10
Feb 15

Microsoft Pushes Patches for Dozens of Flaws

Microsoft today released nine update bundles to plug at least 55 distinct security vulnerabilities in its Windows operating system and other software. Three of the patches fix bugs in Windows that Microsoft considers “critical,” meaning they can be exploited remotely to compromise vulnerable systems with little or no help from users, save for perhaps clicking a link or visiting a hostile Web site.

The bulk of the flaws (41) addressed in this update apply to Internet Explorer, the default browser on Windows. This patch should obviously be a priority for any organizations that rely on IE. Other patches fix bugs in the Windows OS itself and in various versions of Microsoft Office. A full breakdown of the patches is available here.

Among the more interesting critical patches is a fix for a vulnerability in Microsoft Group Policy that could present unique threats for enterprises that rely on Active Directory, the default authentication mechanism on corporate Windows networks. The vulnerability is remotely exploitable and can be used to grant attackers administrator-level privileges on the targeted machine or device – that means tens of millions of PCs, kiosks and other devices, if left untreated.

Several readers who’ve already applied these updates report that doing so may require multiple restarts of Windows. Patches are available via Windows Update, the patching mechanism built into all recent and supported versions of Windows. For more granular information about these patches, check out this blog post by Qualys as well as the always-useful roundup at the SANS Internet Storm Center.

As always, if you experience any issues applying these patches or after applying them, please leave a note in the comments section below describing your experience.


60 comments

    • I ran into that one on my Office-equipped systems at work. The patch works if it’s downloaded and manually executed.

      MSRT has been a habitual offender on my fleet, simply stopping in its tracks when executed by Microsoft Update. Viable options: killing its process using Sysinternals Process Explorer, forcibly turning the computer off, or standing in a vat of eels at midnight (kidding! sorry eel-lovers!). The MSRT is redundant on my systems anyway, since they already scan daily with Microsoft’s full AV, but sometimes I forget to uncheck its checkbox.

      Looking at the big picture, the trend seems to be a lot of elevation-of-privilege vulnerabilities lately, plus some security-feature bypasses like ASLR goof-ups. In the MS Office bulletins, they do give Microsoft EMET an honorable mention for forcing ASLR on Office’s guts arbitrarily. If you use MS Office, make sure it’s updated and also give EMET a try.

    • I have discovered that every time my computer updates with Microsoft updates and security fixes, it wipes out the registry keys for the apps that came installed by Microsoft on my computer. Microsoft tried to tell me that it was a virus that was doing it and they wanted $150 for a tech to get rid of the virus, but my research into the matter found that it is Microsoft that is causing it. I found Tweeking Computer and I have to run the program after every update by Microsoft so I can access my app store account. The clue that it is not a virus? After my updates I would go to the app store and it would give me an error message when I tried to go on my account that my program was not registered and when I tried to register I would get error messages that the registry keys were missing! Microsoft is refusing to remedy this. It started after I first got my computer a year ago.

  1. Yes I had those exact problems.

    That problematic update (KB3001652) was pulled from the MS update site about an hour ago.

    • It seems, more often than not, Microsoft either pulls or re-releases at least one patch per month — their QA department really needs help!

      I always wait a few days for things to settle down (and for the rest of the world to finish doing the beta testing) before I update any of my systems with either Microsoft or Adobe patches.

      Thanks again to Brian Krebs for the timely notifications…

      • The second Tuesday of every month is Microsoft’s monthly patch day. Feb. 10 is the second Tuesday of February; hence, Patch Tuesday. Brian’s contribution isn’t the timing; it’s explaining what is being patched this month.

    • This patch does work, but only if you apply it separate from all other patches.

      In my case I applied it last, after every other patch that Windows Update wanted to load at the same time.

      That is how I corrected the problem with this patch.

    • I don’t have Win 7 or 8, but my computer froze and hosed my normal mode restore points!! A recovery disc restored back to a really old date and started over again installing one at a time until I realized it was the C++ redistributable that was the problem. It tried to install on 2nd attempt, but froze, so a forced reboot started the installer over again. The update history won’t even acknowledge it was successful, but the Microsoft Baseline Security Analyzer says it took. If you can believe that – I probably got swamp ground in Arizona I’d like to sell! 😉

      Getting to be the typical patch Tuesday anymore! :/

  2. After the initial required reboot, best always check for additional updates because like today, there will likely be one or more identified at that point for follow-on installation.

    • +1
      RE: “Several readers who’ve already applied these updates report that doing so may require multiple restarts of Windows.”
      OS: W7. I did four runs of Live Update and four system restarts to complete this month’s fix cycle. One of the restarts was not required by Live Update but I always restart after any update activity, required or not, just to be safe.

  3. ya I got another update for IE.

    I never install the application experience optional update. The only other optional update I’m wondering if I should install the root ca one? would it improve my security?

    • Root CA refers to Certificate Authority and is important in verifying that software/websites are genuine/secure – several times bad guys have compromised Certificates (so they can install malware or worse without generating a warning to the user about the certificate not being valid).

      It’s a good thing to keep those as up to date as possible (means we have to trust Microsoft etc., but that is the lesser of the evils in this instance).

      http://en.wikipedia.org/wiki/Certificate_authority

  4. My system hung trying to restart. Other updates appeared after the initial updates were installed.

    • Solidly hung my computer. (Let it run for hours.) Ran System Repair. Got “The instruction at Oxfc20a53 [or similar] referenced memory at OxO5173486. The memory could not be read. Click Ok to terminate the program.” System Restore worked. Shades of computer in the last millennium.

  5. Some systems will “appear” to hang while doing internal work and configurations, but the system will recover at some point. The slower CPU and less Memory and such will cause some systems to “hang” for a longer period of time. Same situation on the ‘re-start’ as the system is configuring any number of new settings for security purposes.

    Yes most will have a second series of downloads/updates after the initial series.

    • I tried downloading and installing MS’s just-in critical updates, among them KB3001652, but the process never finished and was frozen in its tracks. I finally had to force a shutdown and when booting up again, trying to run Windows Update, I unchecked KB3001652 to let the other updates download and install. With much patience, I have tried again and again to download KB3001652, but it will constantly hang up. I finally called Microsoft about the problem. They told me that the trouble has to be with my Windows 7 computers. No way! I run two Windows 7, 64-bit, computers, and the problem shows on both machines.

      • As was mentioned much earlier, KB3001652 was pulled. I do not know why you are still seeing it as an option for download, unless you are encountering a cache of the previous available update, rather than the actual update from the MS servers.

        “Earlier today an update to Visual Studios began rolling out, KB3001652 (Update for Microsoft Visual Studio 2010 Tools for Office Runtime). The update was intended to install the 2010 tools for Office Runtime while updating the premature shut down thread in the WPF user interface, fix the lag occurring on touch enabled when shutting down Visual Studios that use the WPF, and address the incorrectly displaying installation Trust Prompt “Unknown Publisher” even when the publisher is fully trusted.

        Well none of that was addressed as reports began to roll in about the problematic installation of this update. The patch begins to install, but never finishes, leaving the update system running indefinitely. The endless loop also continues for some users even after a reboot of the system. The reports of this problem is occurring on servers, workstations, and even Surface Pro 3 devices.

        Visual Studio users are being encouraged to avoid this update until further news is gathered. We will update accordingly as new information comes in.”

        • KB3001652 showed up for me only this morning, after I’d already installed all of the other updates over the last couple of days. It says it was published yesterday (2/11). So, is this a re-issue of ‘652?

          Also, I’m reading widespread complaints about how long it took to download and install this particular set of updates for both Win7 and Win8. On Win7 machines, it’s been anywhere between 15-35 updates, depending on other software such as MS Office.

          It’s also been multiple reboots for most people, which is ridiculous.

    • ” The slower CPU …”

      The 4.77 MHz 8088 is not slow … circa 1981

      “… and less memory …”

      “640 KB ought to be enough for anyone”

    • I let mine run all night, and it never did finish. I have a quad core 2.66Mhz processor and 6 Gbs of RAM. Is my system sufficient?

  6. Brian,
    The MS15-011 technet article isn’t quite clear on whether Domain attached computers will automatically get the necessary configurations to take advantage of the new hardened UNC security which MS15-011 adds to Windows.
    Can you comment please on whether we need to do anything more than just installing all of the patches in order for Domain joined computers to defend themselves against the MITM attacks which MS15-011 and MS15-014 are intended to enable us to defend against?
    thanks,

    • You also need to set the new group policies that the patch enables. Specifically, I’ve set up our policy according to the minimum recommendation in KB3000843 by setting \\*\SYSVOL and \\*\NETLOGON so that your logon script UNC paths are authenticated and integrity checked. Even if you don’t use login scripts, you need to do this, because your PCs will execute forged ones anyway.

      • +1 If you have the scripts in the first place anyway. I assume you are talking about a network under Active Directory?

    • The client computers should receive the updated policy upon logging in, could be an issue with traveling laptops.

  7. I had a problem with an Office update on my Windows 8.1 machine this month, need to investigate further

  8. Once the UNC policy is configured, it will be pulled down by the machines. A reboot is required to implement the policy, since it is a machine policy. My issue is that the GPO path to configure it doesn’t exist. I don’t know if I need to apply the patch to the DC first or what. MS15-011 isn’t clear.

    • |My issue is that the GPO path to configure it doesn’t exist.

      Same here. GPO path doesn’t exist for me either, but I’m holding out on sending those updates to my DC until the weekend. Maybe that will be the solution.

      Fully agree that 15-011 is unclear in direction.

      • Okay, so I patched my workstation and was able to get the NetworkProvider.admx file from %systemroot%\policyDefinitions. I then put that in my ADMX central store and was good to go. Hope this helps someone.

        • And don’t forget the ADML file in the en-US subfolder. I wasn’t paying attention and missed that.

          Deployed to our alpha testers today. No issues yet.

          • John,

            Thanks so much for following up on the procedure(s) regarding admx and adml for the GPO!

            Implemented this morning in our live environment…crossing fingers.

            Sean

            • Yeah, be careful with that. You definitely want a test group. I’m getting some errors that say I can’t get group policy on those machines anymore. They are getting it, but the errors are concerning. I’ve got a case open with MSFT support and we’re working through it. It may be something else in our environment interfering but I’m not sure yet.

              • We’re a relatively small shop, and I forced a restart for everyone at lunchtime. None of my machines had any group policy issues, all Win7/64s.

                Good luck with the PS case.

                Will be interested to see the resolution.

                Sean
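
The thread above comes down to two checks: the NetworkProvider templates are in the central store, and every client ends up with \\*\SYSVOL and \\*\NETLOGON both authenticated and integrity checked. An added example of those checks follows; it is not code from the post or its commenters. The registry key and the `RequireMutualAuthentication` / `RequireIntegrity` option names are the ones Microsoft's Hardened UNC Paths policy uses and do not appear on this page; the function names are hypothetical.

```powershell
# Added example: audit the Hardened UNC Paths policy. Function names are hypothetical.
# Assumption: the policy is stored under this key, one value per UNC pattern.
$PolicyKey       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$RequiredPaths   = '\\*\SYSVOL', '\\*\NETLOGON'
$RequiredOptions = 'RequireMutualAuthentication', 'RequireIntegrity'

function ConvertFrom-HardenedPathValue {
    # 'RequireMutualAuthentication=1, RequireIntegrity=1' -> hashtable of name -> setting
    param([string]$Value)
    $options = @{}
    foreach ($pair in ($Value -split ',')) {
        $name, $setting = $pair.Trim() -split '=', 2
        if ($name) { $options[$name.Trim()] = "$setting".Trim() }
    }
    $options
}

function Test-HardenedUncPath {
    # $Configured maps a UNC pattern to its raw policy string.
    param([hashtable]$Configured)
    foreach ($path in $RequiredPaths) {
        # A path that is absent is missing every option; a present path is
        # missing whichever options are not explicitly set to 1.
        $missing = @(
            if (-not $Configured.ContainsKey($path)) { $RequiredOptions }
            else {
                $opts = ConvertFrom-HardenedPathValue $Configured[$path]
                $RequiredOptions | Where-Object { $opts[$_] -ne '1' }
            }
        )
        [pscustomobject]@{
            UncPath   = $path
            Present   = $Configured.ContainsKey($path)
            Missing   = $missing -join ', '
            Compliant = ($missing.Count -eq 0)
        }
    }
}

function Get-HardenedPathPolicy {
    # Reads the machine policy; returns an empty table when the key is absent
    # (patch installed but GPO never configured, or policy not yet applied).
    $table = @{}
    if (Test-Path -LiteralPath $PolicyKey) {
        $key = Get-Item -LiteralPath $PolicyKey
        foreach ($name in $key.GetValueNames()) {
            $table[$name] = [string]$key.GetValue($name)
        }
    }
    $table
}

function Test-CentralStoreTemplate {
    # Both files named in the thread must exist, or the GPO path does not show up.
    param([Parameter(Mandatory)][string]$PolicyDefinitions)
    foreach ($rel in 'NetworkProvider.admx', 'en-US\NetworkProvider.adml') {
        [pscustomobject]@{
            File   = $rel
            Exists = Test-Path -LiteralPath (Join-Path $PolicyDefinitions $rel)
        }
    }
}

# Constructed sample: SYSVOL is complete, NETLOGON lacks RequireIntegrity.
$sample = @{
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\*\NETLOGON' = 'RequireMutualAuthentication=1'
}
Test-HardenedUncPath $sample | Format-Table -AutoSize

# On a patched, domain-joined machine, after the reboot the machine policy needs:
# Test-HardenedUncPath (Get-HardenedPathPolicy)
```

Running the live check across the test group before a wider rollout shows which machines have not yet picked up the policy, such as laptops that have been off the network.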

  9. I had no problem with the updates. Had to restart my computer twice to get them all in, but no problems.

  10. This patch should obviously be a priority for any organizations that rely on IE.

    Lulz…

  11. Just as an FYI, Windows Server 2003, while still officially supported for security fixes will not be getting the active directory fix and will remain vulnerable to the exploit – so should be listed as “plan on it being supported for security updates, but not really” (Windows XP, which can still be supported at the corporate level for $$$ will also not get fixed).

    A lot of shops still have a 2003 Server or two around for applications that couldn’t move to newer kit…time to get these guys replaced ASAP or air gapped.

  12. Confirmed issue with a Microsoft patch which caused my Windows 8.1. to lock up

    http://www.neowin.net/news/microsofts-patch-kb3001652-is-causing-pcs-to-lockup

  13. Don’t install patch kb3001652 on your Windows 7 or 8 machine, it will lock up Windows or halt updates , during the install process. The only solution is to do a hard reboot to complete the installation of the other security updates before the lock up or halting occurs.

  14. FYI, the updated patch for KB3001652 became available this afternoon and installed with no problem on my Win7 Ultimate x64 desktop, including the required reboot following the initial part of the installation in which there were no hangs. Whatever the earlier issue may have been, it seems to have been resolved now.

  15. My work desktop got stuck on update 6/13 yesterday for 2 hours before IT told me to manually shut it down.
    My home laptop is still stuck on update 4/19.
    What gives?

  16. This update TRULY stinks. It messed up all fonts on my computer. How do I fix this?

  17. Patch KB3013455 is known to screw up fonts on Vista sp2 and Win Server 2003 machines. Most people probably won’t notice the bulk of the misformatted fonts, but one that gets badly corrupted is Courier New !

    I gave up trying to work around it, or using other fonts as the default for my email, and finally uninstalled 3013455 rather than wait for a patch to the patch. I’m told one is coming, but who knows when that will be…

    • Rich (and others with update patch / font problems):

      FYI — I have no idea if this is the solution you need, but I got this in my email tonight, 8 days after the original patch was released:

      ———- Forwarded message ———-
      From: Microsoft
      Date: Wed, Feb 18, 2015 at 8:10 PM
      Subject: Microsoft Security Bulletin Minor Revisions
      ************************************************
      Title: Microsoft Security Bulletin Minor Revisions
      Issued: February 18, 2015
      ************************************************
      Summary
      =======
      The following bulletins have undergone a minor revision increment.
      Please see the appropriate bulletin for more details.
      * MS15-010 – Critical
      Bulletin Information:
      =====================
      MS15-010 – Critical
      – Title: Vulnerabilities in Windows Kernel-Mode Driver Could
      Allow Remote Code Execution
      https://technet.microsoft.com/library/security/ms15-010
      – Reason for Revision: V1.1 (February 18, 2015): Bulletin revised
      to add an Update FAQ that explains why there are two packages
      on the Microsoft Download Center pages for affected editions of
      Windows Server 2003, Windows Server 2008, and Windows Vista.
      The additional package (3037639) is not needed to be protected
      from the vulnerabilities addressed by the 3013455 update; it
      simply corrects a text quality problem that some customers
      experienced after installing the 3013455 update on the
      indicated systems.
      – Originally posted: February 10, 2015
      – Updated: February 18, 2015
      – Bulletin Severity Rating: Critical

  18. As usual, my system slowed to a crawl as Microsoft did its typical pre-download checks on my system. And then the download, which is mostly for IE which I do not use – is monstrous. Windows 7 issue or a 5 year old laptop issue? I can not do hardly anything while this bloatware bloats more!

  19. I’ve always said that if you don’t need to run Windows you should uninstall it and migrate to OSX, Linux or ChromeOS. Windows is the most virus, malware and ransomware infested OS in the world. It’s no wonder there are more viruses, malware and ransomware than actual apps.

  20. I downloaded the last set of updates Tuesday and then got the message there were more to download. Now I can’t open my excel and my computer is extremely slow. I have windows seven and had no issues beforehand with over half my memory available. How do I fix it?? I’m using my phone trying to find an answer. Microsoft was no help.

  21. @Brian: Re: Your comment on this page:
    http://krebsonsecurity.com/2014/12/gang-hacked-atms-from-inside-banks/
    “Anti-malware is generally not going to detect stuff written by a gang like this, at least not in the first 24 hours or so.”
    — I’ve never understood why high-security institutions like banks feel under pressure to read / answer emails within 24 hours. In any case it’s typical for them to answer within 28 days; not 24 hours! Why don’t they implement, as a matter of standard security policy; a 24 hour quarantine on all incoming email, with an extra 24 hours (to make 48 hours quarantine) around the time in the month when MS security updates are released? Is this not an obvious security precaution?
    As for email attachments, hyperlinks etc. Can’t they be filtered out? Can’t a perimeter firewall effectively reprint (via a very locked-down, sandboxed PDF file printer driver) a copy of all incoming PDF documents, MS Word documents, linked Web pages etc.?

  22. Not a security issue (unless a 3-letter agency has pushed something on MS), but File Explorer seems to hang, somewhat at random, after 10Feb2015. This occurs under Win8.1 running ClassicShell(.net). Sometimes an instance of FE hangs from rt-clk, Properties, at other times while trying to Create a shortcut. When the latter, using a mklink in a cmd-shell (I use TC 15 by JPSoft) may break whatever event logjam FE is experiencing. The hang of one instance seems to have no effect on other instances of FE.

  23. I’m seeing issues installing these patches on Win7. My initial install of all the patches, hung after the reboot. I am now installing the updates one by one. So far, I’m seeing issues with 3000483, 3021952 & 3021952.

    • Here’s the updated patches that cause boot failures for me..

      3000483
      3021952
      3004375
      3023562
      3031432

      I will submit this to MS tomorrow.

      • I have exactly the same issues with exactly the same list as yours. Running any of these updates, either individually, or collectively, results in a black screen of death (apart from a mouse cursor) following the reboot. The system never recovers and requires re-imaging after this bug occurs.

        I have managed to get all of the other February updates successfully installed.

        HP Probook 6470b laptop running Windows 7 x64 Enterprise.

  24. Since this Feb batch of updates, I’ve had multiple crashes, blue screens, startup repairs (one saying it couldn’t make a repair but W7 went on to start up anyway), multiple errors – all different. I’ve run everything I can think of to check my own system (memory, disk, virus etc scan), none of which comes back with a fault. The machine works fine in between crashes then either freezes or blue screens. Safe mode often doesn’t work because it freezes before all the files are loaded. I’m moderately but not deeply technical but any ideas welcome.

    • Hi Suzanne, I had the same issues… crashes, etc. since the updates. I used safe mode to restore to an earlier time b4 these recent updates. After that completed and restarted I could then operate normally until I had time to fool with it. I also disabled automatic updates for a couple of days. Tonight I researched it and found a helpful article. I started with Measure #3 Check Firewalls (I enabled the Windows Firewall and disabled my McAfee firewall and ran the 15 updates). It worked!! When it restarted it almost seemed like it was going to be stuck on a black screen again but after a few minutes the windows icon appeared and all became normal again. Here’s the link for the article for step by step. Again, I only did #3. Hope it helps!!
      http://www.ghacks.net/2010/12/20/microsoft-windows-update-overview-all-you-need-to-know/

      • Hi Lynn – I wish! Unfortunately, Safe mode often didn’t load, when it did, it often crashed. The system would stay up for hours then suddenly fall over and I’ve done roll-backs, system restores, startup repairs (some failed but W7 launched anyway!). Error messages on blue screens have been different every time, black screens asked me to do impossible things (no keyboard found, press XXX to continue is my favourite!). I thought I’d found a simple solution when vacuuming the innards kept it going for a whole day but it didn’t last to the next morning. Then it became so unstable I migrated non-server stuff like outlook psts and deposited it at the local computer shop for a full medical! Maybe they’ll find the solution and maybe it was the updates but it was starting to look more like hardware :(

  25. Hey, Brian, you’re the man! I spent the last two days trying to find answers via update links at MS. (Precious time wasted and gone.) If I’d have come here first the cows wouldn’t have had to wait to be milked.

    Ditto to the MS complaints voiced above. Win 7 here, multiple restarts while trying to install latest updates, update triggering a blackscreen ‘ chkdsk for consistencies’ which really had me worried.
    These endless vulnerabilities and patches are unbelievable. I spend more time and money (it’s costly out here in the woods) updating MS than I do actually using the web.
    Who can stop the madness?

  26. It appears as though my laptop had multiple updates installed last night and early this morning, even though I have my settings set to never check for updates. Is it possible Microsoft is pushing these through without my knowledge/consent? I am running Windows 7, 64 bit

  27. My pc had the auto updates installed earlier this week, now several web pages do not work. Can you tell me as I am not that computer literate to get them to work? Is it possible to uninstall the update? Can I just get a patch for IE to work? Any tips are appreciated.

  28. A patch installed on the 22nd ‘broke’ the security certs in my laptop. I’m running Win 8.1 on a Lenovo. After the patch was installed any https site stopped working, regardless of what browser I was using. It was terrible, I wasted a couple of hours trying to figure out the problem. Finally I just decided to rollback the patch. After rolling back the system state to an earlier date, I was able to browse/work as usual.