June 8, 2010

In its largest patch push so far this year, Microsoft today released 10 security updates to fix at least 34 security vulnerabilities in its Windows operating system and software designed to run on top of it. Separately, Apple has shipped another version of Safari for both Mac and Windows PCs that plugs some four dozen security holes in the Web browser.

Microsoft assigned three of the updates covering seven vulnerabilities a “critical” rating, meaning they can be exploited to help attackers break into vulnerable systems with no help from users. At least 14 of the flaws fixed in this month’s patch batch are in Microsoft Excel, and another eight relate to Windows and Internet Explorer.

According to Microsoft, the most serious of the bugs involves a weakness in the way Windows handles certain media formats, and is present in all supported versions of Windows. Another critical update nixes six different insecure ActiveX controls (plug-ins for Internet Explorer), while the third critical update corrects at least a half dozen vulnerabilities in IE.

Microsoft notes that Office XP users may not be able to install one of the needed updates; rather, Redmond is releasing what it calls a “shim,” essentially a point-and-click “FixIt” tool that apparently does the job. If you use Office XP, go ahead and click the “FixIt” icon at this link when you’re done installing the rest of the updates.

The Microsoft patches are available through Windows Update or via Automatic Update. As usual, please drop a note in the comments below if you experience any problems as a result of installing these updates.

Apple’s Safari 5.0 update fixes at least four dozen security vulnerabilities in Safari on both Mac OS X and Windows. Updates are available for Mac OS X v10.4.11, Mac OS X v10.5.8, Mac OS X v10.6.2 or later, Windows 7, Vista, and XP. Mac users can grab the update from Software Update or Apple Downloads; Safari users on Windows will need to update using the bundled Apple Software Update utility.


28 thoughts on “Microsoft, Apple Ship Big Security Updates”

  1. GSG

    Thanks for the warning, Bryan.
    My desktop (XP) had the fixes downloaded already, but my Vista laptop did not indicate anything

    To those who have problems bringing up your page : I have no problems reading your website even though NoScript is set to block everything.

    Now for my installation of the fixes.

    Desktop Dell Dimension 4700 Windows XP.
    No problems downloading and installing the fixes.

    Laptop : Toshiba Satellite L305-S5933
    Pentium T3400 3G 250G HD
    Vista Home Premium

    Download of one of 12 fixes fails. Error 80070643
    Microsoft website says Problem with .NET Framework.
    Offers fix for this problem.
    Trying to download this fix, takes a while, then says Error … (LONG reference number).
    Succeeds on retry.
    Microsoft Fix It shows up and does its job.

    Try to download the “1 out of 12” missing fix, but the system insists on restart.
    Restart system.
    Last fix downloads and installs.

  2. JohnJ

    Brian, do you recommend that Vista x64 users immediately install the Microsoft patches, or should we wait (a week?) to make sure that there are no patch bugs?

    1. BrianKrebs Post author

      Given that there aren’t any signs that hackers are actively exploiting these bugs, I’d say it’s probably safe to wait a few days before installing these updates, just to make sure none of them are causing any stability or usability problems.

      1. Rick

        Safari 5 (Mac) is causing usability problems. We were sent the following screen dump last night.

        http://bit.ly/a3UhLa

        There are other issues with flash compatibility, pages rendering really funky, etc. The MacRumors threads can be of help.

        Wait on Safari 5 (Mac) for an update – you can’t reasonably revert to 4.0.5, from what we understand.

  3. Alan

    And now Apple and Microsoft have fixed those ones there are more awaiting their attention:

    http://www.infoworld.com/d/security-central/windows-7-and-mac-os-x-both-hit-fundamental-flaws-679

    And we are waiting, as always, for Adobe to catch up with the latest Flash and Reader bugs across Windows, OS X and Linux:
    http://blogs.adobe.com/psirt/2010/06/update_to_security_advisory_fo.html

    It’s never ending. Keep patching, don’t run as admin if it can be avoided, use ASLR and DEP, be aware of social engineering attacks, configure key apps like browser, PDF reader, etc. to be more secure.

    1. Rick

      The DMA attack is like a flashback to the warnings of David Maynor several years ago – you know, the ones that the industry (primarily Apple) wanted to keep out of the public eye.

  4. Rick

    Too bad for Windows users but we’d recommend people hold off on downloading a Safari 5 update. All the data we’ve been sent so far indicates it’s a royal mess.

  5. Paul 'it could be' Virgo

    Here at our gov site, we’ve noticed that the Microsoft patches ‘broke’ the ability to do network drive mapping. Had to have clients uninstall Microsoft Client Network module, reboot, install it, reboot again, and then users could map to their network drives. Anyone else experiencing this??

    1. Paul 'it could be' Virgo

      @Brian – Not sure. I checked the ‘Add/Remove Software’ area, but nothing stands out. Is there any place else I should check?? Sorry–I’m a Linux guy who only uses the XP box for Windows-based clients and for my mandated email client.

  6. JBV

    Microsoft updates downloaded completely to old computer with XP, but installation needed to be done in two parts – computer froze up while installing. No problems after installation finally completed.

  7. muffin

    i have windows xp professional, sp3. i had no problem installing these updates. but i did have to go get them this evening. i have my computer set for automatic updates. does it take a few days for microsoft to do the auto update?

  8. Peter

    I have seen comments about the patches needing to be done in two parts in a few places now. Does anyone have any suggestions as to which patches need to be kept apart?

    1. JBV

      The patch that froze my computer was KB982168. On my computer it was download 12 of 16. Don’t know if it was something in this patch or just that the computer was overworked. When I rebooted, the patch was installed, even though the installation screen bar was still running it when I shut down.

    2. BrianKrebs Post author

      Peter — As I wrote above, if you use Office XP, you may need to use Microsoft’s “FixIt” tool, which is separate and apart from the normal patch download and install process.

      “Microsoft notes that Office XP users may not be able to install one of the needed updates; rather, Redmond is releasing what it calls a “shim,” essentially a point-and-click “FixIt” tool that apparently does the job. If you use Office XP, go ahead and click the “FixIt” icon at this link when you’re done installing the rest of the updates.”

  9. Steve

    I’ve lost gadgets functionality since the MS patch install last night. Running Win 7 . .

  10. David Chasey

    The update to NET Framework 3.x continually has failed to install. Any suggestions, anyone?

    1. Michael

      Am in the midst of dealing with a similar problem so here’s what I know to do so far:
      1. First retrieve the error code associated with the installation failure: go to Update_History and click on the failed-download Status icon (red circle with X) and an error page will open. You might want to try the Find_Solutions link on the error page first and see if your error code is listed and has a solution (mine wasn’t).
      2. If the above fails, call Microsoft at 1-866-PCSAFETY (free help for security issues). What they told me to do was download/run uninstall and cleanup tools to remove .NET Framework altogether, reinstall it using a standalone exe, and then re-do Windows_Update but emailed a broken link and confusing instructions. I’ve just emailed them back. YMMV.
      The good news is I’ll be drinking beer shortly. Best of luck to you.
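The error-code lookup Michael describes above (Update History, then the failed-status icon) can also be done from a PowerShell prompt. The script below is an added example, not code from this post or from any commenter: it reads the Windows Update Agent history through the documented Microsoft.Update.Session COM object, prints the HResult of each failed install in the familiar 0x80070643 form, and optionally checks with Get-HotFix whether specific KB numbers (KB982168 is the one named in this thread) are actually listed as installed. It assumes PowerShell 2.0 or later on the affected machine and an elevated session; the $Last and $KBs parameter names are my own choice.

```powershell
# Added example: list recent Windows Update history entries, flag failed
# installs with their HResult, and optionally confirm specific KBs.
# Assumes an elevated PowerShell (2.0+) session on the affected machine.

param(
    [int]$Last = 20,          # how many of the newest history entries to show
    [string[]]$KBs = @()      # optional KB ids to confirm, e.g. 'KB982168'
)

# OperationResultCode values from the Windows Update Agent API.
$resultNames = @{
    0 = 'NotStarted'
    1 = 'InProgress'
    2 = 'Succeeded'
    3 = 'SucceededWithErrors'
    4 = 'Failed'
    5 = 'Aborted'
}

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$total    = $searcher.GetTotalHistoryCount()
$count    = [Math]::Min($Last, $total)

# QueryHistory(startIndex, count) returns entries newest first.
$history = $searcher.QueryHistory(0, $count)

$rows = foreach ($entry in $history) {
    # HResult is a signed Int32; X8 formatting yields the 0x8007xxxx form
    # that the Windows Update UI and Microsoft's KB articles use.
    New-Object PSObject -Property @{
        Date    = $entry.Date
        Status  = $resultNames[[int]$entry.ResultCode]
        HResult = ('0x{0:X8}' -f $entry.HResult)
        Title   = $entry.Title
    }
}

Write-Host ("Showing {0} of {1} history entries" -f $count, $total)
$rows | Format-Table Date, Status, HResult, Title -AutoSize

# Failed entries get their own summary so the code to search for is obvious.
$failed = $rows | Where-Object { $_.Status -eq 'Failed' }
if ($failed) {
    Write-Host "`nFailed installs (search Microsoft support for the HResult):"
    $failed | Format-Table Date, HResult, Title -AutoSize
}

# Get-HotFix reads the installed-hotfix list (Win32_QuickFixEngineering);
# a KB that shows Succeeded in history but is absent here merits a second look.
if ($KBs.Count -gt 0) {
    $installed = Get-HotFix -Id $KBs -ErrorAction SilentlyContinue |
        ForEach-Object { $_.HotFixID }
    foreach ($kb in $KBs) {
        $state = if ($installed -contains $kb) { 'installed' } else { 'NOT found' }
        Write-Host ("{0}: {1}" -f $kb, $state)
    }
}
```

Run it as `.\Get-UpdateHistory.ps1 -Last 30 -KBs KB982168` (the file name is whatever you save it under). The HResult column is the value to search on; for instance the 80070643 that GSG reports above corresponds to a Windows Installer failure, which is why Microsoft's guidance in that case points at .NET Framework repair.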

  11. JCitizen

    Win Vista x64 working fine so far; couldn’t help notice, they still haven’t done anything with cross scripting for IE? Or that was a new one – cross site direction?

    Maybe they think it is minor, but I think it is scurrilous.

  12. jxl2

    I downloaded the patches for ‘patch Tuesday’ on Thursday morning, at least I think I did. I have my system [Win XP, SP2, home ed.] on automatic download, except that I get to see the patches first before I allow the downloads; so I allowed all 12 patches. The system did not download the patches. I waited one day and then this morning I downloaded all the patches manually from the MS download website. When I checked the control panel to see if the installations took effect, I noticed a file I did not download: KB976769v2, under the Microsoft .NET Framework 3.0, SP2 banner.

    I searched under the MS downloads page to see what it was, but I could not find it.

    Did anybody else get this patch too? Does anyone know what it does? and should I keep it or remove it?

    Any advice appreciated. thanks . . .

    1. JCitizen

      All updates marked as important or critical should be considered as such. If you are manually updating, the only non-critical patches, that I feel are necessary, are root certificate updates; and those can help you keep out of browser troubles with nefarious sites.

      Microsoft’s baseline security analyzer may help you determine this, and how to correct it; BelArc Adviser could help, but it is usually more beneficial for XP Pro users.

      I’ve never had any problem getting free update support from Microsoft, even if your operating system is not a paid support version. Just call them and say it is an update issue, and they should be able to help you free of charge.

      Only main stream support has ended:

      http://arstechnica.com/microsoft/news/2009/04/windows-xp-mainstream-support-retired-but-no-need-to-worry.ars

  13. Mark Higdon

    Re: “As usual, please drop a note in the comments below if you experience any problems as a result of installing these updates.”

    Waited three days, followed the thread above, held my breath and downloaded/installed from the update icon (I disabled automatic update-install years ago). Running XP home/SP3. Just restarted. Everything A-OK. Looking forward to the day–if it ever arrives–when MS updates can be downloaded and installed without angst or drama.

  14. Ed Schulz

    XP 32-bit here. Windows updates keep asking for my Office 2003 .msi file, which I cannot find. (I simply do not recall how/when I installed Office.) After reboot, I can no longer open Excel files! It goes directly to Windows Installer, from which I Cancel. Any help (short of purchasing fresh media for MS Office) is appreciated.

    1. Ed Schulz

      I took the “short of…” route: installed Office 2007 trial. Three update / reboot cycles later, Windows Update finally seems happy. For that, I get to pay Microsoft in August.

      1. Michael

        Have you tried OpenOffice from Oracle? It’s free, just google it.
