Talk about Patch Tuesday on steroids! Adobe, Microsoft and WordPress all issued security updates for their products yesterday. In addition, security vendor Tipping Point released advisories detailing 21 unpatched vulnerabilities in products made by CA, EMC, HP, Novell and SCO.
Microsoft’s bundle includes a dozen updates addressing at least 22 security flaws in its Windows operating system and other software. Five of the vulnerabilities earned a “critical” rating, Redmond’s most serious. Six of the Windows flaws fixed in today’s release have been public for some time, although security experts at Symantec say they’re only aware of one of the flaws being actively exploited in the wild — a bug in the way Internet Explorer handles cascading style sheets. Updates are available through Windows Update or Automatic Update.
Microsoft also issued an update that changes the default behavior in Windows when users insert a removable storage device, such as a USB or thumb drive. This update effectively disables “autorun,” a feature of Windows that has been a major vector for malware over the years. Microsoft released this same update in February 2009, but it offered it as an optional patch. The only thing different about the update this time is that it is being offered automatically to users who patch through Windows Update or Automatic Update.
Update, Feb. 18, 11:56 a.m. ET: As F-Secure notes in a useful blog post, Microsoft has once again failed to disable auto-run, because this update is not offered by default, as Microsoft previously indicated.
Original story:
Adobe released an update for its Acrobat and free PDF Reader software that fixes at least 29 security problems with these products. Adobe is urging users of Adobe Reader X (10.0) and earlier versions for Windows and Macintosh to update to Adobe Reader X (10.0.1), available now. Adobe says that an update to fix these flaws in UNIX installations of its products is expected to be available by the week of February 28, 2011.
Web site administrators publishing with WordPress should be aware that WordPress issued an update, version 3.0.5, that plugs a handful of security holes. This is a relatively minor update — there don’t appear to be any gaping holes — but please remember to back up your installation and database before proceeding with the update, just to be on the safe side.
Following up on changes to its stated disclosure policy, Tipping Point began releasing details of a number of flaws in third-party applications. All of the vulnerabilities Tipping Point detailed in this month’s release involve applications commonly found in corporate IT environments. Toward the end of 2010, the company announced it was changing its disclosure policy to light a fire under vendors that might otherwise drag their feet in fixing important security flaws.
From the company’s August 2010 post: “In an effort to coerce vendors to work with us on patching these issues more promptly, the ZDI is announcing a 6-month deadline going into effect on 08/04/10,” the company wrote. “This applies to all future vulnerabilities submitted through our program as well as all currently outstanding reports. This means that the first vulnerability report, if needed, will be disclosed on 02/04/11. At the end of the deadline if a vendor is not responsive or unable to provide a reasonable statement as to why the vulnerability is not fixed, the ZDI will publish a limited advisory including mitigations in an effort to enable the defensive community to protect the user. We believe that by doing so the vendor will understand the responsibility they have to their customers and will react appropriately.”
As always, please post a note in the comments section if you experience any weirdness in applying any of these updates.
Thanks for the heads up on the Reader update!
I updated Windows yesterday.
If anyone has problems with the first of the Microsoft security patches it might be due to them having applied a Fixit in January that changes the permissions of shimgvw.dll.
As an alternative to changing these from explorer one forum gave the following solutions (use at own risk of course):
How to undo the workaround:
Run the following commands from a command prompt as an administrator:
For 32-bit editions of Windows XP and Windows Server 2003:
cacls %WINDIR%\SYSTEM32\shimgvw.dll /E /R everyone
For 64-bit editions of Windows XP and Windows Server 2003:
cacls %WINDIR%\SYSTEM32\shimgvw.dll /E /R everyone
cacls %WINDIR%\SYSWOW64\shimgvw.dll /E /R everyone
For 32-bit editions of Windows Vista and Windows Server 2008:
icacls %WINDIR%\SYSTEM32 /restore %TEMP%\SHIMGVW_ACL.TXT
For 64-bit editions of Windows Vista and Windows Server 2008:
icacls %WINDIR%\SYSTEM32 /restore %TEMP%\SHIMGVW_ACL32.TXT
icacls %WINDIR%\SYSWOW64 /restore %TEMP%\SHIMGVW_ACL64.TXT
The 32-bit XP one worked fine for me so I suspect the others are OK too.
As usual, no nag from Adobe to update. I used Reader X extensively yesterday and this morning with no hint of needing an update.
Brian brings on the alerts as in the past.
I just got an update notice in my notification area for Acrobat Reader X; it updated me from 10.0.0 to 10.0.1.
Not bad actually. Yesterday I had just manually installed 10.0.1 on a couple of laptops.
“Microsoft released this same update in February 2009, but it offered it as an optional patch. ”
“Tipping Point said late year.”
Slight typos nothing major, just thought I would point it out to get corrected :). I see it was posted at 6:23 AM so no worries.
-Scott
An update to Adobe Flash Player just appeared.
Thanks for the heads up on the Adobe Flash update. For those who want to avoid the irksome Adobe Download Manager, you can download standalone installers for both MS IE and non-MS IE browsers at
http://kb2.adobe.com/cps/191/tn_19166.html#main_ManualInstaller
FWIW, there’s also an updated (minor, apparently) build version for Shockwave Player …
So much for the autorun patch. Every thumb I used after the XP patches autoran as usual, even though I reset to “Take no action” every time I use them.
FWIW, the patch seems to work for me. I run WinXP SP3 and after patching, autorun is disabled for thumbdrives and my iPhone.
Brian was wrong, the autorun patch was NOT installed automatically. So, unless you manually installed it, you don’t have it. See
http://www.windowsitpro.com/article/paul-thurrotts-wininfo/Patch-Tuesday-Comes-with-IE-Auto-Run-Fixes.aspx
and
http://blogs.computerworld.com/17808/windows_autorun_microsoft_is_wrong_computerworld_is_right
My concern is the other way. When it became available, I downloaded Microsoft’s exe and turned off all AutoRun capabilities via running that program manually and making all of the requisite Registry entry changes on the machines I had. I did the same with the new machines I currently have that are less than nine months old. I took the default on the February 2001 update – everything. If they turned any AutoRun back on I am going to have to go and put the AutoRun back to where I had it – nothing. The visual silence when I put in what I normally am using – my own data CDs and USB data stick is blissful. In addition to enhanced security it is visually quiet with all AutoRun turned off.
http://SecureMecca.com/public/NoAutoRun.7z
http://SecureMecca.com/public/NoAutoRunXP.7z
(don’t trust my binary – download Microsoft’s)
Microsoft’s unwillingness to handle this issue promptly when Conficker showed up proves just how little they care about security. People were handling installs for years before AutoRun existed.
Kudos to a more enlightened bug discovery / failure to fix bug policy. Six months is reasonable.
The WordPress update may seem relatively minor, but I have noticed some recent security probing on a test site I have set up (which is a fairly rare occurrence), so I decided to apply the update much quicker than I normally would.
I wonder how many of the Adobe Reader exploits could have found their way outside the Adobe Reader X sandbox?
My computer has Adobe Reader 9.4.2, which Secunia says is up to date. What is Reader X, and why and how should I install it?
For details, you can check out Brian’s blog post from last November at
http://krebsonsecurity.com/2010/11/adobe-reader-x-seeking-safety-in-the-sandbox/
Now if MS would/could just identify some way for users to kill/disable the “autosync” feature of Windows Media Player at the source, rather than by an ineffective/inefficient method of inserting a header file onto each and every possible bit of removable media that might be inserted into a USB port when WMP is active, another important malware vector (comparable to the “autorun” default feature of its many OS versions) would be shut down.
Hello, Brian,
I went by your suggestion in the January 28 blog and applied MS’s “FixIt”.
You wrote, “Microsoft said it may issue a patch to fix the flaw, but that in the meantime IE users who are concerned about this threat can use a supplied “FixIt” tool to help shore up the way Windows handles MHTML documents. To enable that fix, visit this link and click the FixIt icon.”
Now, when trying to install MS’s KB2483185 critical update that was issued by MS yesterday, I’m able to download the update, but it will not install. How can I undo MS’s workaround that might keep me from installing the critical update? I’m running Windows XP with all other critical updates and service packs installed. Your help is much appreciated!
The “Disable Fixit” links are always on the same page as the “Enable Fixit” links.
Sorry, CloudLiam! When I checked for “Disable FixIt” on that given website, that option was not displayed anymore!
Thanks for trying to help though!
Regards, Dirgster
In the future you should always download and save the Disable Fixit installer package when you apply the Fixit, but fear not; you can find it here.
http://windowslive.com/Connect/Post/135ab36e-520e-43c7-b3d2-2c4bd3af80ca
As CloudLiam noted, the “disable” version of the Fixit tool is on the webpage for that KB article, but if you’re experiencing a failure in the installation of that specific update (and perhaps some others as well) you MUST first run/apply that “disable Fixit” (#50593) for the Windows Update installations to succeed.
After an unsuccessful install of KB2483185 because I had used “FixIt” before, I finally called Microsoft for help. One of their agents also tried unsuccessfully to install the mentioned update, then “hid” it in Windows Update, so I wouldn’t always be prompted to download and install. The agent assured me that I don’t really need that particular update since my Windows XP Professional computer is not used in a network. My question: Should I perhaps run the “Disable Microsoft FixIt 50593” and then try to download and install KB2483185 again, or would I just make things worse?
After spending most of 2 days trying to figure out why that particular KB2483185 update and a few others wouldn’t install on three XP Pro SP3 machines in my home office network, digging into the WindowsUpdate.log files identified that the update(s) were being cancelled because the same file versions already existed in each machine’s OS. However, WU would repeatedly tell me there were updates available and already downloaded, but yet again fail to install any of them on any machine.
It was after a lot of digging and searching for answers when I read through this blog entry of Brian’s that I remembered I had applied that Fixit patch months ago following his notice of the exploit and workaround patch, I realized that must have been why the WU installations were being cancelled, as the Fixit patch must have applied the updated file versions in the workaround. So, I got the disabling Fixit patch from the MS webpage, applied it, then tried WU again and everything installed smoothly and correctly.
Here’s the real burn, though — I’d already devoted a lot of time to scouring the MS “Answers” forum for clues to the problem without any success (noting that many others were having similar problems). Many of their so-called “MVPs” were adamantly claiming the problems users were experiencing had to stem from a malware infection of some sort, and then would recommend this-or-that rootkit killer or online malware scanner. Since I had gone through various online scanners (Kaspersky, ESET, Panda) on all of the machines simultaneously, and none of them (or my resident AV scanner Avast) found any problems of that sort, I’d become pretty frustrated by that point. I’d even done the MS Onecare Live online scan on all the machines simultaneously, and it found no malware either (though it did find various things to clean up in the registry which have improved performance on all of the office machines, including two with Win7 Ultimate or Vista Ultimate).
Once I had achieved success by disabling the old Fixit and getting WU to run through properly, I posted the above reply to CloudLiam’s message for Dirgster and then posted a message on the MS Answers forum on Windows Update to explain the circumstance and how this might represent a possible resolution for other users who had applied the workaround patch several months ago. I referenced Brian’s website as the source of what triggered my recollection of having applied the original Fixit workaround patch, with a recommendation for this website and a link embedded in the message.
Quite irritatingly, I checked that forum’s messages later yesterday evening and discovered it had been removed entirely, which has led me to conclude that those forums really are a waste of time because some MVPs apparently want to push user traffic to various other websites of their own or vendors with whom they may possibly have some mutually beneficial relationship.
I’ll still utilize the MS KB and TechNet articles, but when I do any searches on the MS support website from now on, I’ll use the “advanced” option and untoggle the forum from the search function because the listing of results is far too bloated and now decidedly untrustworthy. That may be unfair to some of the MVPs who post there, but I’ve got better things to waste my time on than weeding through “expert” comments from what are basically shills and hucksters.
I’ll ALWAYS trust and rely upon the content here on Brian’s site, though (and perhaps a few others), but not with the MS Answers site! (Brian, I hope this doesn’t cause any trouble for you with the folks at Redmond…)
It would seem we’ve reached the same conclusion. You might just as well bang your head up against a wall, same effect. 😉
This is why I rarely if ever apply FixIt’s and instead rely on a layered defense while I wait for an official patch. No need to gum up your system with a temporary stop gap fix. Instead a solid layered defense should provide protection and time until the official patch is released. Your mileage may vary, but following such a policy hasn’t led to any system compromises or patch installation issues on any of my systems to date. 🙂
DarkReading just had this article yesterday:
SAFECode Issues Best Practices For Writing Secure Code
— Nonprofit members Adobe, EMC, Juniper, Microsoft, Nokia, SAP, and Symantec share secure development methods
Those methods don’t seem to be working for them
–Chez
@Jim:
Krebs site is golden, one of the best security blogs available. Thank you, Krebs.
However, in the previous day’s story’s comments, users warned about the Adobe exploits but were downvoted so you had to click to enable viewing of the comments and warnings.
The warnings pointed to the SecurityFocus dot com website, so bookmark that site, too.
Thank you Krebs for allowing comments and not simply blog trackbacks as so many sites have recently removed user comments. The user comment rating system here, however, needs attention, many useful posts are often buried and this error should stop.
“As usual, no nag from Adobe to update. I used Reader X extensively yesterday and this morning with no hint of needing an update.
Brian brings on the alerts as in the past.”
Well, I realize some people need to vent, but sometimes a portion of the comments are off-topic and down right nasty! If readers don’t agree with comments made by others, they should be allowed to vote those comments down. The more sensible, on-topic people who comment should create a new post, even when responding, if their information could be useful to all readers. I like the way Brian currently employs the user comment rating system. I think it should stay the way it is.
“@Jim:
Krebs site is golden, one of the best security blogs available. Thank you, Krebs.
However, in the previous day’s story’s comments, users warned about the Adobe exploits but were downvoted so you had to click to enable viewing of the comments and warnings.
The warnings pointed to the SecurityFocus dot com website, so bookmark that site, too.
Thank you Krebs for allowing comments and not simply blog trackbacks as so many sites have recently removed user comments. The user comment rating system here, however, needs attention, many useful posts are often buried and this error should stop.
“As usual, no nag from Adobe to update. I used Reader X extensively yesterday and this morning with no hint of needing an update.
Brian brings on the alerts as in the past.””
They’re trying to bury your post again!! Oh, and of course vote up the kissy post to Krebs, by all means!!
So, as a result of the MS KB2483185 update downloading ok, but failing to install (and causing all other Feb. updates to fail installation, too!), I finally found the solution in Krebs’ site.
First, apply the DISable FixIt #50593, available at:
http://support.microsoft.com/kb/2483185
(Do this only if you applied the corresponding ENable Fixit #50590 back in Jan 2011, and had forgotten about it).
Then, try to d/l & install again the failed MS KB2483185 update. It (and the other Win Updates) should install just fine.
Hope this helps people. I lost 5 hours with this MS “egg in the face”.
Now, my question: given that MS “forgets” that users (us!) have ENabled the Fix-it button as MS recommends, how do we determine which Fix-it buttons we have applied in the past? (So we can apply the corresponding DIsable Fix-it before any failed Windows update.)
SFdude
Since I had chided (gently, or so I thought) MS patch code writers in that Answers forum message that was subsequently removed for failing to build in auto-detection of a user previously applying some Fixit patch, maybe that was the reason it was eliminated. But, it’s still a good idea and SFDude’s question is certainly a legitimate complaint for most users. Unless MS takes the high-and-mighty position that the Fixit patches are really ONLY for IT pros and no one else (in which case perhaps they should be placed on the TechNet site and not in the “normal” KB group), I’d suggest keeping a paper log of just what upgrades, updates and patches are applied to your machine(s). The problem there, of course, is if a user allows OS components or apps to automatically update, it won’t be complete — but since the Fixit patches have to be manually applied, at least those would be recorded somewhere for subsequent reference.
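A read-only audit script, added here as an example and not from the post or any of its commenters, that answers SFdude’s question for the two Fixits this thread discusses: it checks whether shimgvw.dll still carries the explicit “Everyone” permission entry that the cacls /E /R everyone undo above removes, and whether KB2483185 is installed. It assumes PowerShell 2.0 or later on the machine being checked and an elevated prompt; the labels it prints are its own, not Microsoft’s.

```powershell
# Added audit example: detect leftover Fixit workarounds before running
# Windows Update. Changes nothing; it only reads ACLs and hotfix state.

# The January shimgvw.dll Fixit edits the DLL's permissions, and the
# undo commands posted above remove an explicit "everyone" entry, so an
# explicit (non-inherited) Everyone ACE is the tell-tale sign it is still on.
$targets = @("$env:WINDIR\SYSTEM32\shimgvw.dll")
if (Test-Path "$env:WINDIR\SYSWOW64\shimgvw.dll") {
    $targets += "$env:WINDIR\SYSWOW64\shimgvw.dll"   # 64-bit editions only
}

foreach ($dll in $targets) {
    $acl = Get-Acl -Path $dll
    $explicitEveryone = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and -not $_.IsInherited
    })
    if ($explicitEveryone.Count -gt 0) {
        foreach ($ace in $explicitEveryone) {
            Write-Host ("{0}: explicit Everyone ACE ({1} {2}) - shimgvw Fixit " +
                        "workaround appears to still be applied" -f
                        $dll, $ace.AccessControlType, $ace.FileSystemRights)
        }
    } else {
        Write-Host "$dll : no explicit Everyone ACE - workaround not applied or already undone"
    }
}

# Vista/2008 undo restores a saved ACL from %TEMP%; if those files are still
# there, the workaround was applied on this machine at some point.
foreach ($saved in 'SHIMGVW_ACL.TXT', 'SHIMGVW_ACL32.TXT', 'SHIMGVW_ACL64.TXT') {
    if (Test-Path "$env:TEMP\$saved") { Write-Host "Saved ACL backup found: $env:TEMP\$saved" }
}

# KB2483185 is the February update that would not install for commenters
# until the earlier MHTML Fixit (#50590) had been disabled via Fixit #50593.
$kb = Get-HotFix -Id KB2483185 -ErrorAction SilentlyContinue
if ($kb) {
    Write-Host "KB2483185 installed on $($kb.InstalledOn)"
} else {
    Write-Host "KB2483185 NOT installed - if Windows Update keeps failing, run the Disable Fixit (#50593) first, then retry"
}
```

The ACL check only covers the shimgvw.dll workaround; the MHTML Fixit leaves no file-permission trace, so for that one the KB2483185 install state is the only signal this script can offer.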