Time to install Microsoft's mainstream September patches – and avoid the dregs

This month’s lightning rod patch — the fix for the peek-a-boo Internet Explorer zero-day CVE-2019-1367 — still isn’t in any of the pushed updates. Unless you’re a Chicken Little acolyte, avoid it, but get the rest of the September patches installed now. Here’s how.

Broken window with band-aid patch
Thinkstock

It’s a smelter-weight slapdown. 

In one corner you have the Chicken Little contingent, which insists that September’s IE zero-day patch must be important because Microsoft marked it as “Exploited: Yes” and memorialized it with an extremely odd patch on a Monday, followed in Keystone Kops fashion with a stumbling trail of follow-ons

In the other corner you have Dummies like me who say Microsoft obviously didn’t care that much about the security hole because it didn’t really push out a fix. If Microsoft were serious about the zero-day, the Dummies insist, it would’ve gotten its act together by now. Demonstrably, the act is still in progress.

And in the middle you have a billion or two Windows customers who really don’t care. They just want their computers to work and not suddenly get whopped by a WannaCry wannabe.

Welcome to Windows as a service.

Internet Explorer choices

With Internet Explorer usage share rapidly swirling down the drain, you might wonder why anybody would care about a patch for a zero-day bug in IE. The problem is that some security holes in IE can be exploited even if you aren’t using IE because Microsoft spreads IE plumbing throughout Windows. Fair enough. But Microsoft hasn’t said if the CVE-2019-1367 exploit can be harnessed even if you aren’t using IE. So the long and short answer is we don’t know if you really need to install the IE patch(es).

That’s true in spite of what you heard on your local evening news right after the weather report — or read in one of a gazillion Chicken Little articles rumbling in the Windows echo chamber.

In what follows, I’ll show you how to install the official, approved patches for all versions of Windows. That’ll leave you unprotected from the CVE-2019-1367 ghoul. If the Chicken Little approach appeals to you, when you’re done with these steps, you have one of two choices for Windows 10:

  • Manually download and install the Sept. 23 one-off patch for your version of Windows (1903 is here, 1809, 1803). If you do that, realize that after you’ve installed the patch, you won’t be able to install .Net 3.5, which probably isn’t a big deal unless you’re using the SAP ERP package. Make sure you have the latest Servicing Stack Update working before you install.
  • Use Windows Update to install the Sept. 24 or 26 “optional, non-security” patch (for 1903 that’s KB 4517211, for 1809 it’s KB 4516077, for 1803 it’s 4516045). When offered the choice (see the screenshot at the end of this article), click Download and install now. The “optional, non-security” patch which contains a security patch will protect you from the IE zero-day, but it also may clobber your printer.

If you’re using Windows 7 or 8.1 (or Server variants) and you follow the instructions here, you’ll get all the recommended September patches, but you won’t be protected from the CVE-2019-1367 mess. If you’re in the Chicken Little party, the easiest way to get protected is to manually install a single standalone patch, KB 4522007, that applies to IE in Win7, 8.1, Server 2012 and Server 2012 R2. It’s a plain-vanilla IE patch (which means it’s a rollup), arriving at a weird time. It’s NOT a Windows patch. 

More telemetry for Win7 and 8.1

This month brought three cumulative updates for each version of Win10. The last cumulative update, marked “optional, non-security” is in fact a security patch. But you Win10 users shouldn’t feel special. Win7 and 8.1 this month have precisely the opposite problem — their “Security only” patches include the full suite of Microsoft snooping/telemetry updates, and installing them sets up scheduled tasks to use them.

It’s the same shenanigans we saw in July.

Fortunately, there are ways to circumvent the telemetry — or at least minimize it. Details follow.

Update

Here’s how to get your system updated the (relatively) safe way.

Step 1. Make a full system image backup before you install the latest patches

There’s a non-zero chance that the patches — even the latest, greatest patches of patches of patches — will hose your machine. Best to have a backup that you can reinstall even if your machine refuses to boot. This, in addition to the usual need for System Restore points.

There are plenty of full-image backup products, including at least two good free ones: Macrium Reflect Free and EaseUS Todo Backup. For Win 7 users, If you aren’t making backups regularly, take a look at this thread started by Cybertooth for details. You have good options, both free and not-so-free.

Step 2. For Win7 and 8.1

Microsoft is blocking updates to Windows 7 and 8.1 on recent computers. If you are running Windows 7 or 8.1 on a PC that’s 24 months old or newer, follow the instructions in AKB 2000006 or @MrBrian’s summary of @radosuaf’s method to make sure you can use Windows Update to get updates applied.

If you’ve been relying on the Security-only “Group B” patching approach to keep Microsoft’s snooping software off your PC, you’re stuck again this month. You can install the August Security-only patch without bringing in the snooping routines. But unless you install the telemetry-laden July and September Security-only patches, you’re missing a couple of months of (not really all that important) patches. Think of it as a preview of your January Win7 end-of-support conundrum.

For most Windows 7 and 8.1 users, I recommend following AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups. You should have one Windows patch, dated Sept. 10 (the Patch Tuesday patch). If you’re very paranoid about the CVE-2019-1367 IE zero-day exposure, use the separately downloaded and manually installed IE update, KB 4522007

Realize that some or all of the expected patches for September may not show up or, if they do show up, may not be checked. DON'T CHECK any unchecked patches. Unless you're very sure of yourself, DON'T GO LOOKING for additional patches. In particular, if you install the September Monthly Rollup, you won’t need (and probably won’t see) the concomitant patches for August. Don't mess with Mother Microsoft.

If you see KB 4493132, the “Get Windows 10” nag patch, make sure it’s unchecked.

Watch out for driver updates — you’re far better off getting them from a manufacturer’s website.

After you’ve installed the latest Monthly Rollup, if you’re intent on minimizing Microsoft’s snooping, run through the steps in AKB 2000007: Turning off the worst Win7 and 8.1 snooping. If you want to thoroughly cut out the telemetry, see @abbodi86’s detailed instructions in AKB 2000012: How To Neutralize Telemetry and Sustain Windows 7 and 8.1 Monthly Rollup Model.

Realize that we don’t know what information Microsoft collects on Window 7 and 8.1 machines. But I’d be willing to bet that fully-updated Win7 and 8.1 machines are leaking almost as much personal info as that pushed in Win10.

Step 3. For Windows 10 prior to version 1903

If you want to stick with your current version of Win10 Pro — a reasonable alternative — you can follow my advice from February and set “quality update” (cumulative update) deferrals to 15 days, per the screenshot. If you have quality updates set to 15 days, your machine already updated itself on Sept. 25, and will update again on Oct. 16. Don’t touch a thing and in particular don’t click Check for updates.

1809 sac 365 15 Woody Leonhard/IDG

For the rest of you, including those of you stuck with Win10 Home, go through the steps in "8 steps to install Windows 10 patches like a pro." Make sure that you run Step 3, to hide any updates you don’t want (such as the Win10 1903 upgrade or any driver updates for non-Microsoft hardware) before proceeding.

If you see a notice that "You're currently running a version of windows that's nearing the end of support. We recommend you update to the most recent version of Windows 10 now to get the latest features and security improvements" you can safely chill. Win10 1803 is good through November. If you see a link to “Download and install now,” ignore it — for the same reason.

Step 4. For Windows 10 version 1903

Windows Update in Win10 version 1903 went through a major makeover last month. The result, if it works the way it’s been described, will be a major step forward in Windows 10 patching.

There’s a legacy fly in the ointment, though. If you’ve moved to Win10 Pro version 1903, and you set 15 day deferral on quality updates (as shown in the preceding screenshot), you’ll no doubt discover that the settings shown in the screenshot are no longer available on your machine. Microsoft hasn’t yet deigned to tell us what’s going on, but you can rest assured that your 15-day deferral was obeyed — and you got the September patches on Sept. 25. Don’t worry about changing the deferral settings. You’re protected until Oct. 16.

Long story short, the setting shown in the screenshot may not be visible on your machine. Not to worry. You have a belt-and-suspenders kind of second choice. If you’re on Win10 version 1903 (either Home or Pro), click the link on the Windows Update page that says “Pause updates for 7 days,” then click on the newly revealed link, which says “Pause updates for 7 more days,” then click it again.

By clicking that link three times, you’ll defer cumulative updates for 21 days from the day you started clicking — if you do it today, you’ll be protected until Oct. 23 — which is typically long enough for Microsoft to work out the worst bugs in their patches.

There are several group policies and a handful of registry settings working in the background when you make those changes. But if you’re using Pro and set the quality update deferral to 15 days, and punch the “Pause updates for 7 days” button three times (on either Home or Pro), you should be in good shape.

1903 third sept cumulative update offered Woody Leonhard/IDG

If you see an offer of an Optional update (screenshot), don’t click Download and install now. Even more bugs await.

And, no, I don't know how to reliably keep Win10 1909 off your 1903 machine. For now, the Pause updates button should keep you protected. At some point Microsoft will have to explain exactly how the feature-upgrade-in-cumulative-update-clothing gets installed.

I think.

Stay tuned.

Thanks to the dozens of volunteers on AskWoody who contribute mightily, especially @sb, @PKCano, @abbodi86 and many others.

We’ve moved to MS-DEFCON 3 on the AskWoody Lounge.

Copyright © 2019 IDG Communications, Inc.

9 steps to lock down corporate browsers
  
Shop Tech Products at Amazon