Microsoft today issued security updates to fix at least two vulnerabilities in its software. The fixes are for enterprise components that are not widely installed, meaning that Windows home users will likely get away with not having to patch their operating system this month.
The first patch, MS12-061, applies to Microsoft Visual Studio Team Foundation Server. The other update, MS12-062, fixes a flaw in Microsoft Systems Management Server 2003 and Microsoft System Center Configuration Manager 2007.
Windows users who run Windows Update or Automatic Update may still find a few updates available, such as KB2736233, which disables certain potentially unsafe ActiveX components in Internet Explorer; or KB2735855, which is a stability hotfix for Windows 7 and Windows Server 2008 systems.
Microsoft is urging system administrators at organizations to test a soon-to-be mandatory patch (KB2661254) that will change the way Windows handles encryption keys. That patch is in apparent response to the weaknesses exploited by the Flame malware, which exploited them to spoof the encryption algorithm used by Microsoft’s Remote Desktop and to install itself on Windows PCs. The update has been available since August but won’t be pushed out through Windows Update until October.
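As an added example (not part of the original post), the following readiness check reflects what KB2661254 enforces: once installed, Windows stops trusting RSA certificates whose public key is shorter than 1024 bits, so administrators testing the update can inventory affected certificates beforehand. The PowerShell below scans the local machine certificate stores and reports any such certificate; the 1024-bit threshold and the store path are parameters assumed here.

```powershell
# Added readiness check (not from the original post): list certificates in the
# local machine stores whose RSA public key is shorter than 1024 bits, the
# minimum that KB2661254 enforces once installed. Run from an elevated PowerShell.
function Get-WeakRsaCertificate {
    param(
        [int]$MinimumKeyBits = 1024,                   # threshold enforced by KB2661254
        [string]$StoreRoot   = 'Cert:\LocalMachine'    # use Cert:\CurrentUser for per-user stores
    )

    Get-ChildItem -Path $StoreRoot -Recurse |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object {
            $cert = $_
            # Only RSA keys are affected by the update; other algorithms are skipped.
            $rsa = $null
            try { $rsa = $cert.PublicKey.Key -as [System.Security.Cryptography.RSA] } catch { }
            if ($rsa -and $rsa.KeySize -lt $MinimumKeyBits) {
                [pscustomobject]@{
                    Store      = Split-Path -Path $cert.PSParentPath -Leaf
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    KeyBits    = $rsa.KeySize
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
}

# Report anything that will stop validating after the update is applied.
$weak = Get-WeakRsaCertificate
if ($weak) {
    $weak | Sort-Object KeyBits | Format-Table -AutoSize
} else {
    Write-Output "No RSA certificates shorter than 1024 bits found under Cert:\LocalMachine."
}
```

Certificates listed by this check (for example, old internal CA or device certificates) should be reissued with 2048-bit or longer keys before the October rollout rather than after applications start failing.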
We hope you are not misleading home users who do not use automatic updates; they still should check for updates and run the malicious software removal tool, which is new for this and every month.
Also, important to note from the SANS ISC post:
“Do not overlook KB2736233 Active-X Kill Bits update for 3 Cisco products. It is a Security update, but as it is ‘third-party’ to Microsoft, they do not rate it as such:”
er… I sort of mention that in the above post:
“Windows users who run Windows Update or Automatic Update may still find a few updates available, such as KB2736233, which disables certain potentially unsafe ActiveX components in Internet Explorer; or KB2735855, which is a stability hotfix for Windows 7 and Windows Server 2008 systems.”
It’s good to see M$ pushing out updates regularly. Better than nothing and better than sending out “quarterly” updates as Oracle does.
Since I never saw an update I didn’t like I installed KB2661254 today rather than wait a month. So far no ill effects (running Windows 7-64).
When I try to download the Win7x64 version of the encryption key patch from http://support.microsoft.com/kb/2661254, it makes me download and run GenuineCheck.exe. However GenuineCheck says that it’s an old, unsupported version. Is anyone else having that problem?
Not me, but a lot of others have. Try setting IE9 as your default browser.
John, I just had that problem with GenuineCheck.exe saying it was out of date on a Vista SP2 system fully patched. Had to resort to using IE 7 to get the update, and it wanted to install the ActiveX control for the genuine advantage checking. After the ActiveX control ran, I was able to d/l and install the update.
After the update ran, I got a prompt during the reboot process to shut down the stand alone WinUpdate installer that installs the patch but the prompt disappeared before I could take action to terminate the process. All in all, the update was smooth once I got the file. This makes one less update to install on October 9th.
Very interesting article Brian. Shame you didn’t include the actual work here (it’s freely available online), it is fascinating work. Cyber criminals will be well happy.
I wonder why they went public about this so soon. Is the flaw still there? Or did they manage to get a patch for that?
I ran into a download corruption problem with KB2735855.
Several of our computers were experiencing downloads that were missing a few kilobytes here and there.
Once I uninstalled this patch, the problem disappeared.