Microsoft today released 13 software updates to fix at least 22 security flaws in its Windows operating systems and other software. Two of the flaws addressed in the August patch batch earned Microsoft’s most dire “critical” rating, meaning that attackers can exploit them to break into systems without any help from users.
Among the critical updates is a cumulative patch for Internet Explorer that plugs at least five security holes in the browser. The update is considered critical for IE versions 7, 8 and 9 (oddly enough, it earned an overall “important” rating on the insecure IE6).
The other critical patch fixes a serious problem with the DNS server built into Windows Server 2003 and Windows Server 2008 systems (consumer systems such as Windows XP, Vista and Windows 7 are not affected by the flaw). Although the DNS bug is rated critical, Microsoft considers it unlikely that attackers will develop functioning code to exploit the flaw.
Nine other flaws earned Microsoft’s important rating, and six of those ranked high on Microsoft’s exploitability index, meaning the company believes it is likely that attackers will develop code designed to exploit them to break into Windows PC
As always, if you experience any issues during or after applying the updates, please leave a note in the comment section about it. A summary of all patches released today is available at this link.
Some time back you recommended against installing Windows 7 Service Pack 1. It’s still sitting there on my list of updates. Any reason to install it now?
Yes, you’re past due to go ahead and download that service pack. BK meant it’d be a good idea to wait until Microsoft pushed an update for that service pack, to give them a few days to work out the bugs, but not for you to wait until he explicitly told you to download it.
I’ve just experienced some sort of problem during the update. On the usual windows update screen, it informed me of only two possible updates, not the 13 you report (I imagine that, since I have Vista, perhaps that number corresponds to all windows systems?).
So I decided to restart my computer, without allowing the updates to be installed, a mistake as it turned out, as windows then stopped working and failed to initialize.
After a system restore, everything seems to be working fine and I’m currently installing the updates now, but clearly something went wrong there…
Lee, didn’t Rob suggest only installing if you wiped and reinstalled your Win 7 OS?
Oops, I got my former fav Tech WaPo bloggers mixed up. hehe
Thanks for the heads up.
I will do a System Restore Backup Checkpoint before applying this. It went very badly for me last month, I don’t know why.
Do the Standalone offline installer via Safe Mode. Better results when installing Service Packs
No problems installing on two computers, one XP and one W7. In fact, I’ve never encountered any problems with these updates – always installed as soon as published.
Same here Bill.Ive never had an issue with xp or win 7 that i couldnt fix myself.
Also as far as cybercrook is concerned about linux, theres nothing wrong with using linux.The issue is that most users simple are not interested in configuring thier systems like some folks on this blog.
If someone swipes money from my bank account the issue is with the crook not my operating system.I have insurance on my bank accounts in the event someone does steal from me, since IP addresses are recorded and transactions that might be suspicious ,i get a phone call.
When i say IP addresses are recorded im not talking the crooks ip im talking mine.I have no paranoia issues unlike the crook.
I would consider the fault to be in the OS, if it freely gives full access to your data just because it’s poorly constructed.
A batch of Adobe updates are available today as well – Flash and Shockwave among others.
Here are the direct links to the Flash update variants for anyone who dislikes the downloader Adobe tries to force on you…
Non-IE version:
http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe
IE/ActiveX version:
http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
… and for Shockwave, it’s just
http://get.adobe.com/shockwave/
… and Adobe AIR has an update as well:
http://get.adobe.com/air/
I allways wondered if there are similar direct links for linux an mac version of the player.
Anyone has clue about the filenames (Directory Listing is denied)?
This is a windows-lovers club. You’ll be minused as soon as the word linux is detected lol. You really wait for someone to answer? Google can do that in 5 sec, have a look:
http://www.adobe.com/shockwave/download/alternates/
Or when you simply go here – http://get.adobe.com/en/flashplayer/ – the script will detect your OS and offer you a proper version for downloading
well found them:
wget http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe
wget http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
wget http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_osx_intel.dmg
wget http://fpdownload.adobe.com/get/flashplayer/current/flash-plugin-10.3.183.5-release.i386.rpm
wget http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_10_linux.tar.gz
wget http://fpdownload.adobe.com/get/flashplayer/current/flash_player_10_solaris_x86.tar.bz2
wget http://fpdownload.adobe.com/get/flashplayer/current/flash_player_10_solaris_sparc.tar.bz2
I don’t want click trough dozens of javascript dialogs to get the latest versions so I wrote a small script for an cronjob to check if new versions are available and download them (using If-Modified-Since Header), as seen above this wont work with the rpm version because they use the version number in filename.
oh well cut&paste was a mess… ignore the wget stuff
What’s wrong with the repository-version of flash in Linux?
Win Vista, Win 7 and WinXP all patched cleanly for me. Ran Secunia PSI and had to update several Google programs — issues with updating Chrome and Google Earth, but resolvable.
I am from South Africa. Our internet connections are very expensive, especially if you use 3G. The problem is that Microsoft’s updates are becoming very expensive. You have to update the O.S and Office installations and these updates sometimes arrive in a big expensive bundle. This is one of the reasons that a lot of South Africans do not update.
To what extent will running applications sandboxed protect one from the security problems caused by M.S. bugs?
The problem with not updating is leaving yourself vulnerable to Microsoft’s new serious flaws. As Brian described “critical” flaws, “attackers can exploit them to break into systems without any help from users”. Sandboxing applications won’t help you if the entire OS has frequently surfacing security flaws. Do you need Microsoft’s software? You could look into Linux. Most distributions are free and updates will generally be less massive/frequent/required.
Thanks, I use Linux for my personal work, but the job unfortunately requires MS Office and other MS compatible programs.
I have been using Mint 11 for several months and can confirm the critical updates are fairly small. I only update Level 1 (“certified packages”) and Level 2 (“recommended packages”) and ignore the Level 3 (“not tested but believed to be safe”). Level 3 covers pdf reader (evince), media players (VLC and totem), etc where my view is the originals are working so why update them. The Level 3 updates total 122 with a size of 52MB.
I do wonder if I am correct to defer those Level 3 updates.
Brian
Historically, each of evince, vlc and totem have had bugs which were exploitable.
vlc and totem typically act as browser plugins and are thus part of your attack surface while browsing. evince doesn’t, but it is generally your default handler for pdfs, so if you encounter a malicious pdf, you’re likely to pass it to evince, possibly automatically.
In short, I’d update all of them, or uninstall them.
Mate, you dont have enough money in your bank accounts there in Africa, as well as a high-speed internet connection, so you’re secured by default. No one really needs an access to your pc. No need for stupid windows security updates as they’d never helped those people in US/EU actually. All this is bullsh..
I’m sure the people in South Africa are happy to hear that cybercrooks know so little about their bank accounts.
@kwikfulminaat
you might want to look at this: http://wsusoffline.net/
Of the 5 machines in my office, 2 are still having an issue with a few of these updates despite repeated reboot and presentation by Automatic Updates or by manually launching WU.
I discovered the KB2544035 MSE Update required installation through MSE itself to be successful on 2 XP machines that had previously failed installation in WU with error code 0x00000643 — the explanations for that code aren’t very informative, but the KB article itself says to run the update within MSE. One XP machine is still having an issue with this one patch because of a repeating WU cycle every boot that doesn’t allow MSE to initialize. I’m still diagnosing the windowsupdate.log to figure out a way around this one.
The Vista Ultimate machine has issues with 3 updates related to .NET Framework 4 that fail to install (KB 2539636, KB2468817 & KB2533523) with that same error code though it’s presented as “WindowsUpdate_00000643”. A check of the windowsupdate.log verifies the error code but also that WER did report something each time it occurred, so I’m going to wait for a few days before wasting any more time on them and monitor those KB articles.
Hi,
For the 3 KBs: KB 2539636, KB2468817 & KB2533523 getting 643 error you can try few options below:
1. Try installing the patches manually from download center.
2. If above is not successful, then it is possible that .NET 4 product itself is corrupted on your machine so you might have to uninstall/reinstall the same again from download center.
– Before this you can also try a repair of the product from Add/Remove Programs.
If all of above fail then ping me and we can take a look at more detailed logs and recommend a way out.
Btw, there is an article on 643 error posted by Microsoft (but does yet mention the latest .NET 4 product): http://support.microsoft.com/kb/923100
Thanks,
Vivek Mishra
Microsoft
I had a 2003 small business server hang on reboot after the July updates, had to boot to safe mode and chose last known config. Since this server is in a Vmware box it took me over 4 hours to figure out how to get it to safe mode, I’m a Vmware rookie. Vmware would not let me send F8 no matter how hard I hit the keyboard. I finally had to force the virtual server to start in bios setup mode and then I could get to safe mode after that.
The client had a power failure Monday and the server hung on reboot again. I ran this month’s updates and it has rebooted twice without any problems.
installed on 10 servers running server 2008r2, 70 workstations wunning a mix of win7/vista – no issues. (obviously not all needed on all machines, but all upto date and no issues).