• Making Office secure is November’s patching task

    #503092

    PATCH WATCH


    Making Office secure is November’s patching task

    By Susan Bradley

    November is shaping up to be a hefty patch month. My Win7 machine was offered 30 updates, including a reissued Office patch and the all-too-regular .NET fixes. (The number you see depends on your configuration.) As usual, I’ll tell you which updates are priorities and which should be put on hold for now. The good news? Most of the security fixes are rated just important.


    The full text of this column is posted at windowssecrets.com/patch-watch/making-office-secure-is-novembers-patching-task/.

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

    Viewing 10 reply threads
    • #1537030

      Thanks for the advice as always Susan. A couple of questions if I may:-

      First, there is no mention in the article of KB3100773 which appears to be part of the Cumulative IE updates. I’m running IE9 (although I rarely use it).

      Second, there’s also no mention of KB3098781 which is showing as a .NET Framework update.

      Also, KB3092601 is showing in the summary chart as recommended for installation, but doesn’t appear to be included in the article.

      I’m assuming that all three updates should be installed, but would appreciate confirmation please.

      Again, many thanks!

      • #1538489

        I too am wondering how we get a go/stop from Susan Bradley on suspect Win patches. Does anyone know where I go to see her followup comments which she often promises?

        • #1538833

          I too am wondering how we get a go/stop from Susan Bradley on suspect Win patches. Does anyone know where I go to see her followup comments which she often promises?

          From Susan’s original PatchWatch column in paid newsletter issue 505:

          Patching the kernel always includes a bit of caution. But because some of these patches are critical, I’ll give an early yea/nay in the Windows Secrets Lounge (see the link at the bottom of this column)

          Would be nice if one of the officials could confirm that this here is the right thread to look for any upcoming comments by Susan. IMHO it should be, as “the link at the bottom of this column” is pointing right away to this thread.

    • #1537053

      The latest slew of patches for Microsoft Office 2010 has caused Outlook 2010 to crash whenever I open an e-mail that contains an image. I don’t know which patch causes it. One might assume it’s the patch for Outlook 2010 (KB3101535), but it may be more complicated than that. I have had to restore the system twice since these patches were released, as Microsoft considers them “important,” and will automatically install them when shutting down the computer. I’ll try hiding the Outlook 2010 patch, and get back to you with the results.

      • #1537071

        The latest slew of patches for Microsoft Office 2010 has caused Outlook 2010 to crash whenever I open an e-mail that contains an image.

        Apparently it’s not the Outlook 2010 patch, but a security patch for Windows that is causing Outlook 2010 to crash. Today’s issue of “Office Watch” describes the issue:

        The November 2015 security patch referenced MS15-115 is supposed to stop attacks via fonts. Unfortunately, the security fix seems to have broken Outlook’s ability to display HTML formatted emails. Not for all users, but enough to raise many complaints in forums. Microsoft, of course, is talking about it affecting ‘some’ customers. Presumably their usual phrasing about a ‘small number’ of Office users will appear in due course. There’s no hard information just a mix of reports, not all of which might be caused by the faulty patch. It seems there’s a range of errors and even a ‘black screen’. While Microsoft investigates their mistake and how to fix it, the best option if your Outlook breaks down is to remove the Windows update labelled KB3097877 then reboot your computer.

        • #1539062

          Apparently it’s not the Outlook 2010 patch, but a security patch for Windows that is causing Outlook 2010 to crash. Today’s issue of “Office Watch” describes the issue:

          The November 2015 security patch referenced MS15-115 is supposed to stop attacks via fonts. Unfortunately, the security fix seems to have broken Outlook’s ability to display HTML formatted emails. Not for all users, but enough to raise many complaints in forums. Microsoft, of course, is talking about it affecting ‘some’ customers. Presumably their usual phrasing about a ‘small number’ of Office users will appear in due course. There’s no hard information just a mix of reports, not all of which might be caused by the faulty patch. It seems there’s a range of errors and even a ‘black screen’. While Microsoft investigates their mistake and how to fix it, the best option if your Outlook breaks down is to remove the Windows update labelled KB3097877 then reboot your computer.

          Michael, In Windows Update, highlight kb 3097877. Then click on More Information. This will take you to instructions for removing this update and then reinstalling this update and MS recommended updates. My advice would be to reinstall only Susan’s recommended updates.

          Like everyone else, I’m hoping to see more information about the patches Susan mentioned telling us more about. Hope everyone has a good holiday. 😀

      • #1537197

        This problem was caused by KB3097877, not the Outlook patch. KB309877 was re-released on Thursday morning, 11/12/15, with Microsoft claiming it had fixed the bug. Susan had already noted early reports of problems after installing this patch in her column. You should have heeded her advice to hold off installing it.

    • #1537084

      @Tandor: Susan references the Microsoft patch bulletins in her article. Sometimes patches have different KB numbers for different versions of Windows and, of course, Microsoft tends to report the KB numbers for the latest version of Windows only. Also, Microsoft sometimes issues an “umbrella” KB number that covers all of the patches which each have their own (different) KB number. That is why it is best to refer to the MS99-999 patch number although, unfortunately, Windows Update does not mention it – you have to click on the “More information” link to find out what it is and it is a real pain if there are lots of patches. For the patches that you mention:

      KB3100773 is the Windows 7 version of MS15-112 – Cumulative Security Update for Internet Explorer

      KB3098781 – I am not sure about this one but I am guessing that it is MS15-118 – .Net Framework (I have KB3098778 on my Windows 7 Pro 64 PC)

      KB3092601 is MS15-119 – Winsock

      Susan specifies all three as “Install”.

      Hope this helps!

      patermann

      P.S. There is a small typo in the article which references MS115-119, MS115-120 and MS115-123 – they should be MS15-119, MS15-120 and MS15-123 of course.

    • #1537417

      Thank you Susan.

      I have been offered a few patches that have not shown up in Patch Watch and would like to know if I should install them.

      Apart from KB3101558 (MS Compatibility Pack SP3) which I installed I’m offered KB3085551 (also MS Compatibility Pack SP3).

      Others are:
      KB3101555 MS Office 2007 suites.

      Also as mentioned above KB3098781 .NET Framework 4.5, 4.5.1 and 4.5.2.

    • #1537428

      All Office Patches in MS15-116 are listed for install. For some reason the ones you list missed a specific reference in the email.
      Same for the .NET patches.

      cheers, Paul

    • #1537537

      I am following Susan Bradley’s valuable advice about MS updates, as usual.
      On my Win 7 Pro 64-bit system with Office 2010,
      WU offers two patches that are not yet mentioned in Susan’s column, nor in the Lounge:

      KB3054978
      “MS15-116: Description of the security update for OneNote 2010: November 10, 2015”

      and
      KB3101535
      “November 10, 2015, update for Outlook 2010 (KB3101535)”

      I am holding off installation of these two until Susan or someone here can clarify that they are safe to install.
      OneNote is installed on my machine but I never use it.
      Outlook is my primary calendar program, so it is more important.

      On a separate note, it seems that this month’s updates are painfully slow to install. I usually update just 2-4 items at a time, but WU seems to sit at 0% for a really really long time.
      Thank you very much for any advice.

      • #1539040

        Did Susan ever reply to your question?

        I am trying to work out where I go to see her follow-up on patches she discussed in early November.

    • #1537538

      Patches to applications are generally fine, it’s kernel patches that need more attention.

      Why don’t you make an image backup to an external disk – the one you usually use for backup – then install the updates?

      cheers, Paul

    • #1537593

      Problematic cipher-suite update reissued

      Windows’ cipher suites are a set of encryption algorithms, used to create keys and cryptographic information. Back on May 12, Microsoft released KB 3042058 to add more cipher suites and enhance suite priority.

      Unfortunately, the update caused problems for Web servers and network admins. Microsoft pulled the update back, did extensive testing, and then set it for manual download so that admins could test it on their platforms.

      When you do test it, watch out for issues with SSL-based Web sites and other authentication. I’ll follow up in the next Patch Watch for any real-world issues we run across.

      You’ll also want to test KB 2960358, an update designed to disable RC4 in Transport Layer Security (TLS). Web-server admins might see the side effects noted in MS Support article KB 2978675 — Internet Explorer-hosted managed applications no longer work correctly. To fix it, you’ll have to move away from the No-Touch methodology and use ClickOnce, where appropriate.

      Still no come back on this, or did I miss something?

      🍻

      Just because you don't know where you are going doesn't mean any road will get you there.
    • #1537598

      I’m more worried about MS15-122.
      Apparently there’s a known exploit that can get around Bitlocker.

      http://www.pcworld.com/article/3005182/encryption/bitlocker-encryption-can-be-defeated-with-trivial-windows-authentication-bypass.html

      Not sure if I want to wait on this one.

      • #1537674

        I’m more worried about MS15-122.
        Apparently there’s a known exploit that can get around Bitlocker

        The hack is so convoluted that anyone who can perform it already has most of the details they need to access your data, so I think you have a greater problem than an un-patched machine.

        cheers, Paul

    • #1537683

      I had the Office updates pending starting Sunday(?!). And I don’t have Office (2007). But I do have MS’ Viewers for Word, Excel, Visio and Powerpoint to support my brother and they are 2007. Oh, the things we do for love. Good thing I don’t have Access or Report Runtime.

      pending Sunday:
      KB2596843
      KB2687499
      KB2687311
      KB2596672
      KB2596848
      Microsoft Office 2007 SP3
      KB2596785
      KB2596615
      KB2760416
      -now installed…got to assume those stubs are insecure. Now I can’t wait for my brother to retire.

      pending now:
      KB2760591
      KB2825645
      KB2837610
      KB3085546
      KB3101555
      KB3085551
      KB3101558

    • #1538490

      There should be a further Patch Watch article next week, I believe.

      • #1538493

        There should be a further Patch Watch article next week, I believe.

        Tandor: Do you mean a followup Win Secrets email sent to all the paid up subscribers, or will the article be buried somewhere in Win Secrets Lounge? Thanks.

        • #1538495

          Tandor: Do you mean a followup Win Secrets email sent to all the paid up subscribers, or will the article be buried somewhere in Win Secrets Lounge? Thanks.

          Patch Watch articles form part of the paid-for content and are accessed under the Newsletter Archives heading, and also form part of the newsletters sent to subscribers. The subscription is, of course, purely nominal.
