Get Windows and Office patched – but watch out for creepy-crawlies

Patch Tuesday brought horrors for some admins, but those problems are gone and others have abated somewhat. Still, be careful when updating this month.

Windows logo with padlocks
Thinkstock/Microsoft

Those of us who have to keep Windows 10 working have hit yet another rough course. This month’s patches haven’t been pretty. In fact, if your admin set the WSUS or SCCM update servers to automatically approve Windows 10 updates, you may have had to deal with oceans of blue screens.

Right now, the biggest threat is not KRACK – Computerworld's Gregg Keizer has an overview here and the Krackattacks.com site has the latest details; it hasn’t (yet) started infecting normal Windows users. The big threat now is from that Wacky Wascal BadRabbit, which started with a fake Flash update on a Russian site and an ancient DDEAUTO field exploit in Word (and Excel and Outlook and OneNote) and is being used to carry Locky and other ransomware.

The DDEAUTO exploit isn’t a bug, according to Microsoft, because you have to click through three warning dialogs before it’ll bite. (The first of which is “Enable Editing.” Sound familiar?) See Catalin Cimpanu’s overview in Bleepingcomputer, and a drill-down on the DDE-born Hancitor malware from Brad Duncan on the SANS Internet Storm Center.

The good news is that there are steps you can take to manually block each of those potential nasties:

  • Disable KRACK from the Windows side by installing this month’s patches. Be aware of the fact that, eventually, you’ll have to update your router(s), too.
  • Whack BadRabbit by making sure you have MS17-010 installed (that’s the EternalBlue buster that also plugs EternalRomance). If you’re attached to a corporate network that might get infected, turn off access to the infpub.dat and cscc.dat files by using this technique from Cybereason researcher Amit Serper.
  • Disable DDEAUTO by following these steps from Martin Brinkmann at ghacks.  Note that this is a rather draconian approach, with consequences for OneNote,  Outlook and others described by Will Dormann. If you find that something breaks after you've clobbered DDEAUTO – most likely, an older document that no longer updates properly – you won’t have much choice but to turn DDEAUTO back on. While you’re at it, tattoo inside your eyelids: “Do NOT Enable Editing.”

Microsoft’s cleared up some of the problems with this month’s patches, but plenty of problems persist. Here’s where we’re stuck.

.NET Patches

Microsoft continues its push users to move from .NET 4.6 and later to .NET 4.7 or 4.7.1. If you really want to stay with .NET 4.5.2, you have to manually install updates. It looks like .NET 4.7 works – even on Windows 7. Your life will be much simpler if you simply join the borg and use the Monthly Rollups to get .NET updated. As usual, don’t check anything that isn’t checked for you by Windows Update.

Office Patches

Some good news. The disaster that we saw with merged cells in tables in Word and Outlook has been fixed in KB 4011140, as have the garbled language problems in Outlook.

The Outlook script-disabling patches KB 4011089, KB 4011090 and KB 4011091 – the ones that turn off printing in some circumstances, disable retrieval of archived emails in others – are still there. But we’re seeing more vendors issue warnings and workarounds. Earlier this week, Veritas published a workaround for the Veritas Enterprise Vault archiving system.

I’m ready to throw in the towel and recommend that you install those Office patches, if they’re offered. If something breaks – you used to be able to click on an Outlook form and it doesn’t print any more, or you can’t retrieve archived messages – the company that made the broken add-in should have a solution for you. Or you can uninstall the patch.

Microsoft has a list of other known problems with Office apps.

Windows 7 and 8.1 patches

The big news this month is with a Monthly Rollup Preview. Remember that I never, ever recommend that you install Monthly Rollup Previews. Here’s one good reason why.

AskWoody poster abbodi86 has detected a retrograde bug in KB 4041686, the 2017-10 Win7 Preview of a Monthly Rollup. If you install it, an SFC (System File Check) scan will report and fix an error in \system32\drivers\en-US\usbhub.sys.mui – even though there is no error. This is precisely the problem @abbodi86 reported to Microsoft after installing the old KB 3125574, which is the “convenience rollup” I call “Win7 SP 2.” The bug was fixed in KB 3181988, but it’s back again. If you install KB 4041686, you’ll trigger a bogus SFC error, even if you have KB 3125574 installed.

It looks like Microsoft is making good on its promise to gradually put old patches into the Monthly Rollups. Unfortunately, in this case, it's reinstating old bugs, too. Progress. If next month’s Win7 Monthly Rollup rolls out with this bug intact, you’ll know that Microsoft isn’t listening.

Apparently Microsoft has fixed the bug in the September Windows 8.1 patch that made it impossible to use a Microsoft Account to log on after the patch was applied.

Microsoft is still blocking updates to Windows 7 and 8.1 on recent computers. If you are running Windows 7 or 8.1 on a PC that’s a year old or newer, follow the instructions in AKB 2000006 or @MrBrian’s summary of @radosuaf’s method to make sure you can use Windows Update to get updates applied.

If you’re very concerned about Microsoft’s snooping on you and want to install just security patches, realize that the privacy path’s getting more difficult. The old “Group B” – security patches only – isn’t dead, but it’s no longer within the grasp of typical Windows customers. We’re actively discussing whether it’s worthwhile continuing to post information about the security-only patching path. Microsoft has made that option considerably more obtuse than it was a year ago. If you insist on manually installing security patches only, follow the instructions in @PKCano’s AKB 2000003.

For most Windows 7 and 8.1 users, I recommend following AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups. If you want to minimize Microsoft’s snooping but still install all of the offered patches, turn off the Customer Experience Improvement Program (Step 1 of AKB 2000007: Turning off the worst Windows 7 and 8.1 snooping) before you install any patches. (Thx, @MrBrian).

Watch out for driver updates – you’re far better off getting them from a manufacturer’s website. After you’ve installed the latest Monthly Rollup, if you’re intent on minimizing Microsoft’s snooping, run through the steps in AKB 2000007: Turning off the worst Win7 and 8.1 snooping. Realize that we don’t know what information Microsoft collects on Window 7 and 8.1 machines.

Windows 10 patches

If you’re in the unpaid beta testing phase of Windows 10 Fall Creators Update, version 1709, you’re already up to build 16299.19. Nothing you can do about it. There are plenty of problems with FCU, which I documented earlier this week. Susan Bradley added several more to the list. Of course, I recommend that you proactively block the upgrade to 1709. There's still more than three months to go before we're in Current Branch for Business territory, no matter what Microsoft calls it.

The big build 15063.674 update for Creators Update version 1703 has a few acknowledged problems:

  • The bug that blue-screened PCs attached to update servers that allowed patches to go through unattended has been fixed.
  • The “Unexpected error from external database driver” error hasn’t been fixed, but there’s a workaround that requires you to download the Access Database Engine 2010 and manually change your apps.
  • The bug that halts UWP applications using JavaScript hasn’t been fixed, but you can get around the bug by uninstalling the UWP app and then re-installing it.

There was a big patch for the Anniversary Update, version 1607, on Patch Tuesday, and another huge patch a week later. If you install the latest patch, you’ll be up to build 14393.1794. That patch also has the acknowledged bugs with “Unexpected error from external database driver” and borked UWP apps.

Anyone still on 1511, the Fall Update (later renamed to “November Update”), needs to move to 1703 now. The last 1511 security patch, build 10586.1176, is now history.

To get Windows 10 patched, go through the steps in "8 steps to install Windows 10 patches like a pro."

Keeping in mind the persistent problems with Office and the .NET funnies documented above, all of the other updates should be okay, including Servicing stack updates and  Office, MSRT or .NET updates (go ahead and use the Monthly Rollup if it’s offered).

As is always the case, DON’T CHECK ANYTHING THAT’S UNCHECKED.

Time to get patched. Tell your friends, but make sure they understand what’s happening. And for heaven’s sake, as soon as you’re patched, turn off automatic updating! Full instructions are in the referenced guides to patching.

Have a patching problem? Join the club on the AskWoody Lounge.

How to protect Windows 10 PCs from ransomware
Shop Tech Products at Amazon