Microsoft today released updates to plug at least 26 separate security holes in its Windows operating systems and related software. At the same time, Microsoft has issued a stopgap fix for a newly-discovered flaw that attackers are actively exploiting.
The security fixes are included in seven security patch bundles, three of which earned Microsoft’s most dire “critical” label, signifying that attackers can exploit them without any help on the part of the user. Redmond patched vulnerabilities in Windows, Internet Explorer, Dynamics AX, Microsoft Lync (Microsoft’s enterprise instant message software), and the Microsoft .NET Framework.
Microsoft called out two patches as particularly important: the Internet Explorer bundle (MS12-037), which addresses 13 issues; and a critical flaw in the Windows remote desktop protocol (RDP). Updates are available for all supported versions of Windows, via Windows Update or Automatic Update.
In a separate advisory published today, Microsoft warned that it is aware of active attacks that leverage a vulnerability in Microsoft XML Core Services 3.0., 4.0, 5.0. and 6.0. This is a browse-and-get-owned flaw that can be triggered when an Internet Explorer user on any supported version of Windows visits a specially crafted Web page. Microsoft does not have an official patch available yet for this flaw, but it has issued a FixIt tool workaround that effectively disables the vulnerable component. The vulnerability was discovered by Google, which said it saw the flaw being exploited in the wild in targeted attacks.
A summary of the patches released today — with links to the individual patch advisories — is available here. As always, if you experience any issues applying these patches, please sound off in the comments below.
Brian, first of all a big thanks for these notifications.
I do not know if this qualifies as an issue applying the patches, but here it is :
W7 Home Premium, 64 bit, Service Pack 1.
Update history shows last update was this morning : one patch for Windows Defender.
Last patch for Windows was June 5.
When I check for updates MS tells me only optional updates are available.
However, if I use the URL provided in your last paragraph I find critical (as well as important) updates listed for W7 x64 in the MS Security Bulletin.
The above is a desktop.
Similar story for my small netbook with W7 Starter Edition.
Should I be concerned ?
My other machines, one with XP and the other with Vista, downloaded and installed 10 and 9 patches (respectively) without any problems.
I have the same problem, but with Windows Vista. Even tho I have set the program to download and install updates automatically, the update page shows only optional updates and does not reveal critical and important updates until I run “check for updates.”
Any suggestions?
George, John, I wouldn’t be too concerned. Sometimes the Windows Update client on the computer (via the control panel) takes a little longer than one would like.
Which setting do you guys have set for Windows Update? To just alert when new updates are available, download but don’t install, or download and install?
I didn’t have any problems seeing 9 security updates available today via Windows Update on the Win 7 Ultimate PC.
Brian, thanks for the quick response.
Here are the update settings for my W7 Home Premium 64bit SP1 machine :
Automatic installation of updates every day at 3am.
The following are checked :
Give me recommended updates the same way I receive important updates.
Give me updates for MS products and check for new optional MS software when I update windows
Unchecked :
Show me detailed notifications when new MS software is available.
John, I am not getting any indications of critical updates even when I run “check for updates”, even though there are some,
George,
You may have no critical updates available (I don’t: all 9 security updates I have available are rated “important” Microsoft says).
A patch can carry an overall “Critical” rating and still only be rated “moderate” or “important” on some OS’es with different service packs (and whether it’s a 32-bit or 64-bit OS). It’s important to note that often the distinction between critical and important is a fine one, and that important vulnerabilities can still be quite dangerous.
Thanks again, Brian.
Today’s MS Security Bulletin indicates (KB2685939) as Critical for W7 64bit SP1.
“Security Update for Windows 7 for x64-based Systems”
I had no issues with the notifications, downloads or installations on any of my computers (Win7x64 Pro, Vista32 Home, Vista32 Ultimate, XP Pro SP3). I prefer to manually run Windows Update, but that should have made no difference other than a quirk of timing — if the autocheck process was performed earlier than the updates actually posted and became live in Redmond, I suppose a user might see an artifact with the incomplete list for awhile until his or her system performed a scheduled recheck and the list was updated.
Guess I spoke a bit prematurely, as the Fixit patch Brian referenced seems to have an odd issue on the Vista32 Ultimate machine and fails when it attempts to create a restore point. On all the other XP Pro, Vista32 HP and Win7x64 Pro machines, the Fixit patch processes successfully to completion, but will not do so on the Vista32 Ultimate one even after a clean download of the MSI file to a different location and rebooting.
Not sure if Brian or someone else might offer advice, but here’s a description of the consistent failure in the process. After the patch launches and I toggle the “accept” box then click the “next” button, the patch opens a “creating restore point” box with a progress bar area in which nothing ever appears — no colored bar in the least, and after 10-15 seconds a new box pops up over that one with this statement:
“The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2738.”
When I click on “OK”, it’s replaced by a box very similar to the one seen upon completion with three option buttons. The top and bottom buttons are identical (“tell us what you think”, “click to read more about Fixit”), but the middle one is slightly different (“click to get online help”) and links to a generic page on the MS website where you’re invited to select the OS version or application involved in the problem — a marginal self-help form of directed guidance, given the arcane specificity of that error message.
FWIW, I run MSE as the resident AV and ZoneAlarm Pro as the resident firewall, with regular weekend manual scans using several others (MBAM, SuperAntiSpyware, Kaspersky TDSS rootkiller, and Panda Cloud) and no malware has been detected by any. I generally don’t use IE for anything other than Windows Updates and rely on Firefox instead, so maybe it isn’t a big risk.
I’ve now tried to run this Fixit50897 patch multiple times with different downloaded executable files, including one on a thumb drive that successfully applied the patch on the other computers — each time I have the same result on the problem computer so it seems to be something with this Vista Ultimate OS. It occurred to me that perhaps some garbling was introduced with he attempts that needed to be undone, so I also tried to run the companion 50898 patch before trying the 50897 one again, but got the exact same result with the restore point box and error message.
Since the error seems to have an association with the failure to create a restore point, I launched that applet directly from Start | System Tools and it shows a restore point was created at the appropriate time by the Fixit patch, though I can’t read the full description. So, I’m truly stumped for the evening and will post this with hopes of more enlightenment or suggestions from smarter wizards or anyone else interested in helping me solve the mystery tomorrow.
Just a follow-up to note that I’ve never been able to get the Fixit patch to install, nor have my posts to various MS blogs or help/answer sites yielded anything effective at overcoming the arcane error on that one Vista Ultimate machine. Since July’s Patch Tuesday is about to arrive next week, I decided to simply wait and see what the advance notification posting says about whether this zero-day flaw is addressed — if so, I’ll see whether the official fix will install correctly. If it does, problem resolved — if not, then I get to elevate the issue and gain official assistance in resolving whatever may be the cause.
Brian, thanks again for taking the time to respond.
I just installed the critical update via the Security Bulletin itself.
One can go to the table of updates and there click on the name of the update (in blue) and that will take one to a page from which the download can be initiated.
On to rebooting the machine …
downloaded all of the update released by Microsoft..thanks for available those.. installed all of them in window 7 ultimate 32bit without any problem,also have a optional update for window media player…ms thnx
After installing today’s MS patches, I ran a Secunia scan. It disclosed that my ax Flash player (11.2x), was insecure, and that 11.3x was available. I downloaded and installed the latter.
Just mentioning this here because I don’t recall any advisory in re yet from Brian.
I wrote about it last Friday, Jay.
http://krebsonsecurity.com/2012/06/critical-security-fixes-for-adobe-flash-player/
I’ve been blogging a lot since then, so it got pushed down the page a bit.
So you did, indeed. My ignorance of the Flash update is due solely to Adobe’s obviously defective notification system. Awhile back, I set up for automatic Flash update advisories from Adobe, with opt-in-only downloading and installation. These notifications theoretically occur–I believe–only upon a reboot. I have rebooted 2-3 times since the Flash 11.3ax was released. Not once have I seen an update notification on my screen.
Congrats, Adobe, for consistently maintaining a most annoyingly deficient legacy of buggy software development and updating.
Jay, my Flash hasn’t told me about an update either. I’ve checked my settings (notify) and rebooted plenty, but it’s still out of date. Win 7 Home Premium SP1, 64-bit
it seems like the flash notification may require you to log in to trigger it….
i just got the notice when i logged into one of my computers after doing this ms update….
Sadly, while there used to be 4 flash installers (32bit, 64bit x NPAPI, Ax), there are now 2 programs (NPAPI, Ax) which manage both 32bit/64bit, but the updater for one isn’t responsible for updating both. So even if you do get the “update available may i install” prompt, it may not update everything, so check add-remove, or use [mozilla] plugin-check, or something.
Mozilla Plugin Check: http://www.mozilla.com/en-US/plugincheck/
— works w/ most browsers on major platforms, and is fairly handy.
My Flash finally prompted me to update today and passes the test this link (which I’ve bookmarked, thanks) runs.
Yesterday I checked the notify box here* and shut down. Today I received the update notice. May be a coincidence, but maybe not! I thought with the newer Flash your settings were stored on your computer rather than in your browser, so I was surprised these settings pages still existed.
*here = http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager05.html
Updates appear stable on SBS 2011 & 2008 R2 SP1
Thanks for the info Brian – much appreciated. I have auto updates selected, but checked manually which confirmed these updates had not been done. Would that be a schedule thing for us in the UK? All installed now, so advise anyone to double check.
Thanks, Brian. I like this article.
Brian – thanks for the update.
Looks like there is also a freshly released version upgrade from Sun for Java 6.x to version 7.
I know this is one of your “don’t install it unless you have to use it” programs, unfortunately, I have to use it.
It looks like it also installed with a separate, new (or maybe I haven’t noticed it before) cr@pware multimedia component, Java FX. Have not read up on it yet, but it just makes me cringe that I have to have Sun’s Java Junk on my PC.
Yep. Not only that, but Apple is now finally releasing Java security updates in step with Oracle. I said in my story that it must have been some strange planetary alignment. A reader on Twitter wrote: “must be the effects from the transit of Venus in front of the sun, won’t happen again until December 2117 lol”
http://krebsonsecurity.com/2012/06/apple-oracle-ship-java-security-updates/
Did anyone else read about their plan to force retire RSA keys under 1024 bit length? They talked about it on their PKI blog. Sounds like there’s going to be a lot of headaches come August when certificates that have been annually renewed come due. They did pointedly say that anything older than 2010 will be grandfathered in, so here’s hoping that legacy programs won’t have another issue to deal with.
I’m hoping that 1024bit certs will be killed on the fast side. Legacy or not, if you’re near the point where people can start using a botnet and a chosen-prefix attack to forge a cert, then your cert has no value except for misleading users into trusting it. At that point, we need to drop support for your cert class.
This is the attack that the MSTS cert suffered (although it was 512 bit iirc, but the attack against it was probably 5 years ago, so the math should scale…).
Oh look, another RDP flaw that might lead to RCE? I wonder when there will be a channel on Freenode dedicated to exploiting it, or rather, trying?
As for the 0day, the fact they have a fix tool released, surely they should just bundle this in with the patches as a temp workaround until they release a proper patch? IMHO if a vuln is being exploited, they should release some kind of migitation immediately, be in in band or out of band.
The reason they don’t is that some people may have “mission critical applications” which use the component.
If auto-update periodically (and randomly) broke mission critical applications that people used, they’d stop using windows update, which would make the situation even worse.
It’s unfortunate that there isn’t some better way to balance this. I’m sure Microsoft is looking into better ways, but….
Personally, I tend to manually disable all available IE components unless they’re things I know I want.
“The security fixes are included in seven security patch bundles, three of which earned Microsoft’s most dire “critical” label, signifying that attackers can exploit them without any help on the part of the user. ”
And how many years were these holes open?
I treasure each new MS update, almost always you’ll find *PATCHES* (ha!) to REMOTE EXPLOITS (lol!).