There are a couple of things you should know before installing this update. If you took advantage of the “FixIt” tool that Microsoft shipped last month to blunt the threat from this flaw, you should take a moment now to undo that fix. To do that, visit this link, then click the image below the “Disable Workaround” heading, and follow the prompts. You will need to reboot the system before installing the official fix released today, which is available from Windows Update.

The patch issued today carries the Microsoft Knowledge Base (KB) number KB2286198, in case you’ve just run Windows Update and are checking to see whether this update is available to you yet.

You will need to reboot after installing the patch. After I applied this patch and rebooted the system, Windows Explorer stalled, leaving Windows unresponsive. After a forced restart (powering the system off and then on again), my 64-bit Windows 7 system booted into Windows normally.

When this vulnerability was initially disclosed, it was only being used in targeted attacks online. However, as Microsoft warned and others have confirmed, this vulnerability is now showing up in more mainstream attacks. Please take a moment to apply this update today if you can, particularly if your Windows system is not already protected with the FixIt tool mentioned above.

More information on this update is available from the Microsoft bulletin. And as always, please leave a comment below if you experience any problems installing this update.

Microsoft assigned three of the updates covering seven vulnerabilities a “critical” rating, meaning they can be exploited to help attackers break into vulnerable systems with no help from users. At least 14 of the flaws fixed in this month’s patch batch are in Microsoft Excel, and another eight relate to Windows and Internet Explorer.

According to Microsoft, the most serious of the bugs involves a weakness in the way Windows handles certain media formats, and is present in all supported versions of Windows. Another critical update nixes six different insecure ActiveX controls (plug-ins for Internet Explorer), while the third critical update corrects at least a half dozen vulnerabilities in IE.

Microsoft notes that Office XP users may not be able to install one of the needed updates; Rather, Redmond is releasing what it calls a “shim,” or essentially and point-and-click “FixIt” tool that apparently does the job. If you use Office XP, go ahead and click the “FixIt” icon at this link when you’re done installing the rest of the updates.

The Microsoft patches are available through Windows Update or via Automatic Update. As usual, please drop a note in the comments below if you experience any problems as a result of installing these updates.

Apple’s Safari 5.0 update fixes at least four-dozen security vulnerabilities in Safari on Mac OS X and Windows versions. Updates are available for Mac OS X v 10.4.11, Mac OS X v10.5.8, Mac OS X v10.6.2 or later, Windows 7, Vista, and XP. Mac users can grab the update from Software Update or Apple Downloads; Safari users on Windows will need to update using the bundled Apple Software Update utility.

Unfortunately for Green, that PC was the same computer his kids used to browse the Web, chat, and play games online. It was also the same computer that organized thieves had already compromised with a password-stealing Trojan horse program.

A few days later, the crooks used those same credentials to steal nearly $100,000 from the company’s online accounts, sending the money in sub- $10,000 and sub-$5,000 chunks to 14 individuals across the United States.

Now, Green’s firm — DKG Enterprises, a party supplies firm based in Oklahoma City — is wrangling with its bank over who should pay for the loss, said Joe Dunn, the company’s controller. So far, DKG has managed to recover just $22,000 of the $98,000 stolen in the April 27 incident.

Unlike consumers, businesses that lose money as a result of stolen online banking credentials usually are left holding the bag. As such, I’ve frequently advised small business owners to avoid banking on Windows systems, since all of the malicious software currently being used by these criminals to steal e-banking credentials simply fails to run on anything other than Windows. What’s more, the tools these crooks are using — mainly the Zeus Trojan — almost always outpace anti-virus detection at least by a few days, and by then it’s usually too late.

But the advice about banking on a dedicated, non-Windows machine only works if you follow it all the time. As this incident shows, it does no good for small business owners to use a Live CD or a Mac or some other approach only some of the time.

“He knew better than that,” Dunn said of his boss’s logging into the family Windows machine. “The thing about it is this wouldn’t have been able to happen if the security had been place that is currently in place, which means he can only access the bank’s site from his Mac. We no longer allow access from any other computer other than his.”

Dunn said that not long after the fraudulent transfers were sent out, he heard from one of the money mules that were sent the firm’s money and asked to wire it overseas to the fraudsters.

“This guy, he went to go use his debit card to fill up his car at a gas station and his card was declined,” Dunn said.  “He was trying to figure out what had happened, so he researched where the money came from, went online and called the first number he could find and of course he got me. All I could do is refer him to the FBI. I think he’d figured out by that point what had happened.”

Dunn added the company’s bank is disavowing any responsibility for the incident, but that there is a small silver lining.

“Our take is we weren’t provided the utmost security to prevent this from happening,” he said. “It’s sad in this day and age, and we’ll probably have to take it as a hard lesson learned. On the bright side, though, the owner’s wife now has a new Mac.”

Further Reading: Target: Small Businesses

Microsoft Corp.

One of the critical updates pushed by Microsoft fixes a flaw in Outlook Express, Windows Mail and Windows Live Mail. On older versions of Windows (Windows XP for example) Outlook Express is installed by default, while Windows Mail and Windows Live Mail generally require users to affirmatively download and install the program.

The other MS patch addresses a vulnerability in Microsoft Office, but the problem may turn out to be more complex down the road for some users. The trouble is that the vulnerable component, Microsoft Visual Basic for Applications is used not only by Microsoft Office products, but it’s also a component that is potentially installed by many third-party software apps built to work with Windows.

“Like the ATL issue last July, we could see many vendors supplying their own patches to address this vulnerability,” said Jason Miller, data and security team manager for Shavlik Technologies. “This is just another important reminder that patching is not just a Microsoft issue when it comes to software vulnerabilities.”

As always, the Microsoft patches are available through Windows Update or by enabling Automatic Update.

Adobe issued patches to fix security problems in its Cold Fusion and Shockwave Player software packages. Most end users will only have to worry about the Shockwave update, if that. The Shockwave patch fixes at least 18 security vulnerabilities in the commonly-installed media player application, on both Windows and Mac systems. Adobe has assigned the bugs an aggregate “critical” rating, meaning that an attacker who successfully exploited the flaws could seize control over an affected system.

Here’s a way to test whether you even have Shockwave Player on your system: Visit this page. If it says you need to install a missing plugin, then you don’t have Shockwave Player installed, and you probably don’t need it. I haven’t had it on my main PC since I bought the thing more than a year ago, and apparently I haven’t missed it.

If that link above shows that you do have Shockwave Player installed, it’s time to update it. The flaws are in Shockwave Player version 11.5.6.606 and earlier. Adobe recommends that Shockwave users actually uninstall the program (Windows users can do this via the Add/Remove Programs menu), and then reboot before attempting to install the latest, patched version, v.  11.5.7.609, available here.

Microsoft released 11 security updates that collectively fix at least 25 vulnerabilities in versions of Windows, Office, Exchange, and other Microsoft products.

Redmond said customers should install all of the relevant updates, but it called attention to a few as particularly urgent. Among those is a patch for all versions of Windows that fixes a bug which could allow attackers to fool Windows into thinking that a malicious program was created by a legitimate software vendor, said Joshua Talbot, security intelligence manager, Symantec Security Response.

“This vulnerability allows an attacker to force Windows to report to the user that the application was created by any vendor the attacker chooses to impersonate,” Talbot said.

Another patch fixes a flaw that is critical on Windows 2000, XP, Server 2003 and Server 2008, and could be triggered just by visiting a Web page hosting a specially-crafted .avi video file. A separate critical bug patched today for Windows 2000 and XP users is another browse-a-bad-site-and-get-owned type of flaw.

Adobe issued an update to its PDF Reader and Acrobat software that fixes at least 15 security flaws in those programs. Adobe labels this update “critical,” meaning the attackers could use the security holes to crash the programs and seize control over a vulnerable system.

As promised, Adobe also is including a new updater technology with the latest version of both Reader and Acrobat (version 9.3.2) on both Windows and Mac systems. Adobe said the new updater includes an option to let Adobe “automatically install updates,” although the company said it will respect whatever update settings users currently have selected (the default is “download all updates automatically and notify me when they are ready to be installed”). Adobe’s Brad Arkin has more on this new updater in a post on Adobe’s ASSET blog.

The problem seems to be affecting only some XP systems. This thread on a Microsoft.com answers forum seems to include a fix that works. However, the fix requires users to have their XP install CD handy (in a practice that should be outlawed, many computer makers get away with shipping systems without an install/reinstall disc)

According to the support forum threads I’ve seen on this, affected users noticed the problem on the reboot following the installation of Tuesday’s patch batch. The folks who complained of the bootup problem said the BSOD error page is accompanied by the message “PAGE_FAULT_IN_NONPAGED_AREA”.

If you’re experiencing the above-described problems after installing Tuesday’s bundle of updates, follow these steps, which a number of affected users have said seem to fix the problem:

1. Boot from your Windows XP CD or DVD and start the recovery console (see this link on how to use recovery console)

Once you are in the Repair Screen..

2. Type this command: CHDIR $NtUninstallKB977165$\spuninst

3. Type this command: BATCH spuninst.txt

4. Type this command: systemroot

5. When complete, type this command: exit

Unfortunately, there is an entire subset of users who might be in for a whole mess more work to fix this kind of problem: Netbook users. One of the things that makes netbooks so light and small is that they do not have optical (CD/DVD-ROM) drives. If you’re a netbook user who has this problem AND a copy of a Windows XP install CD handy and a computer with a CD drive, you may still be able to rescue your system by building a custom XP install/bootup disc on a USB drive.

If all of that sounds like too much work, home users are eligible for no-charge support by calling 1-866-PCSAFETY (and/or 1-866-234-6020 and/or 1-800-936-5700) in the United States and in Canada. Microsoft says there is no-charge for support calls that are associated with security updates.

Update, 8:34 a.m. ET: Based on a review of various help forums discussing this problem, it appears that the problematic update is KB977165 (MS010–15:Vulnerabilities in Windows kernel could allow elevation of privilege”). Note that systems experiencing a BSoD may do so or hang in Safe Mode when loading the system driver “mups.sys”.

The help instructions above have been modified to specify the removal of just this one patch. A previous version of this blog post included instructions for removing all of the patches Microsoft shipped for XP systems on Tuesday.

Update, Feb. 12, 10:09 a.m. ET: Microsoft has a blog post up acknowledging this problem, saying that it stopped shipping the problematic update via Windows Update as soon as it recognized the issue. Redmond says it is still investigating the cause of the conflict. Microsoft notes that in lieu of applying the patch, XP users can use Microsoft’s click+install “Fix it” tool, which disables the vulnerable Windows component. That workaround is available here.

Microsoft

Five of the 13 update bundles Redmond issued today earned a rating of “critical,” meaning Microsoft considers these flaws so serious that attackers could exploit them to seize control over vulnerable systems just by getting users to visit a hacked or malicious Web site.

Seven of the most serious bugs are addressed by two patches for Microsoft Office software. Critical flaws in Microsoft Paint, Microsoft Directshow, and a critical ActiveX (Internet Explorer) vulnerability round out the most recognizable of the serious flaws.

According to Microsoft, the most dangerous of the flaws — that is, those that computer crooks are most likely to try and succeed at exploiting soon, include:

-A critical vulnerability in the “server message block” or SMB service — which handles Windows networking (curiously, this is rated critical on all supported Windows versions except Windows Vista and Server 2008);

-A nasty bug in the Windows Shell Hander, the component that allows preview thumbnails to Windows Explorer (affects only Windows 2000, XP and Server 2003);

-The ActiveX/IE and Directshow flaws I mentioned above.

If you encounter any issues or serious problems after installing any or all of these updates, please drop a line in the comments below. Generally, serious problems with Windows patches are rare, and occur mainly in business systems with custom software. Usually, it becomes clear very soon after Patch Tuesday if there are any problems with consumer systems. Just try not to let too much time pass by before applying all of the relevant updates to your machine.

Windows Vista and Windows 7 users can check for updates by clicking “Start,” typing “Windows Update” and selecting the resulting option. Windows XP and W2k users will need to visit the Windows Update Web site with Internet Explorer. Alternatively, Windows users with Automatic Update enabled will likely receive a prompt within the next 12-24 hours to install this month’s round of patches.

According to Doten, the U.S. Secret Service estimates that annual losses from ATM fraud totaled about $1 billion in 2008, or about $350,000 each day. Card skimming, where the fraudster affixes a bogus card reader on top of the real reader, accounts for more than 80 percent of ATM fraud, Doten said.

Click the individual images below for an enlarged version.