June 14, 2016

Microsoft today released updates to address more than three dozen security holes in Windows and related software. Meanwhile, Adobe — which normally releases fixes for its ubiquitous Flash Player alongside Microsoft’s monthly Patch Tuesday cycle — said it’s putting off today’s expected Flash patch until the end of this week so it can address an unpatched Flash vulnerability that already is being exploited in active attacks.

brokenwindowsYes, that’s right it’s once again Patch Tuesday, better known to mere mortals as the second Tuesday of each month. Microsoft isn’t kidding around this particular Tuesday — pushing out 16 patch bundles to address at least 44 security flaws across Windows and related software.

The usual suspects earn “critical” ratings: Internet Explorer (IE), Edge (the new, improved IE), and Microsoft Office. Critical is Microsoft’s term for a flaw that allows the attacker to remotely take control over the victim’s machine without help from the victim, save for perhaps getting him to visit a booby-trapped Web site or load a poisoned ad in IE or Edge.

Windows home users aren’t the only ones who get to have all the fun: There’s plenty enough in today’s Microsoft patch batch to sow dread in any Windows system administrator, including patches that fix serious security holes in Windows SMB Server, Microsoft’s DNS Server, and Exchange Server.

I’ll put up a note later this week whenever Adobe releases the Flash update. For now, Kaspersky has more on the Flash vulnerability and its apparent use in active espionage attacks. As ever, if you experience any issues after applying any of today’s updates, please drop a note about it in the comments below.

Other resources: Takes from the SANS Internet Storm CenterQualys and Shavlik.


49 thoughts on “Microsoft Patches Dozens of Security Holes

  1. Charles

    FYI Update for Windows 7 for x64-based Systems (KB3035583)

    “Update installs Get Windows 10 app in Windows 8.1 and Windows 7 SP1”

  2. Dr. Tony Newman

    Windows 10 ain’t so bad once you get past the time tunnel.

    1. rayy

      I wish I hadn’t “upgraded”–I have this flashing problem, once a minute it cycles & I have to click on the “active” window to make it active again.

      1. SalSte

        I had that on a few machines I upgraded as well. Check the Event Log and look for any kind of crash of Explorer.exe, and what the faulting module was. I had to do a web search for a few of the ones I’ve seen, but they were all related to software installed along with a driver from the old Windows 7 installs on the machines.

        Remove the offending software, reboot the computer, and you should be good to go. Windows will install the correct driver on its own.

  3. Stratocaster

    Adobe may still be waiting to post a Flash update, but they have already posted an update for Adobe AIR.

    1. JimV

      So where’s the new one? The usual AIR download page is still pushing out v21.0.0.215, which was released last month.

  4. David Thompson

    Went straight to Windows update, on both the in-use machines (pc and a laptop, both fairly new and on Win7) and after 50 minutes am still getting the sliding green thingie on the search for updates page. Too late for me? No, at least on the laptop, I cannot use Win10 -tried it, rued it, spent five hours over two days with some young fellow in the Phillipines undoing it.

  5. Liane

    Uninstalled Adobe several months ago, never looked back, never had an issue.
    Used a registry hack to prevent win 10 nags and delete downloaded bloat crap.
    Uninstalled Java as well, no need. Turned off auto install of updates from Microsoft and have blocked Internet Explorer from being used. And only use iPad for mail, keeping it completely off computer. Seems to work for me. Plus I block every ad I can with Adblock and I pretty much avoid using computer to randomly surf. I use it as a computer to write. Only connect when I need to.

  6. Jim

    Security Update for Windows 7 for x64-based Systems (KB3159398) will not install. Made 3 attempts with no joy.

    Windows 7 Pro

    1. Jim

      (KB3159398) still not installing. Yesterday the troubleshooting module (Windows Modules Installer) uploaded for thirty-minutes with no problems found.

    2. Chris Thomas

      I have read that setting Windows Update to ‘automatic’ is how to pry the necessary downloads from Microsoft. It is said that initiating updates manually causes the slowdown. Of course this method requires patience from the user.

      Mr Nadella seems intent on dragging the company he runs into disrepute. Someone will write a book one day on the serious damage that upsetting customers can do to a business. Once this sort of behaviour seeps into a company’s culture, it is near impossible to drive it out.

      1. Jim

        Had to kill auto. Redmond is hell-bent on installing KB5583 and GWX on my machine without my consent. I disliked 8 and loath 10. Have enough stress with Trusted Installer holding folders/files in the registry hostage.

  7. G.Scott H.

    My Windows 7 computer is still checking for updates. The Windows Update service is using about 50% CPU for hours. I have WU configured to check but notify and not install.

    This seems to have been going on and getting worse since GWX first appeared. I have refused Windows 10 due to compatibility issues.

    1. Eric

      I don’t know how it is that Microsoft managed to bungle Windows Update so badly, but it seems like it is a frequent problem that the whole thing becomes hosed in some way or another, and it can be a real bear to try and figure out why and get it all fixed again.

      As with most things Microsoft, it is way over-engineered, and overly complex. Lots of interrelated pieces, all of which need to function properly for it all to work, and for reasons I have never understood it can be horrendously slow. I set up a new Windows-7 machine in a testing lab recently, and Windows Update had to run overnight to even figure out what updates were required, and then it took nearly all of the next day to actually install all of the updates.

      1. Chris Thomas

        At least it is not down to individual problem Windows 7 systems, judging from the universality of the issue.

    2. Arbee

      Monthly updates for 32- and 64-bit versions of W-7 (SP1): using W-7 suggests I have no expectation of being thoroughly up-to-date. I typically wait one or two days beyond Patch Tuesday before attempting to download / install the updates. The only thing you get by being early is bragging rights. Okay, there’s also one or two additional days with known exposure or vulnerability. Delaying a few days doesn’t make the update process a breeze, but it does significantly reduce the wait before the updates are listed and can be downloaded. Also, some months, one or more of the updates is … quirky. That’s another reason I don’t rush to the front of the line.

    3. Sasparilla

      Ran into this with some newly created Windows 7 VM’s. My personal take is that this is on purpose…but anyways.

      I found the following and it helped me significantly, came from about 2/5 of the way down this page:

      http://superuser.com/questions/890038/why-is-checking-windows-update-so-slow

      This is what I do when I reinstall W7 with SP1 or have issues with Windows update stuck on checking for updates.

      If Service Pack 1 is not installed, install it before following this guide.

      Download KB-3138612 and save it where you can find it later.
      https://support.microsoft.com/en-us/kb/3138612

      Download SUR Tool save it to same place:
      http://windows.microsoft.com/en-us/windows7/what-is-the-system-update-readiness-tool

      Restart the PC and disconnect from internet before Windows loads, this is important because at every boot windows will check for updates in the background and this will start the checking for updates hang all over again and will prevent the install of the downloaded packages until it finishes checking, so disconnecting from the internet before Windows loads prevents this.

      Once booted install KB-3138612, if reboot is required do so and stay disconnected from internet.

      Now install the SUR Tool package, this is a big package and will install many updates along with cleaning up and repairing the Windows update store. It will also cut down on how many more Windows updates will need to be installed later.

      After install of SUR package reboot, connect to internet and do a manual Windows Update, it should work much faster now. Even after these fixes I have seen some W7 PC’s take up to an hour to finish checking for updates if launched from Control Panel manually.

      1. KFritz

        I like the way the description on the SUR Tool download page puts the onus on the owner of the computer, that for example, a ‘damaged system file’ prevents Microsoft’s wondrously designed update from installing. Can’t be that they screwed up–oh no!

      2. KFritz

        Instead of disconnecting from the internet, is turning off “Automatic Updates” good enough to install KB-3138612 safely?

        1. Sasparilla

          Don’t know KFritz, I’d just temporarily unplug the network cable or switch off the WiFi on the machine you’re doing this on just to be sure.

          It’s preventing the machine from trying check back with Microsoft and start the process of cataloging the updates (which it does in a sub-optimal manner) – not sure if it’ll still do that even with automatic updates turned off. This fixed things for me on a Windows 7 x86 and a separate x64 installation. Good luck.

    4. SeymourB

      Periodically Microsoft will screw up the windows update system and quietly push out a kernel update that fixes it, even though the published fix for that update is unrelated to WU. The problem is that as Windows gets patched eventually the old update stops working, at which point Windows Update is broken until they get around to pushing out a new one.

      The latest update that fixes WU is actually part of this month’s updates, KB3161664. Download that separately and install it first and it should be less temperamental about finding the rest of the available updates.

      Woody on Woody has been doing a good job of keeping track of these kernel updates and which one currently needs to be installed in order to fix WU. If you’re not inclined to reading technical journalism you may need to take an extra Adderall before poking around, since the information is typically mixed into the topics being discussed in the current article and not the sole topic being discussed.

      1. KFritz

        The download page identifies KB3161664 as an update for Vista that requires Vista Service Pack 2. Have you installed this on machine running Windows 7?

        1. SeymourB

          https://support.microsoft.com/en-us/kb/3161664

          KB3161664 applies to Vista all the way up to 8.1. Though each OS gets a different executable, they’re all KB3161664, as you can see from the hash list on that page.

          Were you using duckduckgo or another off-the-beaten-path search engine?

          1. KFritz

            Many thanks. Installation of KB3161664 did fix the download process–I can do manuals again!

            I did use DuckDuckGo, but when I did another search using DDG, moments before writing this, AskWoody and the explanation for all working Windows systems appeared at the top of the list. The mistake was probably mine, and not DDG’s .

  8. danger danger

    ‘BadTunnel’ Bugs Left Every Microsoft Windows PC Vulnerable For 20 Years

    Thomas Fox-Brewster, Forbes Staff | Jun 14, 2016 @ 01:00 PM

    “Microsoft is today closing off a vulnerability that one Chinese researcher claims has “probably the widest impact in the history of Windows.” Every version of the Microsoft operating system going back to Windows 95 is affected, leaving anyone still running unsupported operating systems, such as XP, in danger of being surreptitiously surveilled.

    According to Yang Yu, founder of Tencent;s Xuanwu Lab, the bug can be exploited silently with a “near-perfect success rate”, as the problems lie in the design of Windows. The ultimate impact? An attacker can hijack all a target;s web use, granting the hacker “Big Brother power”, as soon as the victim opens a link or plugs in a USB stick, claimed Yu. He received $50,000 from Microsoft;s bug bounty program for uncovering the weakness, which the researcher has dubbed BadTunnel. Microsoft issued a fix today in its Patch Tuesday list of updates.

    “Even security software equipped with active defense mechanisms are not able to detect the attack,” Yu told FORBES. “Of course it is capable of execute malicious code on the target system if required.””

    – Complete Story:

    http://www.forbes.com/sites/thomasbrewster/2016/06/14/microsoft-badtunnel-big-brother-windows-vulnerability/
    (Archived) https://archive.is/6My6c

  9. ethical hacking

    Your work are so good and amazing i really love to see this kind of helpful and positive post thank you for sharing this with us.

    1. x2

      Yup, got ours pushed in last night and came in to this fun today.

  10. Heron

    I divvied up the updates for our Windows 7 Pro machine. The Windows updates (minus KB3159398, and the one checking for Win X compatibility, which I skipped) downloaded and installed quickly, but the Office updates took about an hour, for some reason.

    I always look at the descriptions for updates. The one checking for Win X compatibility is described as “recommended,” even though it’s listed among the important updates. Tricky!

  11. Mike

    As for me, I’m done with Windows. Any future install will be Linux. They can keep their updates. They can keep their OS.

  12. sasha

    Those wishing to avoid the Windows 10 upgrade should check out GRC’s “Never 10”.

    “Never 10 is an easy to use utility which gives users control over
    whether their Windows 7 or 8.1 will upgrade itself to Windows 10.”

    “The elegance of this “Never 10” utility, is that it does not
    install ANY software of its own. It simply and quickly
    performs the required system editing for its user.”

    https://www.grc.com/never10.htm?1

  13. Chris Pugson

    M$ too big to fail? What a terrible thought that such an event would put EVERY business in the entire world in direst danger and precipitate the most colossal economic depression. Would the laissez faire liberal economic system that is the foundation of the business culture of the USA permit a rescue of M$?

    M$ is as vulnerable to the exigencies of cashflow as any other business and, what is more, its products do not perish, just becoming less and less secure but still working.

  14. Chris Pusgon

    I see that Adobe’s Flash download web page ( https://www.adobe.com/products/flashplayer/distribution3.html ) is now due for decommissioning on 30 June 2016. What goes on in the heads of execs at Adobe that drives them to assert their authority and show contempt for their users in this way?

    A problem created by Adobe for users with old hardware: the installation software obtainable from Adobe’s preferred web page will not run on pre-SSE2 equipped processors, yet Flash itself can run on a PC with a pre-SSE2 processor. What a confused mess these corporations are! No wonder security is in a tail-spin.

  15. Chris Pugson

    Adobe is yet again threatening to prevent access to its distribution3 web page (for downloading the full Flash Player installer). Does Adobe care about promoting safe and secure viewing of its customers Flash creations? Apparently not. It seems more important to Adobe execs that they assert their authority over Flash Player users. The Flash Player scheduled update task takes several days to make the latest version available.

  16. Save me

    First of all stop wuaupdates in services, after this is the the install order: manually download kernel update (restart optionally) after also manually download cumulative security update for IE (again restart) and everything patches install autamatically.

  17. Elliott

    One of these updates caused MS Office 2016 to kick up a “Something went wrong” error. I’m still trying to track down which one did it. The only fix so far is using the system restore.

  18. John D.

    For users of older Windows:

    A lot of Windows 7 users have noticed that connecting to Windows Update has become really slow, as noted above. But for users of Windows Vista, it’s really REALLY slow. Like 24 hours slow! (And it doesn’t even have the “Updates to Windows 10” problem.)

    The solution is discussed on this thread:
    http://www.bleepingcomputer.com/forums/t/611898/windows-vista-update-hangs-at-checking-for-updates/

    and a simple solution is on this page:
    http://wu.krelay.de/en/

    In short, turn Updates fully OFF and download the updated on the krelay page manually. Only then turn it back on.

    1. Chris Pugson

      Thank you very much for that information.

      The solution found at http://wu.krelay.de/en/ fixed my Windows 7 update issue. In my case, one update, KB3161664 from Patch Tuesday June 2016 was actually required to be installed ahead of the Patch Tuesday updates so that they would work at all.

  19. Pete

    Windows 10 is as bad or good as the user…. It is a major install, so I would never “upgrade to it” no matter how many times MS says you simply can. That process has never worked for Windows, so stop believing it will magically start now and you not have issues / optimal performance afterwards. I have six clean installs of Win 10 running at home, all without issue. I tried the upgrades with mixed results. In the end clean installs all worked much better performance and stability wise. MS Edge is the only software that seems to suck, but you can still use IE; so, not an issue.

  20. Chris Pugson

    I have a Windows 7 system which uses hardware which is incompatible with Windows 10. On Patch Tuesday 14 June 2016, I found that ‘important’ security updates have been blocked. Strangely, the update mechanism was working on the previous day, Monday 13 June 2016 when an update check was completed though there were no updates reported to be available for Windows Defender or otherwise on that day. I infer that Microsoft has withheld security updates from me. I am now in a security update limbo.

    There are plenty like me who have Windows computers which are 4 years-old or more. Is this a triumph of the will of Mr Nadella?

    We Brits would say that this is a good old-fashioned cock-up. Others might say it was incompetence on the part of Microsoft. For those thus left high and dry by Microsoft, it is a horrid fix to be in.

    Microsoft has a monopoly and proprietary rights over its software which is NOT open source and which comprises 90% of software use worldwide. The well-being of world-wide business is thus in the hands of this monopoly. Is it safe for business to repose such responsibility in Microsoft?

    Security is plainly not in Microsoft’s corporate consciousness if it can sever users from its security updates.

  21. SourPussTechie

    Microsoft/Windows, you’re a mutherfuqin’ piece of sh!te!!! You would have been better off sticking with xp or 7 and patching it to death instead of trying to impress us with 8. Sick to death of working on people’s PCs, even fresh installs……..only to NOT be able to do simple sh!t like Windows Update or MSE updates or anything productive. You waste my time.

    When I sit down at my Mac, I can just get to work, no updating, no workarounds, no searching for solutions, no error codes, no Fixits that don’t work, no combing through forums, no fuqing bulllsh!t. The only reason I have PCs anymore is to play old adventure games I love. I’ve had the same macbook since 09 and I’ve never experienced a blue screen of death (or any other color) and I had no idea new OS’s were free.

    Anguished customers remind me every day why I do my banking, coding, and creating on that old macbook. (Actually, I’ve been telling most people I don’t have time to do this crap anymore, and I send most of them a link to try themselves). To top it off, MS help pages are a joke, with people from India recommending the most basic sh!t we’ve already tried before coming to you. Then you offer ‘real’ help….for a fee! These crappy PCs are toys at best. Games will remain the only reason this girl with tolerate them! pffffffffffffffft! Bite hard into my a$$!

  22. Shirley Nicholson

    Which update of 14th June 2016 is the one which disables Window 7 Explorer preventing it from copying or moving, and sometimes deleting files? Restoring the computer to before that date corrects the problem? I have asked Microsoft but they do not seem to be able to solve it.

  23. Divina staffy

    Hi.Thanks for the information and I have read your blog and i got a very useful and knowledgeable information from your Microsoft online training blog. Its really a very nice article.You have done a great job .You have really helped lots of people who visit blog and provide them useful information. ,you can get latest information about Microsoft related services from here<a href="https://www.gangboard.com/microsoft-training

Comments are closed.