible Adobe Flash fixes, Security Essentials update, and the usual MSRT scanner. After the reboot, you’re done. Pat yourself on the back, and watch this column next month for the all-clear.
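As an added example (not from the article), this PowerShell audit checks the end state Steps B2 through B6 aim for: the Windows Update settings the article says to set, Microsoft Update opt-in, and whether the KBs the article names are present. It assumes the standard Automatic Updates registry values (AUOptions 1 = “Never check for updates”, IncludeRecommendedUpdates) and the Windows Update Agent’s service ID for Microsoft Update.

```powershell
# Added example: audit the Group B settings and the KBs discussed in the article.
$auKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$au    = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

# AUOptions 1 = "Never check for updates (not recommended)", wanted by both groups.
$neverCheck = ($au.AUOptions -eq 1)
# Group B unchecks "Give me recommended updates" (value 0 or absent); Group A checks it.
$recommendedOff = (-not $au.IncludeRecommendedUpdates)

# "Give me updates for Microsoft products" means Microsoft Update is registered with AU.
# Assumption: the well-known Microsoft Update service ID used by the Windows Update Agent.
$msUpdateId = '7971f918-a847-4430-9279-4a52d1efe18d'
$sm         = New-Object -ComObject Microsoft.Update.ServiceManager
$msUpdate   = $sm.Services | Where-Object { $_.ServiceID -eq $msUpdateId }
$msUpdateOn = ($msUpdate -ne $null -and $msUpdate.IsRegisteredWithAU)

# KBs named in the article. Both .Net updates break Stop-Computer; KB 3150513 should be
# absent unless a Win10 in-place upgrade is planned soon.
$installed = Get-HotFix | ForEach-Object { $_.HotFixID }
$kbs = @{
    'KB4014985' = '.Net Security-Only update (breaks Stop-Computer; see workaround)'
    'KB4014551' = '.Net Monthly Rollup (breaks Stop-Computer; see workaround)'
    'KB3150513' = 'Win10 upgrade compatibility update (avoid unless upgrading soon)'
}

"Never check for updates:       $neverCheck"
"Recommended updates unchecked: $recommendedOff"
"Microsoft Update opted in:     $msUpdateOn"
foreach ($kb in ($kbs.Keys | Sort-Object)) {
    $state = if ($installed -contains $kb) { 'installed' } else { 'absent' }
    '{0,-10} {1,-10} {2}' -f $kb, $state, $kbs[$kb]
}
```

Run it from an elevated prompt after Step B6; a Group A machine should show the recommended-updates line as False, since Step A1 checks that box.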

Patching Windows and Office has always been a chore, but conscientiously applying updates has turned into a minefield.

Comments and suggestions most welcome on the AskWoody Lounge. I’m looking at the ongoing viability of the “Group B” Security-only patching approach. Care to join the discussion?
