In its largest patch push so far this year, Microsoft today released 10 security updates to fix at least 34 security vulnerabilities in its Windows operating system and software designed to run on top of it. Separately, Apple has shipped another version of Safari for both Mac and Windows PCs that plugs some four dozen security holes in the Web browser.
Microsoft assigned three of the updates covering seven vulnerabilities a “critical” rating, meaning they can be exploited to help attackers break into vulnerable systems with no help from users. At least 14 of the flaws fixed in this month’s patch batch are in Microsoft Excel, and another eight relate to Windows and Internet Explorer.
According to Microsoft, the most serious of the bugs involves a weakness in the way Windows handles certain media formats, and is present in all supported versions of Windows. Another critical update nixes six different insecure ActiveX controls (plug-ins for Internet Explorer), while the third critical update corrects at least a half dozen vulnerabilities in IE.
Microsoft notes that Office XP users may not be able to install one of the needed updates; rather, Redmond is releasing what it calls a “shim,” essentially a point-and-click “FixIt” tool that apparently does the job. If you use Office XP, go ahead and click the “FixIt” icon at this link when you’re done installing the rest of the updates.
The Microsoft patches are available through Windows Update or via Automatic Update. As usual, please drop a note in the comments below if you experience any problems as a result of installing these updates.
Apple’s Safari 5.0 update fixes at least four dozen security vulnerabilities in the Mac OS X and Windows versions of Safari. Updates are available for Mac OS X v10.4.11, Mac OS X v10.5.8, Mac OS X v10.6.2 or later, Windows 7, Vista, and XP. Mac users can grab the update from Software Update or Apple Downloads; Safari users on Windows will need to update using the bundled Apple Software Update utility.
Thanks for the warning, Brian.
My desktop (XP) had the fixes downloaded already, but my Vista laptop did not indicate anything.
To those who have problems bringing up your page: I have no problems reading your website even though NoScript is set to block everything.
Now for my installation of the fixes.
Desktop Dell Dimension 4700 Windows XP.
No problems downloading and installing the fixes.
Laptop: Toshiba Satellite L305-S5933
Pentium T3400 3G 250G HD
Vista Home Premium
Download of one of 12 fixes fails. Error 80070643
Microsoft website says Problem with .NET Framework.
Offers fix for this problem.
Trying to download this fix, takes a while, then says Error … (LONG reference number).
Succeeds on retry.
Microsoft Fix It shows up and does its job.
Try to download the “1 out of 12” missing fix, but the system insists on restart.
Restart system.
Last fix downloads and installs.
Brian, do you recommend that Vista x64 users immediately install the Microsoft patches, or should we wait (a week?) to make sure that there are no patch bugs?
Given that there aren’t any signs that hackers are actively exploiting these bugs, I’d say it’s probably safe to wait a few days before installing these updates, just to make sure none of them are causing any stability or usability problems.
Safari 5 (Mac) is causing usability problems. We were sent the following screen dump last night.
http://bit.ly/a3UhLa
There are other issues with flash compatibility, pages rendering really funky, etc. The MacRumors threads can be of help.
Wait on Safari 5 (Mac) for an update – you can’t reasonably revert to 4.0.5 from what we understand.
And now that Apple and Microsoft have fixed those, there are more awaiting their attention:
http://www.infoworld.com/d/security-central/windows-7-and-mac-os-x-both-hit-fundamental-flaws-679
And we are waiting, as always, for Adobe to catch up with the latest Flash and Reader bugs across Windows, OS X and Linux:
http://blogs.adobe.com/psirt/2010/06/update_to_security_advisory_fo.html
It’s never ending. Keep patching, don’t run as admin if it can be avoided, use ASLR and DEP, be aware of social engineering attacks, configure key apps like browser, PDF reader, etc. to be more secure.
The DMA attack is like a flashback to the warnings of David Maynor several years ago – you know, the ones that the industry (primarily Apple) wanted to keep out of the public eye.
Too bad for Windows users but we’d recommend people hold off on downloading a Safari 5 update. All the data we’ve been sent so far indicates it’s a royal mess.
Google also plugged 11 security holes in Chrome today.
http://www.net-security.org/secworld.php?id=9389
Here at our gov site, we’ve noticed that the Microsoft patches ‘broke’ the ability to do network drive mapping. Had to have clients uninstall Microsoft Client Network module, reboot, install it, reboot again, and then users could map to their network drives. Anyone else experiencing this??
Paul, thanks for the info. Do you happen to know which patch broke that?
@Brian – Not sure. I checked the ‘Add/Remove Software’ area, but nothing stands out. Is there any place else I should check?? Sorry–I’m a Linux guy who only uses the XP box for Windows-based clients and for my mandated email client.
I’m not sure. You might try checking the Windows Event Viewer for networking related events.
http://support.microsoft.com/kb/308427
Microsoft updates downloaded completely to old computer with XP, but installation needed to be done in two parts – computer froze up while installing. No problems after installation finally completed.
I have Windows XP Professional, SP3. I had no problem installing these updates, but I did have to go get them this evening. I have my computer set for automatic updates. Does it take a few days for Microsoft to do the auto update?
I have seen comments about the patches needing to be done in two parts in a few places now. Does anyone have any suggestions as to which patches need to be kept apart?
The patch that froze my computer was KB982168. On my computer it was download 12 of 16. Don’t know if it was something in this patch or just that the computer was overworked. When I rebooted, the patch was installed, even though the installation screen bar was still running it when I shut down.
Peter — As I wrote above, if you use Office XP, you may need to use Microsoft’s “FixIt” tool, which is separate and apart from the normal patch download and install process.
—
“Microsoft notes that Office XP users may not be able to install one of the needed updates; rather, Redmond is releasing what it calls a “shim,” essentially a point-and-click “FixIt” tool that apparently does the job. If you use Office XP, go ahead and click the “FixIt” icon at this link when you’re done installing the rest of the updates.”
I’ve lost gadgets functionality since the MS patch install last night. Running Win 7 . .
I got this “Important-rated” ‘security update’ foisted onto my FireFox:
http://arstechnica.com/microsoft/news/2010/06/microsoft-slips-ie-firefox-add-on-into-toolbar-update.ars
The update to .NET Framework 3.x continually has failed to install. Any suggestions, anyone?
Am in the midst of dealing with a similar problem so here’s what I know to do so far:
1. First retrieve the error code associated with the installation failure: go to Update_History and click on the failed-download Status icon (red circle with X) and an error page will open. You might want to try the Find_Solutions link on the error page first and see if your error code is listed and has a solution (mine wasn’t).
2. If the above fails, call Microsoft at 1-866-PCSAFETY (free help for security issues). What they told me to do was download/run uninstall and cleanup tools to remove .NET Framework altogether, reinstall it using a standalone exe, and then re-do Windows_Update but emailed a broken link and confusing instructions. I’ve just emailed them back. YMMV.
The good news is I’ll be drinking beer shortly. Best of luck to you.
Win Vista x64 working fine so far; couldn’t help notice, they still haven’t done anything with cross scripting for IE? Or that was a new one – cross site direction?
Maybe they think it is minor, but I think it is scurrilous.
I downloaded the patches for ‘patch Tuesday’ on Thursday morning, at least I think I did. I have my system [Win XP, SP2, home ed.] on automatic download, except that I get to see the patches first before I allow the downloads; so I allowed all 12 patches. The system did not download the patches. I waited one day and then this morning I downloaded all the patches manually from the MS download website. When I checked the control panel to see if the installations took effect, I noticed a file I did not download: KB976769v2, under the Microsoft .NET Framework 3.0, SP2 banner.
I searched under the MS downloads page to see what it was, but I could not find it.
Did anybody else get this patch too? Does anyone know what it does? and should I keep it or remove it?
Any advice appreciated. thanks . . .
All updates marked as important or critical should be considered as such. If you are manually updating, the only non-critical patches that I feel are necessary are root certificate updates, and those can help you keep out of browser troubles with nefarious sites.
Microsoft’s baseline security analyzer may help you determine this, and how to correct it; BelArc Adviser could help, but it is usually more beneficial for XP Pro users.
I’ve never had any problem getting free update support from Microsoft, even if your operating system is not a paid support version. Just call them and say it is an update issue, and they should be able to help you free of charge.
Only mainstream support has ended:
http://arstechnica.com/microsoft/news/2009/04/windows-xp-mainstream-support-retired-but-no-need-to-worry.ars
Re: “As usual, please drop a note in the comments below if you experience any problems as a result of installing these updates.”
Waited three days, followed the thread above, held my breath and downloaded/installed from the update icon (I disabled automatic update-install years ago). Running XP home/SP3. Just restarted. Everything A-OK. Looking forward to the day–if it ever arrives–when MS updates can be downloaded and installed without angst or drama.
XP 32-bit here. Windows updates keep asking for my Office 2003 .msi file, which I cannot find. (I simply do not recall how/when I installed Office.) After reboot, I can no longer open Excel files! It goes directly to Windows Installer, from which I Cancel. Any help (short of purchasing fresh media for MS Office) is appreciated.
I took the “short of…” route: installed Office 2007 trial. Three update / reboot cycles later, Windows Update finally seems happy. For that, I get to pay Microsoft in August.
Have you tried OpenOffice from Oracle? It’s free, just google it.