Time to install the August Windows patches — but watch out for the bugs

Credit to Author: Woody Leonhard| Date: Fri, 06 Sep 2019 08:16:00 -0700

August brought loads of drama to the Windows and Office patching scene. Microsoft’s first round of patches killed Visual Basic, Visual Basic for Applications and VBScript in certain situations — on all versions of Windows. Fixes for the bugs dribbled out three, four, six and 17 days after the original infection. 

Those Microsoft-introduced bugs were all the more daunting because the August patches are the ones intended to protect us from DejaBlue — the recently announced “wormable” malware infection vector that (thankfully!) has yet to be exploited. The mainstream press picked up the Chicken Little cry to install August patches right away. Then the buggy offal hit the impeller, and the press fell silent.

Funny how that works.

At any rate, if you’ve been following along here, you’re ready to get the August patches installed. Here’s how to do it.

Those of you running Win10 version 1903 have reason to be … perturbed. 

Microsoft put the “optional, non-security” second August cumulative update through its Insider beta-testing process for an extra couple of weeks. All of the other versions of Windows had their VB/VBA/VBScript bugs fixed on Aug. 16, 17 and 19. The fix for 1903 sat in the Windows Insider Release Preview ring — supposedly getting a thorough shine — until Aug. 30.

Now it looks as if all of that extra delay in delivering the patch didn’t do much.

Microsoft finally acknowledged the Cortana/SearchUI.exe redlining bug in the KB 4512941 patch four days after the bug was originally reported. We got a single tweet that said:

We are currently investigating an issue where users are reporting high CPU usage linked to SeachUI.EXE [sic] after installing the optional update on August 30 (KB4512941). We will provide an update in an upcoming release.

The next day, the KB article was updated to say:

Microsoft is getting reports that a small number of users may not receive results when using Windows Desktop Search and may see high CPU usage from SearchUI.exe. This issue only occurs on devices that have disabled searching the web using Windows Desktop Search.

We are working on a resolution and estimate a solution will be available in mid-September.

This isn’t a fringe case. Microsoft has encountered so many complaints about searching the web in Windows Desktop Search that they published a Knowledge Base article with step-by-step instructions for disabling it. If you followed those instructions, and installed the second monthly cumulative update, part of your machine is redlining.

The July Windows 7/Server 2008 R2 “Security-only” patch brought an unwanted surprise: it installs the same kind of telemetry found in the Monthly Rollups. Many of the folks who go to the bother of downloading and manually installing the Security-only patches specifically do so to avoid the snooping, but if you want the July security fixes, telemetry comes along for the ride.

I’m happy to report that the August “Security-only” patch only includes security patches. Who woulda thought?

Here’s how to get your system updated the (relatively) safe way.

There’s a non-zero chance that the patches — even the latest, greatest patches of patches of patches — will hose your machine. Best to have a backup that you can reinstall even if your machine refuses to boot. This, in addition to the usual need for System Restore points.

There are plenty of full-image backup products, including at least two good free ones: Macrium Reflect Free and EaseUS Todo Backup. For Win 7 users, If you aren’t making backups regularly, take a look at this thread started by Cybertooth for details. You have good options, both free and not-so-free.

Microsoft is blocking updates to Windows 7 and 8.1 on recent computers. If you are running Windows 7 or 8.1 on a PC that’s 24 months old or newer, follow the instructions in AKB 2000006 or @MrBrian’s summary of @radosuaf’s method to make sure you can use Windows Update to get updates applied.

If you’ve been relying on the Security-only “Group B” patching approach to keep Microsoft’s snooping software off your PC, you’re stuck again this month. You can install the August Security-only patch without bringing in the snooping routines. But unless you install the telemetry-laden July Security-only patch, you’re missing a month of (not really all that important) patches. Think of it as a preview of your January 2020 Win7 end-of-support conundrum.

For most Windows 7 and 8.1 users, I recommend following AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups. You should have two Windows patches, one dated August 13 (the Patch Tuesday patch) and the other dated August 17 (the patch for the pernicious Patch Tuesday patch). Say that ten times real fast. They should both be checked.

Realize that some or all of the expected patches for August may not show up or, if they do show up, may not be checked. DON’T CHECK any unchecked patches. Unless you’re very sure of yourself, DON’T GO LOOKING for additional patches. In particular, if you install the August Monthly Rollup, you won’t need (and probably won’t see) the concomitant patches forJuly. Don’t mess with Mother Microsoft.

If you see KB 4493132, the “Get Windows 10” nag patch, make sure it’s unchecked.

Watch out for driver updates — you’re far better off getting them from a manufacturer’s website.

After you’ve installed the latest Monthly Rollup, if you’re intent on minimizing Microsoft’s snooping, run through the steps in AKB 2000007: Turning off the worst Win7 and 8.1 snooping. If you want to thoroughly cut out the telemetry, see @abbodi86’s detailed instructions in AKB 2000012: How To Neutralize Telemetry and Sustain Windows 7 and 8.1 Monthly Rollup Model.

Realize that we don’t know what information Microsoft collects on Window 7 and 8.1 machines. But I’d be willing to bet that fully-updated Win7 and 8.1 machines are leaking almost as much personal info as that pushed in Win10.

If you want to stick with your current version of Win10 Pro — a reasonable alternative — you can follow my advice from February and set “quality update” (cumulative update) deferrals to 15 days, per the screenshot. If you have quality updates set to 15 days, your machine already updated itself on August 28, and will update again on September 25. Don’t touch a thing and in particular don’t click Check for updates.

For the rest of you, including those of you stuck with Win10 Home, go through the steps in “8 steps to install Windows 10 patches like a pro.” Make sure that you run Step 3, to hide any updates you don’t want (such as the Win10 1903 upgrade or any driver updates for non-Microsoft hardware) before proceeding.

If, after the update, you bump into a message that says “Procedure call error,” realize that you didn’t do anything wrong. Microsoft did. If you get that error message, you have to go through the “8 steps” again, but this time install KB 4512509 (for Win10 version 1803) or KB 4512534 (for Win10 version 1809), and curse the patching gremlins. Some day Microsoft will figure out this patching thang. Or maybe not.

If you see a notice that “You’re currently running a version of windows that’s nearing the end of support. We recommend you update to the most recent version of Windows 10 now to get the latest features and security improvements” you can safely chill. Win10 1803 is good through November. If you see a link to “Download and install now,” ignore it — for the same reason.

Windows Update in Win10 version 1903 has gone through a major makeover in recent weeks. The result, if it works the way it’s been described, will be a major step forward in Windows 10 patching.

There’s a legacy fly in the ointment, though. If you’ve moved to Win10 Pro version 1903, and you set 15 day deferral on quality updates (as shown in the earlier screenshot), you’ll no doubt discover that the settings shown in the screenshot are no longer available on your machine. Microsoft hasn’t yet deigned to tell us what’s going on, but you can rest assured that your 15 day deferral was obeyed — and you got the August patches on Aug. 28. Don’t worry about changing the deferral settings. You’re protected until Sept. 25.

Long story short, the setting shown in the screenshot may not be visible on your machine. Not to worry. You have a belt-and-suspenders kind of second choice. If you’re on Win10 version 1903 (either Home or Pro), click the link on the Windows Update page that says “Pause updates for 7 days,” then click on the newly revealed link, which says “Pause updates for 7 more days,” then click it again.

By clicking that link three times, you’ll defer cumulative updates for 21 days from the day you started clicking — if you do it today, you’ll be protected until Sept. 27 — which is typically long enough for Microsoft to work out the worst bugs in its patches.

There are several group policies and a handful of registry settings working in the background when you make those changes. But if you’re using Pro and set the quality update deferral to 15 days, and punch the “Pause updates for 7 days” button three times (on either Home or Pro), you should be in good shape.

If you encounter the “Procedure call error” bug, you need to install the second August cumulative update. Lucky you. To do so, click Check for updates (yes, you read that correctly), then under Optional updates available, look for 2019-08 Cumulative Update for Windows 10 Version 1903 for x64-based Systems (KB 4512941) (see screenshot) and click Download and install now.

That’ll introduce even more bugs, but at least it’ll fix the “Procedure call error” bug.

Thanks to the dozens of volunteers on AskWoody who contribute mightily, especially @sb, @PKCano, @abbodi86 and many others.

We’ve moved to MS-DEFCON 3 on the AskWoody Lounge.

http://www.computerworld.com/category/security/index.rss

Leave a Reply