MS-DEFCON 4: Got 22H2?

By Susan Bradley (AKA 'The Microsoft Patch Lady')

If you haven’t updated to Windows 10/11 22H2, now is a good time because I’m lowering the MS-DEFCON level to 4.

This month’s updates have now settled down to the point that I don’t anticipate any issues for the vast majority of readers, nor have I seen any surprises in my testing on Windows 10 or Windows 11.

22H2 is now my recommended version of Windows for both Windows 10 and Windows 11 for all editions and all types of users — with the single exception of gamers.

Be aware that not a month goes by when I don’t see complaints of some kind in a Windows 11 forum from  a gamer (or others, for that matter). Remember that every time we install updates and reboot our systems, the reboot will often trigger the exposure of an underlying problem — it’s not necessarily the patch that caused the issue.

As always, don’t believe everything you may see on the Web regarding side effects.

Highlights

Consumer and home users

The .NET updates this month do not include any new security fixes, but they do include a fix for a side effect that mainly affects self-built applications. As a result of its impact on the business community, Microsoft is offering up these optional .NET updates. However, the reboot sequence isn’t quite right, and it triggers a reboot separately from the Windows updates. You may see two or three reboots this month. Nothing is wrong per se — it won’t hurt the operating system or your computer. Just be aware that you may see more reboots than normal this month.

On October 10, 2023, Windows 11 21H2 will stop being supported so will no longer receive security updates (see Microsoft’s Lifecycle announcement). Just as with prior versions of Windows, it’s time to utilize the various familiar tools to defer feature releases and to adjust them so that you will receive the 22H2 release. If you can’t remember whether you used a registry key or a group policy setting to keep your Windows 11 on 21H2, the simplest method is to use Steve Gibson’s excellent (and free) InControl tool to adjust the feature release to 22H2.

My one concern is for gamers running Windows 11. I’ve seen the security features in Windows 11 22H2 interact with some gaming software — in particular, some software used by gamers to cheat the game. My general recommendation for Windows 11 22H2 remains the same, but gamers may wish to defer 22H2 until the 21H2 drop-dead date in October is closer. Perhaps by then some of these issues will have been resolved.

Office issues

If you’ve been having issues with Outlook connecting to Yahoo mail, you may want to review a recent Microsoft 365 support post encouraging folks to install a preview to get an early fix for an issue where Yahoo mail and Outlook fight one another.

When adding a Yahoo IMAP account to Outlook Desktop, some users find that they are unable to generate an App Password. On the Yahoo Account Security page, the App Password Generator gives an error “Sorry, this feature is not available right now!”.

The fix for this issue, which includes OAuth support for Yahoo IMAP accounts, has been inserted into Outlook, starting with build 16308.10000 in the Office Beta Channel and Current Channel (Preview). So either opt into the beta channel, or just hang tight and use the Web version of Yahoo mail for a few weeks.

Anytime Outlook misbehaves, wait to see whether there is a fix from Microsoft. If you use add-ins with Outlook, look to see whether the add-in vendor has released an update. I use several add-ins at the office, monitoring my add-in vendors, such as Sperry Software, and checking for newer versions to install. With Office updates in particular, keep an eye on what version of Office you have.

KB915597 went crazy

For a day or two starting on July 16, users saw the Microsoft Defender update file installed over and over again. As noted in this Polish forum post, KB915597 went crazy, not you. Microsoft had to fix this issue. Sometimes you just need to wait for Microsoft to realize there is a problem that it alone can deal with.

Business users

I’m taking my own medicine this month by re-reading all Microsoft security patch release notes a few days after the updates are released. I’m recommending you make a point of doing the same.

Lately, Microsoft has been posting additional advice and clarifications that drastically change how we should evaluate an update. Case in point is CVE 2023 36884. In its original release, Microsoft indicated that we could add a rule only to block child processes or a registry key, and there was no update that would protect us from the zero-day attack. A day later, Will Dormann tweeted that he couldn’t reproduce the security vulnerability. Another day later, Microsoft acknowledged that Dormann was right and the newer versions of Office actually were not at risk for this attack. Although these older versions are the more stable and less disruptive versions, Will points out:

For those of you still on the (deprecated) Microsoft 365 Semi-Annual Channel, you do know that this makes you more vulnerable to exploitation, right? It happened with Follina CVE-2022–30190. It’s happening with CVE-2023-36884. It will happen again.

Thus you may want to weigh stable and boring against more at-risk, especially if you haven’t taken the mitigation techniques linked above.

Lesson for this month: Release notes can — and obviously will — change.

Resources

Source