Woody Leonhard's no-bull news, tips and help for Windows and Office
  • MS-DEFCON 4: Time to get patched – and watch out for Java

    Posted on September 5th, 2012 at 10:05 by woody

    Last month’s Black Tuesday patches had a bunch of surprises, according to the comments at the SANS Internet Storm Center, but it looks like things have settled down.

    There’s one lingering stinker in the bunch: MS 12-060 (KB 2597986/2687323/2687441) can make older Office Visual Basic apps go wonky, with an “Unspecified Automation Error” message. Susan Bradley will have details – including a fix – in tomorrow’s Windows Secrets Newsletter.

    The big, big Windows patching problem continues to be Java. Five months ago I was roundly criticized by some self-appointed experts for admonishing that It’s Time to Run Java Out of Town. By Jove, it’s more true now than ever. Oracle issued an “urgent” update to Java 7 last week – Update 7 fixed a big security hole that was being actively exploited. Apparently, researchers had warned Oracle about the flaw months ago, but they didn’t get around to patching until this week. Within hours of Update 7 being posted, the same security researchers announced that the new version had a similar security hole.

    Brian Krebs has some good advice: “If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.”

    So get your Microsoft patches applied, and think hard about how to wean yourself off the Java Runtime Environment.

    I’m moving us down to MS-DEFCON 4: There are isolated problems with current patches, but they are well-known and documented here. Check this site to see if you’re affected and, if things look OK, go ahead and patch.