Jump to content

Microsoft's last Patch Tuesday of 2013 will be HUGE!


ShyWriter

Recommended Posts

.

dde1.jpg

 

 

Microsoft's last Patch Tuesday of 2013 will be huge

Tim Greene

  • Dec 7, 2013 11:04 AM

 

Microsoft is wrapping up the year’s Patch Tuesday bulletins next week with 11 more fixes, pushing the total for 2013 to 106, up from last year’s total of 83.

 

Five bulletins ranked critical all hold the potential for enabling remote code execution on victimized machines and affect a wide range of platforms including most versions of Windows, Windows Server, Internet Explorer, SharePoint and Exchange.

 

The patches will include a remedy for the .TIFF zero day vulnerability, a flaw in Microsoft Graphics that leaves Microsoft Office and Lync apps and Windows open to attack. Common exploits of the vulnerability include a Word file containing a malicious .TIFF image that leads to the attacker gaining control of the machine with current user rights.

 

“In this vulnerability, an attacker needs to convince a user to preview or open a bad TIFF image for exploitation,” says Paul Henry, a forensics and security analyst for Lumension. “Because we know persuading users to click isn’t always that hard to do, a patch for this one is definitely welcome.”

 

The problem and exploits in the wild were discovered last month, but Microsoft didn’t deem it worth an out-of-band fix.

Restarts required

 

All the critical bulletins save one require restarts, so scheduling the patches will be a chore. “Be careful and have a rollback plan in case the patches break your custom environment,” says Tommy Chin, a technical support engineer for CORE Security.

Another critical bulletin this month addresses a vulnerability in all versions of Internet Explorer from 6 through 11.

 

“It is best to patch the ones that require restart quickly, since the vulnerable code is already loaded in those scenarios,” says Chin. “Definitely patch Windows and Internet Explorer first.”

 

 

A bulletin affecting Microsoft Exchange does not require a restart but warrants attention, says Qualys CTO Wolfgang Kandek. “Bulletin #5 is a server-side bulletin for Microsoft Exchange and will probably include the new Outside In library from Oracle that was released during October’s Critical Patch Update,” he says, referencing an Oracle update that included fixes for middleware in Outside In Technology, versions 8.4.0, 8.4.1. Outside In provides tools to access and control content in unstructured file formats.

 

One of the less severe bulletins, ranked important, should still be a high priority, says Kandek. “Bulletin #6 is for Microsoft Office and is only rated important, but it will still deserve your full attention due to the Remote Code Execution possibilities, most likely through file format vulnerabilities,” he says.

 

A vulnerability in Windows XP discovered last week is not being addressed in this wave of patches. “This is perhaps another reminder that end of life is now just four months out for Windows XP and users still running it should move to a current generation operating system sooner rather than later,” Henry says.

 

SOURCE: http://www.pcworld.com/article/2070661/microsofts-last-patch-tuesday-of-2013-will-be-huge.html

 

/Steve

Link to post
Share on other sites

Well, my windows 8 laptop has been sitting on the 'preparing to configure windows Do not turn off your computer' screen long enough to start making me extremely nervous...anyone else applied these updates yet? Is everything ok? It's been about 10 minutes now and I've never seen this behaviour from this particular machine before. Should have copied my Office e-mail, that is one thing we'll need timely access to. Hopefully I'm just having vapours over nothing...

Link to post
Share on other sites

Hi, Amethyst:

 

2 of my 3 rigs are done (actually, I have a new lappy (4th rig), as well, but I haven't yet even had time to boot it, let alone patch it or transfer my stuff).

They are all Win7 (2 64-bit DTs and 1 32-bit LT), so YMMV...

 

I always do updates in small batches in case of trouble.

 

Here's what I found:

Yup, the kernel level patches took quite some time to configure upon restart.

 

DT:

2887069 initially failed with an 80070057 error, causing the other 3 to fail with 800F0826.

So, I d/l the offline installer for 2887069 > installed (but yes, long time to configure) > rebooted & then did the other 3 together > successful and not as long to configure after reboot.

 

LT:

After being spooked by by experience with the DT, I "electively" installed 2887069 via Windows Update by itself > success (longish time to configure) > rebooted > did the other 3 > successful and not as long to configure after reboot.

 

The other patches (Windows-Non-Security & Office Security/Non-Security, etc) went in fine on both rigs, without much waiting.

 

As I had not yet installed 2858725 (.NET 4.5.1) on any rig, I saved that one for last.

It took a while (as .NET updates usually do), but it installed OK & did not require a reboot on the 2 rigs, so far.

 

>>>FWIW, I've seen scattered reports of issues (minor and otherwise) with both 2898785 (the Cumulative IE patch) and 2887069 (the lowest numbered of the 4 kernel level patches), at sevenforums.com, wilders, answers.microsoft.com, and elsewhere.

 

I'm about to tackle backups then updates on my main production box.

Will post back with any new observations.

 

HTH,

 

daledoc1

Link to post
Share on other sites

No change...DH is suggesting we leave the house for a while. At what point do I try to do something with this? It's been sitting like this for nearly 30 minutes now...leaving house for a while. (I'm pretty sure my next computer is going to be a Mac!)

Worst case is it doesn't come out of this screen...I wonder if I can roll back from this?

Link to post
Share on other sites

Did you try to install ALL of the patches together?

Or is this a small group of patches (e.g. the Windows kernel patches or the Office patches)?

Do you see activity in the HDD, suggesting that it's still working?

 

Well, I'll need to defer to the experts, especially since I have no experience with Win8.

 

I know it's best to be on AC power + wired internet when updating laptops, no matter what the OS.

And it's never a good idea to interrupt the process -- "infinite patience", as Maurice says.

30 minutes does sound very long, though. :(

 

Until someone pops in here, you might want to head over to eightforums.com  or answers.microsoft.com to see what the geeks have to say?

 

Keep us posted,

 

daledoc1

Link to post
Share on other sites

I managed to get a place where I could try system restore, so it's working on that now. It had been over 70 minutes, I think it was pretty safe to say it wasn't going to boot. Hopefully the system restore gets me back into windows. I don't have time for any further work with this update, we're travelling tomorrow. If I can get back into windows, we'll leave this alone for a while.

Link to post
Share on other sites

Whew, got my desktop back! I'm glad I created a restore point manually because Windows hadn't. Anyway, word to the wise, install this mess one at a time! Unfortunately, there's a whole slew of them that are "pending restart". Which means next time I restart, this will happen again. Installed are:

KB2904266

KB2891804

KB2877213

Windows Software Removal Tool

On the pending restart list are:

KB2887069

KB2893984

KB2913152

KB2871690

KB2889784

KB2893294

KB2907997

KB2899190

KB2898785

Fortunately, windows 8 seems to think there's a difference between 'restart' and 'shut down'. I shut this rig down every day, so as long as I don't restart, these little time bombs should sit still until we reach our destination and I have time to remove them.

<deleted rant re how this will be my last Microsoft computer, lol! Really, we only need windows to run the accounting software...and retirement is not far off. Methinks the next laptop will have a fruit logo on it. Life is too short to have to put up with such hassles, and updates shouldn't have to be such a white knuckle experience...>

Thanks for your responses, daledoc1. I always appreciate how willing you are to step in and help. :)

P.S. Typing this on my iPad! If it ran flash, it would be totally perfect. :)

Link to post
Share on other sites

Glad to hear you're back rebooted.

 

Odd that Windoze didn't automatically create RPs before install -- that seems to be the default behavior at least for Win7 & below. I wonder if that is some Win8 oddity?

 

Looks as if you're still needing those 4 kernel-level patches -- they patch zero-day holes, so I guess I'd be careful until you install them, especially if you are taking the lappy on the road (i.e. public or other insecure wifi)?

 

It might help to know that the error codes were, to point to a cause (conflict with security apps, etc)?

 

When you do attempt to reinstall, you might want to try what I saw suggested at sevenforums -- this worked for me so far on the 2 rigs I tried it:

1) Install 2898785 first by itself via Windows Update -- that's the important cumulative IE security patch; it will require a reboot.

2) Then install 2887069 by itself, either through Windows Update (worked on my lappy) or via the standalone installer (worked on my older DT); it will require a reboot and it will take a long time to configure.  You're not alone -- A few reports of similar problems - at least for Win7:

http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_update/kb2887069-hangs-at-12/b1ae1909-cf28-442f-a44f-f3824f6c1af3

http://www.wilderssecurity.com/showthread.php?p=2315942

3) Then try the other kernel-driver patches (2893984, 2892074, 2893294) -- I did these 3 together and they installed fine on both rigs (did it via Windows Update, but I was prepared to d/l install the standalone installers).

4) After that, it probably doesn't much matter (FWIW, the Windows "non-security" patches DID require a reboot, while the Office patches & MSRT (890830) did not; 2858725 (.NET 4.5.1 likewise did not require a reboot)), although YMMV on Win8.

 

I sympathize with the "white-knuckle" emotions --

-- my nearly 4-year-old "backup" DT has some minor OS issues that make Patch Tuesday a barrel of fun (nuke/pave probably in its future);

-- my 4-year-old lappy has a failing HDD, so I just need to get off my butt to fire up the new one and get stuff migrated;

-- my new lappy will need a million updates, if I ever find time to get it out of the shipping carton;

-- and my main production box is my main production box, so I always get a bit nervous for that one (regardless of backups).

 

Yup, fruit-flavored hardware always looks very enticing on the 2nd Tuesday of the month! :P

 

daledoc1

Link to post
Share on other sites

I found this link, which might have info that someone else might find useful:

http://pcsupport.about.com/od/findbysymptom/a/windows-update-frozen.htm

I ended up pressing the power button to shut down. Then powered back up and started tapping f8 after the Samsung splash screen. From there I followed the prompts to get to where I could do a system restore. I'll work on this in a few days when I have more time to do a slow and careful job of it.

This laptop doesn't get used on public wifi, just at our destinations, both of which are on a secure network and tucked safely behind a secure router. We'll likely just check email tomorrow morning, then pack it away until we get where we're going. It's a 3 day road trip.

I haven't seen any error codes, but I haven't checked event viewer yet either.

Link to post
Share on other sites

I've never had any problems with this laptop until today.  Event viewer isn't telling me anything useful either.  No entries at all between the time the updates started installing and the time I finally did the hard shut down.  When I get a chance, I think I'll remove the pending ones and try them again one at a time.  I don't want to tamper with it right now in case they don't leave gracefully.  I don't have time to do a big computer fix at the moment.  

Link to post
Share on other sites

Aha, I see none of this Tuesday's updates have been installed.  When I check my list of installed updates, none of them are there, so there's nothing to remove.  Windows is back to warning me that I need 14 updates, so when we're finished our travels, I can start over again.  Shywriter, I'm glad things went smoothly with your updates.  :)

Link to post
Share on other sites

Yep, it wasn't nearly as "huge" as billed.

(But those "kernel" level patches are always a bit nerve-wracking...)

Of course, I also had to update: TB, Fx, Air, FlashPlayer (2 flavors), & Snagit on all 3 rigs.

At least there are no Acrobat/Reader updates -- YET.

I could use a full-time, live-in "network administrator".

 

Yep, Shy, you deserved to have a painless Patch Tuesday, after your misadventures a few weeks ago.

 

Sounds like a plan, Amethyst. 

I'm CERTAINLY NO EXPERT, but installing them in smaller sets, installing them from the offline standalone installers, and installing them from a "clean boot" are some standard troubleshooting measures you might try, if you still get stuck.  But I'll defer to the real experts on that.

 

daledoc1

 

 

Link to post
Share on other sites

.
;)

 

It wasn't that "huge" - really.

 

THAT'S what SHE said! :P:D:lol:

 

Really...

 

Yep, it wasn't nearly as "huge" as billed.

 

Some people have naughty minds on here.. I *know* what some of you were thinking about MY, "That's what she said." statement *wry grin*

 

Sorry DD; just teasing and the two posts in a row was too good for me to pass up.

 

I sorry :( :(

 

And thanks to @Amethyst and @DD for the kinds words about my easy update after all last week's misery.. Speaking of my misery, I'll pass along some advice @Maurice gave me.. and which he was kind enough to mail me a loaner. Everyone should make a 512MB flash stick with the "RECOVERY" tools on it. Do a SEARCH in Win8.1 on RECOVERY, read, and when you get to the part that says "You need at least a 32GB flash stick." say "No" and then it gives the option of the 512MB stick tool.

 

And... believe it or not.. I have my Win8.1 boot directly into "Desktop" mode and also bypassing the "password/logon" screen and after my time with 8.1 I can honestly say, "It's a piece of cake.. Different maybe but really just as easy to learn and use as Vista and Win7.. "  And THAT statement *wasn't* a tease or a joke.. :)

 

Good luck with your updates Amethyst...  and DD I feel your pain as I just learned yesterday of all the Adobe updates and not only had to install them but I had to post the updates in the SOFTWARE Forums including the Adobe Beta ones from the 3rd I missed.. :blush: ..

 

Cheers

Steve

Link to post
Share on other sites

Back home and getting it done slowly on the Windows 8 laptop.  I'm doing one or two at a time, one day at a time.  So far, no problems.  I'm taking the plunge with the Windows 7 netbook and doing them all at once, we'll see how it goes.  At least now I know what to do if things freeze up on me.  BTW, I do have Office 2013 but did not get any updates for that in the latest batch.  

Link to post
Share on other sites

IE 11...Ah, I got it done.  (I mentioned that in another thread.)  I ended up downloading it from the microsoft.go site.  I haven't given it much of a try, as I don't use the netbook that often.   When it does get used, I use Opera and DH uses Firefox.   Now, back to the gentle updating of the Windows 8 laptop...:)

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.