MS-DEFCON 4: Get patched, but don’t install IE 10 or KB 2670838

With a rather ho-hum collection of patches coming this Tuesday, it’s time to get caught up.

March’s Black Tuesday patches didn’t ring many bells. But there are two ancillary downloads – and a patch from February that’s still causing problems – that should give you pause.

First, if you are running Windows 7 and you haven’t updated to Service Pack 1, now’s the time to do it. Microsoft released Win7 SP1 in February of 2011 — yes, more than two years ago — but it just started including SP1 in “automatic update” runs. If you look at your pending updates and SP1 is on the list, block out some time to run it (say, ten minutes, maybe more), and let ‘er rip.

Second, the late-February patch known as KB 2670838 is still causing problems. The patch should NOT be offered – should not be pre-checked – when you look at the Windows update list. Don’t shoot yourself in the foot, and don’t check the box to install it.

Third, details are all over the map, but a lot of people are complaining about the new version of Internet Explorer, IE 10, screwing up their Windows 7 systems. Simple solution: don’t install IE 10. If you’re running Windows 8, you already have IE 10, and it doesn’t seem to be causing any problems. If you have an earlier version of Windows, IE 10 isn’t even offered. IE 10 on Win7 seems to be a stinker. Once again, IE 10 is not pre-checked in the update list. Don’t check it.

As always, avoid installing driver updates from Microsoft (go directly to the manufacturer’s site, or your PC manufacturer’s site), and if you’re offered Silverlight, laugh heartily; uninstall it if you have to.

With those thoughts in mind, I’m moving us down to MS-DEFCON 4: There are isolated problems with current patches, but they are well-known and documented here. Check this site to see if you’re affected and if things look OK, go ahead and patch.

MS-DEFCON 4: Get caught up on all Microsoft patches, except one

Microsoft’s crop of March 2011 Black Tuesday patches has stabilized, and I recommend that you install them now.

I note with some glee that MS08-015 and MS08-016 patch Office 2003, Office 2000, and Office XP – all of which are beyond their support lifetimes. So even if you’re still using older versions of Office, you need to get patches.

There are two quirks you need to know about.

If you use Excel 2003 and you have a VBA macro that refers to a Real Time Data source, the macro come up with goofy results. Details in KB 950340.

If you use Outlook 2003 SP2, you won’t be able to see “external content” – linked images, mostly – on attached email messages. There’s a hotfix described at KB 949031.

I still DO NOT RECOMMEND that you install Windows 7 Service Pack 1. There’s at least one weird installation error still floating around. It ain’t worth the hassle.

So, with the exception of Windows 7 SP1, I’m moving to MS-DEFCON 4: There are isolated problems with current patches, but they are well-known and documented here. Check this site to see if you’re affected and if things look OK, go ahead and patch.

Microsoft fixes botched Outlook 2007 patch

A month ago, I talked about a botched patch that Microsoft slid out the Automatic Update chute. If you had Automatic Updates turned on, and you were using Office 2007, you got treated to KB 2412171, and it caused all sorts of problems.

Microsoft pulled the patch about a week later. Damage done to Automatic Updaters.

Now, a month later, word comes that Microsoft has finally fixed the patch and re-released it. Here’s the official announcement from the Microsoft Office Blog:

This week, we released an update that fixes the three issues identified in the December Update for Microsoft Outlook 2007. The update released on Tuesday, January 11, was distributed by Microsoft Update and referenced as updated KB article KB2412171.

If you did not uninstall the December Update for Outlook 2007, then the update released on Tuesday, January 11, will fix the three known issues which you may be experiencing. For more detail about the issues that were identified with the December update for Outlook 2007, see Issues with the recent update for Outlook 2007.

If you did uninstall the December Update for Outlook 2007, then you can benefit from the new January update.

To receive the January 11 update you can either:
§ Run Windows Update on your computer
§ Download and install the update directly from the Microsoft Download Center.

If you have automatic updates enabled, you will receive this update automatically.

I don’t recommend that you install this patch of a patch. Let’s see what happens to all of the Automatic Update beta testers out there….

Word buffer overflows found in the wild

And you thought that Word-based exploits were so last-century…

Microsoft Malware Protection Center blog reports that the Softies have discovered several bogus RTF files, in the wild, that can take over your PC. Here’s how it works:

You open a bogus RTF file. (RTF = Rich Text Format, an ancient file format that Word opens automatically.)

The RTF file has been jiggered with infectious code at the end of the file. The file itself says it’s “X” bytes long, when in fact it’s longer. The infectious code starts at location “X + 1″.

Word loads the file, then jumps to the location immediately after the end of the file, and starts running. Ooops. It’s running the infectious code at location X+1.

The infectious code does some fancy stuff but, in the end, downloads a Trojan and saves it on your computer as c:\windows\a.exe .

As best I can tell, the Trojan just sits there until you randomly decide you want to run the program a.exe, at which point Windows puts up its usual warning about running unknown programs.

I wouldn’t call that a major security exposure, but it’s certainly embarrassing: the RTF format has been around since the beginning of Word time, and nobody caught the problem until now.

Anyway, the hole was plugged in November, with security bulletin MS10-087. If you’ve been following along, you’ve already applied that patch and have nothing to worry about. If you haven’t applied the patch, avoid randomly running programs called a.exe, OK?

Nope, I still don’t feel comfortable about the December patches, so if you’re waiting, we’re still at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

This month’s patches a real yawner

They’re out. As expected, Microsoft released two Security Bulletins, and they’re both a bit less than compelling.

MS10-030 applies to Outlook Express (XP and earlier) and Windows Mail (Vista). If you’ve already upgraded to Windows Live Mail – and you should, you know – there’s a very tiny exposure, but nothing worth sweating about.

MS10-031 only applies to people running applications made with Visual Basic for Applications. Even if you have VBA going on your PC, there aren’t any known exploits.

You’ll want to patch some day, but for now, let the other folks get the arrows in their backs.

 

Finally, details on the Custom XML modifications in Word 2007 effective January 10

Last week I posted a rather detailed discussion of the Custom XML modifications that Microsoft was implementing in Word 2007, to comply with a court order that found MS violated a patent by i4i.

Now, at looooooong last, we have technical details about what’s changing in Word 2007 (and therefore in Office 2007). Knowledge Base article 978951 addresses the issue:

Versions of Office Word 2007 that are distributed by Microsoft after January 10, 2010 no longer read the custom XML markup that may be contained within .docx, .docm, or .xml files. The new versions of Office Word 2007 can still open these files, but any custom XML markup is removed. Custom XML markup in Word documents is visible in the Office Word user interface as pink (the default color) tag names surrounding text in a document…

Office Word content controls are not affected by this update. Content controls are a common method of structuring document content and mapping content to the XML data that is stored in a document…

Custom XML markup that is stored within Word 97-2003 document (*.doc) files is not affected by this update.

Ribbon XML and Ribbon Extensibility are not affected by this update. The Word object model is not changed by this update. However some Word object model methods that deal with custom XML markup may return different results.

Sound confusing? Yeah, it is, particularly because MS isn’t changing content controls, but it is zapping manually defined custom XML – but only in Word 2007 docx, docm and XML files.

I have absolutely no idea how these changes map to the patent infringement judgment, and would welcome any enlightening words in the Comments to this post.

Office 2003 bug locks you out of your documents

Remember Windows Rights Management Services, the Windows Server-based piece of %$#@! that companies use to lock up their documents, so you can’t get at certain documents on a server? The Wikipedia listing for WRMS describes it thusly:

Specific operations like printing, copying, editing, forwarding, and deleting can be allowed or disallowed by content authors for individual pieces of content, and RMS administrators can deploy RMS templates that group these rights together into predefined rights that can be applied en masse.

I railed against WRMS in my books and several articles, many years ago.

Guess what? If your company uses RMS, and it uses Office 2003, starting on December 11, you may not be able to open, print, copy, edit, forward, delete or otherwise use those RMS-protected files. If you try to open a document with Word, Excel or PowerPoint 2003, or you try to open an RMS-protected message in Outlook 2003. you’re completely outta luck. You get the message “Unexpected error occurred. Please try again later or contact your system administrator.”

Yeah, right.

What happened? David Worthington at Technologizer says that Microsoft let an Information Rights Management certificate expire.

I won’t start ranting again. Suffice it to say that if your company was suckered into trusting Microsoft’s digital rights management software, they got what they deserved. You have my permission to yell LOUDLY at the idiot who decided to install it in the first place, and to continue SCREAMING until somebody who controls your server listens to reason. Windows RMS is a disaster waiting to happen. Oh. Wait a sec. It already has happened.

UPDATE: A hotfix has been announced, at least for Word and Excel. I’ve seen very few details, except you have to call Microsoft to get the hotfix, and you have to be running Office 2003 Service Pack 3.

Avast! Ahoy me false positive hardies

Avast is having a bad day. Seems its recent virus definition update started triggering all sort of false positives – incorrectly identifying good programs as malware. SANS Internet Storm Center puts it this way:

We have received a number of reports of Avast Antivirus false positives (Thanks Ken, Don,  Luca & others).   With a recent update the Avast antivirus product have started identifying legitimate products as containing Win32-Dell-MZG.  The Avast forum is awash with some of the products that have been tagged, many of which are known to be good and have been functioning quite normally.

The recommendation at the moment is to not reply delete or quarantine files as this may fry the product they belong to (a few readers are currently reinstalling applications).  As far as we know the files are consistently identified as Win32-Dell-MZG so if others pop up there is a fair chance that these are legit.

UPDATE: A new update was released fixing the issue.  091203-1.  If you haven’t used your computer between 12:00am UTC and 5.50 am UTC, then you will receive the new update and you should be fine.  For those that were affected I recommend you keep an eye on the Avast blog http://forum.avast.com/index.php?topic=51647 as they are working on some how to’s to help fix any issues.