February 14, 2012

If you use Microsoft Windows, it’s time again to get patched: Microsoft today issued nine updates to fix at least 21 security holes in its products. Separately, Adobe released a critical update that addresses nine vulnerabilities in its Shockwave Player software.

Four of the patches earned Microsoft’s most dire “critical” rating, meaning that miscreants and malware can leverage the flaws to hijack vulnerable systems remotely without any help from the user. At least four of the vulnerabilities were publicly disclosed prior to the release of these patches.

The critical patches repair faulty components that can lead to browse-and-get-owned scenarios; among those is a fix for a vulnerability in Microsoft Silverlight, a browser plugin that is required by a number of popular sites — including Netflix — and can affect multiple browsers and even Mac systems. Microsoft believes that attackers are likely to quickly devise reliable exploits to attack at least a dozen of the 21 flaws it is fixing with this month’s release.

Some Windows users and loyal readers of this blog prefer to wait a day or two before applying these patches, reasoning that the occasional system stability problems introduced by security updates only become widely known after a critical mass of users have applied them. I tend to fall into this camp as well, but given the seriousness of these flaws, I think it’s a mistake to put off patching for long.

Adobe’s Shockwave update is a critical one, but not everyone who has this program needs it, and those who don’t have it probably don’t need it. It’s easy to tell: Browse to this page. If it says you need to install a plugin, you don’t have it. Otherwise, it’s time to update it (or remove it). The latest, patched version is Shockwave Player v. 11.6.4.634. Updates are available for Windows and Mac systems from this link.

For more on some of the individual vulnerabilities in this month’s patch batch from Redmond, the SANS Internet Storm Center, McAfee and Qualys have deeper dives. Summaries of and links to the individual security bulletins from Microsoft are available here.

As ever, please drop a note in the comments to let readers know how your patching went, particularly if you experienced any problems in applying these updates.

Update, 4:10 p.m. ET: Corrected the number of critical updates released by Microsoft.


19 thoughts on “Critical Fixes from Microsoft, Adobe”

  1. Phoenix

    The Silverlight update failed on both Windows 7 64- and 32-bit systems; error number 80070643. Both these machines are pretty clean, very little third party stuff other than Mozilla, Secunia PSI and Ccleaner. I tried the install troubleshooter but it didn’t help. I don’t know that I have ever used Silverlight so I think I will simply uninstall it.

  2. confused

    “It’s easy to tell: Browse to this page.”

    What page?

  3. Sterling

    Brian,

    Are you seeing a failed install message for KB2668562 — the Silverlight update?

    Lots of people are reporting it on answers.microsoft.com and I’m also seeing the message, but someone pointed out that if the update shows up in the installed updates list in the Control Panel, then it’s just an error that is saying that it didn’t install.

    http://preview.tinyurl.com/7e4922m

  4. Omer bauer

    I had the same problem with the Silverlight update not installing. I just separated it from the other updates and reinstalled... No problems... It installed without difficulty.

    1. brian krebs

      Omer,

      I just had the same experience as you. I think the best approach is to install whatever patches are available *except* for the Silverlight/.NET one (MS12-016, or KB2651026), and then restart and install it separately.

  5. Ted M.

    I received the same message after updating my Windows 7 Pro machine (I have no other PCs).

    I installed all of the patch Tuesday updates on offer, but after the required re-boot, I found that two more were available: Update for Microsoft .NET Framework 4 on XP, Server 2003, Vista, Windows 7, Server 2008 x86 (KB2600217) and Security Update for Microsoft Silverlight (KB2668562). I am not certain whether they were part of the patch Tuesday set. I instructed Windows Update to download and install them. Upon completion, I received the message that the Silverlight failed to install.

    I downloaded and ran MicrosoftFixit50123.msi, which completed uneventfully. I returned to Windows Update, checked for updates and was informed that none were available. The update history still listed Silverlight (KB2668562) as failed, but it did appear in the installed programs list as Silverlight 4.1.10111.0.

    As an experiment, I downloaded Silverlight 4.1.10111.0 separately and tried to install it, which resulted in the message that it could not be installed because it had already been installed. As a further experiment, I uninstalled Silverlight 4.1.10111.0 and then attempted to reinstall using the same installation file I had just downloaded, which succeeded.

    My impression is that the original installation probably did succeed and the failure message was erroneous. I do not know whether MicrosoftFixit50123.msi did anything useful, because I did not check whether the Silverlight update appeared in the installed programs list before I ran it.

  6. Cog

    Failed silverlight update, plus there seems to be a bug in a MSE definition. When viewing google.com it pops up a serious warning exploit:js/blacole.bw.

    More details here on a technet forum thread linked via my name.

  7. dirgster

    I downloaded all of MS’s latest updates, but there was no mention of an update for Silverlight. My Silverlight version is 5.0.6111.80, and I wonder whether that is the latest. When I check under the “Update” tab of Microsoft Silverlight configuration, “Check for updates, but let me choose whether to download and install them” is checked, but “Install updates automatically (recommended)” is grayed out, so I am unable to choose the automatic update option. How can I be sure that I have the latest update for Silverlight?

    1. BrianKrebs Post author

      Dirgster — According to Microsoft’s advisory on this flaw, the latest, patched version of Silverlight is Silverlight 5. If you have something lower than that (4) then you haven’t got the latest version.

      If you’re having trouble getting Windows Update to install the new Silverlight version, you may consider uninstalling the old version and manually installing the newer version. This advisory should help on both counts.

      http://support.microsoft.com/kb/2668562

      http://www.microsoft.com/GetSilverlight

      1. Phoenix

        I tried a number of things including uninstall and re-install, none of which worked. Perhaps by now they have recompiled it and integrated the patch. In the meantime I’ve yet to find a need for Silverlight.

      2. dirgster

        Thanks for your suggestion, Brian! I uninstalled and installed Silverlight, as you recommended, but that didn’t solve the problem, since the option, “Install updates automatically (recommended)”, is still grayed out under the Update tab. I’m now running version 5.0.6111.0, the latest, after updating manually, but I wish I were able to check the option for automatic updates.

  8. Jay Wocky

    After repeated “shield” nags over the past year to install two updates that were already long-ago installed (can’t remember the #s), I finally checked both on the MS update site and chose the option to cease and desist (or whatever) from further nags to install these items.

    However, for the last 6 months or so, when I have received the system tray “shield” patch TU notification and clicked on it, the downloads appear to begin, but about halfway through, the shield disappears, along with any evidence of the downloads. No subsequent screen appears for commencing installation of the downloads. It is as though no notification ever occurred nor download ever began (I disabled auto-download-installation years ago).

    Each time this has happened (today included), I have gone to the MS update site and obtained the needed Patch TU downloads through it, and successfully installed.

    I have no idea why the “shield” download spontaneously aborts each time. Mine is an XP-SP3 system that is secure and in good shape, from all I can tell.

  9. xAdmin

    Silverlight install issue has been fixed according to Microsoft:

    Bulletin Information:
    =====================

    * MS12-016 – Critical

    http://technet.microsoft.com/security/bulletin/MS12-016

    – Reason for Revision: V1.1 (February 14, 2012): Added an entry to the update FAQ to announce a detection change for KB2668562 for Microsoft Silverlight 4 when installed on Windows clients and servers to correct an installation issue. This is a detection change only. There were no changes to the security update files. Customers who have already successfully updated their systems do not need to take any action.

    – Originally posted: February 14, 2012
    – Updated: February 14, 2012
    – Bulletin Severity Rating: Critical
    – Version: 1.1

  10. Charlie

    Some months ago I installed a new version of (non-Microsoft) software for my Mac which came with Silverlight bundled in. I *think* I remember which software that was, and today I went to the Update feature for that program — it said that everything was up to date, and no mention of any Silverlight upgrade. So I simply went to my Internet plugins folder and removed Silverlight. I don’t remember ever using it, and hopefully this will uninstall it. I’m not sure what it does in the first place!

  11. Von

    This update automatically installed on my computer today and it is wreaking havoc with Netflix, I can’t watch anything, the image and sound jump about.

    1. SFdude

      Von:

      Turn OFF automatic updates!
      (to avoid situations like yours in the future).

      Only use ** Manual Updates **,
      after consulting this blog for any “misbehaved” patches….
