As Patch Tuesday approaches, turn off Automatic Update temporarily and — especially — disengage IE

Tomorrow’s Patch Tuesday and, given all the havoc we’ve seen with the latest Windows patches, you need to get Automatic Update turned off for now. Based on a security report hidden behind a $690 Microsoft paywall, I also recommend that you ensure Internet Explorer is cut off at the knees.


It’s hard to overstate the problems caused by Microsoft’s second, third and fourth September cumulative updates for all Windows 10 versions. For example, Win10 version 1903, the latest and greatest, saw cumulative updates on Sept. 10 (KB 4515384), Sept. 23 (KB 4522016), Sept. 26 (KB 4517211) and Oct. 3 (KB 4524147, which some characterize as a super-early October cumulative update).

As Microsoft kept flinging buggy fixes at the zero-day problem known as CVE-2019-1367, customers kept complaining about problems with:

  • Print spooler crashes — No, they weren’t fixed with the fourth cumulative update, KB 4524147, in spite of Microsoft’s assertions. In fact, Mayank Parmar at Windows Latest documents complaints about KB 4524147 breaking PCs that were working after the third cumulative update, KB 4517211. So we have separate printer bug reports for the second, third and fourth cumulative updates. A royal printer flush.
  • Start Menu bugs — Click Start on a patched system and you get the message “Critical Error/ Your Start menu isn’t working,” which is my latest candidate for a D’oh! illuminating error message award.
  • Older JScript-based program bugs
  • Can’t type into the Cortana Search box
  • VMware won’t start, with the warning “VMware Workstation Pro can’t run on Windows”
  • Machines won’t boot after installing the fourth cumulative update (see Lawrence Abrams’ report on BleepingComputer), or can’t install the update at all.

Microsoft hasn’t acknowledged any of those bugs, except for the printer spooler bug in the second September cumulative update. Yes, that’s the bug that is known to persist (reappear?) in the fourth cumulative update.

There were bugs in the first September cumulative update — audio problems, and the inability to install .Net 3.5 — that appear to be fixed in one of the later updates.

The main source of those lingering problems? Microsoft’s pursuit of the IE frumious bandersnatch, the zero-day security hole known as CVE-2019-1367. Snicker-snack.

Security info locked behind a Microsoft paywall

I was shocked to discover that Microsoft has published details about the CVE-2019-1367 security hole — but they’re hidden behind a pricey paywall. Late Friday night, Susan Bradley posted an excerpt from the Windows Defender Security Portal, which says, in part:

For attacks to be successful, targets will need to use Internet Explorer or another application that utilizes the Internet Explorer scripting engine to open a link containing the exploit. Initial reports of attacks indicate the use of Microsoft Word documents (.docx) with lure content that entice recipients to click on malicious links. …

Customers have encountered Microsoft Word documents (.docx) containing a link to web pages with exploit code for CVE-2019-1367. … On many machines that run older platforms such as Windows 7, the link opens on Internet Explorer by default. … 

Apply these mitigations to reduce the impact of this threat. … Customers are encouraged to use Microsoft Edge or other modern web browsers where possible. For tasks that require Internet Explorer, customers should limit its use to these tasks and set a different application as the default browser.

If you can’t click through to the Windows Defender Security Portal, you’re not alone. As Bradley explains:

I get to the site courtesy of a Microsoft Defender Advanced Threat Protection license which you can only get with a Windows 10 E5 license or a Microsoft 365 E5 license. Mere mortals can't get this info, it's an E5 license only. I purposely pay for one E5 license just to get this info.

The E5 license currently costs $690 per seat. I'm not easily shocked, but that faux pas is one for the record books.

The buggy bottom line

If you’ve been following along as Microsoft pushed September patches, you’ve been exposed to a lot of potential headache. Not everyone got bit by a bug in the second, third, or fourth cumulative updates last month (or for Win7 and 8.1, the Monthly Rollup Preview, followed by the second Monthly Rollup). But those who did get bit have reason to howl.

Microsoft has tried over and over to fix a security hole that almost everyone can counter by simply blocking Internet Explorer. At some point, you’ll have to install whatever fix Microsoft finally delivers. But for now, all roads lead through IE. If you don’t use IE, and you have a different default browser, the methods for invoking this particular vulnerability become much, much more difficult — and much less likely. According to that $690 paywalled report.

How to set a browser such as Firefox or Chrome as the default? It’s easy.

Obviously, it starts with installing the browser of your choice. I use Google Chrome most of the time, but if snooping makes your skin crawl, try Firefox or one of many alternatives. Typically, setting your new browser as the default is part of the setup process. Just follow the instructions.

What if the browser you want as the default is already installed? Here’s how to make the change in Windows:

Windows 10: Click Start/Settings/Apps. (On older versions of Win10, you need to choose System.) In the left column of options, click Default Apps. Next, under the “Default apps” heading, find Web browser and click on whatever browser Microsoft has chosen for you (usually Edge). In the “Choose an app” list, pick anything except Internet Explorer.

You don’t need to click Save, just close Settings.

Windows 8.1: Click Start/Settings, then pick Search and Apps. Click Default Programs, then select Set your default programs. Choose your preferred browser from the list and click Set this program as default.

Windows 7: Click Start/Control Panel. Under Programs, click the Default Programs link. On the left, select the browser you want to use and, on the right, choose Set this program as default.

There are many variations on the theme — most browsers have handy shortcuts in their settings that let you make them the default. But at their most rudimentary, the paths above should get you there.
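If you’d rather verify the result than trust the dialog, here’s a short PowerShell check I’ve added for this column (it is not Microsoft’s code and not part of the original instructions). It reads the per-user UserChoice ProgId that Windows consults for http and https links, falls back to the machine-wide http handler when no user choice exists (the Windows 7 case), and warns if the handler is Internet Explorer. The registry paths, the IE.HTTP/IE.HTTPS ProgIds and the iexplore.exe fallback test are my assumptions from the Windows default-app plumbing; the script only reads, it never writes.

```powershell
# Added example, not from the article: report which program handles web links for
# the current user and flag Internet Explorer. Read-only; safe to run as a normal user.
function Get-DefaultBrowserHandler {
    param([ValidateSet('http','https')][string]$Scheme = 'http')
    # Assumption: Default apps > Web browser is stored here on Win8.1/Win10.
    $userKey = "HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\$Scheme\UserChoice"
    $progId = (Get-ItemProperty -Path $userKey -Name ProgId -ErrorAction SilentlyContinue).ProgId
    if ($progId) { return $progId }
    # No per-user choice (typical on Win7): fall back to the machine-wide handler command.
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$Scheme\shell\open\command"
    return (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
}

function Test-InternetExplorerIsDefault {
    foreach ($scheme in 'http','https') {
        $handler = Get-DefaultBrowserHandler -Scheme $scheme
        # IE registers the IE.HTTP / IE.HTTPS ProgIds; a raw command line names iexplore.exe.
        if (-not $handler -or $handler -like 'IE.*' -or $handler -match 'iexplore\.exe') { return $true }
    }
    return $false
}

foreach ($scheme in 'http','https') {
    '{0,-6} -> {1}' -f $scheme, (Get-DefaultBrowserHandler -Scheme $scheme)
}
if (Test-InternetExplorerIsDefault) {
    Write-Warning 'Internet Explorer still handles web links. Change it in Settings/Default Programs; editing ProgId by hand does not stick on Win10, which validates the Hash value stored next to it.'
} else {
    'Default browser is not Internet Explorer.'
}
```

The caveat in the warning is the one that matters: on Windows 10 the UserChoice key is protected by a hash, so writing a new ProgId with a script is silently reverted. Make the change through the Settings app, then run the check.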

Yes, I know some of you need Internet Explorer some of the time. Even if you’re backed into that corner, disable IE as your default browser and only use it when absolutely necessary. That will certainly protect you from all disclosed attack vectors.

Blocking Automatic Update, October 2019 version

If you followed my instructions about installing last month's updates as soon as they appeared, you got the first set of September patches installed, and you defended your machine against Microsoft’s second, third and fourth volleys. That, and ensuring IE isn’t your default browser (see preceding section), is the best of all possible worlds.

If you somehow missed the September patches, I say don’t worry about it. We’ll have new — and hopefully better — versions shortly. There’s nothing in the September patches that comes even close to outweighing the mayhem brought down by the re-releases and re-re-releases.

Yes, you have to patch sooner or later. In some rare cases you need to install specific patches shortly after they’re released. We’ll warn you about the stinkers. But in almost all cases, you can afford to wait a couple of weeks to get patches installed — and that’s usually enough time for the bad bugs to show themselves.

Blocking automatic update on Win7 and 8.1

It’s true. Windows 7 originally shipped with an automatic update feature that was turned off by default. How times change, eh?

If you’re using Windows 7 or 8.1, click Start > Control Panel > System and Security. Under Windows Update, click the "Turn automatic updating on or off" link. Click the "Change Settings" link on the left. Verify that you have Important Updates set to "Never check for updates (not recommended)" and click OK.
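The same setting can be read and applied from PowerShell through the Windows Update Agent’s Microsoft.Update.AutoUpdate COM object, which is the documented interface behind that control panel page. This is an example I’ve added for the column, not code from Microsoft or the article; NotificationLevel 1 is the API’s name for “Never check for updates,” and the Set function needs an elevated prompt.

```powershell
# Added example, not from the article: inspect and set Windows 7/8.1 Automatic Updates
# via the IAutomaticUpdatesSettings COM interface. Run Set-AutoUpdateNeverCheck elevated.
$AutoUpdateLevels = @{
    0 = 'Not configured'
    1 = 'Never check for updates (not recommended)'
    2 = 'Check for updates but let me choose whether to download and install them'
    3 = 'Download updates but let me choose whether to install them'
    4 = 'Install updates automatically'
}

function Get-AutoUpdateLevel {
    $settings = (New-Object -ComObject 'Microsoft.Update.AutoUpdate').Settings
    [pscustomobject]@{
        Level       = [int]$settings.NotificationLevel
        Description = $AutoUpdateLevels[[int]$settings.NotificationLevel]
        ReadOnly    = $settings.ReadOnly   # $true when Group Policy owns the setting
    }
}

function Set-AutoUpdateNeverCheck {
    $settings = (New-Object -ComObject 'Microsoft.Update.AutoUpdate').Settings
    if ($settings.ReadOnly) {
        throw 'Automatic Updates is controlled by Group Policy on this machine; change it there instead.'
    }
    $settings.NotificationLevel = 1   # "Never check for updates (not recommended)"
    $settings.Save()
    Get-AutoUpdateLevel
}

Get-AutoUpdateLevel
# Uncomment to apply the setting the article recommends:
# Set-AutoUpdateNeverCheck
```

If Get-AutoUpdateLevel reports ReadOnly as True, the control panel link will be greyed out as well: a domain or local policy is in charge, and the change has to be made in that policy.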

Blocking automatic update on Win10 Pro version 1803 or 1809

If you’re using Win10 Pro version 1803 or 1809 I recommend an update blocking technique that Microsoft recommends for “Broad Release” in its obscure Build deployment rings for Windows 10 updates — which is intended for admins, but applies to you, too. (Thx, @zero2dash)

Step 1. Using an administrative account, click Start > Settings > Update & Security. 

Step 2. On the left, choose Windows Update. On the right, click the link for Advanced options. You see the settings in the screenshot.

Screenshot: Windows Update Advanced options on Win10 1809 (Woody Leonhard/IDG)

Step 3. To pull yourself out of beta testing (or, as Microsoft would say, to delay new versions until they’re ready for broad deployment), in the first box, choose Semi-Annual Channel.

Step 4. To further delay new versions until they’ve been minimally tested, set the “feature update” deferral setting to 120 days or more. That tells the Windows Updater (unless Microsoft makes another “mistake,” as it has numerous times in the past) that it should wait until 120 days after a new version is declared ready for broad deployment before upgrading and re-installing Windows on your machine.

Step 5. To delay cumulative updates, set the “quality update” deferral to 15 days or so. (“Quality update” = bug fix.) In my experience, Microsoft usually yanks bad Win10 cumulative updates within a couple of weeks of their initial release. By setting this to 10 or 15 or 20 days, Win10 will update itself after the major screams of pain have subsided and (with some luck) the bad cumulative updates have been pulled or re-issued.

Step 6. Just “X” out of the settings pane. You don’t need to explicitly save anything.

Step 7. Don’t click Check for updates. Ever.
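For those who manage more than one machine, Steps 3 through 5 can be applied with the Windows Update for Business policy values rather than by clicking through Settings. The script below is an example I’ve added for this column, not Microsoft’s or the article’s code. It assumes the value names under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate are the registry equivalents of the two Group Policy settings for feature and quality update deferral, that BranchReadinessLevel 32 means Semi-Annual Channel (16 is the Targeted ring), and that you run it from an elevated PowerShell.

```powershell
# Added example, not from the article: set the deferrals from Steps 3-5 through the
# Windows Update for Business policy key. Run elevated. Values are my assumption of the
# Group Policy registry equivalents; the Settings UI hides these controls once policy sets them.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-UpdateDeferral {
    if (-not (Test-Path $PolicyKey)) { return 'No Windows Update policy values are set.' }
    Get-ItemProperty -Path $PolicyKey |
        Select-Object BranchReadinessLevel, DeferFeatureUpdatesPeriodInDays, DeferQualityUpdatesPeriodInDays
}

function Set-UpdateDeferral {
    param(
        [ValidateRange(0,365)][int]$FeatureDays = 120,  # Step 4: 120+ days after broad-deployment readiness
        [ValidateRange(0,30)][int]$QualityDays  = 15    # Step 5: ~15 days for cumulative updates
    )
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    $values = @{
        BranchReadinessLevel            = 32            # Step 3: Semi-Annual Channel
        DeferFeatureUpdates             = 1
        DeferFeatureUpdatesPeriodInDays = $FeatureDays
        DeferQualityUpdates             = 1
        DeferQualityUpdatesPeriodInDays = $QualityDays
    }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -Value $values[$name] -PropertyType DWord -Force | Out-Null
    }
    Get-UpdateDeferral
}

Get-UpdateDeferral
# Uncomment to apply the article's numbers (Step 4: 120 days, Step 5: 15 days):
# Set-UpdateDeferral -FeatureDays 120 -QualityDays 15
```

Two things to know before you run the Set function: the quality deferral caps at 30 days and the feature deferral at 365, and once these policy values exist the Advanced options pane stops showing the deferral boxes, so Get-UpdateDeferral becomes your only view of them.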

If there are any real howlers — months where the cumulative updates were irretrievably bad, and never got any better, as they were in July of last year — we’ll let you know, loud and clear. 

Tired old approach for Windows 10 Home version 1803 or 1809

Here’s the thing about Windows 10 Home. Microsoft considers Home customers fair game. They really should call it Win10 Guinea Pig edition. Microsoft has no qualms whatsoever in pushing its new, untested (perhaps I should say “less-than-thoroughly-tested”) updates and upgrades onto Windows 10 Home machines.

If upgrading to Win10 version 1903 isn’t an option — 1903 lets you defer updates (see the next section), but I still run 1809 on my production machines — your only other reasonable option is to set your internet connection to “metered.” Metered connections are an update-blocking kludge that seems to work to fend off cumulative updates, but as best I can tell still doesn’t have Microsoft’s official endorsement as a cumulative update prophylactic.

To set your Ethernet connection as metered: Click Start > Settings > Network & Internet. On the left, choose Ethernet. On the right, click on your Ethernet connection. Then move the slider for Metered connection to On.

To set your Wi-Fi connection as metered: Click Start > Settings > Network & Internet. On the left, choose Wi-Fi. On the right, click on your Wi-Fi connection. Move the slider for Metered connection to On.

If you set your internet connection to metered, you need to watch closely as the month unfolds, and judge when it’s safe to let the demons in the door. At that point, turn “metered” off, and just let your machine update itself. Don’t click Check for updates.

Defer updates on Win10 version 1903

We finally have enough experience with Win10 version 1903 to recommend bug-busting settings. Unfortunately, we don’t have any experience at all with the upgrade to 1909 — due to happen any day now — so you may have to modify these instructions when the 1909 baby hits the water.

If you’ve already paused updates for 21 or more days by following the instructions in my September patch go-ahead post, you don’t need to do a thing. You already have Windows set to block automatic updates until October 23 or so, which should be more than enough to protect you.

If you don’t have updates paused, here’s how to proceed with caution:

Step 1. Using an administrative account, click Start > Settings > Update & Security. 

Step 2. On the left, choose Windows Update. On the right, click the link for Advanced options. 

Step 2A. If you see the settings in the preceding screenshot, you have a relatively untouched system. (If you don’t see those settings, go on to Step 3.) If they’re there, set Semi-Annual Channel (the term doesn’t mean anything any more, but never mind), and put feature update deferrals at 365 days, quality update deferrals at 15 days or more. And realize that after you make those changes, you’ll never see this part of the Advanced options pane again. That’s OK. Take a screenshot if you’re feeling nostalgic.

Step 3. Back on the Windows Update pane (see screenshot; you may have to click the back arrow in the upper left corner), click Pause updates for 7 days. Then click on the newly revealed link, which says “Pause updates for 7 more days.”

Screenshot: Pause updates for 7 days on Win10 1903 (Woody Leonhard/IDG)

If you do that today, you’ll keep Microsoft’s mitts off your machine until Oct. 21, which (fingers crossed) should keep you out of harm’s way.

Step 4. You don’t need to click Save. Just “X” out of the Settings app.
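To see exactly when the pause from Step 3 runs out, rather than counting on the calendar, here’s a read-only PowerShell check I’ve added for the column (not Microsoft’s code, not from the article). It assumes Win10 1903 records the end of the pause as an ISO 8601 UTC string named PauseUpdatesExpiryTime under HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings, and that a missing value means updates are not paused.

```powershell
# Added example, not from the article: report whether updates are paused and how many
# days of pause remain. Read-only. Key and value name are my assumption for Win10 1903.
$UxKey = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'

function Get-UpdatePauseStatus {
    $raw = (Get-ItemProperty -Path $UxKey -ErrorAction SilentlyContinue).PauseUpdatesExpiryTime
    if ([string]::IsNullOrEmpty($raw)) {
        return [pscustomobject]@{ Paused = $false; ExpiresUtc = $null; DaysLeft = 0 }
    }
    # Value looks like 2019-10-21T06:00:00Z; parse and compare in UTC.
    $expiry = [datetime]::Parse($raw).ToUniversalTime()
    $left   = ($expiry - [datetime]::UtcNow).TotalDays
    [pscustomobject]@{
        Paused     = ($left -gt 0)
        ExpiresUtc = $expiry
        DaysLeft   = [int][math]::Max(0, [math]::Ceiling($left))
    }
}

$status = Get-UpdatePauseStatus
if ($status.Paused) {
    'Updates paused until {0:yyyy-MM-dd} UTC ({1} day(s) left).' -f $status.ExpiresUtc, $status.DaysLeft
} else {
    'Updates are NOT paused. Use Settings > Windows Update > Pause updates for 7 days.'
}
```

Run it again after each “Pause updates for 7 more days” click; the ExpiresUtc date should move forward by a week each time, and it’s the date to put on your calendar for deciding whether the month’s patches are safe to let in.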

Thanks to the dozens of volunteers on AskWoody who contribute mightily, especially @sb, @PKCano, @abbodi86 and many others.

We’ve moved to MS-DEFCON 1 — a rare red flag setting — on the AskWoody Lounge.

Copyright © 2019 IDG Communications, Inc.
