The fourth Tuesday of the month has come and gone, and it now looks reasonably safe to patch Windows and Office. I was expecting two big releases yesterday—one to fix numerous bugs in Win10 Creators Update, version 1703; the other to plug the bugs introduced by June’s Office security patches—but neither trove appeared. Given Microsoft’s past patterns, it’s unlikely that we’ll see any more serious patches until next month’s Patch Tuesday, on Aug. 8.
There’s also a bit of additional impetus right now. On July 17, security researcher Haifei published a proof of concept for running malware scripts directly in Office apps. I haven’t seen any exploits in the wild as yet, but it would be a good idea to install KB 3213640 (Office 2007), KB 3213624 (Office 2010), KB 3213555 (Office 2013) and/or KB 3213545 (Office 2016) in the short term. (Thx to @LeaningTowardsLinux.) Note that none of these patches, as best I can tell, corrects the Office bugs introduced in June.
July was a particularly problematic month for Windows and Office patches. At this moment, I see the following outstanding problems — none of which are overwhelming, but all of which may prove to be a pain to you, depending on your configuration and expectations:
- The June bugs introduced by faulty Office security patches still aren’t fixed. Those of you using Outlook to open attachments or run custom macros may encounter problems. The easiest solution, of course, is to avoid Outlook. I’ve seen no confirmation that running July patches will affect the June patches, which have appeared and disappeared in an unpredictable pattern.
- The July patches reset Internet Explorer so it can print inside iFrames, but in so doing they reintroduce the CVE-2017-8529 security vulnerability. That’s a big deal if your company relies on IE to print customized pages, but the easiest solution is to just avoid IE. If you use Chrome or Firefox and couldn’t care less about IE’s problems, you might want to wade through the considerable mess documented here and avoid installing patches that fix IE but leave you exposed.
- KB 4025331 for Server 2012 and KB 4025336 for Server 2012 R2 break client connections in WSUS and SCCM. Both need a manual registry key change to enable a fix for CVE-2017-8563.
On the brighter side, the Surface Pro 4/Surface Book firmware/driver update difficulties I talked about two days ago didn’t turn into major problems. Microsoft has provided the documentation, at last, and it looks like the driver update is good to go.
As always, I strongly recommend that you avoid installing the Preview Rollups on offer, such as KB 4025335. That’s easy—you have to check the right box to install the Preview, and you shouldn’t be checking any boxes!
Here are my recommendations:
Windows 7 and 8.1
If you’re very concerned about Microsoft’s snooping on you, and only want to install security patches, realize that the path’s getting more difficult. The old “Group B”—security patches only—isn’t dead, but it’s no longer within the grasp of typical Windows customers. If you insist on installing security patches only, follow the instructions in @PKCano’s AKB 2000003.
Microsoft is still blocking updates to Win 7 and 8.1 on recent computers. If you are running Windows 7 or 8.1 on a PC that’s a year old, or newer, follow the instructions in AKB 2000004 or @MrBrian’s summary of @radosuaf’s method to make sure you can use Windows Update to get updates applied.
If you want to minimize Microsoft’s snooping but still install all of the offered patches, turn off the Customer Experience Improvement Program (Step 1 of AKB 2000007: Turning off the worst Windows 7 and 8.1 snooping) before you install any patches. (Thx @MrBrian).
For most Windows 7 and 8.1 users, I recommend following AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups. Watch out for driver updates — you’re far better off getting them from the manufacturer’s website.
After you’ve installed the latest Monthly Rollup, if you’re intent on minimizing Microsoft’s snooping, run through the steps in AKB 2000007: Turning off the worst Win7 and 8.1 snooping. Realize that we don’t know what information Microsoft collects on Win7 and 8.1 machines.
Windows 10
It’s still too early to jump to Win10 Creators Update, version 1703. Wait until Microsoft designates it “Current Branch for Business” or, in the new bafflegab, “Semi-annual Channel (Broad)”, meaning ready for broad deployment. You can block the upgrade with a few simple steps, detailed in this Computerworld post. If you’re presented with an option to review your privacy settings, click “Remind me later” and forget about it.
To get Win10 patched, run the steps in AKB 2000005: How to update Windows 10 — safely. You may want to use wushowhide to hide any driver updates. All of the other updates should be OK, including Servicing stack updates, Office, MSRT or .Net updates (go ahead and use the Monthly Rollup if it’s offered).
As is always the case, DON’T CHECK ANYTHING THAT’S UNCHECKED.
Time to get patched. Tell your friends, but make sure they understand what’s happening. And for heaven’s sake, as soon as you’re patched, turn off automatic updating! If you can follow these instructions, you don't have to serve as Microsoft patch cannon fodder.
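As an added check (example code, not from the original post or from Microsoft), the following PowerShell reports whether the Windows KBs named above are present on the local machine and reads the classic Automatic Updates setting that the “turn off automatic updating” advice refers to. Get-HotFix only lists Windows updates, so the Office KBs (3213640 and friends) can’t be verified this way; the AUOptions value lives under the non-policy Windows Update key on Windows 7 and 8.1 and may simply be absent on Windows 10, which the script treats as “not set”.

```powershell
# Added example, not code from the original post. Run in an elevated
# PowerShell prompt on the machine you are checking.

# KBs named in the post: the two Server rollups with the WSUS/SCCM problem
# and the Preview Rollup the post says to leave unchecked.
$kbsOfInterest = [ordered]@{
    'KB4025331' = 'Server 2012 Monthly Rollup (breaks WSUS/SCCM client connections)'
    'KB4025336' = 'Server 2012 R2 Monthly Rollup (breaks WSUS/SCCM client connections)'
    'KB4025335' = 'Preview Rollup (do not install)'
}

# Get-HotFix reads Win32_QuickFixEngineering, which lists Windows updates only;
# Office patches such as KB 3213640 do not show up here.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

foreach ($kb in $kbsOfInterest.Keys) {
    $state = if ($installed -contains $kb) { 'INSTALLED' } else { 'not installed' }
    '{0,-10} {1,-14} {2}' -f $kb, $state, $kbsOfInterest[$kb]
}

# Classic Automatic Updates setting (Windows 7/8.1; may be absent on Windows 10).
# A missing value means Windows Update is using its default behaviour.
$auKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$au = Get-ItemProperty -Path $auKey -Name AUOptions -ErrorAction SilentlyContinue
$meaning = @{
    1 = 'Never check for updates'
    2 = 'Check for updates but let me choose whether to download and install them'
    3 = 'Download updates but let me choose whether to install them'
    4 = 'Install updates automatically'
}
if ($null -eq $au) {
    'AUOptions not set (default automatic updating behaviour)'
} else {
    'AUOptions = {0} ({1})' -f $au.AUOptions, $meaning[[int]$au.AUOptions]
}
```

If the Preview Rollup shows as INSTALLED, or AUOptions is 4 after you’ve finished patching, that is the situation the post tells you to avoid; the script only reports, it changes nothing, so any fix is still done through Windows Update or the Group Policy / Control Panel settings described in the AKB articles.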