Patch Tuesday is tomorrow. Get your system locked down.

erek

Hope it's a good one. Hope it goes smoothly this time.

"If you see an Optional update available (you can see one in the screenshot), DON’T click Download and install. You’ll be bit by those bugs soon enough.

Don’t be spooked. Don’t be stampeded. And don’t install any patches that require you to click “Download and install now.”

If there are any immediate widespread problems protected by this month’s Patch Tuesday — a rare occurrence, but it does happen — we’ll let you know here, and at AskWoody.com, in very short order. Otherwise, sit back and watch while our usual monthly crowdsourced patch watch proceeds. Let’s see what problems arise."


https://www.computerworld.com/artic...-is-tomorrow-get-your-system-locked-down.html
 
That's the fun part, you can never know.

So in other words, they don't know there's actually going to be a problem this month and could be Chicken Littling us. (Or they could be right, of course.)
 
I'm in on the preview release, and I've liked 19041 since I've had it. There were some hiccups where audio devices would stop working after being on for a certain amount of time and streaming/gaming, but they seem to have fixed it. Otherwise no complaints here.
 
So in other words, they don't know there's actually going to be a problem this month and could be Chicken Littling us. (Or they could be right, of course.)

That would be correct, it is chicken-little crap. He has no evidence there's anything wrong, it is just to get clicks, which it has successfully done here. He's also basically the computer equivalent of an anti-vaxxer: "You don't need those security updates, all the problems they said have never come to pass!" Same idea as "You don't need a vaccine, you've never seen someone with the disease!" Yes, in both cases it is BECAUSE of the fix. If there's an exploit, and it gets fixed quickly and people widely apply that fix, you don't tend to see anyone develop malware to exploit it. After all, what good is making something that could only infect a tiny number of systems?

I will NOT be listening to some random fear monger with no evidence. My systems, and all the systems at work, will be patching themselves normally, just as they always do. It's not that I've never seen problems with patches, I've seen a few (as in less than 5) over the last decade that would affect certain configurations. Annoying, but no big deal, just roll back. What I've seen a lot more of is systems getting owned, and in those cases it is way harder to clean up than a simple rollback. To truly make sure they are secure, a nuke-and-pave is required.

Unless you are a security professional that takes the time to read the patch notes, check the CVSS of vulnerabilities, and see how that impacts your systems... just let patches auto install. For Windows, for your browser, for your games, for everything. The chances you get bit by a patch issue are way less than the chances you get owned or run into a nasty bug (remember patches don't only fix security issues) by running old code.
 
Unless you are a security professional that takes the time to read the patch notes, check the CVSS of vulnerabilities, and see how that impacts your systems... just let patches auto install. For Windows, for your browser, for your games, for everything. The chances you get bit by a patch issue are way less than the chances you get owned or run into a nasty bug (remember patches don't only fix security issues) by running old code.
I guess you have never been hit with a patch that makes ALL USB ports on the PC "failed to start", have you? Couple that with a new desktop that doesn't have a PS2 port anymore, and you'll have tons of fun. Especially on a computer belonging to a C-level executive. Luckily the PC was domain joined so it was possible to enable RDP & remote to it without the keyboard & mouse.

Not saying never update your Windows but always test the update first or back your PC up before updating it.
 
Tuesday afternoon
Patches promised to me
Now they're on their way
Uptime doesn't matter to them
Why not choose Azure today?

Incoming calls to me
The fires are already here
Managers are asking me why
Desperate voices so dear
I want Microsoft to die.

I'm pulling at my hair, resume good to go
It's just the time of year to leave this silly show
So ready for Linux, java and open source love
If you'll just come with me you'll leave the ugly of

Tuesday afternoon
Tuesday afternoon

Tuesday afternoon
Patches promised to me
Now they're on their way
Uptime doesn't matter to them
Why not choose Azure today?

Incoming calls to me
The fires are already here
Managers are asking me why
Desperate voices so dear
I want Microsoft to die.

Evening has come to pass
The time of day doesn't last
Evening,…
 
I guess you have never been hit with a patch that makes ALL USB ports on the PC "failed to start", have you? Couple that with a new desktop that doesn't have a PS2 port anymore, and you'll have tons of fun. Especially on a computer belonging to a C-level executive. Luckily the PC was domain joined so it was possible to enable RDP & remote to it without the keyboard & mouse.

Not saying never update your Windows but always test the update first or back your PC up before updating it.

Never been hit with that one, the last one I can remember was about, I dunno, 3 or 4 years ago WiFi stopped working on a few systems. Was only a real specific config it caused trouble with. Just sent techs out to roll it back (since they couldn't be gotten at on the network) and continued on.

For us, we've decided that the overhead of testing and running WSUS is not worth it, we auto-patch everything other than the Hyper-V servers. That has been working fine for the 15 years I've been here. Like I said it isn't like we never have issues, but the number of issues we have is small, and they are easily fixed, particularly compared to security issues.

I'm not saying all organizations should do the same. I will never hate on an org that wants to legitimately do their own patch management. But only if they do it properly: Meaning have someone that audits the patches to decide what is and isn't needed (who has the requisite knowledge and skills to make those decisions), applies them to a test environment that is representative of production and then gets them out to production once verified. What I will hate on is orgs that claim they do it, but really just delay patching figuring they'll hear about issues. Not only is that a delay for no good reason, but it is entirely possible that you don't find out about an issue you'd have, so you get hit anyhow when you do patch.

What I'm really talking about with this thread though is home users. Ultimately an enterprise will have a policy on this and you have to follow it (if you don't have a formal policy, get one). This kind of thing is targeted at home users. If you are a home user, just patch your shit. It really will cause fewer problems, and you do it with other stuff anyhow. For as much as people scream about Windows patches, they have their browser, their phone, their Roku, and so on auto patch and that just is what it is.
 
Hope it's a good one. Hope it goes smoothly this time.

"If you see an Optional update available (you can see one in the screenshot), DON’T click Download and install. You’ll be bit by those bugs soon enough.
Too late, already did it.
 
If you are a home user, just patch your shit. It really will cause fewer problems

Not that it's easy, if you don't have a lot of disposable income, but not having really old hardware is a great way to minimize problems, too.

I've had a couple of showstoppers in the last few years, on the Windows Insider platform, where a bad update froze up my computer, and I had to roll it back, and then it tried to autoinstall itself again, but the Pause Updates feature made that much less of a problem.
 
That would be correct, it is chicken-little crap. He has no evidence there's anything wrong, it is just to get clicks, which it has successfully done here. He's also basically the computer equivalent of an anti-vaxxer: "You don't need those security updates, all the problems they said have never come to pass!" Same idea as "You don't need a vaccine, you've never seen someone with the disease!" Yes, in both cases it is BECAUSE of the fix. If there's an exploit, and it gets fixed quickly and people widely apply that fix, you don't tend to see anyone develop malware to exploit it. After all, what good is making something that could only infect a tiny number of systems?

I will NOT be listening to some random fear monger with no evidence. My systems, and all the systems at work, will be patching themselves normally, just as they always do. It's not that I've never seen problems with patches, I've seen a few (as in less than 5) over the last decade that would affect certain configurations. Annoying, but no big deal, just roll back. What I've seen a lot more of is systems getting owned, and in those cases it is way harder to clean up than a simple rollback. To truly make sure they are secure, a nuke-and-pave is required.

Unless you are a security professional that takes the time to read the patch notes, check the CVSS of vulnerabilities, and see how that impacts your systems... just let patches auto install. For Windows, for your browser, for your games, for everything. The chances you get bit by a patch issue are way less than the chances you get owned or run into a nasty bug (remember patches don't only fix security issues) by running old code.

Wow I would not like to work at your place, seeing my shit get btfo'd from one day to the next with no warning because IT can't be bothered to read changelogs

I don't advocate for the blind hatred a lot of IT departments get, but with shit like this, I understand
 
Wow I would not like to work at your place, seeing my shit get btfo'd from one day to the next with no warning because IT can't be bothered to read changelogs

I don't advocate for the blind hatred a lot of IT departments get, but with shit like this, I understand

If your shit blows up from one day to the next, you have a problem that is not Windows patching. Like I said, we have actual experience behind our decision, not just fearmongering.
 
That's the kind of attitude that actually kills user experience. You want to work with people, not against them.

It's only common courtesy to give users a warning about any changes that are being made to the tools they use to earn a living. Patching with your eyes closed and using rollbacks as a way to fix things doesn't seem responsible IMO. You've got one job, might as well do it right, no? That is from start to finish, from communication to execution. You work for your users, not the other way around.

I imagine some low level guy in some operations center like: I don't need Patch Tuesday to break my spaghetti code Excel macros that have been handed down to me from the last guy, which were handed down to him from the last guy, and so on. They're basically the only way I can do my job efficiently and without them my work takes 3 times as long. IT guy strolls along around 11 AM ready to "roll back". Start working around 1. Productivity into the toilet.
 
Why install patches as soon as they are out? I like to stay a solid month behind; by then the known issues in the cumulative update section will have something or not.
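One way to put the "stay a month behind" approach into practice on a single Windows 10 machine, added here as an example (it is not code from this thread or from any poster): it sets the Windows Update for Business deferral policy so quality updates arrive 30 days after release, records the currently installed hotfix list as a baseline so any later roll-back knows exactly which KBs are new, and takes a system restore point. Assumptions: a Pro or Enterprise edition (Home editions ignore these policy values), an elevated PowerShell session, and the 30-day period and the baseline file path are chosen values, not anything the thread specifies.

```powershell
# Added example, not from the thread. Defers Windows 10 quality (cumulative)
# updates via the Windows Update for Business policy keys, snapshots the
# installed hotfix set, and creates a restore point as a roll-back path.
#Requires -RunAsAdministrator

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$deferDays = 30   # chosen value; 30 is the maximum the policy accepts for quality updates

# Create the policy key if it does not exist yet, then set the deferral values.
if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}
Set-ItemProperty -Path $policyKey -Name 'DeferQualityUpdates' -Value 1 -Type DWord
Set-ItemProperty -Path $policyKey -Name 'DeferQualityUpdatesPeriodInDays' -Value $deferDays -Type DWord

# Record what is installed today. After the deferred patches land, diff this
# file against a fresh Get-HotFix listing to see which KBs are new.
$baseline = Join-Path $env:ProgramData 'patch-baseline.csv'   # chosen path
Get-HotFix |
    Select-Object HotFixID, Description, InstalledOn |
    Sort-Object InstalledOn |
    Export-Csv -Path $baseline -NoTypeInformation

# A restore point on the system drive gives a quick way back if a patch misbehaves.
Enable-ComputerRestore -Drive "$env:SystemDrive\"
Checkpoint-Computer -Description 'Pre-Patch-Tuesday baseline' -RestorePointType MODIFY_SETTINGS

# Show the deferral values as Windows Update will read them.
Get-ItemProperty -Path $policyKey |
    Select-Object DeferQualityUpdates, DeferQualityUpdatesPeriodInDays
```

Two things worth knowing when running this: Windows 10 only creates one restore point per 24 hours unless the `SystemRestorePointCreationFrequency` value is changed, so a second run the same day silently skips the checkpoint; and a restore point protects the OS volume only, so it is a complement to, not a replacement for, the image backup other posters in this thread take before patching.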
 
I've found that these updates don't usually roll out for me until mid-afternoon (mountain time). I usually make a quick image backup prior to them rolling out, just in case, but I've never had an issue outside of those large biannual updates.
Both Adobe CC and MS Office had large updates early this morning, though.
 
Bleh, why today.

I needed my Windows machine today for the first time in over two weeks. Log in and freeze... Hmm, reboot. Windows boots, login and no video after login. Figured Windows must be forcibly installing a new video driver (because you cannot stop driver updates, for "reasons"...) and I was correct. Eventually get video back and freeze. FFS. Reboot and Windows Update churning, get to login screen, enter PIN, and freeze... F-this, going to figure it out on the Linux side. Shutdown and got back to work.
 
That's the kind of attitude that actually kills user experience. You want to work with people, not against them.

It's only common courtesy to give users a warning about any changes that are being made to the tools they use to earn a living. Patching with your eyes closed and using rollbacks as a way to fix things doesn't seem responsible IMO. You've got one job, might as well do it right, no? That is from start to finish, from communication to execution. You work for your users, not the other way around.

I imagine some low level guy in some operations center like: I don't need Patch Tuesday to break my spaghetti code Excel macros that have been handed down to me from the last guy, which were handed down to him from the last guy, and so on. They're basically the only way I can do my job efficiently and without them my work takes 3 times as long. IT guy strolls along around 11 AM ready to "roll back". Start working around 1. Productivity into the toilet.

See but what you are asking for here is just head in the sand "Never patch and hope for the best". The reason is that you are talking about a custom, legacy, setup that applies just to you. What I mean is:

If you have an organization with a highly homogeneous setup, then IT can reasonably test things. So let's say you have a place where you have only three system configurations: the ones you just bought, the ones from last year, and the ones from the year before. You replace systems 1/3rd every year. You also have extremely locked-down configurations. Nobody gets admin, and everyone uses a standard loadout, the same software patched to the same versions. So management all has a setup, finance has one, customer service has one, and production has one. That's then 12 total platforms to regression test. That's doable. When a new patch comes out, IT can very reasonably have 12 test platforms they load it on, see what happens, and then test with all the software.

However that doesn't work in a heterogeneous setup, where there are lots of differences in hardware and software used, which is what I have at work, and what you are describing. When you have custom setups, where people can be running their own code on their system, where they have admin and put on their own software, etc., you quickly approach a situation where to test you would literally need a copy of every single system. Also, since it is something users control, you'd need the copy to be auto-updated all the time. No IT department has the manpower to do that, and to then run hundreds or thousands of separate tests, nor are they going to have all the systems to do it on. So that means you either want them to treat you special, to have a test setup just for you, something they don't do for everyone or, what I'm sure you really want, is to just not patch your system because it is "inconvenient".

The never-patch thing is one of those that to you might seem fine, because it avoids problems... and it is right up until it isn't. Everything goes ok until one of the security issues that have been building up gets owned. Then things are much, MUCH worse than an issue caused by a patch. Things like all your data being encrypted or just gone, multiple other systems getting hit, millions of dollars in fines for failing to comply with regulations, lost business, etc.
 
This always cracks me up. They all want Android updates day 1 minute 1, yet for Windows they whine and cry "you can't make me!".


I've never had an Android update crash my phone. I have had Windows updates cause my PC to fail to start.

It seems Google, handset manufacturers, and carriers do QA on their updates before release as opposed to "QA" by rolling out updates to see what happens.
 
 
That would be correct, it is chicken-little crap. He has no evidence there's anything wrong, it is just to get clicks, which it has successfully done here. He's also basically the computer equivalent of an anti-vaxxer: "You don't need those security updates, all the problems they said have never come to pass!"

Actually, what he advocates is don't update immediately, wait to see if there are issues being reported, then update if there aren't. Basically let other people be the guinea pigs. It's a valid strategy although not for every user or every situation and the site is targeted at single users not IT professionals managing networks.
 
This always cracks me up. They all want Android updates day 1 minute 1, yet for Windows they whine and cry "you can't make me!".
You're either goofing around and actually understand that's a false equivalence, since Android/iOS updates aren't known for bricking/releasing untested, or have just forgotten Microsoft's insane track record of botched Windows 10 patches, and fixes that required fixes that required fixes. I've been the victim of several - even with all the deferral options supposedly enabled - and they cost me money and required rollbacks and reimaging.

When Satya Nadella fired the QA department and made customers the perpetual beta team, the writing was on the wall.
 
You're either goofing around and actually understand that's a false equivalence, since Android/iOS updates aren't known for bricking/releasing untested, or have just forgotten Microsoft's insane track record of botched Windows 10 patches, and fixes that required fixes that required fixes. I've been the victim of several - even with all the deferral options supposedly enabled - and they cost me money and required rollbacks and reimaging.

When Satya Nadella fired the QA department and made customers the perpetual beta team, the writing was on the wall.

Who cares, not like Android updates go for more than a year or two anyways. On the other hand, I have yet to run into a single problem on any of my personal systems, unless I was using the Insider builds. I personally have decided to skip the Insider builds just because, for now, anyways.
 
It does happen, though.

https://support.google.com/pixelphone/thread/15314017?hl=en

I particularly like the suggestion to "reach out to a Support Specialist and have them investigate - via Settings > Tips & support" on a phone that won't boot.
Absolutely once in a while man bites dog, but the exception doesn't disprove the rule. With Windows 10 the botched patches have been *chronic* for five years.

If iOS or Android system updates were bricking devices or erasing user data the way W10 has, people would be more apprehensive with those too.
 
That would be correct, it is chicken-little crap. He has no evidence there's anything wrong, it is just to get clicks, which it has successfully done here. He's also basically the computer equivalent of an anti-vaxxer: "You don't need those security updates, all the problems they said have never come to pass!"
You're uninformed. Maybe you haven't been in the IT/computers/Windows space very long, but Woody Leonhard, and Susan "the patch lady" Bradley - aka askwoody.com - have been pro-Microsoft, pro-Windows advocates for decades. They are not some random clickbait bloggers.

However things got so bad with botched and untested Windows 10 being forced onto people that they finally had to start speaking truth to power and penning open letters to Microsoft about the lack of QA, and to consider overhauling their entire process. And meantime they've encouraged a default position of "wait and see" rather than blindly click install on day one.
 
You're uninformed. Maybe you haven't been in the IT/computers/Windows space very long, but Woody Leonhard, and Susan "the patch lady" Bradley - aka askwoody.com - have been pro-Microsoft, pro-Windows advocates for decades. They are not some random clickbait bloggers.

However things got so bad with botched and untested Windows 10 being forced onto people that they finally had to start speaking truth to power and penning open letters to Microsoft about the lack of QA, and to consider overhauling their entire process. And meantime they've encouraged a default position of "wait and see" rather than blindly click install on day one.

I have a customer who needed optional updates installed on 2 Windows 2008 R2 systems earlier this year; both systems were trashed as a result and the OS couldn't be recovered. We typically wait a week or more before running new patches for this very reason - apparently that particular customer's config on 2008 R2 is enough of an edge case these days that no one caught it. Never patch on day one, avoid patching on week one unless you have backups and/or can accept and deal with any potential issues.

Blessing in disguise with those 2008 R2 servers, since that forced the customer to allow us to replace them with an OS that isn't EOL...
 
My HTPC is the only W10 machine I have running 24/7 and it took the updates yesterday. I installed them yesterday evening with no ill effects.
 
Just dealt with a 1909 update that reset the 802.1X settings on the workstation's NIC, not to mention reset a myriad of other settings.
Getting really tired of Microsoft's bullshit with these rolling updates, and it is making me miss the days of service packs with long term support.
 