More June security patching bugs: You can patch an IE security hole, or print inside iFrames – but not both


    #125585

    The latest IE patching conundrum deals with a bug in the June patches that broke the ability to print in iFrames. Automatic Update flops between one c
    [See the full post at: More June security patching bugs: You can patch an IE security hole, or print inside iFrames – but not both]

    5 users thanked author for this post.
    • #125598

      Well we will try this again.  The Internet Explorer iFrame print bug that was introduced in June's:

      Cumulative security update KB4021558 for Internet Explorer 11
      or
      Monthly rollup 4022726 for Windows 8.1 and Windows Server 2012 R2
      or
      Monthly rollup 4022719 for Windows 7 SP1 and Server 2008 R2 SP1

      WAS CORRECTED In:

      Update for Internet Explorer 11 for Windows x.x systems KB4032782 released 06/27/2017.

      https://support.microsoft.com/en-us/help/4032782/a-blank-page-or-404-error-prints-when-you-try-to-print-a-frame-in-ie

      Update Catalog Page:

      http://catalog.update.microsoft.com/v7/site/Search.aspx?q=%20%20KB4032782

      Viper

      • #125619

        The Internet Explorer iFrame print bug that was introduced in…

        As well as 4022724, 4022727, 4022714, 4022715, and 4022725, yes?

        WAS CORRECTED In: Update for Internet Explorer 11 for Windows x.x systems KB4032782 released 06/27/2017.

        As mentioned in the article, it WAS corrected – first on June 22, then on June 27 – but in the process of correcting the bug, 4032782 removes the protection for CVE-2017-8529.

        Right?

        1 user thanked author for this post.
    • #125604

      Swell. But, since I rarely use IE (Win 7 Pro x64), except for the very few sites that do not render correctly in Firefox, I’ll take KB4025252 for $300 (and hope that it’s not the Monthly Double Whammy).

      2 users thanked author for this post.
    • #125606

      Very balanced article with a very good review of the recent updating events for multiple operating systems.
      Somehow difficult to follow even for those of us “in the know”, I am wondering what would other less informed readers think, especially those who are not among our frequent posters or readers here… 🙂

      1 user thanked author for this post.
      • #125741

        cf100 wrote in #125606….Very balanced article with a very good review of the recent updating events for multiple operating systems. Somehow difficult to follow even for those of us “in the know”, I am wondering what would other less informed readers think, especially those who are not among our frequent posters or readers here… 🙂

        Well I am one of your less informed readers and have been following this forum since September 2016. This is my first post. I have diligently followed all the Group B recommendations and I can say without reservation and with grateful thanks to you all that without the help provided by all the experts here I would have been totally lost.

        But right now this latest debacle with IE patching has me extremely confused. I waited until July 7th to install the June recommended security patches including KB4021558. Now I find it has a double vulnerability with an either/or solution provided. Not being able to print from IE is a non issue for me as I never use it. Firefox is my go to browser.

        My primary focus is on keeping my Windows 7 Home Premium 64-bit SP1 HP laptop as secure as possible but I have no idea what steps I should take now. It will soon be time to install the July security patches once the Defcon number reaches 3 and this old guy needs some clear direction and soon. I hope someone here has the answer for me. Thanks all.

        2 users thanked author for this post.
    • #125615

      Swell. But, since I rarely use IE (Win 7 Pro x64), except for the very few sites that do not render correctly in Firefox, I’ll take KB4025252 for $300 (and hope that it’s not the Monthly Double Whammy).

      You would apply KB4032782 to correct the Oops’es Microsoft stuffed into the June updates for IE then apply July’s KB4025252 Cumulative Security Update for Internet Explorer as you normally would to get your IE security up to date.

      Note that if you do not do a backup Disk Image before updating you should probably wait for a change to DEFCON 3 (but still keep your fingers crossed) considering Microsoft's track record of bad updates lately.

      Viper

      2 users thanked author for this post.
    • #125623

      Swell. But, since I rarely use IE (Win 7 Pro x64), except for the very few sites that do not render correctly in Firefox, I’ll take KB4025252 for $300 (and hope that it’s not the Monthly Double Whammy).

      You would apply KB4032782 to correct the Oops’es Microsoft stuffed into the June updates for IE then apply July’s KB4025252 Cumulative Security Update for Internet Explorer as you normally would to get your IE security up to date. Note that if you do not do a backup Disk Image before updating you should probably wait for a change to DEFCON 3 (but still keep your fingers crossed) considering Microsoft's track record of bad updates lately. Viper

      Hmmmm … It looks like July’s KB4025252 Cumulative Security Update for Internet Explorer DOES NOT contain a patch to protect against CVE-2017-8529 | Microsoft Browser Information Disclosure Vulnerability

      https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8529

      at the very bottom of the page:

      4.2     07/11/2017     Please note that the protection for CVE-2017-8529 is not yet available with the release of the July security updates, as we continue to work on a solution for the known issue customers may experience when printing from Internet Explorer or Microsoft Edge after installing Internet Explorer Cumulative update 4021558. Customers who receive automatic updates will not be protected from this CVE. Microsoft is continuing to investigate a solution for this known issue and will notify customers as soon as an update is available.

      2 users thanked author for this post.
    • #125635

      So if nothing changes between now and when the DEFCON changes to “go ahead”, Group B can avoid the security hole by not installing July’s IE11 update (assuming no updates have been applied since the main June updates) but Group A will automatically get the security hole reinstated. Have I understood this latest MS triumph correctly?

      Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

      1 user thanked author for this post.
    • #125782

      I’ve been in Group A since the beginning.

      But someone I’ve been helping navigate through the Group B hoops is now seriously considering switching to Group A because of this IE printing problem.

      To permanently switch to Group A, and get the IE print bug fix, would a Group B Windows 7 user simply install July 11, 2017—KB4025341 (Monthly Rollup)?

      Would they need to uninstall Cumulative security update for Internet Explorer: June 13, 2017 first?

      Please let me know and I’ll pass along your advice. Thanks.

      • #125784

        The July Monthly Rollup contains the July Cumulative IE11 patch. You do not need to uninstall anything. Just install the Rollup to get to Group A.

        1 user thanked author for this post.
        • #125794

          The July Monthly Rollup contains the July Cumulative IE11 patch. You do not need to uninstall anything. Just install the Rollup to get to Group A.

          Thanks PKCano. I guessed as much but I wanted to be sure.

      • #125814

        If this person wants to stay in Group B, she can install the July Internet Explorer cumulative update. Woody hasn’t given the go-ahead for this yet though.

        3 users thanked author for this post.
    • #125819

      As a person who intends on staying with Group B, I don’t have the June IE update KB4021558 installed on my computers. It seems to me after reading through that if I now install the KB4025252 July IE update, then that particular security hole is still not patched, but I will also not have the iFrame bug. Is that correct?

      Hope for the best. Prepare for the worst.

      • #125858

        I believe that’s correct.

        Given the lack of fixes for the June Office security bugs, I’m waiting until next Tuesday (at the earliest) to change the MS-DEFCON level. There are no July patches that are screaming to be installed.

        4 users thanked author for this post.
    • #126029

      A “heads up” for you all…

      Just because you don’t use IE and instead you use another web browser, this does NOT necessarily mean that IE is not silently running as a hidden window on your computer. It has been several months since I encountered this issue on one of my Win7 laptop computers. I recall that somehow several instances of the infamous KB2952664 update were found to be installed on that particular computer even though several months ago I had uninstalled what I thought was just one installed instance of KB2952664.

      I discovered this issue on this particular Win7 laptop computer after cancelling my contract with LoJack and then uninstalling the LoJack software. I incorrectly assumed that LoJack, incorporated into my Win7 laptop’s BIOS, was what was creating a hidden instance of IE every time I rebooted my computer. It was CCleaner which constantly reported that IE had to be closed before CCleaner could then perform its cleaning operations. I always had to tell CCleaner to force the closing of IE so that CCleaner could perform its cleaning operations. After cleaning, IE always magically restarted as a process which had no visible window.

      I wrote a batch file which detected all installed instances of KB2952664 and which then uninstalled all installed instances of KB2952664. There were several installed versions which were sequentially uninstalled.

      After rebooting this Win7 laptop computer, I then verified that there no longer were any running yet hidden instances of IE.

      So there you have it. If you are on Group A and have KB2952664 installed and even if you don’t launch IE, I bet that Task Manager will show that iexplorer.exe is running every time after you reboot your computer. A running instance of IE is a running instance of IE —  regardless of whether or not IE’s window is hidden. A running instance of IE exposes your computer to this vulnerability unless you install the IE patch which fixes this vulnerability yet does not fix the issue of printing inline frames.
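
The detection step described in the post above, as an added example that is not the poster's batch file: a PowerShell function that parses the list output of `dism /online /get-packages` and returns every installed package version of one KB. The helper name `Find-KbPackage` and the sample records are assumptions constructed for illustration.

```powershell
# Added example. Find-KbPackage is a hypothetical helper name, not a built-in cmdlet.
# Written to run on the PowerShell 2.0 that ships with Windows 7.
function Find-KbPackage {
    param([string] $Kb, [string[]] $DismLines)
    $pkg = $null
    foreach ($line in $DismLines) {
        if ($line -match '^\s*Package Identity\s*:\s*(\S+)') {
            # A new record starts; State and Install Time follow on later lines.
            $pkg = New-Object PSObject -Property @{ Identity = $Matches[1]; State = ''; InstallTime = '' }
        }
        elseif ($pkg -and $line -match '^\s*State\s*:\s*(.+?)\s*$') {
            $pkg.State = $Matches[1]
        }
        elseif ($pkg -and $line -match '^\s*Install Time\s*:\s*(.*?)\s*$') {
            $pkg.InstallTime = $Matches[1]
            # Install Time closes a record. Emit it only if it is this KB and still installed.
            if ($pkg.Identity -match "_for_${Kb}~" -and $pkg.State -eq 'Installed') { $pkg }
            $pkg = $null
        }
    }
}

# Constructed sample in the DISM list format (versions and times are made up;
# KB0000000 is a placeholder for an unrelated update).
$sample = @'
Package Identity : Package_for_KB2952664~31bf3856ad364e35~amd64~~6.1.16.0
State : Installed
Release Type : Update
Install Time : 1/15/2017 9:12 AM

Package Identity : Package_for_KB2952664~31bf3856ad364e35~amd64~~6.1.19.0
State : Installed
Release Type : Update
Install Time : 4/2/2017 8:40 AM

Package Identity : Package_for_KB0000000~31bf3856ad364e35~amd64~~6.1.1.0
State : Installed
Release Type : Security Update
Install Time : 7/7/2017 6:05 PM
'@ -split "`r?`n"

# Returns the two KB2952664 records and skips the unrelated package.
Find-KbPackage -Kb 'KB2952664' -DismLines $sample | Select-Object Identity, State, InstallTime

# On a live system, from an elevated prompt:
#   Find-KbPackage -Kb 'KB2952664' -DismLines (dism.exe /online /get-packages)
```

Each returned `Identity` is the value that `dism /online /remove-package /PackageName:` expects, which is why a KB with several installed versions has to be handled one identity at a time.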

      • #126043

        @ch100 recently confirmed that where IE11 has been uninstalled AND where IE8 has been deselected (unenabled) on a Win7 machine, the computer will be hiding IE7 as the “working version” (he also mentions other WinOS, for those interested).

        • #126365

          So the question remains, one that I’ve not seen asked anywhere, is what happens when Microsoft end support for IE? Since it can’t technically be removed completely we’ll be left with a gaping security hole that is no longer patched. So you can either choose to have an insecure default version or an insecure newest version. Unless Microsoft release a patch that somehow neuters IE completely.

          -T

    • #126608

      Just for clarification…

      I applied the KB4021558 update, which protects against CVE-2017-8529.

      I did not apply the KB4032782 fix to correct the print bug. This means I am still protected against CVE-2017-8529.

      I applied KB4025252. Where does that leave me as far as the print bug AND the protection against CVE-2017-8529?
