Woody Leonhard's no-bull news, tips and help for Windows and Office
RSS icon Email icon Home icon
  • Resurrected KB 951847 ‘zombie’ patch fixed — but now has new problem

    Posted on October 18th, 2013 at 19:34 woody 2 comments

    If you’re running XP or Server 2003, and you’re trying to keep .NET off of them, this is going to be a very complicated re-re-patch.

    InfoWorld Tech Watch

  • MS-DEFCON 3: Get patched now

    Posted on July 30th, 2009 at 11:01 woody 20 comments

    With the Black Hat conference in full swing in Las Vegas, and detailed instructions for bypassing Microsoft’s killbit patches posted on the Web, it’s time to get everything patched.

    Rub your lucky rabbit’s foot, bend over and kiss your keester, and install all of Microsoft’s outstanding patches. Yes, that includes the killbit patches I’ve been moaning about, and the patches Microsoft released two days ago. Susan Bradley’s Top Story in Windows Secrets Newsletter, released about an hour ago, convinced me that the bad guys are hovering, and a rash of infectious junk is about to hit the fan.

    Specifically, you should install Windows Vista Service Pack 2/KB 948645 , the .NET Framework patch, KB 951847 , Office 2007 Service Pack 2 / KB 953195 , Windows XP Service Pack 3, KB 936929 , the old killbit patch KB 960715 , and the two new ones, MS09-034 / KB 972260, and MS09-035 / KB 969706.

    If you get repeated notifications to install the killbit patches, check out this workaround.

    Microsoft has screwed up the killbit patches so much that you may well break some of your old applications, but the fact that the security holes go all the way into the libraries means there are thousands of newly discovered infectious vectors. The only way you’re going to guard against them is by applying Microsoft’s horrendous updates. You can thank Microsoft’s use of ActiveX for that.

    Do me a favor and boycott Internet Explorer, OK? Use Firefox. We’ll both sleep better at night.

    We’re at MS-DEFCON 3: Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems.

    Get all caught up, and stay tuned for more fixes, as a result of disclosures at the conference.

  • MS-DEFCON 4: Get patched, but avoid these stinkers

    Posted on June 5th, 2009 at 06:09 woody 16 comments

    With ten patches on the way next Tuesday, and many of the problems with older patches fixed, it’s time to get patched up. Unfortunately, there’s a long list of  problematic patches that you should studiously avoid.

    Here are the ones I suggest you pass by:

    Windows Vista Service Pack 2/KB 948645 is causing problems. Dennis O’Reilly talks about some of them in the latest Windows Secrets Newsletter. There’s no pressing need to install Vista SP2, and the PC you toast may be your own. Hold off for now. If you really want to install SP2 and it isn’t offered by Automatic Update, check out KB 948343 for a list of potential problems. Worth noting: that KB article is up to version 14.0. And you trust this stuff?

    Office 2007 Service Pack 2 / KB 953195 has a few problems – just look at the “Known Issues” list at the end of the KB article. Again, there isn’t enough new stuff to justify putting your computer at risk. Patience.

    KB 951847 is a mess of a patch of a patch of a patch of the .NET Framework in Windows XP. The Knowledge Base article is up to version 5.0. This is the one that includes the drive-by installation of a difficult-to-remove add-on for Firefox. I’m beginning to think that it’ll never get fixed – you’re better off waiting until you upgrade to Vista or (better) Windows 7, which have .NET baked in, or wait until Microsoft releases a new version of .NET.

    KB 960715, the ActiveX killbit update, still breaks many programs. I don’t think the cure is any better than the disease. Of course, you’re using Firefox (or Chrome) – or any Web browser that doesn’t directly expose your machine to ActiveX infections, right?

    KB 967715, the Conficker-killer that doesn’t work, is worth installing, but make sure you understand its limitations, as I posted in mid-March.

    I’m still ambivalent about Windows XP Service Pack 3, KB 936929. If you’ve been keeping up on all of your patches, it’s a toss-up. If you decide to install it, and you have problems, be sure to check out Microsoft’s Knowledge Base article KB 950718.

    I’m also ambivalent about Internet Explorer 8. Mark Edwards has a good analysis of the situation on the Windows Secrets web site.

    Sorry to leave you with such a patchwork quilt of good and problematic patches, but I think you’d be well advised to apply all outstanding patches except the ones listed above.

  • More .NET Framework patch stupidities

    Posted on June 2nd, 2009 at 09:53 woody 3 comments

    Several of you have written, pointing to an article by Brian Krebs in the Washington Post, adding yet more fuel to the pyre that is known as the .NET Framework patch or KB 951847.

    Quoth Brian:

    [T]he .NET update automatically installs its own Firefox add-on that is difficult — if not dangerous — to remove, once installed.

    The so-called .NET Framework Assistant for Firefox is difficult, but not impossible to uninstall. Details appear on Brad Abrams blog.

    Thie particular piece of Microsoft “support” shouldn’t come as a big surprise to anyone who follows .NET Framework updates religiously. Microsoft employees have been blogging about it since May 12, at least.

    Still, it’s a bit disconcerting to have Microsoft install a drive-by Firefox add-in as part of a “security update.”

    I hope that the folks at Microsoft return the favor. I would love to see Firefox 3.0.11 – the next security update to Firefox – automatically, silently install a hard-to-remove add-on to Internet Explorer that makes IE infinitely more secure by, oh, disabling ActiveX controls.

    The fact that Microsoft released such a patch – and installs it silently as part of a “security” update – should give you pause. But also consider the corporate culture that allows such blatant acts of hubris to take place. Repeatedly.

    The old Microsoft is with us still.

    Hold off on your Microsoft patches, folks. Beware of Redmond Geeks bearing gifts. The PC you wreck may be your own.

  • Where are we with the patches?

    Posted on April 30th, 2009 at 14:36 woody 9 comments

    Reader BH writes:

    Before the current MS update release on Tuesday you were at Defcon 4
    and stated to install the patches. Did that statement include:

    Microsoft.NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update (KB951847)

    KB952004

    KB956572

    KB959426

    KB960803

    Update Rollup for Actice X Killbit for Windows Vista (KB960715)

    I have been sitting on these for awhile and wish to know what to do with them.

    Your post regarding loading the patches did not specify the above and all along you have been stating not to load the Net Framework and Active X Killbit updates for some time now.

    I follow your MS-DEFCON and only load when you say so and I would guess many others follow the same procedure. Wish you would incorporate a chart with each to the updates listed and what to do with them. It would only involve the lastest listing plus those from past months  that you do not wish us to update.

    Wish I had time to do that! But it would be a monstrous task.

    Here’s what I recommend:

    I’m still ambivalent about KB951847. It breaks a lot of stuff. The ActiveX Killbit rollup also breaks a lot of stuff. I talk about both here.

    KB952004 and KB956572 are MS09-012. You should’ve installed that already, but if you haven’t, wait.

    KB959426 is MS09-015. Same comment.

    KB960803 is MS09-013, part of the massive Internet Explorer patch. Same comment, especially if you use Firefox.

    In general, if you follow the MS-DEFCON level, you’ll apply patches when they’re safe, and avoid applying patches when they aren’t. There are always a few stinkers – the ActiveX Killbit and .NET Framework patches fall into that category – but by and large you can apply the patches, when they’re fully baked, en masse.

    For now, hold off.

  • MS-DEFCON 4: Watch out, but go ahead and install April patches

    Posted on April 24th, 2009 at 08:52 woody 5 comments

    The crop of April Black Tuesday patches looks reasonably stable. The SANS Internet Storm Center reports that Symantec has raised an alert about possible MS09-013 / KB 960803 based infections – “but it could also be old vulnerabilities from 2002 (both Apache and IIS).” MS09-013 and MS09-014 are the (now expectable) monthly humongous Internet Explorer patches.

    There are known problems with all of the following:

    MS09-010 / KB 960477 Wordpad and Office converter patches may refuse to install, and they change the way Wordpad handles Word 6 and Write files. When you install this patch, go ahead and install the new Office Compatibility Pack immediately after. I haven’t seen any advice as to whether the new Compatibility Pack eliminates the need to install MS09-010 or not, so to be safe, install the patch, then the new converters.

    MS09-014 / KB 963027, the massive Internet Explorer patch, may trigger a bogus “Connection Denied” message which requires a Registry change to eliminate. Of course, you’re using Firefox, so you aren’t overly concerned. Go ahead and patch.

    MS09-015 / KB 959426 has an interesting problem: if you install the patch on a Windows 2000 computer, you have to dig into the Registry to make the patch work. Kinda makes me feel warm and fuzzy about the testing that goes into these patches…

    At any rate, I’m moving us to MS-DEFCON 4: There are isolated problems with current patches, but they are well-known and documented here. Check this site to see if you’re affected and if things look OK, go ahead and patch.

    I still recommend that you HOLD OFF on these patches:

    KB 951847 is a mess of a patch of a patch of a patch of the .NET Framework in Windows XP. I’m beginning to think that it’ll never get fixed – you’re better off waiting until you upgrade to Vista or (better) Windows 7, which have .NET baked in, or wait until Microsoft releases a new version of .NET.

    KB 960715, the ActiveX killbit update, still breaks many programs. I don’t think the cure is any better than the disease. Of course, you’re using Firefox (or Chrome) – or any Web browser that doesn’t directly expose your machine to ActiveX infections, right?

    KB 967715, the Conficker-killer that doesn’t work, is worth installing, but make sure you understand its limitations, as I posted in mid-March.

    I’m still ambivalent about Windows XP Service Pack 3, KB 936929. If you’ve been keeping up on all of your patches, it’s a toss-up. If you decide to install it, and you have problems, be sure to check out Microsoft’s Knowledge Base article KB 950718.

    I’m also ambivalent about Internet Explorer 8. Mark Edwards has a good analysis of the situation on the Windows Secrets web site.

  • .NET Patch of a Patch of a Patch

    Posted on March 17th, 2009 at 20:23 woody 7 comments

    On January 30, I talked about the problems with the .NET Framework 3.5 Service Pack 1 patch known as KB 951847. At the time I recommended you avoid applying the patch. I continue to recommend that you avoid applying the patch.

    If you install the “.NET Framework 3.5 SP 1″ patch you actually get three versions of .NET Framework installed on your system, regardless of which version(s) of .NET you may already have: .NET Framework 2.0 SP2, .NET Framework 3.0 SP2, and .NET Framework 3.5 SP1.

    That’s a Real Big Deal because different versions – or even different Service Packs – of .NET Framework are notorious for their incompatibilities. If you install a program, and it installs .NET Framework, you better keep that version around, if you want to continue to run the application.

    Sound complicated? That ain’t the half of it.

    Today Microsoft posted a patch for the .NET Framework 3.5 Service Pack 1 patch. Dubbed KB 967190, the patch fixes a problem with .NET 3.5 SP1 that makes it impossible to use the XPS document viewer on 64-bit versions of Vista.

    The KB article goes on to say:

    You must have .NET Framework 3.5 SP1 or .NET Framework 3.0 SP2 installed to apply this hotfix.

    But there’s no separate confirmation that .NET Framework 3.0 SP2 also has the bug.

    To make things even more, uh, entertaining, if you look at the patch, it doesn’t patch .NET Framework at all. It patches the XPSviewer.exe application.

    Oy.