In a big crop of Windows fixes, Patch Tuesday includes a few surprises


I haven’t seen any explanation for — Microsoft isn’t saying why or how it missed a month of patches. But they came rolling back with a vengeance yesterday, plugging the best-known major security holes (the and reported by Google’s Project Zero), answering many open questions, and posing a few new ones.

Among the surprises: After promising, in November, that it would discontinue the , we got a , along with new entries (the searchable database of KB numbers, with 64 new entries) and a new (detailed list of KB numbers broken out by product and platform, with 230 new entries).

Topping it all off, Nathan Mercer at Microsoft published details of another documentation effort called . That project will convert the current skeleton update listings for Win7 and 8.1 (see screenshot for the ) and add information about the individual KB patches.


Assuming Security Bulletins will be discontinued at some point, the new Update History pages will give a more focused method to check the latest fixes. Those of us who follow these matters closely used to wail about the dearth of information. Now we’re drowning in it — a welcome change.

brings version 1607 up to build 14393.953. Microsoft lists many dozens of fixes in this patch, including updates to IE and Edge, the SMB fix, and all of the pertinent security fixes.

The Update & Security applet now contains that the Win10 Creators Update is on its way (see the screenshot below). The advanced warning isn’t as bad as the Get Windows 10 campaign urging you to “,” but those who remember the GWX campaign may be twice shy about being one of the first to get Creators Update.

say installing the patch takes a long time. Per Apollo503, “i7/SSD laptop sitting next to me at ‘Getting Windows ready – Don’t turn off your computer’ for 13 minutes and still going.” The usual advice applies: Wait for it.

  • There’s an apparent conflict with Microsoft Dynamics CRM 2011. Installing the patch breaks some — but not all — CRM apps. from an anonymous poster on
  • If you have a problem with KB 4013429, please post it on the devoted to this update. Microsoft is actively monitoring the thread, and your report may help improve cumulative updates for all of us.

    Ed Bott on ZDnet of a new feature called Delta Updates that are only available through the Microsoft Update Catalog. If you you see three entries for Delta Updates. Microsoft announced the arrival of Delta Updates (also called Express Updates) in that appeared in January.

    express updatesIDG

    Microsoft is posting only the deltas to reduce download size. Those who patch Windows through a standard Windows Update connection only have to download what’s changed — the difference between their currently installed build of Win10 and the one delivered. Windows Update handles the pruning.

    For those who download the cumulative updates as a whole and apply them to multiple machines, the size of the cumulative updates has grown unwieldy. The latest cumulative updates for 1607 and 1511 now run over 1GB. These new Delta Updates run about one-third the size of the full Cumulative Updates — but they cover only one step up in patching levels.

    Oddly, differential updating, Express Updates, and Delta Updates aren’t covered in the latest Microsoft .

    Win10 1607 users also saw these patches:

    • , the latest Servicing Stack update. Think of it as Windows Update updating itself. In the Windows Update list it only appears as “Update for Windows 10 Version 1607.”
    • which is the separate security update for Flash, MS17-023. Remember that Windows 8.1 and 10 both have the Flash Player built into Internet Explorer and Edge. This patch fixes them both.

    As always, I recommend that you wait a week or two before installing any of them.

    Win10 1511 brings version 1511 up to build 10586.839. There’s another very long list of patches, exactly like Win10 1607 Cumulative Update. This one is also accompanied by , the latest Servicing Stack update, and for Flash.

    Win10 1507 runs the original Win10 to build 10240.17319. Microsoft in May, though it flinched a couple of times. Many more patches, mirroring 1511. Those of you who are using 1507 in any situation other than the should abandon ship.

    Windows 7 and 8.1

    Not to be outdone by the massiveness of Windows 10 updates, Win7 and 8.1 patches fell like snow in New York.

    The has 18 entries, nine deemed critical, with 136 uniquely identified exploits (CVEs). The says there are known exploits for three of the security holes, (the inevitable cumulative update for Internet Explorer), (an SMB vulnerability) and (Graphics components, which covers the Project Zero exploits). SANS ISC goes on to say that “six of the bulletins include vulnerabilities that have either already been made public or that are already being exploited.”

    Those who are installing Security-Only patches (the folks I call “”) need to be aware of the fact that Internet Explorer patches arrive separately from the download-only Security-Only patches. I’ll have full download and installation details later this month, when the patches have had time to stew a bit.

    Our old KB 2952664 (Win7) and KB 2976978 (Win8.1) are back, as anticipated. An on the AskWoody Lounge says they’re identical to the versions posted last week. This time they’re “Recommended,” so if you have “Give me recommended updates the same way I receive important updates” selected in Windows Update, the patches will be checked and thus installed the next time you run Windows Update — which I don’t recommend, of course.

    As usual, Windows 7 users need to (IE in Win8.1 is updated by Microsoft).

    There’s a compact list of patches and links on Günter Born’s .


    If you’re still on Vista, which goes off next month, you should note two oddities:

    • , which in the case of Vista is for the Messaging API only, contains this little gotcha: “If you are running Windows Vista or Windows Server 2008, install this security update () in addition to security update , in order to be fully protective from this vulnerability.”
    • Lounger that “New ‘magic’ win32k.sys updates for Windows Vista SP2 to speed up Windows Update scans on Vista: . Replaces KB 3204723 & previous win32k.sys fixes.”


    Office patches for this month are listed on . I count:

    • 16 patches for Office 2016, four of which are security patches
    • Nine patches for Office 2013, with four security patches
    • Five patches for Office 2010, all security
    • 10 patches for Office 2007, six security including two for the Office Compatibility Pack

    The nonsecurity patches were released last week, but they’re repeated here for completeness.

    The says there are new versions of Office Click-to-Run:

    • Office 2013 Click-To-Run is available: 15.0.4911.1002
    • Office 2010 Click-To-Run is available: 14.0.7179.5002

    In addition, the main Office 365 version 1702 is now up to build 7870.2024.

    Discussion continues on the .