July 10, 2012

Microsoft today issued a security patch to fix a zero-day vulnerability in Windows that hackers have been exploiting to break into vulnerable systems. The company also addressed at least 15 other flaws in its software, and urged customers to quit using the desktop Sidebar and Gadget capabilities offered in Windows 7 and Windows Vista.

By far the most urgent of the updates is MS12-043, which fixes a critical vulnerability in Microsoft XML Core Services that miscreants and malware alike have been using to break into vulnerable systems. Microsoft had already warned about limited, targeted attacks using this flaw, but late last month an exploit built to attack the XML bug was added to the BlackHole Exploit Kit, an automated browser exploit tool that is very popular in the criminal underground right now.

Other critical patch bundles include a fix for a dangerous flaw in the Microsoft Data Access Components (MDAC) of Windows, and an update to address a pair of vulnerabilities in Internet Explorer.

Microsoft also released a FixIt tool to help network administrators block the use of Gadgets and the Sidebar on Windows 7 and Windows Vista systems. “We’ve discovered that some Vista and Win7 gadgets don’t adhere to secure coding practices and should be regarded as causing risk to the systems on which they’re run,” Microsoft said in a blog posting, without offering much more detail about any specific findings.

Patches are available through Windows Update or via Automatic Updates. As ever, if you experience any issues in applying these patches, please drop a note in the comments below. A summary of and links to all of the patches released today is here.


19 thoughts on “Microsoft Patches Zero-Day Bug & 15 Other Flaws

  1. Andrew Zizzo

    Thanks for being on top of the ball, Brian. Checked updates earlier at 1pm Eastern as a routine and these weren’t offered by the update server. Checking now on x64 7 I see 11 new updates

  2. Greg

    Brian,

    Being in IT, I really appreciate the work you’re doing. There is so much chaos out there it’s almost impossible to keep up, so the 0-day alerts are valuable.

    Thanks.

  3. chesscanoe

    Manually installing this P.M. using Windows Update on my laptop Win7 x64 Home brought up 7 fixes (plus 1 optional for Microsoft Security Essentials). I clicked to install the 7 fixes and the first (KB2698365) installed OK. The second (KB2719177 for IE9 HUNG 1/3 finished FOR 25 MINUTES WITH NO DISK OR UNUSUAL CPU ACTIVITY. It would not cancel, and task manager could not be invoked so I shutdown. Got message KB2698385 failed with code 8024200D, so I safe started and did a good system restore. Then I installed System Tool KBB947821 (341 meg) which uninstalled and reinstalled both fixes, after a couple of shutdowns. All fixes correctly installed now, but it took some time and searching to fix. FYI .

  4. Larry

    For the last several patch cycles update has installed KB972270 and KB982132, over and over, cant stop it except to click dont show again. With the new controls today I thought MS had finally resolved the problem but they did not.

    This occurs on all four of our XP Pro SP3 pcs. It does not happen on our XP Home SP3 pc or our Win7-64 Pro.

    Anyone else having this problem?

    1. JCitizen

      Well, at least you don’t have any sidebar concerns for your XP machines. Small comfort I know. I try it on mine and see how it goes.

    2. Stratocaster

      With previous updates I have had the problem with same update showing up over and over again on one XP SP3 notebook, but not on another or on Vista, even though an equivalent Vista fix was available. So there may be some idiosyncrasy about the particular machine, like a corrupted registry key.

    3. PJ

      Larry, you can use CCleaner and clean out any windows components that haven’t loaded properly. That has worked for me in the past. Just make sure to reboot before trying to reinstall.

    4. EJ

      I’ve always had great luck resolving these issues using Microsoft’s support, which is free for Windows Update issues. It takes some simple back and forth via email, but it is well worth it.

      http://support.microsoft.com/ph/6527

    5. Northfield Tom

      Happens with me, too. I just live with the “you have updates to install” msg and manually check periodically. Sort of like dealing with the pertual “Flash” bugs.
      Peace,
      Tom

  5. Stratocaster

    Give up our gadgets? Say it ain’t so, Brian!

  6. JCitizen

    I’m not giving up my weather gadget no matter what! I’ll just have to deal with the consequences. That thing is critical to my operation. At least both of them were open source developed; but that is only a slim comfort.

    I hope Brian revisits this subject if anything changes at Redmond.

    1. CW

      I don’t think Microsoft is going to change their stance. They are discouraging it’s use in Vista and Win7, and have already removed the functionality from Windows 8:

      http://threatpost.com/en_us/blogs/microsoft-issues-kill-fix-windows-gadgets-071112

      It sort of reminds me of the Google Apps that are currently being found with malware in them; it’s great to have free, open source stuff available to the public, but people are using these free apps as a conduit for malware. Shame.

      1. JCitizen

        Thanks CW;

        I’ll be glad when they fire that chair throwing monkey boy(CEO); I realize he helped start the company, but he will end it, if the chairman of the board isn’t careful!! X-(

  7. Tom H.

    Installed 8 of 8 and 11 of 11 on two Windows 7 x64 machines. Went quickly with no problems.

  8. Bufford

    “We’ve discovered that some Vista and Win7 gadgets don’t adhere to secure coding practices and should be regarded as causing risk to the systems on which they’re run,”

    IE: We didn’t implement validation checks in the OS and trusted unknown developers to do our work for us.

    1. Dave

      Gadgets have been an accident (or at least malware attack) waiting to happen from the day they were released. Although there is in theory a security model present for them, the only access capability that’s supported is “everything all the time”. I talked to a MS security manager about this in 2007 when they appeared in Vista and his comment was “yeah, it’s bad, but we [the security people] can’t do anything about it”. What’s surprising about this one isn’t that it happened, but that it took a full five years before anyone exploited them.

  9. Ivan Lowe

    Installed as a batch, avoiding KB2655992 as advised in patch watch in Windows Secrets (paid version). Result was only basic MS programs functioning: no firewall, Avira loaded and could not load firefox etc. Rebooted, same problem. System restore showed only two recent points I managed a full system restore and got back full functionality including ALL past restore points though Online Armor asked if I wanted to allow wbengine (I agreed). So I started installing one by one, with a reboot each time. Narrowed it to KB2691442. Googled this and found it has something to do with Online Armor which they are working on/have fixed. Online Armor users should make sure they have the latest version before applying this patch.

    1. JCitizen

      I can’t get On Line Armor Premium to work on any modern Windows platform. Maybe the free one is better. I think I’ll stick to Comodo(free).

Comments are closed.