MS-DEFCON 2: Eight Security Bulletins are out
Posted on April 15th, 2009 at 07:16
April’s Black Tuesday has come and gone, and we have eight new Security Bulletins to watch.
MS09-009 / KB 968557 is the promised patch for the 0day hole in Excel that I first wrote about on February 25. The hole is considered “critical” for Excel 2000, but only “important” for other versions of Excel because in order to get zapped you have to click through a warning dialog. There’s no big rush for home users to apply the patch because attacks, to date, have been focused on a small number of companies. Besides, you’re using Office XP, 2003 or 2007, aren’t you? I’ll be watching this one closely, though, because it could spread.
MS09-010 / KB 960477 is a strange one because it covers the Office text converters (and, of all things, Wordpad). There’s a detailed explanation on the MS Security Research & Defense blog, but it all boils down to a bug in the converter that allows you to open old document formats in Word. If you get a file that was saved in Word 6 or Word 97 doc format, it could be infected. (And, no, there’s no way to tell by looking at the file name if it’s an oldie.) You could also get infected by opening a WordPerfect, RTF, HTML or Works file in Word. Note that the hole exists in the converter itself – it doesn’t matter if you have Word rigged to block macros. The fact that you can get infected by using Wordpad speaks volumes. This is an old, old known hole that Microsoft acknowledged four months ago.
MS09-011 / KB 961373 is an obscure DirectX bug that can kick in when you play a bad AVI file. No known exploits as yet.
MS09-012 / KB 959454 resolves the “Token Kidnapping” hole in Windows that Microsoft acknowledged in KB 951306 more than a year ago.
MS09-013 / KB 960803 fixes three separate bugs that are not common in a home environment. Microsoft says the problem appears when “a client-side application uses WinHTTP to generate a network-based request to a malicious server. The malicious server responds with a malformed request causing either a client-side application crash or code execution.”
MS09-014 / KB 963027 is another monster Internet Explorer patch, covering at least a half dozen different security holes. You will need it eventually if you have Internet Explorer 6 or 7 installed. If you’ve already upgraded to IE 8, you’re covered.
MS09-015 / KB 959426 fixes a hole (and adds a new low-level function to Windows) that involves the sequence in which Windows searches for files. Ho-hum.
MS09-016 / KB 961759 is yet another fix for ISA, the Internet server package. If you run ISA, you already know it. Chances are good you don’t, and you can ignore this patch.
I’ll keep you posted. In the interim, we remain at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.
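As an added example (not from the post or its comments), the following PowerShell script maps the eight bulletins above to the KB numbers given for them and reports which are already installed on the local machine. It assumes PowerShell 2.0 or later for Get-HotFix, and it includes the alternate KB numbers the author lists in the replies below, since Windows Update may show a bulletin under one of those instead.

```powershell
# Added example (not from the original post): map the April 2009 bulletins
# listed above to their KB numbers, then report which of those KBs are
# installed on this machine. Assumes PowerShell 2.0 or later for Get-HotFix;
# on older systems 'wmic qfe get HotFixID' returns the same list of IDs.

# Bulletin -> KB numbers, taken from the post and its replies. A bulletin can
# show up under an alternate KB number, so several are listed where the
# author gave them.
$bulletins = @{
    'MS09-009' = @('KB968557')
    'MS09-010' = @('KB960477', 'KB923561')
    'MS09-011' = @('KB961373')
    'MS09-012' = @('KB959454', 'KB952004', 'KB956572')
    'MS09-013' = @('KB960803')
    'MS09-014' = @('KB963027')
    'MS09-015' = @('KB959426')
    'MS09-016' = @('KB961759')
}

function Get-BulletinStatus {
    param(
        [hashtable]$Map,
        # Installed hotfix IDs. Defaults to the live system, but a list can be
        # passed in so the function also works against an exported inventory.
        [string[]]$InstalledIds = (Get-HotFix | ForEach-Object { $_.HotFixID })
    )
    foreach ($bulletin in ($Map.Keys | Sort-Object)) {
        $kbs = $Map[$bulletin]
        # -contains is case-insensitive, so 'kb968557' and 'KB968557' both match.
        $present = @($kbs | Where-Object { $InstalledIds -contains $_ })
        New-Object PSObject -Property @{
            Bulletin  = $bulletin
            KBs       = ($kbs -join ', ')
            Installed = ($present.Count -gt 0)
            MatchedKB = ($present -join ', ')
        }
    }
}

Get-BulletinStatus -Map $bulletins |
    Format-Table Bulletin, Installed, MatchedKB, KBs -AutoSize
```

A bulletin shows as Installed when any one of its KB numbers is present, which is the point of carrying the alternates: a reader who sees only KB 952004 in Windows Update is looking at MS09-012, not at a ninth patch.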
Filed under: Uncategorized, Windows Patches/Security
Tags: April 2009 Black Tuesday, KB 951306, KB 959426, KB 959454, KB 960477, KB 960803, KB 960906, KB 961373, KB 961759, KB 963027, KB 968272, KB 968557, MS09-009, MS09-010, MS09-011, MS09-012, MS09-013, MS09-014, MS09-015, MS09-016
10 responses to “MS-DEFCON 2: Eight Security Bulletins are out”
-
Hi, I also got 3 other updates, which are KB952004, KB956572 and KB905866, which are not listed. Could you tell me what these do? I have a 64-bit Vista system. Thanks for any help. Your site is very helpful.
-
Todd -
The first two are alternate KB numbers for MS09-012. I suggest you hold off on them.
The last one is an update for Windows Mail. (!) I have no idea why it was offered to you, unless you suddenly started using Windows Mail. If you did, you should switch over to Windows Live Mail, http://download.live.com/wlmail , which is supported. Windows Mail has been orphaned, pretty much.
-
Hi – I too show three KBs not mentioned. Also, you mention four KBs I do not have in my patch list for downloading:
My patch items you did not mention:
KB923561,952004,956572.
Your mentioned items I do not have in my patch group:
KB959454,960477,961759,968557.
I realize I may not need some/any of those in this last group due to what MS programs I have on my PC (Dell using WinXP SP3). I may need your comments on those I have that you did not mention. (I also have two others that you have mentioned in previous items, so I discount those.)
-
If the updates aren’t offered to you, and you’re running a “Genuine” copy of Windows XP, you don’t need to worry about them. There are many, many reasons why you may not need specific patches.
-
Why am I always misunderstood? I hoped to get a comment or two about the three patches I can d/l, but which were not mentioned in Woody’s item. (I thought I conveyed that I understood I might not have to concern myself about items Woody mentions and items not in the d/l list.)
-
RK -
The KB articles you see are secondary articles for the patches.
KB 923561 is for MS09-010
KB 952004 is for MS09-012
KB 956572 is another Knowledge Base article for MS09-012.
I could try to list all of the KB articles for all of the patches, but you’d see hundreds of numbers. Instead, I’ve listed the KB articles that most people see.
If you’re ever curious about a Knowledge Base article, start Firefox and in the address bar type KB followed by the number, then press Enter. You don’t need to type in a URL. Simply typing, say,
KB 956572
will list the KB article as the first result.
As a side-note… there are already LOTS of identified problems with this month’s patches.
-
Please excuse me, I am not a techie; I barely know that there is a relationship between KBs and the MSnn-nnns. You have to understand that all I see on the MS update screen are KBs, so you are my go-to guy to let me know if I can paste them up or not.
I want to thank you for your site and what you do for guys like me.
-
RK -
No problem at all. It’s a jungle out there.
Most people don’t realize that typing KB followed by the number will take you straight to the Knowledge Base article.
‘Course, you may have a bit of trouble understanding the article. I frequently do…
-
I noticed that Susan Bradley in Windows Secrets suggests that KB 963027 and KB 959426 should be installed immediately, even if you use Firefox.
I presume that you disagree.
Thanks
-
Yep, I disagree. Susan and I often do.
We address different audiences. Susan is more oriented toward businesses, I’m more concerned about home and home office users.
At some point you’ll need to update Internet Explorer. But for now, as long as you’re using Firefox, I don’t see much exposure at all. SANS Internet Storm Center reports that exploit code is publicly available, but I haven’t heard of any working exploits if you’re using Firefox. MS09-014 says, “The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer or if a user connects to an attacker’s server by way of the HTTP protocol.”
The other patch, KB 959246, is for a hole that’s been around a long time – the Safari carpet bomb attack. CVE says, “Apple Safari on Mac OS X, and before 3.1.2 on Windows, does not prompt the user before downloading an object that has an unrecognized content type, which allows remote attackers to place malware into the (1) Desktop directory on Windows or (2) Downloads directory on Mac OS X.”
While business users may still be running Internet Explorer – and some brave souls run older versions of Safari – I would be very surprised if any of the readers here fell into either group.