MS-DEFCON 2: Black Tuesday patches are out

Make sure Automatic Updates are turned off.

There’s only one “critical” patch in this month’s crop of four, and even Microsoft is downplaying its exploitability.

Bottom line: MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

MS-DEFCON 4: Patch everything except the Office 2010 Service Pack

Microsoft has announced that next Tuesday’s crop of patches will include four security bulletins, once of which may be interesting. Or maybe not.

Accordingly, it’s a good time to go ahead and get caught up on your Microsoft patches, with one exception: there’s no pressing reason to install the Office 2010 Service Pack 1 / KB 2510690 patch.

Also note that Office 2007 Service Pack 3 / KB 2526086 is out and available if you go looking for it, but shouldn’t be offered as part of the normal Windows Update cycle. That’s just as well. There’s no particularly good reason to install Office 2007 SP3, either.

Accordingly, I’m moving us down to MS-DEFCON 4: There are isolated problems with current patches, but they are well-known and documented here. Check this site to see if you’re affected and if things look OK, go ahead and patch.

In minimizing zero-days, Microsoft misses the point

They may not be numerous, but they’re dangerous.

InfoWorld Tech Watch.

MS-DEFCON 2: Get your system locked down, patches are coming

Microsoft’s Advanced Notification says there are eight security bulletins coming for October’s Black Tuesday.

None of them sound particularly interesting.

As usual for this time of the month, I’m moving us to MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

Make sure you have automatic update turned off. Click the Automatic Update link above for instructions if you aren’t sure how to protect yourself against the automatic update blues.

Let’s see what happens.

MS-DEFCON 4: Get patched, but know that there are problems

OK. I give up.

Microsoft’s .NET patching continues to cause problems. August’s Black Tuesday crop included three .NET patches, and they (like all .NET patches before them, in recent history) have led to all sorts of unexplained behavior.

But they’re out. They’ve been out for almost two months, and it doesn’t look like Microsoft is going to fix them. So – considering that the percentage chances of you getting stung by one of the patches is admittedly small – I’m going to go begrudgingly advise you to install all of the outstanding Microsoft patches.

September’s Black Tuesday patches turned out to be relatively benign. There have been some much-publicized SSL certificate revocations, as well, which arrived after the Black Tuesday bunch.

October’s Black Tuesday is in the wings, and you’d better get patched now.

If you’re willing to hunt and peck and choose and install or shun individual patches, Susan Bradley’s latest list in Windows Secrets Newsletter tells you which individual patches are stinkers. If you subscribe to WSN (either free or paid version), you received her list in the September 29 issue.

On the other hand, if you don’t really want to futz with individual patches — Susan lists 12 recent patches as either “Skip” or “Wait” — now would be a good time to get caught up. Yes, I recommend that you apply Service Pack 1 to Office 2010, and that you install the Office File Validation update.

So I’m moving us to MS-DEFCON 4: There are isolated problems with current patches, but they are well-known and documented here. Check this site to see if you’re affected and if things look OK, go ahead and patch.

Go ahead and get caught up with all of the Microsoft patches.

Microsoft Security Essentials identifies Chrome as malware

Reader DB asked me to mention the fact that Microsoft Security Essentials came up with a false positive on Google Chrome. In some cases, MSE stepped people through the process of uninstalling Chrome, claiming it had a copy of the Zeus botnet inside.

Chrome was (and is) fine. MSE screwed up.

Microsoft fixed the problem within a couple of hours and issued updates. Chances are very slim that you were affected.

The sorry tale of the (un)Secure Sockets Layer

If you think using https – or watching for the “lock” icon in your favorite browser – is going to keep you out of harm’s way, you don’t know the latest.

See my Windows Secrets Top Story for details.

Microsoft patches are out and they’re duds

A very unimpressive bunch of patches this month. None of them even come up to the Microsoft-set level of “critical.”

Don’t worry about applying them, for now. Ultimately you’ll want to, of course, but right now sit tight and see if any of the patches hurt anything.

Better to spend your time watching Sinofsky’s keynote at the Windows 8 BUILD Conference.