Chapter 3: Using and Avoiding Windows Update

In This Chapter

Finding out the trouble with patches

Choosing your update level

Patching selectively

Looking at a security bulletin

Removing Windows patches

Windows Automatic Update is for chumps.

I’ve taken a lot of flak over the years for advising people to turn off automatic updating. If you’re sophisticated enough to be reading this book, you’re sophisticated enough to keep Windows from clobbering your system.

I think you should tell Windows to advise you when patches are available and then wait and see whether the patches do more harm than good before applying them to your PC.

Face it: You have to patch, sooner or later. Patching isn’t like brushing your teeth, where you can ignore it for a year or two and things turn smelly and then gradually rot and fall out. If you don’t patch today, by next month, your computer can look and act and feel like toast. The bad guys know what’s been patched, and they prey on people who don’t get their updates.

On the other hand, you don’t need to follow Microsoft’s dictates and apply patches the moment they’re available. More than a few Dummies have seen their computers melt down because of a bad patch that has been force-fed to them by the Automatic Update mechanism.

Almost everyone — certainly, anyone reading this book — needs to check out the latest Microsoft missives before applying updates. Blindly updating Windows can lead to all sorts of problems.

Windows Update stinks. Massively. Permit me to elaborate: Both the security patches that Microsoft dribbles out to users and the method by which Microsoft delivers those patches to users stink. Massively. But you can still keep your system patched while working around the worst that these patches and Windows Update have to offer.

Tip: If you’re setting up a Windows computer for someone else to use and she shows no interest at all in keeping her system safe, by all means, set her up with Automatic Updates. Sooner or later, everybody should patch. But if you’re savvy enough to be reading this book and concerned enough to check the Internet from time to time, you can save yourself a whole lotta headache by waiting for other people to shake out the problems with new patches. Let them get the arrows in their backs. Patch in haste; repent in leisure. Wait until Microsoft has had a chance to test its monthly patches on a hundred million PCs — and zapped a few hundred or tens of thousands along the way. It’s easy. I explain it all in this chapter.

Patching Woes

Any large computer program has bugs. Heck, any small computer program has bugs. When a program grows as large as Windows — tens of millions of lines of code — the bugs start stacking up like planes at O’Hare in a snowstorm.

Microsoft issues hundreds of updates each year. Some updates fix bugs that make Windows crash. Many updates plug security holes. Most updates come in the form of patches or fixes to an individual Windows program that isn’t working right. Some patches are small. Most are big. Many Microsoft security bulletins, which appear to handle a single bug and its patch, in fact cover many big, frequently unrelated, patches.

Warning: Microsoft periodically releases security and “high priority” patches for Windows, generally on the second Tuesday of every month. Anyone with a recent copy of Windows (including Windows 7, Windows Vista, and Windows XP) who has taken the defaults when first running Windows or chosen the Install Updates Automatically (Recommended) option gets those patches pushed, automatically, to their machines, as soon as the PC is connected to the Internet. You don’t need to lift a finger: When automatic updating is turned on, you come in one morning, and your PC has been patched and you never hear a word about it.

Or, you come in one morning and your machine sits there with a blue screen and you can’t get it to start, or you can’t print your tax forms, or the patch installer runs and runs but Windows says it still needs to be patched, or running a program you’ve always run suddenly locks up your machine, or your machine has re-booted itself and all the work you left open is gone . . . and you have no idea why.



Most of the time, on most machines, the patches perform as advertised — they fix a defect in the product. Fair enough. Beats a product recall, I guess. Sometimes, though, the patches don’t work right, or they offer bonus, uh, features that users neither asked for nor want. A few of my favorites:

The tax printing predicament: On April 10, 2012, a Tuesday, Microsoft released an update to the Windows programming package .NET Framework, known cryptically as MS12-025. (For a description of the “MS12-XXX” patch numbers, see the “Decoding a security bulletin” section, later in this chapter.) Most Windows users in the United States didn’t get the patch until Thursday or Friday. On the weekend before tax returns were due, thousands (possibly tens of thousands) of Windows consumers found themselves unable to print their TurboTax forms because of Microsoft’s botched patch. On Saturday, Microsoft pulled the patch from Automatic Update.

The installer won’t stop: On February 14, 2012, Patch Tuesday, Microsoft released another .NET Framework update, this one called MS12-016. Many Windows users with ATI video cards reported the control program locked up their machines because of the patch. An unknown number of users reported that Windows tried installing the patch over and over again.

Everything crashes: On January 10, 2012, Patch Tuesday, Microsoft released a patch, MS12-006, that was supposed to solve a problem with Secure Sockets Layer, the “s” in https://. Except it broke dozens of programs. Microsoft pulled the patch, reinstated it, and then pulled it again, and issued a warning on the MS Developer Network blog about ongoing problems.

That’s just the first four months of 2012. Going back to 2011, a big bunch of bad patches occurred in August (MS11-066, MS11-069, and others), and another run of really bad patches in June, several of which (MS11-039, MS11-044) couldn’t be fixed: You had to remove Windows programs and re-install them to get them to work. January 2011 brought a Windows 7 “reliability update” delivered by Automatic Update — KB 2454826 — that started crashing Windows 7 machines. That same month, Automatic Updates inexplicably started installing the MS10-090 October 2010 Internet Explorer patch all over again. December 2010 saw a big problem with MS10-092, which crashed or froze many machines.

2013 wasn’t any better. At one point in the summer of 2013, four — count ’em four simultaneous — patches were giving people fits, and Microsoft didn’t even acknowledge the problems for days on end, much less fix them. The following month, six (yes, six!) patches were so bad Microsoft had to re-release them. This time, though, it acknowledged the problems within a day or two — a huge improvement over leaving customers hanging.

Get the picture here? I didn’t even mention the time a Windows patch on tax weekend made it impossible to see your Documents folder (MS06-015), or the one that broke Outlook Express (MS06-016), or the way Microsoft used the Automatic Update mechanism to surreptitiously install new registration validation software, declaring many perfectly valid systems “not genuine” — the “Windows Genuine Spyware” incident.

Almost every batch of patches that Microsoft releases these days contains at least one stinker — a patch that, on a certain percentage of PCs, makes things much worse. It’s like the cure is worse than the disease.

I’ve been at this business for a long time — I’ve used Windows since the days of Windows 286, which shipped on a single floppy disk, and I wrangled with DOS long before that. Of all the Microsoft features that I don’t trust — and there are many — Windows Automatic Update rates as the single Microsoft feature that I trust the least. Microsoft has gone to extraordinary lengths over the past decade to reinforce my distrust and to demonstrate plainly and unambiguously that when it comes to updating Windows, Microsoft doesn’t have a clue.

Don't get me wrong. You need to apply Windows patches at some point — Windows Update itself is a hugely complex program that works reasonably well most of the time. The problem is with Automatic Updates. Month after month, Microsoft pushes out updates, automatically, that break things. By far the best approach is to let Microsoft push whatever it wants to push, while you sit back and watch how its updates fare with those who install them automatically — the cannon fodder. After a week or two or three, when the dust has settled and Microsoft has had a chance to fix its fixes, that's when you should apply the patches. I have a (free!) website that will help you judge when patching time is right for you at AskWoody.com (www.askwoody.com).

Choosing an Update Level

When you install Windows or when you first start a new Windows PC, if you don’t take the default Installation settings, Windows asks you to Help Protect and Update Your PC, allowing you three choices (see Figure 3-1):

Automatically Install Important and Recommended Updates: You allow Microsoft to turn on Automatic Updates (more about that in this section) and generally let Microsoft have its way with your computer.

Those may be the recommended Microsoft settings. They certainly aren’t mine.

Automatically Install Important Updates: You allow Microsoft to turn on Automatic Updates. See the theme here?

Don’t Set Up Windows Update (Not Recommended): This option is — you guessed it — my recommendation.


Figure 3-1: A loaded question.



Remember: No matter which option you choose, Windows Defender updates itself automatically. That’s as it should be: Bad Windows Defender updates aren’t unheard of, but they’re usually fixed in short order, and I’ve never heard of one that froze a thousand machines. I also have no problem with updates to the junk mail filters in various Microsoft packages, which also update automatically, regardless of your choice here.

Microsoft wants you to turn on Automatic Updates. Heck, most Windows gurus suggest that you turn on Automatic Updates. One of those gurus says that it’s better for Microsoft to automatically install its software on your PC than to leave your system wide open for some malicious kid to install his software on your PC.

He has a good point.

Still, I disagree. I believe that Microsoft has proven conclusively that it can't be trusted to produce reliable security fixes. If Microsoft distributes an automatic patch that's so badly flawed that thousands or tens of thousands of PCs suddenly stop working, the people with those PCs won't have the slightest idea that the culprit was a bad patch from Redmond. In my opinion, savvy Windows users should let the Automatic Update service advise them when new patches are available — but they should wait to apply those patches until there's enough real-world experience with the patches to ensure that they solve more problems than they create. I cover the latest problems and recommend when to patch and when to hold off on AskWoody.com (www.askwoody.com). You can also get important, up-to-date analyses by subscribing to Windows Secrets Newsletter (www.windowssecrets.com).

No matter what you chose when you first started Windows, it’s never too late to take back control of your computer. Here’s how:

1. From the desktop, swipe from the right, choose the Settings charm, and then choose Control Panel; or right-click the Start screen in the lower-left corner of the desktop and choose Control Panel.

The full-fledged Control Panel appears, not the tiled side Wimpy version.

2. Tap or click System and Security; under Windows Update, tap or click the Turn Automatic Updating On or Off link; and then choose how you want to work with Important Updates.

Windows Update lets you choose from four different levels of control so that you have some choice over what it does — or doesn’t do — to your system. It’s worth taking a few minutes to peruse Table 3-1, think through what Windows has to offer, and decide which approach works best for you.

I recommend the third option, Check for Updates but Let Me Choose Whether to Download and Install Them, as shown in Figure 3-2.


Figure 3-2: You can keep Microsoft’s mitts off your machine, until you’re ready to install patches.

Remember: Although the gestation period for new worms is shrinking — the bad guys are picking up on the Microsoft security patches and figuring out how to exploit the holes shortly after the patches are announced — it’s quite rare that a freshly patched security hole turns into an active exploit in a few days. And generally, word of botched security patches surfaces within a few days.

On the other hand, if Great-Aunt Mildred frets about breaking her computer if she plays a round of Solitaire, she’s a good candidate for automatic updating. Go ahead and set it up for her — but as you do so, recognize your technological co-dependence: You may be bailing her out of patch problems for as long as she has your telephone number.

3. Select the Give Me Recommended Updates the Same Way I Receive Important Updates check box.

There’s a very thin line between Important and Recommended in Microsoft parlance. (See the nearby “What’s a critical update?” sidebar.) As long as you have a chance to review the updates before they’re installed, you may as well look at recommended updates, too.

4. Take note of the, uh, note.

Remember: The note warns you that Windows Update may update itself automatically first when checking for other updates. It’s the Microsoft response to widespread criticism in August 2007, when it started changing the Windows Update program even if automatic updates were turned off.

Microsoft feels that Windows Update has to be able to update itself, even without your permission: “Windows Update automatically updates itself from time to time to ensure that it is running the most current technology, so that it can check for updates and notify customers that new updates are available.”

Windows Update updated itself, without permission, in July 2012 to revoke certain, scandalously ancient, Microsoft security certificates that had been used in widely publicized attacks in the Flame virus.

5. When you’re happy with your settings, tap or click OK.

Your changes take effect immediately.

Table 3-1 Choosing a Windows Update Option

Option: Install Updates Automatically (Recommended)
What It Does: Windows checks with the Microsoft update site daily to determine when new updates are available, downloads them when you’re not on a metered Internet connection, and installs them automatically for you — typically, in the middle of the night.
Recommended For: People who are easily confused by the process of telling Windows that it’s okay to install new updates. It’s also a good option if you don’t have the time or inclination to look online to see whether a specific update has major problems, or if you have a PC located in a public place.

Option: Download Updates but Let Me Choose Whether to Install Them
What It Does: Windows checks with the Microsoft update site daily to determine when new updates are available. If updates are available, WU downloads them when you’re not on a metered Internet connection and then asks your permission to install them.
Recommended For: Not recommended. Unfortunately, because of the way Windows shuts down, you may be forced to install updates before you’re ready.

Option: Check for Updates but Let Me Choose Whether to Download and Install Them
What It Does: Windows checks with the Microsoft update site daily to determine when new updates are available. If they are, Windows notifies you and asks for your permission to download and install them.
Recommended For: Folks who are willing to wait a week or two to install a new patch and who check online to see whether a patch is causing more harm than good.

Option: Never Check for Updates (Not Recommended)
What It Does: Automatic Update is turned off for Windows (although Windows Defender and spam filter updates still go through).
Recommended For: Not recommended. (See, I can sound like Microsoft when I have to.) It’s hard to imagine any situation where this option makes sense.

Technical Stuff: When Windows Update reaches into your computer to see what you have installed, which patches have been applied, and so on, it doesn’t retrieve any personally identifiable information. It doesn’t even retrieve your activation key. As far as I’ve been able to tell, Microsoft doesn’t attempt to spy on your machine via the Automatic Update program. So don’t turn it off entirely unless you’re really, really paranoid.
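The same four levels can be read and set from PowerShell, which helps when you look after several PCs. This is an added example, not from the book; it assumes Windows 8.1, the built-in Windows Update Agent COM object Microsoft.Update.AutoUpdate, and an elevated prompt for the change. The function and variable names are illustrative.

```powershell
# Added example (not from the book): audit the Windows Update level on this PC.
# Assumes Windows 8.1 and the built-in Windows Update Agent COM API.

# NotificationLevel values, mapped to the option names used in Table 3-1.
$UpdateLevelNames = @{
    0 = 'Not configured'
    1 = 'Never Check for Updates (Not Recommended)'
    2 = 'Check for Updates but Let Me Choose Whether to Download and Install Them'
    3 = 'Download Updates but Let Me Choose Whether to Install Them'
    4 = 'Install Updates Automatically (Recommended)'
}

function Get-UpdateLevel {
    # Report the current level and whether recommended updates are included.
    $au       = New-Object -ComObject Microsoft.Update.AutoUpdate
    $settings = $au.Settings
    $level    = [int]$settings.NotificationLevel
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Level          = $level
        Option         = $UpdateLevelNames[$level]
        RecommendedToo = [bool]$settings.IncludeRecommendedUpdates
        ReadOnly       = [bool]$settings.ReadOnly
        ServiceEnabled = [bool]$au.ServiceEnabled
    }
}

function Set-UpdateLevelNotifyOnly {
    # Apply the chapter's recommendation: notify, but do not download or install.
    $settings = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
    if ($settings.ReadOnly) {
        throw 'Windows Update settings are read-only for this user (insufficient rights or set by policy).'
    }
    $settings.NotificationLevel         = 2      # notify before download
    $settings.IncludeRecommendedUpdates = $true  # the check box in step 3
    $settings.Save()                             # needs an elevated prompt
    Get-UpdateLevel
}

# Read-only audit; call Set-UpdateLevelNotifyOnly yourself to change the level.
Get-UpdateLevel | Format-List
```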



Selectively Patching: A Panacea for Those Woes

Microsoft really, really wants you to allow Windows to automatically update itself. Unless you have much more faith in Microsoft than I do, seriously consider defying the Party Line and decide for yourself when (and whether!) patches should be applied. The Windows Genuine Spyware debacle alone (see the “Patching Woes” section, earlier in this chapter) amply demonstrates that Microsoft automatic updating can’t be trusted.

Let Microsoft notify you when it wants to install something on your computer, but don’t blindly allow the ’Softies to install whatever they want. Wait until millions and millions of hapless Windows customers unknowingly run the Microsoft patch beta tests and then install the patch after the cannon fodder has raised the alarm.

Remember: Microsoft officially releases new security patches on the second Tuesday of every month (except when it doesn’t). If you hear of a security patch coming out on any date other than the second Tuesday of the month — an out-of-band patch — chances are good that a major security breach needs to get fixed fast. Microsoft also tends to release non-security patches on the fourth Tuesday of the month. These patches generally aren’t as interesting as the security patches, but they can still hose your system.

Patching Windows manually

In the best of all possible worlds, patching Windows manually isn’t a difficult process. It takes a little bit of time, but in the end, your computer’s worth it, yes?

Tip: Here’s how I patch. You can do it, too, with a little help from your friends. Follow these steps:

1. Make sure you’ve followed the steps in the “Choosing an Update Level” section, earlier in this chapter, so that the Windows updater notifies you when a patch is available but doesn’t download or install it.

That’s easy.

Whenever a patch (or, more likely, a slew of patches) becomes available, you see a balloon in the notification area, near the clock, that says something like Updates Are Available for Your Computer. Click Here to Download Updates.

2. When you have a few spare minutes, tap or click the balloon.

The exact terminology may change, but you see a notification that updates are ready. Don’t worry if you can’t get to the updates right away. If the balloon disappears, you can bring it back by tapping or clicking the flag in the notification area (down near the clock) and choosing to read the message.

When you click the balloon or the flag, Windows Update shows you a notification box like the one shown in Figure 3-3.


Figure 3-3: Updates are ready to download.

3. Don’t click the Install Updates button. Instead, tap or click the X Important Updates Are Available link.

The updates offered appear, as shown in Figure 3-4. The term Important is meant to reflect a level in Microsoft’s rating system for patches. See the earlier sidebar, “What’s a critical update?” for details.


Figure 3-4: Windows Update offers details about each available patch.

4. Select the box next to each patch you want to install.

On the left, you can alternate between important and optional patches. Important patches are usually selected automatically (although there can be exceptions — when Microsoft pulls a flakey patch, it will show the patch in the “important” list but deselect the box). Optional patches may or may not be selected — you have to select the check boxes next to the ones you want.

Tip: You can tap or click any links in the update list, refer to the appropriate security bulletin or Knowledge Base article (see the “Getting What You Need from a Security Bulletin” section, later in this chapter), check my MS-DEFCON status (see the “MS-DEFCON: Your guide to patch safety” sidebar, later in this chapter), look at your favorite security website or consult that really wired astrologer who hangs out in the park. Bring your own tea leaves.

5. Don’t be afraid to wait; tap or click the X to get out of the list and come back at any time.

Remember: The world may be jumping up and down. Heck, the U.S. Department of Homeland Security once issued an emergency bulletin recommending the immediate installation of a Microsoft security patch — a patch that turned into a dud. Keep your head while those about you are losing theirs.

Within a few days, problems with new patches appear — sometimes with disastrous vigor. The mainstream press frequently carries distorted, sensationalized reports either (a) warning you to patch immediately because the sky is falling (I call them Chicken Littles), or (b) describing disasters that didn’t really occur (I call them he-said-she-said rumors — or something distinctly less printable).

Windows continues to pester you, mercilessly, with the same balloon warning, Updates Are Ready for Your Computer. That’s good. You need to hear the geese cackling.



6. When you’re convinced that patching will cause more good than harm, click that infernal balloon (or click the flag), open the update details (refer to Figure 3-4), make sure that you want to take the plunge, and tap or click Install.

The Windows update routine retrieves the updates and asks you for permission to install them.

7. Follow the prompts from Windows.

Downloading and installing updates can take anywhere from a few minutes to a few hours.

8. When Windows finishes installing the updates, restart your computer.

Even if Windows doesn't require a reboot, it's an excellent idea. Keep your eyes open for any problems and if you encounter one, check AskWoody.com (www.askwoody.com) or use your favorite search engine to get to the bottom of it.



Once more, for emphasis: You have to keep Windows patched. But you don’t have to do it on Microsoft’s terms. Take the bull by the horns, be mindful about the potential problems, and go out and do it your way.
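To see what is waiting without installing anything, the sketch below lists each pending update with its Knowledge Base number, security bulletin, severity, and age, and marks the ones that have already sat out a hold-off period. It is an added example, not from the book; it assumes Windows 8.1 and the Windows Update Agent COM object Microsoft.Update.Session, and the 14-day default and the function name are illustrative choices.

```powershell
# Added example (not from the book): list pending updates and how long each
# has been available. It only searches; nothing is downloaded or installed.

function Get-PendingUpdate {
    param(
        [int]$HoldDays = 14   # illustrative hold-off; the chapter suggests a week or two or three
    )

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Same set Windows Update would offer: not installed, not hidden, software only.
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    $nowUtc   = (Get-Date).ToUniversalTime()

    foreach ($update in $result.Updates) {
        # LastDeploymentChangeTime is the UTC time the update was last published or revised.
        $ageDays = [int][math]::Floor(($nowUtc - $update.LastDeploymentChangeTime).TotalDays)

        [pscustomobject]@{
            KB       = (@($update.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
            Bulletin = @($update.SecurityBulletinIDs) -join ','
            Severity = $update.MsrcSeverity          # empty for non-security updates
            Released = $update.LastDeploymentChangeTime
            AgeDays  = $ageDays
            PastHold = ($ageDays -ge $HoldDays)
            Title    = $update.Title
        }
    }
}

# Oldest first, so the patches that have had the most field time are at the top.
Get-PendingUpdate -HoldDays 14 |
    Sort-Object AgeDays -Descending |
    Format-Table KB, Bulletin, Severity, AgeDays, PastHold, Title -AutoSize
```

The age column says only how long a patch has been out; whether it has caused trouble still has to be checked against the bulletin and its Knowledge Base article.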

Checking for updates manually

You can also check for patches manually, any time they become available, by running Windows Update. Here’s the easy way:

1. From the Start screen, swipe from the right or hover your mouse in the upper-right corner to bring up the Charms bar. At the bottom, choose Settings.

2. At the bottom of the Settings pane, choose Change PC Settings; on the left, choose Update & Recovery, then choose Windows Update.

The Windows Update settings pane appears. If you’ve told Windows to Check for Updates but Let Me Choose Whether to Download and Install Them, as I recommend earlier, or Download Updates but Let Me Choose Whether to Install Them, a screen similar to the one in Figure 3-5 appears.

3. If there are any updates on offer, tap or click the View Details link.

Windows Update runs out to the Microsoft mother ship and sees which updates are available. If it finds updates, it presents you with a list (see Figure 3-6) and, in some cases, offers an option to Choose Important Updates (tap or click this link to flip over to the Control Panel).


Figure 3-5: The simple Windows Update settings on the tiled side of Windows.


Figure 3-6: Windows patches are available.

4. If you want to pick and choose updates, tap or click the Choose Important Updates to Install or Install Optional Updates link.

That flips you over to the old-fashioned desktop and puts you in the Select Updates to Install Control Panel dialog box (refer to Figure 3-4). If you go over to the old-fashioned desktop side, you can complete the update over there, if you feel so inclined (you aren’t returned to the tiled side automatically).

5. If you’re absolutely convinced that you want to install the updates Microsoft has chosen, tap or click outside of the X Important Updates box to return to Figure 3-5 and then tap or click Install.

The installation proceeds exactly the same way as it would if you installed updates from the old-fashioned desktop side of Windows.

You may need to restart your computer for all the changes to take effect. In general, it’s a good idea to restart after applying any major update.

Getting What You Need from a Security Bulletin

When Microsoft patches a security hole in Windows, it issues a security bulletin (like the one shown in Figure 3-7). A security bulletin gives you some brief information about a particular patch (or patches) and offers a way to download patches without Windows Update. Security bulletins contain official notice from Microsoft about things that go bump in the night. They’re frequently laden with so much jargon that the interpreters need interpreters to translate them into plain English.

To find the latest security bulletins, check the Microsoft Security Response Center blog, http://blogs.technet.com/msrc. Notices of new or revised security bulletins frequently appear on the MSRC blog long before any of the other Microsoft delivery mechanisms get the word out.


Figure 3-7: Security bulletin MS12-023.

Decoding a security bulletin

When you open a security bulletin, you need a few helpful pointers on interpreting what Microsoft has to say:

Security bulletins are assigned sequential numbers, such as MS12-002, denoting the second security bulletin issued in 2012.

You may think that bulletin MS12-002 would talk about the second security patch in 2012, but you’d be wrong. Microsoft bunches up security patches, sometimes releasing several completely unrelated patches in one security bulletin. Why? Because it knows that the world at large correlates the number of security bulletins with the relative “holiness” of its software. If Windows releases only 30 patches in a year and Linux releases 48, which operating system sounds more secure?

This particular security bulletin, MS12-023 (refer to Figure 3-7), is an Internet Explorer rollup patch. Microsoft releases similar patches every couple of months. This one includes fixes for five separately identified security holes that affect 42 different versions of Internet Explorer. In total, more than a thousand files are patched by this one security bulletin.

Security bulletins are dated. Usually they get revision numbers, too, but revision numbering seems to be, uh, subject to revision, if you know what I mean — the numbering can be a bit subjective. If you see a security bulletin that has been updated recently, there’s a reason — usually something has gone wrong. If you see a security bulletin with a revision number such as 2.3 or 4.2, you know that problems bedevil the patches and that Microsoft has had to revise and re-revise (and re-re-revise) its explanations.

Each security bulletin refers to one or more Knowledge Base (KB) articles, which give further details about the patch. The six-digit KB article number appears at the end of the description of the patch.

Tip: The Knowledge Base article number is important if you need to remove a patch. Frequently, this number is the only way you have to identify the patch. If you need to remove the patch because, say, it clobbers an important part of Windows, you need the KB article number. (See the “Checking and Uninstalling Updates” section, later in this chapter.)

Remember: Many patches have a second Knowledge Base article, referenced in the Caveats section, which exists solely to track the (acknowledged) bugs in the patch. These KB articles contain a list of the bugs, updated as they’re identified.

Getting patches through a security bulletin

Although you can use Windows Update to identify the patches your computer requires, download the patches, and even install them, you can download a patch manually and run it without Windows Update’s interference, er, assistance. That can come in handy if you need to apply the same patch to numerous PCs or if you want to download the patch when your Internet connection isn’t busy but wait to install the patch later.

To download and install a security bulletin patch manually, tap or click the Download the Update link for Windows 8.1 in the security bulletin and then follow the instructions to download the patch.

Tip: Generally, it’s much simpler to have Windows keep track of which patches are required and to download them automatically by using Windows Update, but if you need to apply the same patch to multiple machines, a manual download can save hours of trouble.

Checking and Uninstalling Updates

Want to know which patches have been installed? Do you suspect that a wayward patch has clobbered your machine, so you want to uninstall it?

As long as you don’t mind wading through a bunch of Knowledge Base article numbers, getting to the list is easy. Here’s how:

1. On the desktop, to bring up the Control Panel, swipe from the right, choose Settings, and then tap or click Control Panel; or right-click the Start screen in the lower-left corner of the desktop and choose Control Panel.

2. Tap or click the System and Security link; then in the Windows Update section, tap or click the View Update History link.

Windows Update presents you with a list of installed updates, as shown in Figure 3-8.


Figure 3-8: Installed updates appear with cryptic names and Knowledge Base article numbers.

3. (Optional) If you want to see details about a particular update, tap and hold or double-click the update and then, at the bottom, tap or click the More Information link.

The Knowledge Base article for that particular patch appears.

4. To remove a patch, at the top, tap or click the Installed Updates link.

You see a list like the one in Figure 3-9.


Figure 3-9: Only updates that can be uninstalled make it on this list.

Some Windows patches cannot be uninstalled — after you got ’em, you got ’em, and no amount of wailing or gnashing of teeth will tear them out of Windows.

5. To uninstall a patch, tap or click it and choose Uninstall. When you’re done, tap or click the X (Close) button to close the Installed Updates window.

Although you don’t have to, you should restart your computer to ensure that the uninstalled patch is truly uninstalled.
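The same check and removal can be done from an elevated PowerShell prompt, using the Knowledge Base number as the handle. This is an added example, not from the book; it assumes Windows 8.1 with the built-in Get-HotFix cmdlet and wusa.exe, and the function names are illustrative.

```powershell
# Added example (not from the book): list recently installed patches and
# remove one by its Knowledge Base number. Run from an elevated prompt.

function Get-RecentPatch {
    param([int]$Days = 30)

    $cutoff = (Get-Date).AddDays(-$Days)
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $cutoff } |   # some entries carry no date
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn, InstalledBy
}

function Uninstall-Patch {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^(KB)?\d+$')]   # accepts "KB1234567" or "1234567"
        [string]$KB
    )

    $number = $KB -replace '^KB', ''

    # Only try to remove a patch that is actually listed as installed.
    if (-not (Get-HotFix | Where-Object { $_.HotFixID -eq "KB$number" })) {
        Write-Warning "KB$number is not listed as installed on $env:COMPUTERNAME."
        return
    }

    # wusa.exe asks for confirmation; /norestart leaves the reboot to you.
    $proc = Start-Process -FilePath wusa.exe `
        -ArgumentList '/uninstall', "/kb:$number", '/norestart' `
        -Wait -PassThru

    switch ($proc.ExitCode) {
        0       { "KB$number removed." }
        3010    { "KB$number removed; restart the computer to finish." }
        default { Write-Warning "wusa.exe exited with code $($proc.ExitCode); KB$number may be one of the patches that cannot be uninstalled." }
    }
}

# Show what went on in the last 30 days; call Uninstall-Patch -KB <number> yourself.
Get-RecentPatch -Days 30 | Format-Table -AutoSize
```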
