Microsoft released a record number of software updates yesterday to fix at least 64 security vulnerabilities in its Windows operating systems and Office products, including at least one that attackers are actively exploiting.
Updates are available for all versions of Windows via Windows Update or Automatic Update. Nine of the patches earned Microsoft’s “critical” rating, which means the vulnerabilities they fix could be exploited to compromise PCs with little or no action on the part of the user, apart from visiting a booby-trapped Web site or opening a tainted file.
Redmond said three of patches should be top priorities. Two of them fix critical vulnerabilities in the “server message block” or SMB service, which handles Windows networking. Attackers could exploit the flaw addressed by MS11-020 by sending a single, specially crafted evil data packet to a targeted system. This is the type of flaw that should concern any network administrator, because it has high potential to be used to power an automated computer worm.
Microsoft also called attention to MS11-018, which is a cumulative security update for Internet Explorer that fixes critical flaws in all versions of the browser except the latest IE9, which is not affected. One of the IE vulnerabilities — the MHTML flaw I wrote about in January — is currently being exploited; another was discovered at the Pwn2Own hacking competition earlier this year.
Most XP users will find that a total of 22 to 30 patches will be installed, and more if Office 2010 is installed. The PC will be very busy after reboot and will need about four to five minutes to catch up and finish finalizing all the patches. Included in this month’s patch batch is a .NET Framework update, which usually takes a while to download and install.
In addition to the security updates, Microsoft released two security related tools. The Rootkit Evasion Prevention Tool “will expose an installed rootkit and give your anti-malware software the ability to detect and remove the rootkit,” wrote Dustin Childs, a senior security program manager at Microsoft. “For a rootkit to be successful it must stay hidden and persistent on a system. One way we have seen rootkits hide themselves on 64-bit systems is bypassing driver signing checks done by winload.exe.”
Microsoft expanded the applicability of its Office File Validation tool, a security feature the company initially released in December 2010 for Office 2010 that has now been extended to work with Office 2003 and 2007. “This feature, which is included in Word, Excel, PowerPoint and Publisher (.doc, .xls, .ppt and .pub file formats), will validate the file structure as it is being opened by the user,” wrote Modesto Estrada, Microsoft’s Office Program Manager. The validation will check the file to make sure it conforms to expected Office specifications. If this process fails the user will be notified of potential issues.”
As always, please leave a comment if you experience any difficulties during or after installing these patches.
Hi Brian,
I had no problem with these updates on either of my two computers, both running Windows XP Home.
But with last month’s Patch Tuesday updates I did have problems. I could install all of the updates except one — KB2483185. I kept getting an error message that my computer had problems which prevented it from being installed.
This is the first time I’ve ever been unable to install one of Microsoft’s updates. I’m totally mystified.
Thanks very much for all your great work.
John
After prowling around on the internet this afternoon I finally found a way to fix this problem. I went to this page at Microsoft:
http://support.microsoft.com/kb/2483185
I downloaded the fix. Then, as per instructions, I disabled it. I was then able to install KB2483185. It was quick and easy. Problem solved.
I really haven’t had problems with MS update before either, except once it stuck the libraries folder back on my desktop.
After recent updates, win7 (x32) computer tries to reinstall MS intellimouse and intellitype on each reboot. Had problems with installing both a few months ago, but cancelled and thought nothing more of it. Now each fails install with a error code 1603 (could not install microsoft application error reporting) on each boot.
Not a big problem, but weird.
A few of us here have had problems that we think is tied to Patch Tuesday. We’re getting corruption warnings when we try to open presentations using PowerPoint 2003. We thought it might be a 2003 vs. 2007 problem, but I think some 2007 users are seeing the problem, too.
I’ve had several problems with Windows 7 (32bit) updates, mainly hanging on items such as the Windows Malicious Software Removal Tool (over 20 minutes before I stopped the process) and the install of IE9 ( which hung on the “logging off” screen). The system also hung again in the shutdown mode when it claimed to be updating a single item. However, in this case, I’m not sure which update it was referring to. I eventually had to power the system off.
That said, I updated several XP virtual machines without incident.
While updating the .Net framework on my XP machine, the PC was activating the floppy drive for some reason. This has happened previously. It takes quite a while for .Net to update, too.
All updates were installed without any issues. I am running XP and have Office 2003.
Brian, no problem with the updates for my Windows 7, 64 bit BUT did you see the new FBI report:
For Immediate Release
April 13, 2011 U.S. Department of Justice
Office of Public Affairs
(202) 514-2007/TDD (202) 514-1888
WASHINGTON—Today, the Department of Justice and FBI announced the filing of a civil complaint, the execution of criminal seizure warrants, and the issuance of a temporary restraining order as part of the most complete and comprehensive enforcement action ever taken by U.S authorities to disable an international botnet.
The botnet is a network of hundreds of thousands of computers infected with a malicious software program known as Coreflood, which installs itself by exploiting a vulnerability in computers running Windows operating systems. Coreflood allows infected computers to be controlled remotely for the purpose of stealing private personal and financial information from unsuspecting computer users, including users on corporate computer networks, and using that information to steal funds.
If you are not already subscribed, “http://www.fbi.gov/” is a great site to receive up-to-the-minute reports on this on other important information.
Just to clarify whether a particular OS might benefit from the MS “rootkit evasion prevention tool” Brian mentioned, it’s only applicable for 64-bit systems and all 32-bit versions of any Windows OS will NOT require it regardless of flavor.
Other than taking an inordinately long time to process, I’ve had no problems with this month’s patches on most of my computers save one XP Pro SP3 machine that refuses to process 4 updates (though two other XP Pro SP3 machines installed everything without a hiccup like the Win7 Ultimate and Vista Ultimate machines did, all 32-bit) — 2491683, 2503658, 2507618 and 2509553 all fail with 0x80070005 errors, but I’m still having them presented by WU when automatic updates checks on boot or if I manually re-run afterwards. I’ll go through the log to figure out the problem but haven’t had time yet to do so — will report back on this tomorrow when I can sort it out.
Finally got all 4 of them installed, but it took some effort and time. Looking at the windowsupdate.log file identified a problem of some sort with permissions to move or delete files for each of the updates. The specific error messages for each one was associated with DnldMgr — “Update is not allowed to download due to regulation…”, and the update was “‘priority’ regulated and can NOT download. Sequence 8356 vs AcceptRate 659” followed by “FATAL: Failed to move [or delete] file”. I had two instances where “move” was referenced and two where “delete” was referenced.
MS KB Article 968003 deals with the specific error code that was returned by looking at the WU history – 0x80070005, and provided good descriptions for several methods to resolve the error: 1) login as Administrator or as a user with Administrative rights, and 2) reset the system permissions using the SubInAcl.exe tool.
Since I typically run WU on Patch Tuesdays from the Administrator account, the 1st seemed not relevant so that 2nd option was the obvious choice. The KB article provides a link to download the installer and the script needed to run SubInAcl.exe to reset the permissions, and notes that it might take “several minutes”. In my case, it was closer to 45 minutes but it did run through to completion eventually.
Following reboot, I reran WU and monitored its progress through each of the 4 problem updates (this also took some time), but all completed successfully. So, if you’re having similar problems, use the link in KB968003 to download the installer for SubInAcl and grab the script for the “reset.cmd” batch file, install the executable (you may need to change the target directory or copy the executable later to \Windows\system32), then launch the batch file and find something else to do for awhile until it completes. Hopefully, it will resolve the issue(s) for you as well.
Brian: Thanks for your always helpful update reminders.
On my PC, Win7 + Office 2010 had 21 updates, didn’t take long to download and install, and haven’t caused any problems.
Someone educate me. The Rootkit Evasion Prevention Tool is only for 64 bit systems, correct? Is this a tool that is only necessary because it is a only a problem that has cropped up on 64 bit systems with that architecture? This is not making much sense to me because 32 bit systems have rootkits also. Is this something that 32 bit systems are not getting support for?
I would also like to be educated. Is the anti-rootkit tool supposed to be able to detect, remove, and prevent ALL rootkits in 64-bit systems, or some subset of rootkits that hide by “bypassing driver signing checks”? Is this going to require a 5-line-fix by the rootkit writers, or is it better than a speedbump?
See the Knowledge Base article for more info, in particular the FAQ:
http://www.microsoft.com/technet/security/advisory/2506014.mspx
“Executive Summary
Microsoft is announcing the availability of an update to winload.exe to address an issue in driver signing enforcement. While this is not an issue that would require a security update, this update addresses a method by which unsigned drivers could be loaded by winload.exe. This technique is often utilized by malware to stay resident on a system after the initial infection.
The issue affects, and the update is available for, x64-based editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.”
From the MSRC Blog (http://blogs.technet.com/b/msrc/archive/2011/04/12/april-2011-security-bulletin-release.aspx)
“Update for the Windows Operating System Loader to help prevent rootkit evasion-In the words of Dustin Childs, senior security program manager, MSRC:
“For a rootkit to be successful it must stay hidden and persistent on a system. One way we have seen rootkits hide themselves on 64-bit systems is bypassing driver signing checks done by winload.exe. While the update itself won’t remove a rootkit, it will expose an installed rootkit and give your anti-malware software the ability to detect and remove the rootkit.”
The confusion arises because 32-bit versions of Windows didn’t enforce driver signing in the first place. This tool plugs a hole that allows unsigned drivers to bypass the test in 64-bit versions.
The tool doesn’t remove the rootkit; it just allows Windows to spot the rootkit before it hides itself.
As usual, I’m waiting until Thursday night before I push the button for WU, after I’ve also seen Susan Bradley’s take on this batch’o’patches and what the IT patch managers push out on the company network.
But Secunia PSI scanned my machine today and it looks like, barring any warnings about patch foulups, I can expect 21 patches on a machine running XP SP3, Office 2007 and .NET 2.x/3.x.
Installed the patches without any issues on two systems: both Windows XP (with Service Pack 3), IE8, and Office 2003 (only Word, Excel, and Outlook installed). I rarely if ever have issues with patches as I limit the amount of software installed to lower the attack surface and minimize patching. I also do general maintenance (clean up temp files, disk defrag) often to keep the systems in peak running condition. 🙂
The patches installed without a problem on two W7 64-bit systems, in less than ten minutes each. The rootkit evasion prevention software was included.
I couldn’t figure out if I was supposed to unapply the January mhtml fix it (9760419) before installing the patch, or whether this was automatic. Everything installed okay with the hotfix still applied. I don’t know what to do about the Network Protocol Lockdown for mhtml: for all security zones though. It hasn’t seemed to affect anything that I normally do on my computer.
I installed the updates on a new computer that we’ve had for a week which is running Win7 64 bit. All appeared to go well, but I noticed afterward that there was no copy of Internet Explorer on the computer.
I hadn’t actually looked for it before (I didn’t install the OS, so I’m not sure how the copy of Firefox got there), but it seems odd that Windows 7 wouldn’t include at least some version of Internet Explorer out of the box. I don’t know if it was never there or if the update removed it.
What’s more, the MS website only has downloads of IE9 for Win7 — the earlier versions are only compatible with Vista or XP (I tried downloading IE8 for Vista anyway, and it refused to install). I only use IE when absolutely forced to, and the sites where I need it aren’t compatible with IE9. I guess they better think about getting compatible pretty quick if it’s impossible for anyone running Win7 to use their websites.
One of the updates modified mfc42.dll, and it is breaking some older legacy apps. Thanks MS.
I had to reconfigure my wireless connection on my xp laptop after the mandatory reboot following the updates. One or more of the updates had wiped out all the settings. Didn’t take long to fix but still annoying.
Regarding KB2506014/anti-rootkit tool: It looks as though this update is breaking peoples USB. See related threads:
http://www.dslreports.com/forum/r25731984-Microsoft-Security-Bulletin-s-for-April-12-2011~start=40#end
AND
http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_update/usb-ports-stop-working-after-windows-7-updates/16ed174e-3866-e011-8dfc-68b599b31bf5
Welcome to the digital Wild West. Defend yourself.
For the first time in several months, this update cycle went flawlessly. Too bad IE9 didn’t fare as well on my Vista x64 system. I received it separately before this cycle, and Microsoft spent a week trying to fix the screw ups it caused. I still can’t get any add-ons to work on it.
I’ll just have to stick with Mozilla for now.