Posted on June 4th, 2012 at 21:29 14 comments
It looks like Microsoft has finally fixed the “dependency” problem that led to widespread panic when folks with Automatic Update turned on discovered that they had three patches that wouldn’t install.
I’m still not happy with this month’s .NET patches – there’s been so much clamor about the three patches that wouldn’t install, it’s hard to tell what other problems may exist. Still, I haven’t heard of any specific problems, so I’m going to give the go-ahead.
There’s a new out-of-band patch, just out of the chute, that I talk about in the next post. Security Advisory 2718704 raises some soul-searching questions about the methods Microsoft uses to generate security certs. For now, it’s a good idea to get that patch installed, too.
I’m changing us to MS-DEFCON 4: There are isolated problems with current patches, but they are well-known and documented here. Check this site to see if you’re affected and if things look OK, go ahead and patch.
Get all of the Microsoft patches applied, then turn off Automatic Updates (see the tab above). We’ll see how much damage next week’s Black Tuesday brings.
Posted on June 4th, 2012 at 21:21 4 comments
When it’s a Microsoft security cert, of course.
Microsoft just sent an out-of-band patch down the Automatic Update chute. It plugs one of the (many) holes used by the “Flame” malware.
While I figure none of you are susceptible to Flame – the whole thing’s been overblown – you may be susceptible if some cretin figures out how to use the security certificate signing technique to generate a different cert.
I’m about to change the MS-DEFCON level to 4. This patch is good incentive.