Another Windows Update query

Before installing Windows updates, I check the advice from a newsletter
I subscribe to; but occasionally an update doesn't appear in its
recommendations on whether to install. Two updates yesterday didn't
appear in the newsletter, so I checked them at the Microsoft website
https://technet.microsoft.com/en-us/...urity/MS16-019

I have a 64-bit Windows 7 Dell laptop. In WU, these two updates claim to
be for 64-bit Windows 7 machines. However, the Microsoft website says
that they're for 32-bit Windows 7 computers. The updates are

KB3127220
KB3127229

They both have to do with .NET Framework.

My question: Should I install them?

Thank you,

Jo-Anne

Jo-Anne wrote on 2016/02/11:

I have a 64-bit Windows 7 Dell laptop. In WU, these two updates claim to
be for 64-bit Windows 7 machines. However, the Microsoft website says
that they're for 32-bit Windows 7 computers. The updates are

KB3127220
KB3127229

That MS article was published February 9, 2016; however, if you look at
the description of each update instead of the MS article listing
multiple updates, you would see those updates have been around for 2 to
3 weeks. If they were not offered via WU until incorporate to MS016-019
then they may not have been noticed until the last 1 or 2 days.

Go back to the MS016-019 article. Do a search on those update numbers
(without the "KB" prefix) instead of relying on your eyes. On each hit,
look at the Windows version and bitness in which that hit applies. You
would see that both those updates apply to both the x86 and x64 version
of Windows 7.

KB31272220
Published: 1/22/2016
https://www.microsoft.com/en-us/down....aspx?id=50865
A security issue has been identified that could allow an unauthenticated
remote attacker to compromise your system and gain access to
information.

KB3127229
Published: 1/29/2016
https://www.microsoft.com/en-us/down....aspx?id=50919
A security issue has been identified that could allow an unauthenticated
remote attacker to compromise your system and gain access to
information.

Jo-Anne wrote:
Before installing Windows updates, I check the advice from a newsletter
I subscribe to; but occasionally an update doesn't appear in its
recommendations on whether to install. Two updates yesterday didn't
appear in the newsletter, so I checked them at the Microsoft website
https://technet.microsoft.com/en-us/...urity/MS16-019

I have a 64-bit Windows 7 Dell laptop. In WU, these two updates claim to
be for 64-bit Windows 7 machines. However, the Microsoft website says
that they're for 32-bit Windows 7 computers. The updates are

KB3127220
KB3127229

They both have to do with .NET Framework.

My question: Should I install them?

Thank you,

Jo-Anne

Hi, Jo-Anne

Both 3127220 and 3127229 are shown for Win7x64 Sp1 systems as
'Information Disclosure' related updates for the .NET 3.5.1 and .NET
4.5.2 components.

cf.
https://technet.microsoft.com/en-us/...urity/MS16-019

Windows 7 for x64-based Systems Service Pack 1
Microsoft .NET Framework 3.5.1
Important
Denial of Service
(3122648)

Important
Information Disclosure
(3127220) =====

Windows 7 for x64-based Systems Service Pack 1
Microsoft .NET Framework 4.5.2[1]
Important
Denial of Service
(3122656)

Important
Information Disclosure
(3127229) =====


--
....winston
msft mvp windows experience

On 2/11/2016 11:37 AM, Jo-Anne wrote:
Before installing Windows updates, I check the advice from a newsletter
I subscribe to; but occasionally an update doesn't appear in its
recommendations on whether to install. Two updates yesterday didn't
appear in the newsletter, so I checked them at the Microsoft website
https://technet.microsoft.com/en-us/...urity/MS16-019

I have a 64-bit Windows 7 Dell laptop. In WU, these two updates claim to
be for 64-bit Windows 7 machines. However, the Microsoft website says
that they're for 32-bit Windows 7 computers. The updates are

KB3127220
KB3127229

They both have to do with .NET Framework.

My question: Should I install them?

Thank you,

Jo-Anne

Thank you both. I misread my "Find" results as 1 of 1 instead of 1 of
10. My apologies.

--
Jo-Anne

On 2/11/2016 12:37 PM, Jo-Anne wrote:
Before installing Windows updates, I check the advice from a newsletter
I subscribe to; but occasionally an update doesn't appear in its
recommendations on whether to install. Two updates yesterday didn't
appear in the newsletter, so I checked them at the Microsoft website
https://technet.microsoft.com/en-us/...urity/MS16-019

I have a 64-bit Windows 7 Dell laptop. In WU, these two updates claim to
be for 64-bit Windows 7 machines. However, the Microsoft website says
that they're for 32-bit Windows 7 computers. The updates are

KB3127220
KB3127229

They both have to do with .NET Framework.

My question: Should I install them?

Thank you,

Jo-Anne

I found some updates that are questionable, too.

KB2952664 Don't understand what it's for.

KB3102429
KB3123862
KB3135445

Last 3 have something to do with Win10

susan wrote:
On 2/11/2016 12:37 PM, Jo-Anne wrote:
Before installing Windows updates, I check the advice from a newsletter
I subscribe to; but occasionally an update doesn't appear in its
recommendations on whether to install. Two updates yesterday didn't
appear in the newsletter, so I checked them at the Microsoft website
https://technet.microsoft.com/en-us/...urity/MS16-019

I have a 64-bit Windows 7 Dell laptop. In WU, these two updates claim to
be for 64-bit Windows 7 machines. However, the Microsoft website says
that they're for 32-bit Windows 7 computers. The updates are

KB3127220
KB3127229

They both have to do with .NET Framework.

My question: Should I install them?

Thank you,

Jo-Anne

I found some updates that are questionable, too.

KB2952664 Don't understand what it's for.

KB3102429
KB3123862
KB3135445

Last 3 have something to do with Win10

These two act as a team. You won't be offered a free
copy of Windows 10 by GWX alone, without '664. But today,
receiving it via Windows Update, is a second delivery
mechanism. So even if this tag team is not installed,
you might still be offered Windows 10 when you didn't
particularly ask for it.

2952664 Engine components for qualifying OS analysis.
3035583 GWX (Get Windows 10) display and state machine.

The '664 update is referred to as a "servicing stack update".
Which doesn't tell you anything, but you can use such
a description in a web search, to see what duties such
an update performs.

Paul

On Thu, 11 Feb 2016 22:58:26 -0500, susan wrote:

On 2/11/2016 12:37 PM, Jo-Anne wrote:
Before installing Windows updates, I check the advice from a newsletter
I subscribe to; but occasionally an update doesn't appear in its
recommendations on whether to install. Two updates yesterday didn't
appear in the newsletter, so I checked them at the Microsoft website
https://technet.microsoft.com/en-us/...urity/MS16-019

I have a 64-bit Windows 7 Dell laptop. In WU, these two updates claim to
be for 64-bit Windows 7 machines. However, the Microsoft website says
that they're for 32-bit Windows 7 computers. The updates are

KB3127220
KB3127229

They both have to do with .NET Framework.

My question: Should I install them?

Thank you,

Jo-Anne

I found some updates that are questionable, too.

KB2952664 Don't understand what it's for.

KB3102429
KB3123862
KB3135445

Last 3 have something to do with Win10

I did a quick Google search for those last 4 updates and it seems to
me that MS would like to have a Windows 10 party for you and your PC.
Your invitation could appear on a PC near you any time soon.

As I have already upgraded to Win 10 from Win7 I can't tell whether
or not they were installed on my two PCs.

Paul wrote:
susan wrote:
On 2/11/2016 12:37 PM, Jo-Anne wrote:
Before installing Windows updates, I check the advice from a newsletter
I subscribe to; but occasionally an update doesn't appear in its
recommendations on whether to install. Two updates yesterday didn't
appear in the newsletter, so I checked them at the Microsoft website
https://technet.microsoft.com/en-us/...urity/MS16-019

I have a 64-bit Windows 7 Dell laptop. In WU, these two updates claim to
be for 64-bit Windows 7 machines. However, the Microsoft website says
that they're for 32-bit Windows 7 computers. The updates are

KB3127220
KB3127229

They both have to do with .NET Framework.

My question: Should I install them?

Thank you,

Jo-Anne

I found some updates that are questionable, too.

KB2952664 Don't understand what it's for.

KB3102429 KB3123862
KB3135445

Last 3 have something to do with Win10

These two act as a team. You won't be offered a free
copy of Windows 10 by GWX alone, without '664. But today,
receiving it via Windows Update, is a second delivery
mechanism. So even if this tag team is not installed,
you might still be offered Windows 10 when you didn't
particularly ask for it.

2952664 Engine components for qualifying OS analysis.
3035583 GWX (Get Windows 10) display and state machine.

The '664 update is referred to as a "servicing stack update".
Which doesn't tell you anything, but you can use such
a description in a web search, to see what duties such
an update performs.

Paul
2952664 supports the GWX app's Upgrade Advisor component.

--
....winston
msft mvp windows experience

On Thu, 11 Feb 2016 13:09:37 -0600, VanguardLH wrote:
KB31272220
Published: 1/22/2016
https://www.microsoft.com/en-us/down....aspx?id=50865
A security issue has been identified that could allow an unauthenticated
remote attacker to compromise your system and gain access to
information.

KB3127229
Published: 1/29/2016
https://www.microsoft.com/en-us/down....aspx?id=50919
A security issue has been identified that could allow an unauthenticated
remote attacker to compromise your system and gain access to
information.


I hate, hate, HATE the generic descriptions of updates.

--
Stan Brown, Oak Road Systems, Tompkins County, New York, USA
http://BrownMath.com/
http://OakRoadSystems.com/
Shikata ga nai...

In message , Stan Brown
writes:
On Thu, 11 Feb 2016 13:09:37 -0600, VanguardLH wrote:
KB31272220
Published: 1/22/2016
https://www.microsoft.com/en-us/down....aspx?id=50865
A security issue has been identified that could allow an unauthenticated
remote attacker to compromise your system and gain access to
information.

KB3127229
Published: 1/29/2016
https://www.microsoft.com/en-us/down....aspx?id=50919
A security issue has been identified that could allow an unauthenticated
remote attacker to compromise your system and gain access to
information.


I hate, hate, HATE the generic descriptions of updates.

So do I. But if the choice is between that and nothing, I guess I'd
rather have that.
--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

"quidquid latine dictum sit, altum viditur". ("Anything is more impressive if
you say it in Latin")

Stan Brown wrote on 2016/02/13:

VanguardLH wrote:

KB31272220
Published: 1/22/2016
https://www.microsoft.com/en-us/down....aspx?id=50865
A security issue has been identified that could allow an unauthenticated
remote attacker to compromise your system and gain access to
information.

KB3127229
Published: 1/29/2016
https://www.microsoft.com/en-us/down....aspx?id=50919
A security issue has been identified that could allow an unauthenticated
remote attacker to compromise your system and gain access to
information.

I hate, hate, HATE the generic descriptions of updates.

Yep, Microsoft has become well practiced in the last couple of years in
being vague about their updates, especially so for the Win10 updates
(and the Win10-oriented updates for Win7/8). However, regarding
security updates, I can see why they are vague. They are not interested
in providing instructions to script kiddies or malware wannabes on how
to code for a vulnerability so those a-holes can harm Windows users that
have yet to install the patches.

Microsoft is not in the business of educating malware authors so I fully
understand why they do not provide details on security updates. Do you
help those that are trying to hurt you?

I ran into the same situation in newsgroups that discuss malware. I
normally do not provide a valid e-mail address, not even an obfuscated
one, when posting in Usenet. However, in those newsgroups, you may want
to or should take offline any discussion of the details of malware or
for a vulnerability you have discovered or want to discuss. The point
of the newsgroup is to fight malware, not abet it.

It would irresponsible and reprehensible for Microsoft to describe in
detail a vulnerability via a public venue of communication. Not all
truth is for the public good.

Also, for the vast majority of their users, details would be far beyond
the expertise of their customer base to comprehend. While I research
all offered updates, some involve technologies to which I've never been
exposed because I never used, administered, or dealt with them before.
So I have to learn more than I wanted to determine if I want to permit
the install of some updates. Could take hours or days before I
understand enough of the technology to make a decision to install an
update. How many users do you know that will go through that much
effort to validate an update? Do you? Well, maybe you and I do but
even the majority of visitors here do not, so even much less so for the
general user community.

On 2/13/2016 1:24 PM, VanguardLH wrote:
Stan Brown wrote on 2016/02/13:

VanguardLH wrote:

KB31272220
Published: 1/22/2016
https://www.microsoft.com/en-us/down....aspx?id=50865
A security issue has been identified that could allow an unauthenticated
remote attacker to compromise your system and gain access to
information.

KB3127229
Published: 1/29/2016
https://www.microsoft.com/en-us/down....aspx?id=50919
A security issue has been identified that could allow an unauthenticated
remote attacker to compromise your system and gain access to
information.

I hate, hate, HATE the generic descriptions of updates.

Yep, Microsoft has become well practiced in the last couple of years in
being vague about their updates, especially so for the Win10 updates
(and the Win10-oriented updates for Win7/8). However, regarding
security updates, I can see why they are vague. They are not interested
in providing instructions to script kiddies or malware wannabes on how
to code for a vulnerability so those a-holes can harm Windows users that
have yet to install the patches.

Microsoft is not in the business of educating malware authors so I fully
understand why they do not provide details on security updates. Do you
help those that are trying to hurt you?

I ran into the same situation in newsgroups that discuss malware. I
normally do not provide a valid e-mail address, not even an obfuscated
one, when posting in Usenet. However, in those newsgroups, you may want
to or should take offline any discussion of the details of malware or
for a vulnerability you have discovered or want to discuss. The point
of the newsgroup is to fight malware, not abet it.

It would irresponsible and reprehensible for Microsoft to describe in
detail a vulnerability via a public venue of communication. Not all
truth is for the public good.

Also, for the vast majority of their users, details would be far beyond
the expertise of their customer base to comprehend. While I research
all offered updates, some involve technologies to which I've never been
exposed because I never used, administered, or dealt with them before.
So I have to learn more than I wanted to determine if I want to permit
the install of some updates. Could take hours or days before I
understand enough of the technology to make a decision to install an
update. How many users do you know that will go through that much
effort to validate an update? Do you? Well, maybe you and I do but
even the majority of visitors here do not, so even much less so for the
general user community.

I'd agree with your position on malware updates.
The two referenced at the top have sufficient detail.

Most of the discussion over updates has to do with MS pushing
update items that allow THEM to "compromise my system and gain
access to my data."

If an update allows MS to FORCE a OS upgrade on you, that should
be spelled out in big red letters and be OPT-IN.
Hell, they should go to jail for hiding it.

In message , mike
writes:
On 2/13/2016 1:24 PM, VanguardLH wrote:
[]
Microsoft is not in the business of educating malware authors so I fully
understand why they do not provide details on security updates. Do you
help those that are trying to hurt you?
[]
Also, for the vast majority of their users, details would be far beyond
the expertise of their customer base to comprehend. While I research
[]
I take your point(s). For the first one, it would do no harm if they
were to add, to the boilerplate text, "this update protects against xyz,
abc, and 123, among others" - that wouldn't tell the malware authors
much. But, as suggested by your second point, this information would
probably be of little use to most users.

I do agree with the OP that boilerplate text is irritating, though.
[]
Most of the discussion over updates has to do with MS pushing
update items that allow THEM to "compromise my system and gain
access to my data."

Yes - "bundling" of such things (which are not, IMO, strictly "updates")
with other things, especially genuine security updates, is at best
underhand.

If an update allows MS to FORCE a OS upgrade on you, that should
be spelled out in big red letters and be OPT-IN.
Hell, they should go to jail for hiding it.

Indeed. In fact I'd question whether it should be allowed to be
distributed via the "update" channel at all.
--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

A perfectionist takes infinite pains and often gives them to others

On Sun, 14 Feb 2016 11:57:03 +0000, J. P. Gilliver (John) wrote:
I take your point(s). For the first one, it would do no harm if they
were to add, to the boilerplate text, "this update protects against xyz,
abc, and 123, among others"


Not only would it do no harm, it would be helpful. That's probably
why they don't do it. :-)

And that brief description ought to appear in Windows Update on your
computer, instead of just "This fixes issues in Windows." It's
irritating to have to go out on the Internet, and even enable
Javascript, to get even basic information from Microsoft about an
update. I'm sure they do that on purpose, trying to pressure people
not to pick and choose among updates.

I like someone else's suggestion to google for the KB numbers and
read about a given update on sites other than Microsoft's. If a
update has been out for a few days, and nobody but Microsoft has
written about it, it's probably safe.

--
Stan Brown, Oak Road Systems, Tompkins County, New York, USA
http://BrownMath.com/
http://OakRoadSystems.com/
Shikata ga nai...

Stan Brown wrote on 2016/02/14:

J. P. Gilliver (John) wrote:

I take your point(s). For the first one, it would do no harm if they
were to add, to the boilerplate text, "this update protects against xyz,
abc, and 123, among others"

Not only would it do no harm, it would be helpful. That's probably
why they don't do it. :-)

And that brief description ought to appear in Windows Update on your
computer, instead of just "This fixes issues in Windows." It's
irritating to have to go out on the Internet, and even enable
Javascript, to get even basic information from Microsoft about an
update. I'm sure they do that on purpose, trying to pressure people
not to pick and choose among updates.

One item Gilliver did mention (but somewhat independently of his prior
post or its replies) is the bundling of updates. I've seen updates that
address 2 totally different functions in Windows. For example, one was
about some login mechanism that did not apply in non-domain setups and
also had an update for some component in MS Office. To get the MS
Office update meant getting their other superfluous update (for my
setup).

As to the vague descriptions, quite often the KB article to which the WU
client links is too vague assuming the user actually even gets that far
to research an update. Alas, most users just ingest whatever Microsoft
spoon feeds them. Some of those generalized KB article have links to
"Additional Information" pages with more technical details.

For KB3127220:
https://www.microsoft.com/en-us/down....aspx?id=50865
links to
https://support.microsoft.com/en-us/kb/3127220
Obviously Microsoft should *not* be providing an example to script
kiddies and malware wannabes just what is a "specially crafted XSLT"
(https://en.wikipedia.org/wiki/XSLT).

For KB3127229:
https://www.microsoft.com/en-us/down....aspx?id=50919
links to
https://support.microsoft.com/en-us/kb/3127229
which is another XSLT vulnerability.

Both dealt with "specially crafted XSLT" content. The updates replaced
different files but that in itself is not sufficient reason to issue
separate updates. KB3127220 updates .NET 3.51. KB3127229 updates .NET
4.52 and why the updates are separate. So, in this case for those 2
updates, there is probably sufficient information to decided whether or
not to install them. I don't expect and would not want Microsoft to map
out and publicly disclose exactly what is the "specially crafted XSLT".

To be sure, there have been updates with too little technical
information but not in this case. Also, quite often to what an update
applies against is not what even experienced Windows users may be
knowledgeable so the user has to educate themself. Once the user has
more background in the technology the update addresses then it becomes
more apparent why the update is offered.

If a doctor where to get deeply involved in discussing why some blood
disorder caused a particular change in osmosis of sodium through the
cell wall for which types of cells and yadda yadda, it's all
gobblety-gook to you unless you educate yourself beyond what is expected
for patient knowledge but does not prevent the patient from educating
themself to further understand the blood disorder. Depends on how
self-motivated is the patient or even if the patient cares about getting
into that far greater level of detail.

Microsoft provides links to articles to give general and too often
overly vague descriptions of their updates; however, sometimes there is
a link providing more technical details on an update. I'm not sure that
I want Microsoft bloating network bandwidth and disk consumption to
include every document applicable to every update. Most users never
research an update so why bother doling out documentation they never
read? These are the same users that never read the help documentation
that comes with software or even bother to investigate what
configuration settings are available. They deliberately choose to
remain blind. I suppose Microsoft could provide a user-configurable
option to determine how much information was included in a downloaded
update package but that's a hindsight issue regarding adding new
functionality both in the WU client and up in the server and its
database. After all, you have to be online to get the updates so it
isn't a huge leap to go online to read the KB articles and use their
links, if available, to read more detailed technical descriptions.

Yes, Microsoft could do much better regarding their descriptions of
updates (and not bundling them for unrelated functionalities). Always
easier to tell someone else what to do than do it yourself. More info
available (even if only online) would allay increasing suspicions as to
what Microsoft is doing. To me, it doesn't seem that Microsoft
deliberately wants to make their customers distrust them. Seems more
like the old guard of programmers and documenters at Microsoft has faded
away (quit, fired, moved on, died) and the new guard is less capable.
The old was used to telephone conversations and face-to-face review
meetings. The new grew up with urgent immediacy and texting littered
with acronyms. Attention span is now less than for a goldfish.