-
Which patches should I avoid?
Posted on June 7th, 2009 at 05:06 (No comments)
Reader JB just wrote to say:
I know you listed what to patch and what not to patch, but I’m still confused. I don’t know much about computers so please bear with me. When I go to the update page there are several things listed under Microsoft Office 2007 updates, but they do not all have numbers listed. I have not installed the following: update for Office System (KB967642), Security update for PowerPoint ’07 (KB957789), Security update for Office System (KB969618), Security PP Viewer 2007 (KB970059).
Then there are three Service Pack 2 items listed, but no numbers. One for Compatibility, one for PowerPoint viewer, and one for MS Office suite. So when you say not to take SP2, I don’t know which of the three not to take because they do not have numbers listed next to them. Could you please be very specific in telling me what to take and not to take. I’ve read your blogs and I’m still not sure.
Microsoft makes this much more confusing than it should be.
If you ever wonder about a specific patch, go to Google and type the KB number. For example, typing KB967642 brings up a description about an error message that many people see when they try to install Vista SP2.
In general, though, you should install all of the patches you see except for the specific patches mentioned in my posting. In this case, I recommend that you hold off on any patch marked “Vista Service Pack 2” or “Office 2007 Service Pack 2.”
-
MS-DEFCON 4: Get patched, but avoid these stinkers
Posted on June 5th, 2009 at 06:09 (16 comments)
With ten patches on the way next Tuesday, and many of the problems with older patches fixed, it’s time to get patched up. Unfortunately, there’s a long list of problematic patches that you should studiously avoid.
Here are the ones I suggest you pass by:
Windows Vista Service Pack 2/KB 948645 is causing problems. Dennis O’Reilly talks about some of them in the latest Windows Secrets Newsletter. There’s no pressing need to install Vista SP2, and the PC you toast may be your own. Hold off for now. If you really want to install SP2 and it isn’t offered by Automatic Update, check out KB 948343 for a list of potential problems. Worth noting: that KB article is up to version 14.0. And you trust this stuff?
Office 2007 Service Pack 2 / KB 953195 has a few problems – just look at the “Known Issues” list at the end of the KB article. Again, there isn’t enough new stuff to justify putting your computer at risk. Patience.
KB 951847 is a mess of a patch of a patch of a patch of the .NET Framework in Windows XP. The Knowledge Base article is up to version 5.0. This is the one that includes the drive-by installation of a difficult-to-remove add-on for Firefox. I’m beginning to think that it’ll never get fixed – you’re better off waiting until you upgrade to Vista or (better) Windows 7, which have .NET baked in, or wait until Microsoft releases a new version of .NET.
KB 960715, the ActiveX killbit update, still breaks many programs. I don’t think the cure is any better than the disease. Of course, you’re using Firefox (or Chrome) – or any Web browser that doesn’t directly expose your machine to ActiveX infections, right?
KB 967715, the Conficker-killer that doesn’t work, is worth installing, but make sure you understand its limitations, as I posted in mid-March.
I’m still ambivalent about Windows XP Service Pack 3, KB 936929. If you’ve been keeping up on all of your patches, it’s a toss-up. If you decide to install it, and you have problems, be sure to check out Microsoft’s Knowledge Base article KB 950718.
I’m also ambivalent about Internet Explorer 8. Mark Edwards has a good analysis of the situation on the Windows Secrets web site.
Sorry to leave you with such a patchwork quilt of good and problematic patches, but I think you’d be well advised to apply all outstanding patches except the ones listed above.
-
One Black Tuesday patch coming next week
Posted on May 8th, 2009 at 19:35 (No comments)
Microsoft has announced that it’s only going to release one patch this coming Black Tuesday. It’s a “critical” patch for PowerPoint.
Chances are very good it’s a patch for the 0day hole I described a little over a month ago.
We’re still at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.
-
Office 2007 Service Pack 2 is up – avoid it for now
Posted on April 29th, 2009 at 04:48 (2 comments)
If you’re feeling lucky, Microsoft just posted Office 2007 Service Pack 2 / KB 953195. It’s a massive update, with hundreds of fixes and a handful of improvements.
For most of us, the main things we’ll notice are save as PDF support (which has always been available via a separate download; now it’s native) and many tweaks to Outlook and Excel. The one I look forward to the most is the promise that Outlook 2007 SP 2 “greatly reduces the number of scenarios in which you receive the following error message when you start Outlook: The data file ‘file name’ was not closed properly. This file is being checked for problems.” I see that message far too often.
There’s nothing earth shattering in SP2. No need to install it now. Let the pioneers get the arrows in their backs first.
UPDATE: There’s a thorough discussion of Office 2007 SP2 on the Office Sustained Engineering blog. Thanks to MR for the heads-up.
-
Office 2007 Service Pack 2 scheduled to be released April 28
Posted on April 18th, 2009 at 10:38 (No comments)
According to this blog from the MS TechNet Blogs site, Microsoft will be releasing Office 2007 SP2 on April 28.
-
Another PowerPoint 0day
Posted on April 3rd, 2009 at 08:46 (No comments)
Microsoft just posted Security Advisory 969136, which talks about a newly discovered 0day security hole in PowerPoint. If you use PowerPoint 2000, 2002 (the version in Office XP) or 2003, you’re vulnerable. PowerPoint 2007 dodges the bullet.
If you open a malevolent PPT file – whether you downloaded it, or the file came attached to an email message – PowerPoint’s input routine (called a “parser”) can be made to hiccup, and run a program buried in the slideshow. You won’t even know that it’s happening.
Quoth Microsoft: “So far we’re aware of several distinct exploit files which have been used. They all seem to be used only in targeted attacks and therefore the number of affected customers is very low.”
Microsoft recommends that you use MOICE to automatically convert files to PowerPoint 2007 format (PPTX) and back. The round-trip plugs this security hole. For more info, see Security Advisory 969136.
There’s a detailed discussion of the hole on the MS Security Research Center blog. You can see several examples on the Microsoft Malware Protection Center blog.
In general, you don’t need to worry about it at home, but if you work for a large company – or one with systems worth cracking – it would be wise to avoid opening PPT files unless you know their precise pedigree. Even better, install MOICE. It’s relatively painless.
-
OK to update the Junk Email Filter?
Posted on March 20th, 2009 at 07:53 (1 comment)
Reader BS writes:
I have Vista Home Premium. Thanks for the blanket OK to install updates for Windows Defender and the Malicious Software Removal Tool, but what about Windows Mail Junk Email Filter?
I never used Outlook or Outlook Express or anything MS email related. Should I update these?
If you don’t use Windows Mail, Windows Live Mail, Outlook or Outlook Express, you don’t need to update the junk email filter. But I wouldn’t lose any sleep over it. The updates are generally innocuous.
-
New Excel 0day
Posted on February 25th, 2009 at 02:29 (1 comment)
This hasn’t yet hit the main news feeds, but Microsoft just released Security Bulletin 968272, which discusses another 0day that takes advantage of a security hole in all modern versions of Excel, and the Excel Viewer.
Yes, you read that right. The Excel Viewer is vulnerable too.
Microsoft’s suggested fix for the moment? “Do not open or save Office files that you receive from un-trusted sources or that are received unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a file.”
The Security Bulletin goes on to give a lengthy set of manual instructions, which includes editing the Registry, that may or may not fend off the worm. Or you can block opening files from Office 2003 or earlier.
Oh boy. In other words, bend over and kiss your keester goodbye.
Symantec has encountered an infected file, Trojan.Mdropper.AC, that’s easy to block. It remains to be seen if the exploit folks are smart and fast enough to morph the Trojan so it isn’t so easy to thwart.
Today would be a very good day to avoid opening any Excel file that you don’t know well.