MS-DEFCON 4: Time to get patched @ AskWoody.com

MS-DEFCON 4: Time to get patched

Posted on January 4th, 2010 at 03:13 woody 16 comments

It looks like the December Black Tuesday patches have stabilized.

As usual, there was much wailing and gnashing of teeth with the gigantic Internet Explorer patch update, known as MS09-072 or KB 976325, but you’re used to those by now, right? Besides, you use Firefox (or Chrome of Opera), and you realize that you have to apply the Internet Explorer patches to keep Windows safe, but you wouldn’t actually use IE, right?

There’s one lingering glitch in the patches: installing MS09-073 / KB 973904 can introduce weird bugs in the way Microsoft’s text converters work. (The patch only applies to Windows XP and 2000.) If you install the patch and suddenly get either of these messages while trying to open a file:

Word cannot start the converter mswrd632
Cannot load Word for Windows 6.0 files

you’ve fallen victim to the bug in the MS09-073 patch. See Knowledge Base article KB 973904 for a fix.

I think of that as an example of sloppy patching on Microsoft’s part. There doesn’t seem to be any rush to fix the patch, probably because it’s very uncommon – and, hey, it’s for Windows XP, which isn’t high on anybody’s priority list right now. Except, of course, those of you who run Windows XP.

Anyway, I’m moving us to MS-DEFCON 4: There are isolated problems with current patches, but they are well-known and documented here. Check this site to see if you’re affected and if things look OK, go ahead and patch. You should use Microsoft Update to get all outstanding MS patches applied.

Oh. I had a question from a reader about applying all of the patches. Yes, you should apply every Microsoft patch that’s offered to you by Windows Update, even if it’s a patch for a program that you don’t think you have installed. For example, if you’re offered a patch for Outlook, and you don’t think you have Outlook, go ahead and install the patch anyway. It probably won’t hurt anything, and it may be futzing with something behind the scenes.

Windows Patches/Security December 2009 Black Tuesday, KB 973904, KB976325, MS09-072, MS09-073
16 responses to “MS-DEFCON 4: Time to get patched”
1. Yuhong Bao January 4th, 2010 at 03:37
  
  On the “bug” you just described in MS09-073, that is NOT a bug, it is a feature! More precisely, it is a deliberate defence-in-depth feature intended against future security vulnerabilities in the converters.
2. woody January 4th, 2010 at 04:29
  
  Yuhong -
  
  Yep, you’re right – but it feels like a bug! The converters should, IMHO, be able to handle anything thrown at them without falling over dead. There has to be a better way to implement it.
3. RC Primak January 5th, 2010 at 04:33
  
  Bug or feature, this is another Keystone Kops MS Update. Fortunately, the Registry Edit outlined in the MS KB Article is fairly straightforward, provided one has any sort of experience with RegEdit at all. I think most of us Windows XP diehards have had plenty of experience with RegEdit, so I feel fairly safe just forging ahead with this one. At least this patch will not cause a Blue Screen crash, or an Endless Reboot.
  
  Perhaps Windows Secrets Newsletter (or The Lounge)could post a Registry batch file to cope with the fix? That would be the most elegant way to handle things, in the absence of an MS “Fixit” button to push on line.
4. EP January 5th, 2010 at 09:48
  
  Win2000 users should download and apply the revised “V2″ (KB951748) MS08-037 security update ASAP as it was released as part of the December 2009 security updates. The “original” KB951748/MS08-037 patch for Win2k, which was released back in July 2008, partially fixed the problem. So download and install V2 of the KB951748 update for Win2000 to provide FULL protection.
  
  BTW, Woody, part of my 2010 New Year’s Resolution: give AVG Free Antivirus another chance on my computers which I am currently doing. the latest build of AVG Free 8.5 (version 8.5.431) seems to run well on my XP computer and my mom’s Vista laptop.
5. Liz January 5th, 2010 at 16:48
  
  Hi Woody,
  I have a question about these Black Tuesday updates.
  I usually download and install when you move up to DEFCON 4 but when I look at my Event Monitor (under Admin Tools in Control panel on my Vista Home Premium 32 bit system, I get the following message for some of the updates: “Windows Servicing identified that package KBxxxxxx(Update) is not applicable for this system” . This happens for at least half of all the updates I download. Why does Windows update say I need an update that I then don’t need after I install it? Talk about Keystone Kops…
  It doesn’t seem to affect my system.. just curious..
6. rc primak January 6th, 2010 at 02:52
  
  I just went through the entire KB article. The final Registry Edit suggestion, to enable conversions again, is said to completely undo all the protections which this Update created. Does this mean that a serious vulnerability is re-introduced by enabling the conversions? Or is this not a real issue, but a complete MS screw-up? Is there a real fix to the problem, which does not mess with conversions? Should conversions be allowed, or not?
7. woody January 6th, 2010 at 04:44
  
  RC -
  
  It means that a minor vulnerability is re-introduced if you change the Registry as indicated. I don’t k now of any real solution to the problem. I think you’re better to turn off automatic conversions, just to let you know that you should convert the files manually. (I wonder if OpenOffice would work?)
8. woody January 6th, 2010 at 04:45
  
  Liz -
  
  Not sure exactly what’s happening, but it doesn’t hurt to download and try to install them.
9. woody January 6th, 2010 at 04:51
  
  EP -
  
  AVG works fine. What bothers me is the inflammatory “buy” screens…
10. Santosh January 6th, 2010 at 14:26
  
  Hello Woody,
  
  How you doing ????
  
  Please help me out with the below mentioned query.
  
  1) Do we have any known post-installation issue on december patch i.e MS09-069, MS09-70, MS09-071, MS09-072, MS09-073, MS09-074?
  
  2) Also about MS09-073, have you tested this patch on your test bed and recieved the error as well as resolution (worked for you) provided on KB973904?
  
  3) And for MS09-070, there is know issues “Wctx parameter change” and “Username logging deprecation” is this a major issue after applying the patch.
11. rc primak January 7th, 2010 at 04:22
  
  What I was hoping for is that if conversions were not going to be done through WordPad, that something else might work without the added time (which is considerable) to open OpenOffice Writer every time a file needs to be converted. I think Ian “Gizmo” Richards of Windows Secrets Newsletter has some reviews of smaller, more nimble free word processors. Maybe one of those will do the trick for me. After all, I am a paid subscriber now, so I can search the archives for both free and paid WS content.
  
  One thing I will definitely do is remove the second Registry change from the KB article, and see what breaks. Then I’ll decide if I need a lightweight, but secure word processor to replace WordPad for conversions. At least the original vulnerability will not be reintroduced.
  
  The first Registry change in the KB article is meant to apply the changes to all applications, so that no application can invoke the insecure converters, as I read the KB article. So that Registry change is a keeper.
12. Santosh January 12th, 2010 at 11:11
  
  Woody Waiting for your Reply to my previous comments…..
13. woody January 12th, 2010 at 23:06
  
  Santosh -
  
  1) I haven’t hit any problems with the December patches, as they now stand.
  
  2) It’s a weird error that doesn’t seem to happen very often – no data loss, just an inconvenience.
  
  3) MS09-070 is a Server patch. I rarely cover problems with patches to Windows Server 2003 and 2008, but the ones you mention seem to be pretty rare.
  
  I do cover patches to Windows Home Server. Susan Bradley handles Small Business Server.
14. Dan January 13th, 2010 at 01:43
  
  Hi Guys,
  Good news for those of us that are worried about applying MS09-073 / KB 973904 and then having to do the MS-suggested registry edit. The KB 973904 link that Woody gives above now also includes a ‘Fix it for Me’ link for those affected by the new bug/feature described above. (I’m certainly relieved, since I have never felt comfortable editing the registry, and I work with MS Word so often that I can’t afford to get a rash of errors each time I open a file, either.) Thanks for the great patch info, Woody. I appreciate your help in keeping us informed of potential (and actual) issues with each batch of patches.
  
  Best,
  
  Dan
15. Travis January 14th, 2010 at 03:40
  
  What’s the best way to implement the registry fix for MS09-073? Do I have to target only those computers with the patch installed or can I safely push this to all my clients? Does it matter whether Office is installed? The article says it will fall back onto the Office converters, but what if I deploy the registry fix to a computer that doesn’t run Office?
  
  This fix confuses the hell out of me. I wish they would just revise it so you don’t need the registry workaround or include it into the patch.
  
  By the way, easiest way to repro on a computer with Office installed is to right click > New text file somewhere in Explorer and then name it .doc instead of .txt. Then try to oepn the file.
16. Marcel April 17th, 2010 at 20:41
  
  Hi Woody,
  I’ve tried everything I can to get the KB973904 patch downloaded to no avail.
  I did the comand promt and tried worthless windows support.
  For months now I’ve been getting the download window when I shut down and it never downloads or goes away.
  What can I do to fix this ?
Leave a reply

Name (required)

Mail (will not be published) (required)

Website