August 2, 2010

Microsoft today released an emergency security update to fix a critical flaw present in all supported versions of Windows. The patch comes as virus writers are starting to ramp up attacks that leverage the vulnerability.

There are a couple of things you should know before installing this update. If you took advantage of the “FixIt” tool that Microsoft shipped last month to blunt the threat from this flaw, you should take a moment now to undo that fix. To do that, visit this link, then click the image below the “Disable Workaround” heading, and follow the prompts. You will need to reboot the system before installing the official fix released today, which is available from Windows Update.

The patch issued today carries the Microsoft Knowledge Base (KB) number KB2286198, in case you’ve just run Windows Update and are checking to see whether this update is available to you yet.

You will need to reboot after installing the patch. After I applied this patch and rebooted the system, Windows Explorer stalled, leaving Windows unresponsive. After a forced restart (powering the system off and then on again), my 64-bit Windows 7 system booted into Windows normally.

When this vulnerability was initially disclosed, it was only being used in targeted attacks online. However, as Microsoft warned and others have confirmed, this vulnerability is now showing up in more mainstream attacks. Please take a moment to apply this update today if you can, particularly if your Windows system is not already protected with the FixIt tool mentioned above.

More information on this update is available from the Microsoft bulletin. And as always, please leave a comment below if you experience any problems installing this update.


33 thoughts on “Patch for Critical Windows Flaw Available”

  1. JBV

    Thanks as always, Brian!

    No problems installing update on Windows7, and my computer did not freeze as yours did.

    Chrome users should be aware that the browser does not update automatically, and that the current version is 5.0.375.125.

    Also, Chrome leaves a backup copy of its previous version in your computer, which a Secunia check will find, and which can be updated by using Secunia’s update link.

    1. Maureen

      With respect, may I ask if I am reading your comment about Chrome out of context? I thought Chrome continuously checks for updates and updates automatically. I haven’t manually updated Chrome and I’m at the same version you are.

      1. JBV

        Maureen: On my computer, Chrome shows the version number in the “About Google Chrome” box, and indicates whether updates are available. Have you added a plugin to do automatic updates?

        1. Maureen

          JBV, I suppose I must have, because when I click on the “About” it shows that it is checking for updates. But I thought when I originally loaded Chrome that one of the features was that it updated automatically, that you wouldn’t get an “update available” message like you get with Safari or Firefox.

          Should I not have it automatically update?

          (I know you’re on to more recent posts, but I really am interested in the answer.) Thanks!

          1. JBV

            Maureen, If you get automatic updates and it works for you, don’t change a thing.

  2. Claus

    Did install patch on XP SP3, reboot. Experienced normal behaviour, PoC exploit failed…so it seems to work.

    Best regards
    Claus

  3. Scott

    Have installed on 3 different PCs running Windows 7 (32-bit); performed restart by command and have been running for about two hours with no problems noted; USB file access is fine, no PoC to test with here.

  4. Clive

    As a senior and with Microsoft being a little slow off the mark, I downloaded the Sophos Protection Tool.
    Could you advise if I have any concerns or am I OK to proceed with the latest MS Patch?
    Sincere thanks. cb-Retd.

      1. Brian Krebs

        Clive — This from the Sophos folks

        “They can install it without issue. They may wish to remove our tool, but it is not required.”

        1. Clive

          Hi Brian, Prompt reply by yourself & xAdmin really appreciated and provided peace of mind.
          Just signed up with you recently and certainly glad that I did.
          Keep up the good work & Thank you again.
          cb – Retd.

  5. Michael

    Have XP Home SP3, think updated OK but update was creepy. Have dialup and the checking-for-latest-update page ran for a *very* long time while 3 blocks of code on the order of high hundreds of kB total separated by 2 periods of perhaps a minute or two each came down the wire (and installed?), only after which the usual menu of available downloads was presented. Had thought the 3 blocks reversed workarounds but after rebooting, desktop icons were still mangled and WebClient service was still off. Checked for installed update and it’s present except install date is shown as 8/3. Positively creepy. Anyone else see this update behavior?

    1. xAdmin

      I’m using XP SP3 Professional, didn’t deploy any workarounds or third party fixes and already had the “WebClient” service disabled. I always choose the “Custom” option on Microsoft Update and did notice the entire process took longer than it has in the past, even on high speed access. Also noticed that after the patch was downloaded, there appeared to be an extra “Verifying download” process before “Initiating installation” began. The process completed normally though, rebooted and have been up and working normally since (on two systems, 7 hours ago). There is now a new “shell32.dll” file, version 6.0.2900.6018. The WebClient service is still disabled. My install date is today, 8/02. Does your system clock show the correct date?

      1. Michael

        Yes, my laptop clock shows 8/2 which was why I mentioned the odd 8/3 update-date. Everything appears to be normal. ClamAV detects nothing.

    2. Bart

      I’m in a rural area with wireless service from a nearby mountain top. Speed is somewhere between dial-up and DSL, and I always have “checking for latest updates” take an unusually long time.

  6. CloudLiam

    I installed the update on 2 XP SP3 computers [1 Pro, 1 Home edition, both 32-bit] and 1 Windows 7 Home Premium 64-bit machine. All installations were quick and uneventful.

    You must have missed Brian’s link above to the FixIt tool that undoes the workaround, Michael; that should restore your icons.

    1. Michael

      Thanks, but did not miss anything. Have previously posted on an earlier krebsonsecurity article that I’m beginning to like the look of my mangled desktop and why I’m keeping it now – I like it! xAdmin has posted previously that WebClient’s been turned off on his machines forever and I’ve noticed nothing amiss with mine with it off so I’m leaving that off as well.

  7. axial

    Is it possible that MS isn’t offering this fix for XP SP2? It doesn’t show up when running Windows update.

    1. axial

      Ah, that was the first of Aug, not the end of Aug, whap-to-forehead! Thx, JBV.

      1. 67GTV

        Actually, support for WinXP SP2 ended 7/13/10, which was the last Patch Tuesday. Can I give you another whap-to-forehead axial?

        Set aside an hour or so, the SP3 update may take that long.

  8. Bart

    KB2286198 – This is the first time I noticed a KB number with more than six digits. Is this because it was an emergency fix?

    1. WWH

      Looking at the history of KB numbers in my patch list, I think they’ve gone to seven digits because they ran out of six digit numbers.

      1. 67GTV

        My WSUS log concurs. The first set of 7-digit KB numbers were released on the 7/13/10 Patch Tuesday. Oddly enough, the numbers seem to start in the 2.2 million range, and I do not recall seeing KB999999.

    2. jxl2

      @Bart
      This is the second time I’ve seen a 7 digit KB number. KB2229593 was released on July 12, 2010. It was a security update for WinXP.

  9. John Ulster

    I’m running XP w/ SP3 and I am extremely irritated that the fix which I installed from an automatic update wiped out my desktop display settings. Since these items are in the “set it & forget” class, it took me almost half an hour to figure out what it was before and get it straightened out. There should have been a warning so I could write them down before the install. Boo Microsoft!

  10. EP

    You’ve said it, 67GTV. axial should have upgraded to WinXP SP3 months ago, instead of waiting til past mid-July 2010 and not being able to install the newly released KB2286198 patch; boy did axial “strike out” this time. AND MS also ended support for Win2000 on 7/13/2010 which means Win2k users won’t receive the KB2286198 fix either.

    Well John Ulster, that’s another good reason to disable automatic updates. Sometimes auto updating with WinXP screws things up. I downloaded & installed the KB2286198 patch from the MS download center cleanly and it didn’t mess up my XP SP3 computers.

    1. 67GTV

      Regarding the SP3 upgrade, I confess, I finally upgraded my home PCs about a year ago. Without incident, I might add. It was just never high on my priority list.

      Here at work, IT management shied away from SP3 after initial reports of problems with the upgrade. Wasn’t it just mainly some wireless settings and non Intel processor PCs that were affected? (If the latter applies to your PC, see http://support.microsoft.com/kb/953356 first) Now, we’re playing catch-up. We manually upgraded our IT PCs (mine took 2 hours 50 minutes!) but we have yet to roll this out to “production”. Any success or failure stories regarding pushing SP3 out through the WSUS? 😉

      1. Vince

        67GTV,
        We recently upgraded our office to XP SP3 as well, using WSUS. The only issue we had was with our Imprivata OneSign application, however we were running an older version of the client. After SP3 was installed, OneSign would not connect to the server and had to be reinstalled. Other than that, no issues with the update other than the fact that it takes anywhere from 30 minutes to an hour for the update to install. We got about 1200 client machines updated in about 6 weeks.

  11. Heron

    I have a Secunia/Microsoft question. I run Secunia PSI on a Windows XP Home machine.

    Secunia is telling me I need to update the Microsoft C++ 2008 Redistributable Package. When I visit the Microsoft Updates page, though, it brings up three different files, and says simply, “Download the files most appropriate for you.” I’m not sure which to choose.

    Here’s the page that Secunia is pointing me to:

    http://www.microsoft.com/downloads/details.aspx?familyid=2051a0c1-c9b5-4b0a-a8f5-770a549fd78c&displaylang=en

    I know very little about C++. Is this something I need to update? If so, how do I choose the proper file? If not, is this redistributable package something I shouldn’t be running at all?

    Thanks in advance for your help.

    1. xAdmin

      That’s part of Microsoft Visual Studio. For more see the bulletin:

      http://www.microsoft.com/technet/security/bulletin/MS09-035.mspx

      The three downloads on the page you linked to correspond to the type of processor you are running:

      IA64 is for Intel Itanium 64 bit processors
      x64 is for all other 64 bit processors
      x86 is for 32 bit processors

      Or of course, you could just use Microsoft Update and it should provide the correct one for your system. 🙂

      http://update.microsoft.com/microsoftupdate
