Posts Tagged ‘Windows update’

Microsoft botches six Windows patches in latest Automatic Update

Friday, August 16th, 2013

Microsoft acknowledges problems with KB 2876063, KB 2859537, KB 2873872, KB 2843638, KB 2843639, and KB 2868846, all released earlier this week

In an amazing tour de force, Microsoft’s Automatic Update chute released at least six bad patches on Tuesday. Here’s what’s amazing: It’s just 48 hours or so since the bomb bay doors opened, and Microsoft has acknowledged problems with all of these patches. That’s a first, I think — and the biggest positive development in the Automatic Update minefield I’ve seen in a long time.

The gory details:

  • MS13-061/KB 2876063 — a remote code execution hole in Exchange Server — has been pulled. The problem only affects Exchange 2013. From the Exchange team blog:

Late last night we became aware of an issue with MS13-061 security update for Exchange Server 2013. Specifically, after the installation of the security update, the Content Index for mailbox databases shows as Failed and the Microsoft Exchange Search Host Controller service is renamed. For those that have already installed the MS13-061 security update for Exchange Server 2013, we already have KB 2879739 that provides the steps on how to resolve this issue. However, due to this issue and that it affects all Mailbox server installations, we have decided to pull the MS13-061 security update temporarily. Note: This issue does not occur in Exchange 2010 or Exchange 2007.

In fairness, the underlying flaws may not be Microsoft’s own. According to the SANS Internet Storm Center, “Oracle … disclosed the vulnerabilities in their patch updates in April and July 2013. Microsoft licensed the vulnerable libraries from Oracle. There are also functional, non-security changes rolled up into this update.”

  • MS13-063/KB 2859537 — another botched Windows Kernel patch — has not been pulled (at least it’s still being offered on the systems I work with), but Microsoft has acknowledged at least one problem in the KB article:

Some users may experience issues with certain games after they install security update 2859537. In some cases, users may not successfully start and sign in to the games. Microsoft is researching this problem and will post more information in this article when the information becomes available.

Apparently, with this patch applied, the game Rift crashes immediately after authentication, as does Defiance. Softpedia reports that the patch causes BSODs on Windows 7 systems. One poster on the Microsoft Answers forum says it triggers an Error 0xc0000005, and “it’s not possible to run almost all applications include IE, Personalize screen, components from control panel and many other ‘native windows features and applications.'” There’s an avalanche of bug reports online, many in Russian.

  • MS13-066/KB 2873872, the Active Directory Federation Services (AD FS) patches shipped as KB 2843638, KB 2843639, and KB 2868846, has been pulled for AD FS 2.0. From the KB article:

Microsoft is aware of problems with the security updates described in MS13-066 that affect Active Directory Federation Services (ADFS) 2.0. The problems could cause ADFS to stop working. Microsoft has removed the updates for ADFS 2.0 from Windows Update and the Download Center. Microsoft is researching this problem and will post more information in this article when the information becomes available.

In addition:

You may experience functionality issues with security update 2843639 if you do not have update 2790338 already applied. We recommend that customers who are experiencing these issues install update 2790338. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 2790338, “Description of Update Rollup 3 for Active Directory Federation Services (AD FS) 2.0.”

Here’s the punch line. The SANS Internet Storm Center religiously tracks which Microsoft patches cover holes that are publicly known. For this month’s batch, only two of the eight security bulletins, MS13-061 and MS13-063, cover holes with publicly known exploits; the other six don’t. You guessed it: Those are the two bulletins causing major headaches.

Microsoft has had no end of problems with patches lately, with at least four botched patches just last month. For a change, this time the company is fessing up to it — quickly and as best I can tell accurately, and the mea culpas are posted where they’re supposed to be posted.

That’s a start.

Source:  infoworld.com

3 more botched Windows patches: KB 2803821, KB 2840628, and KB 2821895

Thursday, July 18th, 2013

Two Black Tuesday patches — MS13-052 and MS13-057 — and last month’s nonsecurity patch KB 2821895 cause a variety of problems

Microsoft’s patching problems have hit a new low, with three botched patches now in desperate need of attention. MS13-052 is supposed to plug security holes in the .NET Framework and Silverlight, but it has problems getting along with Configuration Manager 2012 and ConfigMgr 2007, as well as with plug-ins running under Microsoft CRM 2011. MS13-057 causes black bands to appear at the top of Windows Media videos, and it still hasn’t been fixed, although Microsoft has finally acknowledged the problem. The KB 2821895 Windows 8/Windows RT patch causes false System File Checker reports and hangs; Microsoft acknowledges the problem in its KB article, but the patch is still available.

Somebody please tell me who is in charge?

I’ve been covering the vagaries of Windows patches for a decade, and I’ve never seen the situation deteriorate like this. Here are the highlights:

  • MS13-052/KB 2840628, a critical patch rolled out the Automatic Update chute as part of last week’s Black Tuesday disgorge, is throwing exceptions in plug-ins running under Microsoft CRM 2011. There’s a detailed explanation of the problem on the North52 blog. There are also known problems with Configuration Manager 2012 and ConfigMgr 2007. MyITForum documents one problem with ConfigMgr 2007 and two with ConfigMgr 2012. According to MyITForum, Microsoft has acknowledged the problems as “database replication between sites (CAS/Primary/Secondary) with SQL 2012 will fail” and “Software Update point synchronization may fail at the end of the sync process.” The knowledge base article has no mention of these problems. But it looks like Microsoft has pulled the patch: My Windows 7 and Windows 8 PCs don’t show it. However, there’s been no indication of how to fix the problems (aside from some “short time” kludges in the MyITForum article) or whether Microsoft will release a fix for the patch or a new version of the patch.
  • MS13-057/KB 2803821 (for Windows 7) has been turning the top half of WMV videos black, either on encoding or decoding. As I reported last week, people running Adobe Premiere Pro CS6, Camtasia Studio 8.1, and Serif MoviePlus X6 had all reported problems, with a full description and fix offered by one burned customer on the day after the patch was released. It took five days after that fix appeared online, and four days after my article appeared, for Microsoft to acknowledge the problem in KB 2803821. But as I write this, the patch still appears in the Automatic Update queue, checked, ready to be installed on any Win7 machine that’s looking for updates.
  • KB 2821895, a Windows 8/Windows RT “servicing stack update” released in tandem with last month’s Black Tuesday patches, causes a lot of problems with the System File Checker. After installing the patch, running an sfc /scannow command freezes the computer for up to 10 minutes, then generates many bogus error messages about corrupted files it cannot fix. Microsoft’s recommendation is to run the DISM tool to repair Windows, when the only thing that’s broken is this botched patch. There’s been no fix to the patch, nor a new patch that I can find. If you installed this patch, there’s no way to uninstall it. More damning: Right now, KB 2821895 appears in Windows Update as an optional unchecked patch — Microsoft hasn’t even bothered to pull the patch.
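The KB numbers called out in this post and in the August post above are exactly what an administrator has to find and back out across a fleet. The script below is an added example written for this page, not code from InfoWorld or Microsoft: it inventories those patches with Get-HotFix, checks the AD FS Update Rollup 3 prerequisite (KB 2790338) that the August post mentions, and removes the removable ones with wusa.exe. It assumes an elevated Windows PowerShell on Windows 7 / Server 2008 R2 or later. The KB list and the one-line notes are taken from the two posts; the Exchange 2013 update is an Exchange .msp rather than a Windows package, so it is listed but routed to the KB 2879739 steps the August post cites rather than to wusa.exe.

```powershell
# Added example for this page (not code from InfoWorld or Microsoft).
# Inventories the patches the July and August posts call out, reports which
# are installed, checks the AD FS rollup prerequisite, and backs out the
# removable ones with wusa.exe.
# Assumptions: elevated Windows PowerShell on Windows 7 / Server 2008 R2+.
# Get-HotFix reads Win32_QuickFixEngineering, so it lists Windows packages
# only; the Exchange update (KB 2876063) is an Exchange .msp that neither
# Get-HotFix nor wusa.exe handles, so it is marked not removable here.

$ProblemPatches = @(
    [pscustomobject]@{ KB='KB2876063'; Bulletin='MS13-061'; Prereq=$null;       Removable=$false; Note='Exchange 2013: content index fails; pulled; follow KB 2879739' }
    [pscustomobject]@{ KB='KB2859537'; Bulletin='MS13-063'; Prereq=$null;       Removable=$true;  Note='Kernel: game crashes, 0xc0000005, BSOD reports' }
    [pscustomobject]@{ KB='KB2843638'; Bulletin='MS13-066'; Prereq=$null;       Removable=$true;  Note='AD FS: AD FS 2.0 may stop working; AD FS 2.0 packages pulled' }
    [pscustomobject]@{ KB='KB2843639'; Bulletin='MS13-066'; Prereq='KB2790338'; Removable=$true;  Note='AD FS: needs Update Rollup 3 (KB 2790338) first; pulled' }
    [pscustomobject]@{ KB='KB2868846'; Bulletin='MS13-066'; Prereq=$null;       Removable=$true;  Note='AD FS: AD FS 2.0 may stop working; AD FS 2.0 packages pulled' }
    [pscustomobject]@{ KB='KB2840628'; Bulletin='MS13-052'; Prereq=$null;       Removable=$true;  Note='.NET: CRM 2011 plug-in exceptions, ConfigMgr sync/replication failures' }
    [pscustomobject]@{ KB='KB2803821'; Bulletin='MS13-057'; Prereq=$null;       Removable=$true;  Note='WMF (Win7): top of WMV video rendered black' }
    [pscustomobject]@{ KB='KB2821895'; Bulletin='none';     Prereq=$null;       Removable=$false; Note='Servicing stack update: bogus sfc /scannow errors; cannot be uninstalled' }
)

function Get-ProblemPatchStatus {
    # Index installed updates by KB id so each lookup is O(1).
    $installed = @{}
    Get-HotFix | ForEach-Object { $installed[$_.HotFixID] = $_ }

    foreach ($p in $ProblemPatches) {
        $hit  = $installed[$p.KB]
        $when = $null
        if ($hit) { $when = $hit.InstalledOn }
        [pscustomobject]@{
            KB            = $p.KB
            Bulletin      = $p.Bulletin
            Installed     = ($null -ne $hit)
            InstalledOn   = $when
            # True when the patch has a prerequisite that is not on this box.
            PrereqMissing = [bool]($p.Prereq -and -not $installed.ContainsKey($p.Prereq))
            Removable     = $p.Removable
            Note          = $p.Note
        }
    }
}

function Remove-ProblemPatch {
    param([Parameter(Mandatory)][string]$KB, [switch]$DryRun)
    $entry = $ProblemPatches | Where-Object { $_.KB -eq $KB }
    if (-not $entry) { throw "$KB is not on the problem list" }
    if (-not $entry.Removable) {
        Write-Warning "$KB cannot be removed with wusa.exe: $($entry.Note)"
        return
    }
    # wusa.exe /uninstall /kb:<number> removes a Windows Update package;
    # /norestart lets you schedule the reboot (exit code 3010 = reboot pending).
    $wusaArgs = "/uninstall /kb:$($KB -replace '^KB','') /quiet /norestart"
    if ($DryRun) { return "wusa.exe $wusaArgs" }
    $proc = Start-Process -FilePath wusa.exe -ArgumentList $wusaArgs -Wait -PassThru
    [pscustomobject]@{ KB = $KB; ExitCode = $proc.ExitCode; RebootPending = ($proc.ExitCode -eq 3010) }
}

Get-ProblemPatchStatus | Format-Table KB, Bulletin, Installed, InstalledOn, PrereqMissing, Removable -AutoSize
Remove-ProblemPatch -KB KB2859537 -DryRun    # shows the wusa.exe command line only
# Remove-ProblemPatch -KB KB2859537          # actually backs out the MS13-063 kernel patch
```

Run the status report first and keep its output: once a patch is pulled from Windows Update it will stop being offered, but it does not leave machines that already have it, so the inventory is the only record of who needs the rollback.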

Source: infoworld.com

Microsoft security bulletin advance notification for July 2013

Friday, July 5th, 2013

This is an advance notification of security bulletins that Microsoft is intending to release on July 9, 2013.

Bulletin ID   Maximum Severity Rating and Vulnerability Impact   Restart Requirement        Affected Software
Bulletin 1    Critical, Remote Code Execution                    May require restart        Microsoft .NET Framework, Microsoft Silverlight
Bulletin 2    Critical, Remote Code Execution                    Requires restart           Microsoft Windows
Bulletin 3    Critical, Remote Code Execution                    May require restart        Microsoft Windows, Microsoft Office, Microsoft Visual Studio, Microsoft Lync
Bulletin 4    Critical, Remote Code Execution                    Requires restart           Microsoft Windows, Internet Explorer
Bulletin 5    Critical, Remote Code Execution                    May require restart        Microsoft Windows
Bulletin 6    Critical, Remote Code Execution                    May require restart        Microsoft Windows
Bulletin 7    Important, Elevation of Privilege                  Does not require restart   Microsoft Security Software

Excerpt from: microsoft.com

Experts urge prep for Microsoft’s cert-blocking update

Wednesday, September 12th, 2012

Scan networks for too-short keys, audit systems, test Oct. update before it rolls out, urge security pros

Microsoft yesterday delivered two security updates that patched two vulnerabilities in Visual Studio Team Foundation Server and System Center Configuration Manager.

But security experts essentially ignored the updates — with some telling users they could delay deploying them — and again hammered home the message that enterprises should use the small slate to prepare for a potentially disruptive update Microsoft has scheduled for October.

Microsoft’s pair of updates — tagged as MS12-061 and MS12-062 — were both rated “important,” the company’s second-highest threat ranking, and could be used by attackers to acquire elevated rights to a compromised system.

“These can safely be postponed until it’s convenient to install them, maybe next month when Microsoft releases its October Patch Tuesday updates,” said Wolfgang Kandek, CTO of Qualys, in an interview yesterday.

“I agree, there’s no need to patch these immediately,” said Amol Sarwate, manager of Qualys’ vulnerability research lab.

Instead, said Kandek, Sarwate and other security professionals, Microsoft customers should use the next month to audit their networks for soon-to-be-crippled digital certificates, and to test the changes set to hit Windows Update on Oct. 9.

The move was triggered by the discovery of Flame, the sophisticated espionage tool uncovered by Kaspersky Lab. Flame infiltrated networks, scouted out the landscape, and pilfered information. Among its tricks was what one researcher called the “Holy Grail”: it spoofed Windows Update to infect fully patched Windows PCs.

Microsoft reacted by killing off some of its own certificates and beefing up Windows Update’s security. It also decided to harden the Windows certificate infrastructure by blocking certificates with RSA keys shorter than 1,024 bits.

“With something that’s this big of a change, everyone should be testing the [Oct. 9] update,” urged Jason Miller, manager of research and development at VMware.

Microsoft first offered the update last month, posting it as a manual download on its Download Center, so it is available for testing.

Kandek recommended IT administrators scan their networks for digital certificate keys shorter than 1,024 bits. “For internal sites and other services that use certificates such as mail servers and VPNs, we recommend using a scanning tool with SSL support, which all major scanners include,” Kandek said.

“The audit is going to be the big thing,” said Miller. “But it’s the amount of time to fix [and uncovered problems] that could be drastic.”

Most experts expected some fallout from next month’s key-crippling update, but were cautiously optimistic that disruptions would impact a small number of firms and websites.

“I don’t think there will be a lot of companies that are negatively affected,” predicted Miller, “but some will be crippled.”

Kandek and Sarwate of Qualys concurred.

“There are very few [affected] keys out there, for a number of reasons,” argued Kandek. “Certificate authorities have been giving out these keys [longer than 1,024 bits] for a while now. Basically, they will be very old certificates obtained some time ago.”

Certificates are generally valid for just one or two years, said Kandek, although there are exceptions. During Qualys’ survey of website certificates, for example, the company found some keys that were valid for either three or five years.

“Embedded devices might be at risk,” explained Sarwate. “Kiosks running an embedded version of Windows, for example, might not be updated with new certificates very often.”

The most likely enterprise problem areas, added Miller, include VPN, or “virtual private network,” gateways that workers use to establish a secure offsite connection with the company’s network. Another potential trouble spot: Email servers.

“We recommend installing [Microsoft’s update] on a limited number of internal machines in your organization this month to gather feedback on potential impacts,” Kandek said.

IT administrators can, of course, back out the update if they later uncover problems they can’t solve before Oct. 9. “You can remove that security update if necessary, and redeploy it later,” said Miller.

Windows 8, which reached RTM (release to manufacturing) last month and has been handed to enterprises for deployment, already has the short-key blocking in place.

“If anything, the most important thing is to get the word out,” said Miller. “Microsoft has been talking about this since June, but I recently talked to two [IT administrators] and they had no idea that this was coming.”

Microsoft will distribute the certificate key update on Oct. 9 through Windows Update and WSUS (Windows Server Update Services). Enterprise IT administrators can use WSUS or other patch management consoles, to block the update from reaching some or all PCs and servers.
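Kandek’s advice above (scan for keys shorter than 1,024 bits, including on mail servers and VPN gateways) can be scripted rather than left to a commercial scanner. The following is an added example written for this page, not code from Computerworld, Qualys, VMware or Microsoft: it walks the local certificate stores and then connects to a list of TLS endpoints, reporting any RSA public key below the threshold the October update will enforce. It assumes Windows PowerShell on Windows 7 / Server 2008 R2 or later; the endpoint list is a constructed placeholder to be replaced with a real inventory.

```powershell
# Added example (not from the Computerworld article or the vendors quoted in it).
# Finds certificates whose RSA public key is shorter than 1024 bits, which is
# what the October update (KB 2661254) will refuse: first in the local stores,
# then on TLS endpoints such as mail servers and VPN gateways.
# Assumptions: Windows PowerShell on Windows 7 / Server 2008 R2 or later; the
# $Endpoints list is a constructed placeholder, not a real inventory.

$MinimumRsaBits = 1024
$RsaOid = '1.2.840.113549.1.1.1'   # rsaEncryption; matched by OID, not by a localised FriendlyName

function Get-WeakRsaStoreCertificates {
    # Cert:\ -Recurse yields store containers and X509Certificate2 objects; keep RSA certs only.
    Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.PublicKey.Oid.Value -eq $RsaOid } |
        ForEach-Object {
            $bits = $_.PublicKey.Key.KeySize
            if ($bits -lt $MinimumRsaBits) {
                [pscustomobject]@{
                    Store      = $_.PSParentPath -replace '^.*::', ''   # e.g. LocalMachine\My
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    KeyBits    = $bits
                    NotAfter   = $_.NotAfter
                }
            }
        }
}

function Get-RemoteRsaKeyBits {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept any chain: we are measuring the key size, not validating trust.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $bits = $null
        if ($cert.PublicKey.Oid.Value -eq $RsaOid) { $bits = $cert.PublicKey.Key.KeySize }
        [pscustomobject]@{
            Endpoint = "${HostName}:$Port"
            Subject  = $cert.Subject
            KeyBits  = $bits
            NotAfter = $cert.NotAfter
            Weak     = ($null -ne $bits -and $bits -lt $MinimumRsaBits)
        }
    }
    finally { $client.Close() }
}

# Constructed sample inventory; replace with the organisation's VPN/mail/web hosts.
$Endpoints = @(
    @{ HostName = 'vpn.example.com';  Port = 443 },
    @{ HostName = 'mail.example.com'; Port = 993 }
)

Get-WeakRsaStoreCertificates | Format-Table -AutoSize
$Endpoints | ForEach-Object { Get-RemoteRsaKeyBits -HostName $_.HostName -Port $_.Port } | Format-Table -AutoSize
```

Anything the first function reports in a machine store is yours to replace; anything the second reports on a gateway is something the vendor or the device owner has to replace before Oct. 9. KB 2661254 documents a per-machine override, certutil -setreg chain\minRSAPubKeyBitLength, for the case where a weak key cannot be replaced in time; it is a stopgap that reopens the hole the update closes, not a fix.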

Source:  computerworld.com

“Flame” malware was signed by rogue Microsoft certificate

Monday, June 4th, 2012


Emergency Windows update nukes credentials minted by Terminal Services bug.

Microsoft released an emergency Windows update on Sunday after revealing that one of its trusted digital signatures was being abused to certify the validity of the Flame malware that has infected computers in Iran and other Middle Eastern Countries.

The compromise exploited weaknesses in Terminal Server, a service many enterprises use to provide remote access to end-user computers. By targeting an older cryptographic algorithm that Microsoft used to issue licenses for the service (the company did not name it in its initial post), attackers were able to create rogue intermediate certificate authorities that carried the imprimatur of Microsoft’s own root authority certificate, an extremely sensitive cryptographic seal. Rogue intermediate certificate authorities that carried the stamp were then able to trick administrators and end users into trusting various Flame components by falsely certifying they were produced by Microsoft.

“We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft,” Microsoft Security Response Center Senior Director Mike Reavey wrote in a blog post published Sunday night. “We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft. Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft.”

The exploit, which abused a series of intermediate authorities that were ultimately signed by Microsoft’s root authority, is the latest coup for Flame, a highly sophisticated piece of espionage malware that came to light last Monday. Flame’s 20-megabyte size, its extensive menu of sophisticated spying capabilities, and its focus on computers in Iran have led researchers from Kaspersky Lab, Symantec, and other security firms to conclude it was sponsored by a wealthy nation-state. Microsoft’s disclosure follows Friday’s revelation that the George W. Bush and Obama administrations developed and deployed Stuxnet, the highly advanced software used to set back the Iranian nuclear program by sabotaging uranium centrifuges at Iran’s Natanz refining facility.

The emergency update released by Microsoft blacklists three intermediate certificate authorities tied to Microsoft’s root authority. All versions of Windows that have not applied the new patch can be tricked by the Flame attackers into displaying cryptographically generated assurances that the malicious wares were produced by Microsoft.

Microsoft engineers have also stopped issuing certificates that can be used for code signing with the Terminal Services activation and licensing process. The ability of the licensing mechanism to sign untrusted code that chained to Microsoft’s root authority is a mistake of breathtaking proportions. None of Microsoft’s Sunday night blog posts explained why such a design was ever allowed to be put in place. A description of the Terminal Services License Server Activation refers to a “limited-use digital certificate that validates server ownership and identity.” Based on Microsoft’s description of the attack, it would appear the capabilities of these certificates weren’t as limited as company engineers had intended.

“This is a pretty big goof,” Marsh Ray, a software developer at two-factor authentication company PhoneFactor, told Ars. “I don’t think anyone realized that this enabled the sub CA that was present on the licensing server to have the full authority of the trusted root CA itself.”

Microsoft’s mention of an older cryptography algorithm that could be exploited and used to sign code as if it originated from Microsoft evoked memories of an attack from 2008 to mint a rogue certificate authority that could be trusted by all major browsers. The attack in part relied on weaknesses in the MD5 cryptographic hash function that made it susceptible to “collisions,” in which two or more different plaintext messages generated the same cryptographic hash. By unleashing 200 PlayStation 3 game consoles to essentially find a collision, the attackers could become a certificate authority that could spawn SSL (secure sockets layer) credentials trusted by major browsers and operating systems.

Based on the language in Microsoft’s blog posts, it’s impossible to rule out the possibility that at least one of the certificates revoked in the update was also created using MD5 weaknesses. Indeed, two of the underlying credentials used MD5, while the third used the more advanced SHA-1 algorithm. In a Frequently Asked Questions section of Microsoft Security Advisory (2718704), Microsoft’s security team also said: “During our investigation, a third Certificate Authority has been found to have issued certificates with weak ciphers.” The advisory didn’t elaborate.

It’s also unclear if those with control of one of the rogue Microsoft certificates could sign Windows software updates. Such a feat would allow attackers with control over a victim network to hijack Microsoft’s update mechanism by using the credentials to pass off their malicious wares as official patches. Microsoft representatives didn’t respond to an e-mail seeking comment on that possibility. This article will be updated if an answer arrives later.

Two of the rogue certificates were chained to a Microsoft Enforced Licensing Intermediate PCA. A third was chained to a Microsoft Enforced Licensing Registration Authority CA, and ultimately to the company’s root authority. In addition to potential exploits from the actors behind Flame, unrelated attackers could also use the certificates to apply Microsoft’s signature to malicious pieces of software.
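The emergency update works by placing the three intermediates named above (the two Microsoft Enforced Licensing Intermediate PCA certificates and the Microsoft Enforced Licensing Registration Authority CA) in the machine’s Untrusted Certificates store, so that any chain through them fails. The script below is an added example written for this page, not code from Ars Technica or Microsoft: it verifies those entries are present, reports their signature algorithms (the article notes two are MD5-signed and one SHA-1), and then walks a signed file’s Authenticode chain and flags any element that sits in the Untrusted store. It assumes Windows PowerShell; $FileToCheck is a placeholder path.

```powershell
# Added example (not code from the Ars Technica article or Microsoft's advisory).
# 1. Confirm the three Flame-related intermediates are in the Untrusted store,
#    which is what Security Advisory 2718704's update does.
# 2. Walk a file's Authenticode chain and report any element in that store.
# Assumptions: Windows PowerShell; $FileToCheck below is a placeholder path.

$LicensingCaPatterns = @(
    'CN=Microsoft Enforced Licensing Intermediate PCA*',
    'CN=Microsoft Enforced Licensing Registration Authority CA*'
)

function Get-UntrustedLicensingCerts {
    # Cert:\LocalMachine\Disallowed is the "Untrusted Certificates" store.
    Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
        Where-Object {
            $subject = $_.Subject
            [bool]($LicensingCaPatterns | Where-Object { $subject -like $_ })
        } |
        Select-Object Subject, Thumbprint, NotAfter,
            @{ Name = 'SigAlg'; Expression = { $_.SignatureAlgorithm.FriendlyName } }   # md5RSA / sha1RSA
}

function Test-Advisory2718704Applied {
    # The advisory adds three certificates; fewer means the update has not landed.
    $found = @(Get-UntrustedLicensingCerts)
    [pscustomobject]@{ Found = $found.Count; Applied = ($found.Count -ge 3) }
}

function Test-AuthenticodeChainAgainstUntrusted {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        return [pscustomobject]@{ Path = $Path; Status = $sig.Status; ChainStatus = ''; Untrusted = @() }
    }
    $untrusted = @(Get-ChildItem -Path Cert:\LocalMachine\Disallowed | ForEach-Object Thumbprint)

    # Build the chain ourselves so we can see which element is distrusted,
    # not just that WinVerifyTrust rejected the file.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($sig.SignerCertificate)

    $hits = $chain.ChainElements |
        ForEach-Object { $_.Certificate } |
        Where-Object { $untrusted -contains $_.Thumbprint } |
        ForEach-Object { $_.Subject }

    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status                                        # e.g. Valid, NotTrusted
        ChainStatus = (($chain.ChainStatus | ForEach-Object Status) -join ',')
        Untrusted   = @($hits)                                           # subjects found in Disallowed
    }
}

Test-Advisory2718704Applied
Get-UntrustedLicensingCerts | Format-Table -AutoSize
$FileToCheck = 'C:\Windows\System32\notepad.exe'   # placeholder; point this at a suspect binary
Test-AuthenticodeChainAgainstUntrusted -Path $FileToCheck
```

An unpatched machine returns Applied = False from the first function and, for a Flame-signed component, a chain that builds cleanly through the licensing intermediate to Microsoft’s root; a patched one returns the three entries and a non-empty Untrusted list for the same file.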

A third Microsoft advisory pointed out that Flame so far has been found only on the machines of highly targeted victims, so the “vast majority of customers are not at risk.”

“That said, our investigation has discovered some techniques used by this malware that could also be leveraged by less sophisticated attackers to launch more widespread attacks,” Jonathan Ness, of Microsoft’s Security Response Center, continued. “Therefore, to help protect both targeted customers and those that may be at risk in the future, we are sharing our discoveries and taking steps to mitigate the risk to customers.”

Source:  arstechnica.com

Microsoft security updates for March 2011

Tuesday, March 8th, 2011

Several critical security updates are pending for Microsoft products as of 3/8/11.  Be sure to update your server and workstation operating systems and MS Office products to repair vulnerabilities.  Details provided by Microsoft are as follows:

Windows XP

Product                                              Bulletin 1 (aggregate: Critical)   Bulletin 2 (aggregate: Important)
Windows XP Service Pack 3                            Critical                           Important
Windows XP Professional x64 Edition Service Pack 2   Critical                           Important

Windows Server 2003

Product                                              Bulletin 1 (aggregate: None)       Bulletin 2 (aggregate: Important)
Windows Server 2003 Service Pack 2                   Not applicable                     Important
Windows Server 2003 x64 Edition Service Pack 2       Not applicable                     Important

Windows Vista

Product                                                           Bulletin 1 (aggregate: Critical)   Bulletin 2 (aggregate: Important)
Windows Vista Service Pack 1 and Service Pack 2                   Critical                           Important
Windows Vista x64 Edition Service Pack 1 and Service Pack 2       Critical                           Important

Windows Server 2008

Product                                                                  Bulletin 1 (aggregate: None)   Bulletin 2 (aggregate: Important)
Windows Server 2008 for 32-bit Systems and Service Pack 2                Not applicable                 Important**
Windows Server 2008 for x64-based Systems and Service Pack 2             Not applicable                 Important**
Windows Server 2008 for Itanium-based Systems and Service Pack 2         Not applicable                 Important

Windows 7

Product                                                  Bulletin 1 (aggregate: Critical)   Bulletin 2 (aggregate: Important)
Windows 7 for 32-bit Systems and Service Pack 1          Critical                           Important (Windows 7 for 32-bit Systems only; SP1 not listed)
Windows 7 for x64-based Systems and Service Pack 1       Critical                           Important (Windows 7 for x64-based Systems only; SP1 not listed)

Windows Server 2008 R2

Product                                                         Bulletin 1 (aggregate: Important)   Bulletin 2 (aggregate: Important)
Windows Server 2008 R2 for x64-based Systems and Service Pack 1 Important**                         Important** (Windows Server 2008 R2 for x64-based Systems only; SP1 not listed)
Windows Server 2008 R2 for Itanium-based Systems                Not applicable                      Important

Microsoft Office Programs

Product                   Bulletin 3 (aggregate: Important)
Microsoft Groove 2007     Important (Microsoft Groove 2007 Service Pack 2)

** Server Core installation affected.

Use Windows Update to apply all recommended patches or visit the Microsoft Download Center to select updates a la carte.

Source:  microsoft.com