This month has seen a whole lotta hand waving and sky-is-falling-caliber rhetoric, but the reality is much more prosaic. If you aren’t running a major network (and thus aren’t susceptible to the imminent problems with Remote Desktop Gateway, the Citrix network bugs or the whopping 334 patches in Oracle), there’s been little reason to install this month’s updates.
Still, work on cracking the CurveBall CVE-2020-0601 security hole continues at a furious pace. Some security companies are using CurveBall to sell more product, but the free Microsoft Defender catches at least some afflicted programs; Firefox, Chrome and Edge won’t fall for it; and pre-Win10 versions of Windows (Seven Semper Fi!) have never been exposed.
With several working proof-of-concept routines readily available — but no attacks, and indeed no sign that a general attack is imminent — patching for CurveBall falls in the “abundance of caution” bucket. Since we’ve seen few weird problems with the January patches, now seems like a good time to get patched up.
Here’s how to get your system updated the (relatively) safe way.
Make a full backup
Make a full system image backup before you install the latest patches.
There’s a non-zero chance that the patches — even the latest, greatest patches of patches of patches — will hose your machine. Best to have a backup that you can reinstall even if your machine refuses to boot. This, in addition to the usual need for System Restore points.
Patch Win7, Win8.1 or associated servers
This is the last month we’ll see free Win7 patches — or so we’ve been promised. (I find it hard to believe that Microsoft won’t patch the Win7 Internet Explorer JScript security hole CVE-2020-0674, but Microsoft, eh?)
We are working on a resolution and will provide an update in an upcoming release for organizations who have purchased Windows 7 Extended Security Updates (ESU).
Bottom line, for you Win7 folks: Do yourself a favor and change your wallpaper so it isn’t Stretched, before installing the buggy January patch. Follow Lawrence Abrams’s instructions on BleepingComputer.
Microsoft is blocking updates to Windows 7 and 8.1 on recent computers. If you are running Windows 7 or 8.1 on a PC that’s 24 months old or newer, follow the instructions in AKB 2000006 or @MrBrian’s summary of @radosuaf’s method to make sure you can use Windows Update to get updates applied.
For most Windows 7 and 8.1 users, I recommend following AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups. You should have one Windows patch, dated Jan. 14 (the Patch Tuesday patch). If you see a Monthly Rollup Preview, ignore it.
If you insist on manually installing Security-only patches for Win7 and Server 2008 (I call that the “Group B” approach on AskWoody), get the full list from @PKCano on the AskWoody site. If in doubt, ask questions on the site! It’s easy and free.
Realize that some or all of the expected patches for January may not show up or, if they do show up, may not be checked. DON’T CHECK any unchecked patches. Unless you’re very sure of yourself, DON’T GO LOOKING for additional patches. In particular, if you install the January Monthly Rollup, you won’t need (and probably won’t see) the concomitant patches for December. Don’t mess with Mother Microsoft.
If you see KB 4493132, the “Get Windows 10” nag patch, make sure it’s unchecked.
Watch out for driver updates — you’re far better off getting them from a manufacturer’s website.
After you’ve installed the latest Monthly Rollup, if you’re intent on minimizing Microsoft’s snooping, run through the steps in AKB 2000007: Turning off the worst Win7 and 8.1 snooping. If you want to thoroughly cut out the telemetry, see @abbodi86’s detailed instructions in AKB 2000012: How To Neutralize Telemetry and Sustain Windows 7 and 8.1 Monthly Rollup Model.
If you’re worried about Windows 7 hitting end-of-support, don’t be alarmed. The first missed security patch isn’t until next month. Besides, you have lots of alternatives, and not all of them involve Windows. We watch your options intently in the Seven Semper Fi series on AskWoody.
Patch Win10 and associated servers
If you’re running Win10 version 1803, 1809, Server 1809, Server 2019, or any earlier version of Windows 10, I urge you to upgrade to Win10 version 1903. (You can find your version by typing winver in the Search box in the lower left corner and pressing Enter.) There are detailed instructions in the article Why — and how — I’m moving Win10 production machines to version 1903.
Win10 1903 is far from perfect, but it seems to be relatively stable at this point. The one huge advantage to version 1903: It lets everybody pause updates with a few simple clicks. That feature has my vote for the most important (perhaps the only important) upgrade to Win10 in the past four years.
If you insist on using Win10 version 1809, go through the steps in All’s clear to install Microsoft’s November patches to get 1809 updated. If you’re on Win10 1909, I figure you’ve jumped the gun, but the following instructions will work.
If you’ve been following my usual advice — to click “Pause updates for 7 days” three times — your machine is probably waiting further instructions, displaying an “Updates paused” notice in the Windows Update pane (Start > Settings (the gear icon) > Update & Security > Windows Update). If you see that updates have been paused, click “Resume updates.” Windows will go out and install the January cumulative update, plus any other ancillary patches (for example, for .Net) that you require.
I’m very happy to say that clicking “Resume updates” will not automatically move you to Win10 version 1909. In order to move to the next version — which continues to suffer from bugs, most notably the File Explorer Search bug — you need to click a link that says, “Download and install now.” Don’t click it.
Once you’re updated and rebooted, pause updates for 28 days: Click Start > Settings > Update & Security. Click Windows Update on the left side, then click “Pause updates for 7 days.” Next, click on the newly revealed link, which says “Pause updates for 7 more days,” and click it again, and one last time, for a total of four clicks. That pauses all updates for 28 days, until Feb. 21. With a little luck that’ll be long enough for Microsoft to fix any bugs it introduces in February.
If you see an offer of an Optional update (screenshot), don’t click Download and install now. There’s a reason why Microsoft deems such patches “optional.”
February’s Patch Tuesday is on the 11th. That’ll be the first day Win7 users will miss a security update (unless they pay for it). Expect much hand wringing and clucking, but not many fireworks.
Thanks to the dozens of volunteers on AskWoody who contribute mightily, especially @sb, @PKCano, @abbodi86 and many others.
We’ve moved to MS-DEFCON 3 on the AskWoody Lounge.