It’s still too early to install the latest patches for Win7, 8.1, and Office, but next month things will get less complicated

This is the last month we’ll see security bulletins from Microsoft—and I can’t wait. Patch numbers are currently interlocked, with security bulletins referencing KB numbers that aren’t available in the Windows 10 cumulative updates or in the Windows 7/8.1 security-only or monthly rollup patches. But hang in there, it will get less complicated next month. I hope.

This month there were 12 security bulletins from Microsoft, six rated critical, six important, the obligatory Flash Player patch, updates for the Excel Viewer and the Office Compatibility Pack, and a bewildering array of previews, which you don’t want unless you’re testing software. There was also a welcome revamp in the way Win7/8.1 security-only and monthly rollup patches overlap/supersede each other.

The Win10 1607 cumulative update KB 3206632, as explained yesterday, fixed a major internet connection bug. Here’s what you need to know about the other Patch Tuesday updates.

There’s the usual massive list of Office 2003, 2007, 2010, 2013, and 2016 patches in KB 3208595, which combines the Dec. 6 nonsecurity updates with the Dec. 13 security updates. Almost 100 patches appear on the list. I haven’t heard of any problems with them, but the month is yet young.

The SANS Internet Storm Center says there are known exploits for four of this month’s patches – that’s the zero-day count. Two of the exploited patches are for Internet Explorer and Edge, which you probably aren’t using. One of them is for the .Net Framework patch KB 3205640 (more on that later). That leaves one “real” zero-day that most folks need to be concerned about: MS16-146 / KB 3204066, the security update for Microsoft Graphics Component. Tyler Reguly at Tripwire describes the issue this way:

Two code execution vulnerabilities in the Windows Graphic component and an information disclosure in GDI. In addition to the vulnerability fixes, this update provides defense-in-depth changes that are not fully documented in the bulletin.

It looks like the already exploited hole is CVE-2016-7272, a remote code-execution vulnerability that we have very little published information about. If you see any in-the-real-world reports of exploits, let me know on AskWoody.com.

Which brings me to the morass known as .Net Framework updates: In October we had separate patches for .Net 3.5.1 security-only, and for .Net 4.x security-only. This month, we have a security-only update for .Net 4.6.2, and a monthly rollup for all versions of .Net (including 4.6.2).

If you’re running Win7, you can find the security-only patch for .Net 4.6.2, KB 3205394, in the Microsoft Update Catalog. Or you can find the monthly rollup via Windows Update.

There’s a raging debate on AskWoody.com about the intrusive nature of .Net Framework Monthly Rollups. The general consensus is that most Windows users are OK installing the whole monthly rollup, instead of trying to pluck out the security-only portions.

Finally, for those of you still running Vista, I have this advice from AskWoody contributor ER about speeding up your Windows Update scans:

It looks like the KB3204723 security updates from MS security bulletin MS16-151 are the new Windows Update win32k.sys “speed-up” fixes for Windows Vista & Server 2008. Once again, KB3204723 is a new temporary “speedup” patch that will work from Dec. 13, 2016 to Jan. 9, 2017.

As usual, I recommend you hold off on applying any of these patches until the initial carnage has run its course. When it’s safe to patch, I’ll post full details, including download links for those of you who wish to stay in the Group B security-only camp.

The discussion continues on AskWoody.com.