Newsletter Archives

• MS-DEFCON 4: Watch out, but go ahead and install April patches

  Posted on April 24, 2009 at 08:52 CDT by woody • Comment in the Forums

  The crop of April Black Tuesday patches looks reasonably stable. The SANS Internet Storm Center reports that Symantec has raised an alert about possible MS09-013 / KB 960803 based infections – “but it could also be old vulnerabilities from 2002 (both Apache and IIS).” MS09-013 and MS09-014 are the (now expectable) monthly humongous Internet Explorer patches.

  There are known problems with all of the following:

  MS09-010 / KB 960477 Wordpad and Office converter patches may refuse to install, and they change the way Wordpad handles Word 6 and Write files. When you install this patch, go ahead and install the new Office Compatibility Pack immediately after. I haven’t seen any advice as to whether the new Compatibility Pack eliminates the need to install MS09-010 or not, so to be safe, install the patch, then the new converters.

  MS09-014 / KB 963027, the massive Internet Explorer patch, may trigger a bogus “Connection Denied” message which requires a Registry change to eliminate. Of course, you’re using Firefox, so you aren’t overly concerned. Go ahead and patch.

  MS09-015 / KB 959426 has an interesting problem: if you install the patch on a Windows 2000 computer, you have to dig into the Registry to make the patch work. Kinda makes me feel warm and fuzzy about the testing that goes into these patches…

  At any rate, I’m moving us to MS-DEFCON 4: There are isolated problems with current patches, but they are well-known and documented here. Check this site to see if you’re affected and if things look OK, go ahead and patch.

  I still recommend that you HOLD OFF on these patches:

  KB 951847 is a mess of a patch of a patch of a patch of the .NET Framework in Windows XP. I’m beginning to think that it’ll never get fixed – you’re better off waiting until you upgrade to Vista or (better) Windows 7, which have .NET baked in, or wait until Microsoft releases a new version of .NET.

  KB 960715, the ActiveX killbit update, still breaks many programs. I don’t think the cure is any better than the disease. Of course, you’re using Firefox (or Chrome) – or any Web browser that doesn’t directly expose your machine to ActiveX infections, right?

  KB 967715, the Conficker-killer that doesn’t work, is worth installing, but make sure you understand its limitations, as I posted in mid-March.

  I’m still ambivalent about Windows XP Service Pack 3, KB 936929. If you’ve been keeping up on all of your patches, it’s a toss-up. If you decide to install it, and you have problems, be sure to check out Microsoft’s Knowledge Base article KB 950718.

  I’m also ambivalent about Internet Explorer 8. Mark Edwards has a good analysis of the situation on the Windows Secrets web site.

  Uncategorized, Windows Patches/Security April Black Tuesday, Internet Explorer 8, KB 936929, KB 950718, KB 951847, KB 959426, KB 960477, KB 960715, KB 960803, KB 963027, KB 967715

• MS-DEFCON 2: Eight Security Bulletins are out

  Posted on April 15, 2009 at 07:16 CDT by woody • Comment in the Forums

  April’s Black Tuesday has come and gone, and we have eight new Security Bulletins to watch.

  MS09-009 / KB 968557 is the promised patch for the 0day hole in Excel that I first wrote about on February 25. The hole is considered “critical” for Excel 2000, but only “important” for other versions of Excel because in order to get zapped you have to click through a warning dialog. There’s no big rush for home users to apply the patch because attacks, to date, have been focused on a small number of companies. Besides, you’re using Office XP, 2003 or 2007, aren’t you? I’ll be watching this one closely, though, because it could spread.

  MS09-010 / KB 960477 is a strange one because it covers the Office text converters (and, of all things, Wordpad). There’s a detailed explanation on the MS Security Research & Defense blog, but it all boils down to a bug in the converter that allows you to open old document formats in Word. If you get a file that was saved in Word 6 or Word 97 doc format, it could be infected. (And, no, there’s no way to tell by looking at the file name if it’s an oldie.) You could also get infected by opening a Word Perfect, RTF, HTML or Works file in Word. Note that the hole exists in the converter itself – it doesn’t matter if you have Word rigged to block macros. The fact that you can get infected by using Wordpad speaks volumes. This is an old, old known hole that Microsoft acknowledged four months ago.

  MS09-011 / KB 961373 is an obscure DirectX bug that can kick in when you play a bad AVI file. No known exploits as yet.

  MS09-012 / KB 959454 resolves the “Token Kidnapping” hole in Windows that Microsoft acknowledged in KB 951306 more than a year ago.

  MS09-013 / KB 960803 fixes three separate bugs that are not common in a home environment. Microsoft says the problem appears when “a client-side application uses WinHTTP to generate a network-based request to a malicious server. The malicious server responds with a malformed request causing either a client-side application crash or code execution.”

  MS09-014 / KB 963027 another monster Internet Explorer patch, covering at least a half dozen different security holes. You will need it eventually if you have Internet Explorer 6 or 7 installed. If you’ve already upgrade to IE 8, you’re covered.

  MS09-015 / KB 959426 fixes a hole (and adds a new low-level function to Windows) that involves the sequence in which Windows searches for files. Ho-hum.

  MS09-016 /KB 961759 is yet another fix for ISA, the Internet server package. If you run ISA, you already know it. Chances are good you don’t, and you can ignore this patch.

  I’ll keep you posted. In the interim, we remain at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

  Uncategorized, Windows Patches/Security April 2009 Black Tuesday, KB 951306, KB 959426, KB 959454, KB 960477, KB 960803, KB 960906, KB 961373, KB 961759, KB 963027, KB 968272, KB 968557, MS09-009, MS09-010, MS09-011, MS09-012, MS09-013, MS09-014, MS09-015, MS09-016