Say good-bye to Microsoft security bulletins

This is the last month we’ll see security bulletins from Microsoft—and I can’t wait. Patch numbers are currently interlocked, with security bulletins referencing KB numbers that aren’t available in the Windows 10 cumulative updates or in the Windows 7/8.1 security-only or monthly rollup patches.

But hang in there, it will get less complicated next month. I hope.

This month there were 12 security bulletins from Microsoft, six rated critical, six important, the obligatory Flash Player patch, updates for the Excel Viewer and the Office Compatibility Pack, and a bewildering array of previews, which you don’t want unless you’re testing software. There was also a welcome revamp in the way Win7/8.1 security-only and monthly rollup patches overlap/supersede each other.

The Win10 1607 cumulative update KB 3206632, as explained yesterday, fixed a major internet connection bug. Here’s what you need to know about the other Patch Tuesday updates.

There’s the usual massive list of Office 2003, 2007, 2010, 2013, and 2016 patches in KB 3208595, which combines the Dec. 6 nonsecurity updates with the Dec. 13 security updates. Almost 100 patches appear on the list. I haven’t heard of any problems with them, but the month is yet young.

The SANS Internet Storm Center says there are known exploits for four of this month’s patches – that’s the zero-day count. Two of the exploited patches are for Internet Explorer and Edge, which you probably aren’t using. One of them is for the .Net Framework patch KB 3205640 (more on that later). That leaves one “real” zero-day that most folks need to be concerned about: MS16-146 / KB 3204066, the security update for Microsoft Graphics Component.

Tyler Reguly at Tripwire describes the issue this way:

Two code execution vulnerabilities in the Windows Graphic component and an information disclosure in GDI. In addition to the vulnerability fixes, this update provides defense-in-depth changes that are not fully documented in the bulletin.

It looks like the already exploited hole is CVE-2016-7272, a remote code-execution vulnerability that we have very little published information about.  If you see any in-the-real-world reports of exploits, let me know on AskWoody.com.

Which brings me to the morass known as .Net Framework updates: In October we had separate patches for .Net 3.5.1 security-only, and for .Net 4.x security-only. This month, we have a security-only update for .Net 4.6.2, and a monthly rollup for all versions of .Net (including 4.6.2). If you’re running Win7, you can find the security-only patch for .Net 4.6.2, KB 3205394, in the Microsoft Update Catalog. Or you can find the monthly rollup via Windows Update.

There’s a raging debate on AskWoody.com about the intrusive nature of .Net Framework Monthly Rollups. The general consensus is that most Windows users are OK installing the whole monthly rollup, instead of trying to pluck out the security-only portions.

Finally, for those of you still running Vista, I have this advice from AskWoody contributor ER about speeding up your Windows Update scans:

It looks like the KB3204723 security updates from MS security bulletin MS16-151 are the new Windows Update win32k.sys “speed-up” fixes for Windows Vista & Server 2008. Once again, KB3204723 is a new temporary “speedup” patch that will work from Dec. 13, 2016 to Jan. 9, 2017.

As usual, I recommend you hold off on applying any of these patches until the initial carnage has run its course. When it’s safe to patch, I’ll post full details, including download links for those of you who wish to stay in the Group B security-only camp.

The discussion continues on AskWoody.com.