Posted on September 5th, 2012 at 10:05
Last month’s Black Tuesday patches had a bunch of surprises, according to the comments at the SANS Internet Storm Center, but it looks like things have settled down.
There’s one lingering stinker in the bunch: MS12-060 (KB 2597986/2687323/2687441) can make older Office Visual Basic apps go wonky, with an “Unspecified Automation Error” message. Susan Bradley will have details – including a fix – in tomorrow’s Windows Secrets Newsletter.
The big, big Windows patching problem continues to be Java. Five months ago I was roundly criticized by some self-appointed experts for admonishing that It’s Time to Run Java Out of Town. By Jove, it’s more true now than ever. Oracle issued an “urgent” update to Java 7 last week – Update 7 fixed a big security hole that was being actively exploited. Apparently, researchers had warned Oracle about the flaw months ago, but they didn’t get around to patching until this week. Within hours of Update 7 being posted, the same security researchers announced that the new version had a similar security hole.
Brian Krebs has some good advice: “If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.”
So get your Microsoft patches applied, and think hard about how to wean yourself off the Java Runtime Environment.
I’m moving us down to MS-DEFCON 4: There are isolated problems with current patches, but they are well-known and documented here. Check this site to see if you’re affected, and if things look OK, go ahead and patch.
Posted on August 15th, 2012 at 07:26
Right on cue, Susan Bradley pointed me to a problem that people are having with a “Recommended” patch issued August 14.
KB 2647753 is installing itself over and over again, according to many reports on the Microsoft Answers forum, and all over the web. Customers advise that they install the patch, reboot, and the patch is offered again – even though it shows up in the “installed patches” list. Repeatedly.
Apparently the solution is to apply an associated hotfix manually.
Life’s too short, folks. Hold off on applying those patches until they get thoroughly tested! And if you got caught with this one, and you can’t stand the idea of applying the same patch a few dozen times, go ahead and follow the steps in the MS Answers forum to rid yourself of the pesky patch prompt.
Posted on August 15th, 2012 at 07:14
Once again, Microsoft’s Black Tuesday patches cover a lot of ground, with 26 separately identified security holes getting plugged.
The SANS Internet Storm Center advises that none of the patched problems is currently being exploited. Microsoft says there are targeted attacks for MS12-060, but nobody has yet successfully pulled off an attack using that particular vulnerability. (“Targeted” is the buzzword for “aimed at specific businesses or political organizations.”)
Time to make sure Microsoft/Windows Automatic Update is turned off.
I’m moving us up to MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.
Let’s let the cannon fodder see if they can flush out any problems with the patches.