Old Posted News

[parkd1]

What to look out for in 2014's last Patch Tuesday

After last month's blizzard of patches tomorrow's last round of Windows updates for the year looks set to be rather quieter.

Only seven bulletins have been announced, of which three are rated Critical and four Important. Of the Critical patches one is for Internet Explorer, one for Office and one for Windows itself -- likely to be for a remote code execution vulnerability.

There's an Important MS Exchange patch to resolve an elevation of privilege problem. Chris Goettl Product Manager of IT management specialist Shavlik says, "As you may recall, this patch was held out of last month's Patch Tuesday updates along with another out-of-band patch that was released later in November. With all of the changes at Microsoft recently, this practice of holding a patch could become a pattern. It is likely that with less important patches, these will be released on a subsequent Patch Tuesday".

The Internet Explorer patch looks set to be a cumulative security update, something that will probably become a regular fixture in future Patch Tuesdays as hackers increasingly target browsers. There are three Office updates in total all of which address remote code vulnerabilities.

Karl Sigler, Threat Intelligence Manager at Trustwave says, "This security update will be light compared to the previous patch Tuesday. None of the CVEs included in this release are exploited in the wild at the moment. Also, it's not likely there will be a vulnerability as nasty as the Schannel Remote Code Execution vulnerability (MS14-066) from last month".

Third-party patches are expected from Adobe too according to Wolfgang Kandek, CTO of cloud security specialist Qualys. "Adobe has notified of a new version of Adobe Reader and Acrobat in APSB14-28. Both versions 10 and 11 on Windows and Mac OS X are affected by this critical vulnerability. In addition we also expect a new version of Flash as Adobe has had monthly release for Flash in every month in 2014 so far".

All versions of Windows, Office and IE are thought to be affected by at least one of the vulnerabilities. Users with automatic updates enabled should receive these updates automatically though a reboot will be required to apply them.

http://betanews.com/2014/12/08/what-to- ... h-tuesday/

[Whatacrock]

Microsoft Fixes Critical Security Hole in Windows

Microsoft has just released the last security updates of the year for its software solutions, thus patching a number of critical flaws in its products, including Windows and Internet Explorer.
Redmond rolled out a total of seven security bulletins this month, three of which were considered to be critical. Obviously, all users are recommended to get these updates as soon as possible in order to make sure that their data is not at risk when using supported Microsoft software.
Internet Explorer and Office getting critical fixes
Specifically, both Internet Explorer and Microsoft Office received critical security fixes today, so in case you’re using any of these two products, make sure that you launch Windows Update in the next few hours.

In IE’s case, Microsoft says that it patched a remote code execution flaw, fixing a total of fourteen privately-reported vulnerabilities in the browser. This means that there’s no public exploit available for the time being, so you’re perfectly secure as soon as you install these patches.

The company warns that these exploits usually involve a malicious website that needs to be loaded in Internet Explorer. Once the user visits this specially crafted webpage, the attacker could get the same privileges as the current user, so you can figure out what could happen if you’re the administrator.

As far as Microsoft Office is concerned, the company’s security experts came across two vulnerabilities in Microsoft Word and Microsoft Office Web Apps which would again allow an attacker to get the same rights as the logged on user with the help of a malicious Word document.

“If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Redmond says.
New Flash Player for Internet Explorer users
In addition to the aforementioned fixes, Internet Explorer users also receive a new Flash Player version that patches critical bugs found in this software solution.

Adobe Flash Player is now bundled into Internet Explorer, so all patches are automatically delivered through Windows Update, which means that no user input is required. At the same time, Internet Explorer users only need to reboot the browser to successfully install the new Flash Player build.

The same is happening for Google Chrome, as the Mountain View-based search giant also integrated Flash Player right into the browser, so updates are automatically shipped to their users as well, without the need for separate downloads.

http://news.softpedia.com/news/Microsof ... 7006.shtml

[Whatacrock]

Microsoft Ships New Botched Update: KB3002339 Failing to Install

Microsoft released a total of seven bulletins as part of this month's Patch Tuesday rollout, but it appears that at least one of the updates is causing issues to a number of users running Visual Studio on their computers.
Bug reports published on Microsoft's Community forums indicate that KB3002339 fails to install properly no matter the Windows version, as there seems to be a compatibility issue with Visual Studio.

At this point, both Windows 7 and Windows 8.1 have been confirmed to be affected by the problem and Visual Studio 2012 is the only version suffering from this. There are no reports pointing to issues experienced with any other VS build number.
How to install it anyway
According to users who have already experienced this problem on their computers, installation of update KB3002339 fails to complete and it sometimes takes up to an hour to return an error.

This is undoubtedly frustrating, but users are not recommended to shut down or reset their computers, as interrupting the update process could lead to more issues.

Basically, the easiest way to deal with this problem is to hide the update from Windows Update, so after getting the error and rebooting the computer, you won't be prompted to reinstall it.

But there are some reports suggesting that manually downloading the update and installing it on PCs where this problem has been reported also solves all issues, so give this workaround a try before anything else.

Others, however, went ahead and restored their computers to make sure that KB3002339 was deployed correctly.

“I let it set for over 90 minutes on four computers the first time. Ended up having to restore the computers, hid Update for Visual Studio 2012 (KB3002339) and even then had to install the other December Microsoft updates in smaller chunks to get everything but KB3002339 installed,” one user explained.
The only botched update of the month
Microsoft is more or less used to fixing botched updates after breaking down a number of computers, as the same thing happened several times this year.

What's worse, however, is that in most of the cases Redmond needed quite a lot of time to fix the problems, so several users were left unprotected because of the issues blocking them from installing the updates.

This time, it appears that KB3002339 is the only update causing the problem, so let's just hope that the company moves a little bit faster this time to provide us with a fix.

http://news.softpedia.com/news/Microsof ... 7024.shtml

[Whatacrock]

Microsoft to Disable IE11 SSL 3.0 Automatically in February

This month’s Patch Tuesday rollout was expected to bring an important security update for Internet Explorer users who wanted to be secure in front of the POODLE vulnerability, but it turns out that Microsoft has actually decided to push back the deadline to February 2015.
So what exactly happened? Microsoft initially said that it would start disabling SSL 3.0 for Protected Mode websites starting December 2014, but the company revealed in an advisory that this deadline was now moved to February.

And still, thanks to the December 2014 Internet Explorer Cumulative Update, users can manually block SSL 3.0 fallback in Internet Explorer 11, the company says.

Enterprise users, who are pretty much the ones most vulnerable in front of POODLE attacks, can do this by setting up their Group Policy rules and Microsoft says that everything would be customizable through registry or a Fix It solution.

The POODLE vulnerability was first reported last summer and allowed cybcriminals to easily decrypt an encrypted connection to a website no matter the browser. Both Firefox and Chrome disabled SSL 3.0 by default in latest updates and Microsoft will do the same next year.

Internet Explorer 11 is currently the default browser in Windows 8.1 and is also available as a standalone update for those running Windows 7. Windows 8 users cannot update to this version and must stick to Internet Explorer 10.

http://www.softpedia.com/blog/Microsoft ... 7225.shtml

[Whatacrock]

Bug in DRM Gets December Silverlight Patch Pulled

Patching folks, when's the last time you were able to breathe a sigh of relief after a Patch Tuesday release? More and more problems are mounting over this month's releases. I'm keeping a tally in this article: Tracking December's Updates: Update KB3008923 Crashing IE9, Other Issues Reported.

Each month, we've been faced with updates that break things. Microsoft eventually pulls the more suspect updates and later states that the problems only affect a very small percentage, but so it is, and so it goes. The sad fact is that as each month's update woes stack up it makes it easier for Microsoft customers to consider migrating to a non-Microsoft OS. Every OS has to be patched, but someone, somewhere, has to be hitting a better success percentage that we've experienced in the last couple years from Microsoft. The problem seems to be growing steadily worse.

Yesterday, another update hit the community headlines. KB3011970 is (was) an update for Silverlight. Over the course of yesterday afternoon, many patchers were finding that the update was slowly disappearing from their patching mechanisms like WSUS and System Center Configuration Manager. And, while not officially stated by Microsoft yet, it does appear that this update has been pulled.

Some that experienced problems noted that navigating web sites that required Silverlight was difficult, while others reported that updating the Silverlight Player halted all video playback. A thread on the TimeWarner Cable web site tells its customers how to uninstall the update, go back and install the previous version, and then how to block this month's update from ever appearing again.

A thread on the Microsoft forums confirmed that the update has been expired.

Someone at Microsoft has to be hearing about these things, right? Heads need to roll before this gets fixed, it seems. It's actually becoming easier to predict bad patches than it is to predict bad weather.

http://windowsitpro.com/windows-update/ ... tch-pulled

[Whatacrock]

Microsoft Releases KB3024777 Update to Fix Botched KB3004394 Patch

The KB3004394 update released by Microsoft this month caused several problems on Windows 7 and Windows Server 2008 R2 systems, and many users confirmed that after installation Windows Defender, Task Manager, and other system tools fail to work properly.
While the company initially remained tight-lipped on this issue, it rapidly discovered that it was actually a widespread program and decided to pull the update completely, thus blocking other systems from getting the botched update as well.

Today, Redmond has also released a fix to address these issues, explaining that, in some cases, users are stopped from installing future updates due to the bugs included in the original update.
KB3024777 to the rescue
KB3024777 is supposed to fix an issue with the original update on Windows 7 and Windows Server 2008 R2, Microsoft says in an updated advisory, recommending users to manually download and install this new patch as soon as possible.

The KB 3004394 update that was dated December 10, 2014 can cause additional problems on computers that are running Windows 7 Service Pack 1 (SP1) and Windows Server 2008 R2 SP1. This includes the inability to install future updates. This new update is available to remove KB 3004394 from your computer, the company adds in the advisory.

One thing that's worth noting is that users experiencing issues with the original patch and who are blocked from installing additional updates need to manually perform the whole process and install today's new release.

Once installation of KB3024777 comes to an end, check for updates once again to make sure that your computer is fully updated.
Windows 7 is the only version affected
According to information coming from Microsoft itself, who confirmed the issues experienced by users with KB3004394, these problems were only reported on Windows 7 Service Pack 1 and Windows Server 2008 R2 SP1.

"This includes the inability to install future updates. The KB 3004394 update does not cause any known problems on the other systems for which it is released. We recommend that you install the update on the other systems," the company explains.

Microsoft also recommends users who have not installed KB3004394 until now to avoid doing so right now and wait until a revised version is released. What's more, the company says that those who have already deployed it and haven't restarted their computers should delay the reboot as much as possible or remove the original patch files completely from their systems.

http://news.softpedia.com/news/Microsof ... 7248.shtml

[TheAPGuy]

This pissed me off for a day. No Netflix was fairly upsetting.

[parkd1]

Hmmmmm just saw this on the windows update this morning, right now. Looks like this is a full patch. The one I saw on patch Tuesday was an update patch. So did Microsoft repost it?

[Whatacrock]

The current version of Silverlight is 5.1.30514.0, according to the Official Silverlight website at http://www.microsoft.com/silverlight/

[parkd1]

Just odd to see it twice the the window update history as installed on the 12-9-14 and 12-13-14 with the same KB3011970.