Woody Leonhard’s no-bull news, tips and help for Windows and Office
  • ActiveX patch KB 969898 – same old, same old

    Posted on July 11th, 2009 at 23:00 woody 14 comments

    Reader SH writes:

    I am showing an update Active X Killbits for Windows XP KB969898. Is that one OK?

    Unfortunately, KB 969898 includes all of the old ActiveX killbits in KB 960715, plus three additional killbits that knock out ActiveX controls made by HP, eBay and Microgaming. I say avoid it, for the same reason that I advise avoiding KB 960715.

    Use Firefox. That’ll keep you safe.

  • MS-DEFCON 4: Apply most patches now, but watch out

    Posted on July 11th, 2009 at 07:24 woody 18 comments

    With six security bulletins on the way next week, now is the time to get your system brought up to speed. I’m moving us down to MS-DEFCON 4.

    I’m begrudgingly giving the green light to Windows Vista Service Pack 2/KB 948645. If you’re going to install Windows 7 on a Vista machine, you might want to skip SP2, but it looks like Microsoft has most of the SP2 problems ironed out. Remember to download the Service Pack, perform a full backup, unplug your PC from the Internet, re-boot, then disable your antivirus software, to make sure nothing else is running, prior to installing the patch. If SP2 is not offered on your Vista machine, check out KB 948343 for a list of potential problems.

    I’m also recommending that you bite the bullet and install the mess of a mess of a .NET Framework patch, KB 951847. Microsoft has finally given up on surreptitiously installing a Firefox add-on as part and parcel of the patch – good news. It’s still horribly messed up, but that pretty much defines .NET Framework anyway.

    I’m still uncomfortable with Office 2007 Service Pack 2 / KB 953195, but I’m going to recommend that you install it anyway. The biggest problem I’ve seen involves deactivated Office components: if you have SharePoint Server 2007, Project Server 2007, Search Server 2008, or Forms Server 2007 installed, check KB 971620 to get your licenses back.

    I’m also recommending that you install Internet Explorer 8. Microsoft seems to have ironed out the problems with IE8, and IE security holes are legion, including that new 0day with Video ActiveX. Remember – install IE 8 and patch it, but use Firefox or Chrome.

    Those are the ones I think you should patch. Two biggies are still on my “don’t patch” list:

    Windows XP Service Pack 3, KB 936929. If you’ve been keeping up on all of your patches, there’s no pressing reason to install it. If you decide to install it, and you have problems, be sure to check out Microsoft’s Knowledge Base article KB 950718.

    KB 960715, the ActiveX killbit update, still breaks many programs. I don’t think the cure is any better than the disease. Of course, you’re using Firefox (or Chrome) – or any Web browser that doesn’t directly expose your machine to ActiveX infections, right?

    So there you have it. Install all Microsoft patches except the ActiveX killbit update and Windows XP Service Pack 3. Step lively. Six more bulletins are coming shortly.

    We’re at MS-DEFCON 4: There are isolated problems with current patches, but they are well-known and documented here. Check this site to see if you’re affected and if things look OK, go ahead and patch.