Newsletter Archives

  • Where are we with the patches?

    Reader BH writes:

    Before the current MS update release on Tuesday you were at Defcon 4
    and stated to install the patches. Did that statement include:

    Microsoft.NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update (KB951847)

    KB952004

    KB956572

    KB959426

    KB960803

    Update Rollup for ActiveX Killbit for Windows Vista (KB960715)

    I have been sitting on these for a while and wish to know what to do with them.

    Your post regarding loading the patches did not specify the above and all along you have been stating not to load the Net Framework and Active X Killbit updates for some time now.

    I follow your MS-DEFCON and only load when you say so, and I would guess many others follow the same procedure. Wish you would incorporate a chart with each of the updates listed and what to do with them. It would only involve the latest listing plus those from past months that you do not wish us to update.

    Wish I had time to do that! But it would be a monstrous task.

    Here’s what I recommend:

    I’m still ambivalent about KB951847. It breaks a lot of stuff. The ActiveX Killbit rollup also breaks a lot of stuff. I talk about both here.

    KB952004 and KB956572 are MS09-012. You should’ve installed that already, but if you haven’t, wait.

    KB959426 is MS09-015. Same comment.

    KB960803 is MS09-013, part of the massive Internet Explorer patch. Same comment, especially if you use Firefox.

    In general, if you follow the MS-DEFCON level, you’ll apply patches when they’re safe, and avoid applying patches when they aren’t. There are always a few stinkers – the ActiveX Killbit and .NET Framework patches fall into that category – but by and large you can apply the patches, when they’re fully baked, en masse.

    For now, hold off.

  • Do I need to patch Internet Explorer?

    Reader DS writes:

    I’m using Firefox.

    I updated some of the April 2009 Black Tuesday patches, but haven’t patched KB952004, KB596972, KB959426, KB960803.

    Vista is running so good I don’t want to mess it up. Should I just go ahead and patch with fingers crossed?

    Yep. The MS-DEFCON 4 status applies to everyone using Firefox. The April 2009 patches seem to be working. Unfortunately, you have to patch Internet Explorer even if you use Firefox, because IE is baked into Windows.

  • MS-DEFCON 4: Watch out, but go ahead and install April patches

    The crop of April Black Tuesday patches looks reasonably stable. The SANS Internet Storm Center reports that Symantec has raised an alert about possible MS09-013 / KB 960803 based infections – “but it could also be old vulnerabilities from 2002 (both Apache and IIS).” MS09-013 and MS09-014 are the (now expectable) monthly humongous Internet Explorer patches.

    There are known problems with all of the following:

    MS09-010 / KB 960477 Wordpad and Office converter patches may refuse to install, and they change the way Wordpad handles Word 6 and Write files. When you install this patch, go ahead and install the new Office Compatibility Pack immediately after. I haven’t seen any advice as to whether the new Compatibility Pack eliminates the need to install MS09-010 or not, so to be safe, install the patch, then the new converters.

    MS09-014 / KB 963027, the massive Internet Explorer patch, may trigger a bogus “Connection Denied” message which requires a Registry change to eliminate. Of course, you’re using Firefox, so you aren’t overly concerned. Go ahead and patch.

    MS09-015 / KB 959426 has an interesting problem: if you install the patch on a Windows 2000 computer, you have to dig into the Registry to make the patch work. Kinda makes me feel warm and fuzzy about the testing that goes into these patches…

    At any rate, I’m moving us to MS-DEFCON 4: There are isolated problems with current patches, but they are well-known and documented here. Check this site to see if you’re affected and if things look OK, go ahead and patch.

    I still recommend that you HOLD OFF on these patches:

    KB 951847 is a mess of a patch of a patch of a patch of the .NET Framework in Windows XP. I’m beginning to think that it’ll never get fixed – you’re better off waiting until you upgrade to Vista or (better) Windows 7, which have .NET baked in, or wait until Microsoft releases a new version of .NET.

    KB 960715, the ActiveX killbit update, still breaks many programs. I don’t think the cure is any better than the disease. Of course, you’re using Firefox (or Chrome) – or any Web browser that doesn’t directly expose your machine to ActiveX infections, right?

    KB 967715, the Conficker-killer that doesn’t work, is worth installing, but make sure you understand its limitations, as I posted in mid-March.

    I’m still ambivalent about Windows XP Service Pack 3, KB 936929. If you’ve been keeping up on all of your patches, it’s a toss-up. If you decide to install it, and you have problems, be sure to check out Microsoft’s Knowledge Base article KB 950718.

    I’m also ambivalent about Internet Explorer 8. Mark Edwards has a good analysis of the situation on the Windows Secrets web site.
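    The chart reader BH asked for can be produced from the machine itself: pull the installed hotfix list and compare it with the install and hold-off lists in the MS-DEFCON 4 post above. The script below is an added example, not part of the newsletter. It assumes the hotfix list was captured with `wmic qfe get HotFixID` (or `Get-HotFix` in PowerShell 2.0, which reports the same `HotFixID` field); the sample output embedded in the script is constructed, and the KB-to-bulletin mapping is taken only from the posts on this page.

```python
"""Reconcile a Windows machine's installed hotfixes with the April 2009
MS-DEFCON 4 advice above.  Added example; not the newsletter's own code.

Capture the input on the machine with:   wmic qfe get HotFixID > qfe.txt
and feed the file's text to reconcile_text()."""

import re

# Patches the MS-DEFCON 4 post says are OK to install (with its caveats).
APRIL_2009_OK = {
    "KB 968557": "MS09-009 Excel",
    "KB 960477": "MS09-010 WordPad/Office converters; install the new Compatibility Pack right after",
    "KB 961373": "MS09-011 DirectX",
    "KB 959454": "MS09-012 Token Kidnapping",
    "KB 960803": "MS09-013 WinHTTP (IE)",
    "KB 963027": "MS09-014 Internet Explorer; bogus Connection Denied message possible",
    "KB 959426": "MS09-015; Windows 2000 needs a Registry edit afterwards",
    "KB 961759": "MS09-016 ISA Server (ignore if you do not run ISA)",
}

# Patches the post says to HOLD OFF on.
HOLD_OFF = {
    "KB 951847": ".NET Framework 3.5 SP1 family update; breaks a lot of stuff",
    "KB 960715": "ActiveX killbit rollup; still breaks many programs",
    "KB 936929": "Windows XP SP3; toss-up, see KB 950718 if you have problems",
}

KB_RE = re.compile(r"\bKB\s?(\d{6,7})\b", re.IGNORECASE)


def normalize_kb(text):
    """'KB 960803', 'kb960803' and 'KB960803' all become 'KB960803'."""
    m = KB_RE.search(text)
    return "KB" + m.group(1) if m else None


def parse_hotfix_ids(wmic_output):
    """Return the set of KB IDs found in `wmic qfe get HotFixID` output.
    wmic pads columns with spaces and ends lines with CRLF; the regex
    search ignores both, and rows without a KB number (the header, 'File 1'
    style entries on old systems) are skipped."""
    ids = set()
    for line in wmic_output.splitlines():
        kb = normalize_kb(line)
        if kb:
            ids.add(kb)
    return ids


def reconcile(installed):
    """Split the page's advice into what is done, what is still pending,
    and which hold-off patches are already on the box (worth a review)."""
    ok = {normalize_kb(k): v for k, v in APRIL_2009_OK.items()}
    hold = {normalize_kb(k): v for k, v in HOLD_OFF.items()}
    return {
        "installed_ok": {k: v for k, v in ok.items() if k in installed},
        "pending_ok": {k: v for k, v in ok.items() if k not in installed},
        "hold_installed": {k: v for k, v in hold.items() if k in installed},
        "hold_pending": {k: v for k, v in hold.items() if k not in installed},
    }


def reconcile_text(wmic_output):
    return reconcile(parse_hotfix_ids(wmic_output))


# Constructed sample of `wmic qfe get HotFixID` output (not from a real machine).
SAMPLE_WMIC_OUTPUT = "HotFixID  \r\nKB951847  \r\nKB960803  \r\nKB960715  \r\n\r\n"

if __name__ == "__main__":
    report = reconcile_text(SAMPLE_WMIC_OUTPUT)
    for section, entries in report.items():
        print(section)
        for kb, note in sorted(entries.items()):
            print("  %s  %s" % (kb, note))
```

On the constructed sample the report shows KB960803 as the only April patch already applied, the remaining seven as pending, and flags KB951847 and KB960715 as hold-off patches that are nonetheless installed. Because the KB numbers are read from the output rather than typed by hand, the same script works against next month's list once the two dictionaries are updated.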

  • MS-DEFCON 2: Eight Security Bulletins are out

    April’s Black Tuesday has come and gone, and we have eight new Security Bulletins to watch.

    MS09-009 / KB 968557 is the promised patch for the 0day hole in Excel that I first wrote about on February 25. The hole is considered “critical” for Excel 2000, but only “important” for other versions of Excel because in order to get zapped you have to click through a warning dialog. There’s no big rush for home users to apply the patch because attacks, to date, have been focused on a small number of companies. Besides, you’re using Office XP, 2003 or 2007, aren’t you? I’ll be watching this one closely, though, because it could spread.

    MS09-010 / KB 960477 is a strange one because it covers the Office text converters (and, of all things, Wordpad). There’s a detailed explanation on the MS Security Research & Defense blog, but it all boils down to a bug in the converter that allows you to open old document formats in Word. If you get a file that was saved in Word 6 or Word 97 doc format, it could be infected. (And, no, there’s no way to tell by looking at the file name if it’s an oldie.) You could also get infected by opening a Word Perfect, RTF, HTML or Works file in Word. Note that the hole exists in the converter itself – it doesn’t matter if you have Word rigged to block macros. The fact that you can get infected by using Wordpad speaks volumes. This is an old, old known hole that Microsoft acknowledged four months ago.

    MS09-011 / KB 961373 is an obscure DirectX bug that can kick in when you play a bad AVI file. No known exploits as yet.

    MS09-012 / KB 959454 resolves the “Token Kidnapping” hole in Windows that Microsoft acknowledged in KB 951306 more than a year ago.

    MS09-013 / KB 960803 fixes three separate bugs that are not common in a home environment. Microsoft says the problem appears when “a client-side application uses WinHTTP to generate a network-based request to a malicious server. The malicious server responds with a malformed request causing either a client-side application crash or code execution.”

    MS09-014 / KB 963027 is another monster Internet Explorer patch, covering at least a half dozen different security holes. You will need it eventually if you have Internet Explorer 6 or 7 installed. If you’ve already upgraded to IE 8, you’re covered.

    MS09-015 / KB 959426 fixes a hole (and adds a new low-level function to Windows) that involves the sequence in which Windows searches for files. Ho-hum.

    MS09-016 / KB 961759 is yet another fix for ISA, the Internet server package. If you run ISA, you already know it. Chances are good you don’t, and you can ignore this patch.

    I’ll keep you posted. In the interim, we remain at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.