Patch Tuesday’s tomorrow. We're in uncharted territory. Get Automatic Updates paused.

Credit to Author: Woody Leonhard| Date: Mon, 09 Mar 2020 07:06:00 -0700

It’s always a good idea to pause Windows updates just before they hit the rollout chute. This month, we’re facing two extraordinary issues that you need to take into account. Wouldn’t hurt if you told your friends and family, too.

Take last month’s Windows patches. Please. We had one patch, KB 4524244, that slid out on Patch Tuesday, clobbered an unknown number of machines (HP PCs with Ryzen processors got hit hard), then remained in “automatic download” status until it was finally pulled on Friday. We had another patch, KB 4532693, that gobbled desktop icons and moved files while performing a nifty trick with temporary user profiles. Microsoft never did fix that one.

Those aren’t isolated incidents. We see the same pattern, over and over again. Microsoft releases patches that aren’t adequately tested. Screams of pain ensue. Microsoft fixes some of the patches, doesn’t fix others. Wash. Rinse. Repeat. 

Getting out of the automatic update-induced karmic crapwheel is a mighty pain — and one that’s entirely avoidable. Just avoid the automatic updating, wait and see while crowdsourced beta-testing runs its course.

As if you needed more incentive, this month two additional problems loom.

First, the “optional, non-security, C/D Week” patch that rolled two weeks ago, KB 4535996, has had all sorts of problems. Mayank Parmar at Windows Latest and Lawrence Abrams at BleepingComputer document an impressive list of freezes, crashes, broken drivers, lousy performance, and black and blue screens. Microsoft hasn’t officially acknowledged any of the bugs.

The only bug that has been acknowledged, one that breaks the signtool.exe app in Visual Studio used to sign projects, drew a reference in one blog post from one Microsoft engineer. “We are working on a resolution and estimate a solution will be available in mid-March.”

In normal times, we’d expect the bugs in the “optional” patch to get ironed out by the time the regular cumulative update appears. The past couple of weeks, though, have been anything but normal times.

Almost all of Microsoft’s staff in the Northwest has been working from home for the past week. Microsoft announced late last week that two of its employees in the Seattle area have tested positive for COVID-19, the new coronavirus. You would think that the transition to telecommuting would be easy — after all, Microsoft’s been selling telecommuting-friendly software for decades — but word from the trenches is that there are plenty of bumps in the road.

That brings me to my second concern about this month’s patches. Even if Microsoft gets its act together and fixes the known (and unknown!) bugs in this month’s Patch Tuesday patch, we have exactly zero experience with Microsoft handling new bugs in this coronavirus-influenced work-from-home environment. 

Microsoft has a hard enough time fixing bugs when the whole crew’s in one building, in shouting distance. Heaven only knows what’s going to happen this month.

You have to patch sooner or later. But there’s even more reason this month to not be in the “sooner” cohort.

Those who paid for Win7 Extended Security Updates should be plenty cautious about installing patches immediately. Those who didn’t will either ignore the patches (large majority there), or wait to see if free alternatives appear. We’ll be covering both intently on AskWoody.com.

If you’re using Windows 7 or 8.1, click Start > Control Panel > System and Security. Under Windows Update, click the “Turn automatic updating on or off” link. Click the “Change Settings” link on the left. Verify that you have Important Updates set to “Never check for updates (not recommended)” and click OK.

By now, almost all of you are on Win10 version 1903 or 1909. Not sure which version of Win10 you’re running? Down in the Search box, near the Start button, type About, then click About your PC. The version number appears on the right under Windows specifications.

If you’re using Win10 1803 or 1809, I strongly urge you to move on to Win10 version 1909. If you insist on sticking with Win10 1809 (hard to blame ya!), you can block updates by following the steps in December’s Patch Tuesday warning. Be acutely aware of the fact that Microsoft won’t be handing out any more security patches for 1809 Home or Pro after the May Patch Tuesday. Two months to go.

In version 1903 or 1909 (either Home, Pro, Education or Enterprise, unless you’re attached up an update server), using an administrator account, click Start > Settings > Update & Security. If your Updates paused timer is set before March 30 (see screenshot), I urge you to click Resume Updates and let the automatic updater kick in — and do it now, before noon in Redmond on Tuesday, when the Patch Tuesday patches get released.

If Pause is set to expire before the end of March, or if you don’t have a Pause in effect, you should set up a patching defense perimeter that keep patches off your machine for the rest of this month. Using that administrators account, click the “Pause updates for 7 days” button, then click it again and again, if necessary, until you’re paused out into late March or early April.

If you see an Optional update available (you can see one in the screenshot), DON’T click “Download and install.” You’ll be bit by those bugs soon enough.

Don’t be spooked. Don’t be stampeded. And don’t install any patches that require you to click “Download and install.” 

If there are any immediate widespread problems protected by this month’s Patch Tuesday — a rare occurrence, but it does happen — we’ll let you know here, and at AskWoody.com, in very short order. Otherwise, sit back secure in the knowledge that you aren’t in the first round of cannon fodder. Let’s see what problems arise.

We’re at MS-DEFCON 2 on AskWoody.

http://www.computerworld.com/category/security/index.rss

Leave a Reply