MS-DEFCON 3: Time to get patched AND apply a manual fixPosted on October 2nd, 2013 at 10:25 20 comments
I’ll be covering Susan Bradley’s detailed discussion of KB 2859537 tomorrow, after Windows Secrets Newsletter hits, but the bottom line is that MS appears to have nailed the problems with August’s last bad patch.
The comical September bad patches – twelve pulled and re-issued patches – all seem to be working OK.
But there’s a more important reason why I’m suggesting you install all of the outstanding Microsoft patches now. As of just a few hours ago, Lucian Constantin at PC World reported that a working exploit for an Internet Explorer vulnerability just showed up on Metasploit. Chances are very good that you’re going to see that exploit used shortly.
Here’s what’s weird about that IE vulnerability: Microsoft hasn’t released an Automatic Update for it yet, but it does have a Fixit available that you can apply, manually, to shore up your system.
I know that most of you don’t use IE, but this one’s bad enough (and now widespread enough) that it would be prudent to get your system patched. I haven’t heard of any problems with the Fixit, but that doesn’t necessarily imply a clean bill of health, eh?
So I’m recommending that you not only apply all outstanding Microsoft patches, I’m also recommending that you run over to the Fixit site and apply that fix manually.
I’m moving us to MS-DEFCON 3: Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems – and strongly recommending that you also go to the Fixit site and get that patch applied.
20 responses to “MS-DEFCON 3: Time to get patched AND apply a manual fix”
Woody on the Fix-it do we apply it then shortly after that Uninstall it) It’s a We bit confusing but it sounds like on the Microsoft site that’s what there pointing too you half to Install or Run it on the computer then you need to Uninstall it.. Other than that I’m going to Run the other patches I let you know how things are Going after there up N running)
As always thanks for your Time Sir.. Ron
Woody, I don’t use IE. When I looked to see what version of IE I have installed, it showed version 10. According to the Fixit site, it states the exploit was running version 8 or 9. Do I need to install the Fixit? Also, I saw in IE 10 under the Help, About, that Install New Versions Automatically box was checked. Should I leave that checked?
Woody, there are a few items unchecked in the list of important updates: Service Pack 2 for Office 2010 and a couple of .Net updates. Should I leave those unchecked?
The Fixit site gives links to both apply and uninstall the Fixit solution. I am a new to this – do I run both of these?
When addressing KB2859537 tomorrow please let us know if the update dated 8/13/13, the one I’m still getting listed every day, is the one that supposedly got fixed. Or should there be a later dated one. Thanks.
I installed the two security patches that I was offered this month (KB 2872339 and KB 2876351) and did the fixit you suggested (even though I don’t use IE 9, which is what’s installed on my system).
1. I don’t have KB 2859537 offered any longer (but I think it was back when it was “bad”). So does that mean I no longer need it or need to be concrened about installing it?
2. These are a list of patches I did not install. Some are from months past and a couple are from this month. Is there any need to install any of them?
a. KB 2861855
Updates to Improve Remote Desktop Protocol
b. KB 2862966 (Comes up as KB 2854544 in link)
Updates to Improve Cryptography and Digital Certificate Handling in Windows
c. An update is available for the .NET Framework 3.5.1 on Windows 7 SP1 and Windows Server 2008 R2 SP1: June 2013 (THIS IS UNCHECKED)
d. An update is available for the .NET Framework 3.5.1 on Windows 7 SP1 and Windows Server 2008 R2 SP1: September 2013
e. Update that protects from internal URL port scanning is available for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Embedded Standard 7, Windows Server 2008 R2, Windows 8, Windows RT, and Windows Server 2012
f. “0×00000050″ Stop error after you install update 2670838 on a computer that is running Windows 7 SP1 or Windows Server 2008 R2 SP1
g. Loss of consistency with IDE-attached virtual hard disks when a Hyper-V host server experiences an unplanned restart
h. August 2013 cumulative time zone update for Windows operating systems
i. Updates are available that improve the content in warning messages that you receive when you run local executable files in Windows
I’m guessing most, if not all, of these are unnecessary? Let me know the scoop.
Thanks, as always, Woody!
Yep, it’s fixed.
Only run Apply.
If they aren’t checked, don’t check them! Office 2010 SP2 is pretty benign, but .NET updates are always a hassle.
Nope, you don’t need the Fixit.
Personally, I uncheck the Install New Versions automatically box. But them I’m kinda paranoid about that sort of thing anyway.
I never thought of it this way but, yes, you’re right – it is confusing.
Just run the Apply. Maybe someday you’ll have to run Uninstall, but if you do I’ll warn you about it. Chances are very good you’ll never have to uninstall it.
Jonathan October 3rd, 2013 at 22:06
The Fixit dosen’t work on the french version of IE
rc primak October 3rd, 2013 at 23:35
The Fixit description says the vulnerability only applies to Windows XP and Windows 7, running IE8 or IE9. I am running IE10 on Windows 7. The Fixit wouldn’t even try to install.
rc primak October 3rd, 2013 at 23:41
Correction: SANS says IE 10 and 11 (pre- and Release) ARE vulnerable. Second try did install the Fixit into IE 10 in Windows 7.
Dianne October 4th, 2013 at 21:00
I did the updates as you recommended, but did not do the 2859537 yet, and I am not sure if you have given us the go ahead to do it yet?
But this morning I notice that I had an update for KB2889543, IE Flash Player, released 24Sept 2013. I thought I got them all on the 2nd and did the Fixit. Do I need to download this one also? Thank you for your work.
KB2859537 is no longer offered on my Win7. Do you know what happened to it? Was it superseded by a later patch with a different KB number?
There are many possible reasons. If you need it, Microsoft will re-issue it.
Yep, I gave the go-ahead, but I’m about to move to MS-DEFCON 2. Don’t worry about it for now.
I’m just checking back because it looks like you might have missed replying to my post. Let me know the scoop when you can — thanks!
Sorry I didn’t reply earlier.
If the patch isn’ton your list, there’s usually a good reason. Don’t worry about it.
And, yep, the patches you posted are definitely no something to be concerned about. Wait for the next green light, then just apply all of them.
Leave a reply