Microsoft's December Patch Tuesday a real yawner, so far

Unless you use Internet Explorer or Edge, there’s very slim pickin’s in the patch pile this month. No need to apply any of the updates immediately, and every reason to sit back and see if mayhem ensues.

Microsoft's December Patch Tuesday a real yawner, so far
Current Job Listings

Microsoft released its Patch Tuesday passel a couple of hours ago, and it looks like we can all go home and enjoy some eggnog. There were two fixed vulnerabilities for Win7, and two for Win 8.1, and the (five) supported Win10 versions had three fixes apiece, all of them bundled into cumulative updates.

There were no “critical” patches for Windows this month, although Internet Explorer with 13 patched vulnerabilities (9 critical) and Edge with 13 vulnerabilities (12 critical) should certainly turn your head. Assuming you still use either or both. Not many folks do.

In the “everything old is new again” category, I was excited to see the reappearance of an old, old security bugaboo: Microsoft Compiled HTML Help files, or CHM files. I last wrote about them and their profligate CryptoWall ways in 2015.

The Zero Day Initiative has a quick recap about this month’s CHM stupidity:

This patch resolves an information disclosure vulnerability in the Windows its:// protocol handler. Not familiar with that one? I had to look it up as well. InfoTech Storage Format (ITS) is the storage format used in CHM files. IE uses several different ITS protocol handlers, including ms-its, ms-itss, its, and mk:@MSITStore to access components inside CHM files. In theory, you shouldn’t be able to access remote content using ITS outside of the Local Machine Zone thanks to a 2005 update. It appears that has been circumvented by this bug, as it allows attackers who trick users into browsing to a malicious website or to malicious SMB destinations to leak info.

Yesterday, I started seeing reports about KB 3150513 appearing again. You may recall that it’s the “upgrade enabling” patch designed to make it easier for all versions of Windows to upgrade to the latest version — which is to say, Win10 Fall Creators Update. If you have no intention of ever upgrading to Win10 version 1709, you can safely uncheck the patch. Details here.

This month, at least on Windows 7, the Microsoft Malicious Software Removal Tool is checked by default. I’ve never encountered any problems with MSRT runs, and you shouldn’t be concerned about leaving it checked.

Bottom line: If you turned off Windows Update, as I recommended yesterday, you can breathe a sigh of relief. There’s nothing pressing. Best to wait and see if any major bugs appear. You need to apply this month’s patches sooner or later, but every chicken entrail I've seen so far says “later.”

Unless you’re still using IE or Edge, or course. In which case, you should start wailing and gnashing your teeth.

We’re covering the latest, as usual, on the AskWoody Lounge.

How collaboration apps foster digital transformation
Shop Tech Products at Amazon