Network News

X My Profile
View More Activity

The Skinny on April's Batch of Microsoft Patches

Microsoft on Tuesday released five updates to remedy security flaws in its software products, including a huge -- and potentially disruptive -- patch bundle that fixes eight "critical" flaws in Microsoft's Internet Explorer Web browser.

The IE patch corrects a flaw that was publicly disclosed three weeks ago and has been used by attackers to install invasive software on machines of tens of thousands of IE users when they merely visited one of hundreds of Web sites that had been seeded with code to exploit the flaw.

Scroll down to the "executive summary" portion of the IE patch details and you'll find that the roll-up mends no fewer than eight separate security flaws in IE, all of which Redmond awarded its "critical" rating, meaning they could be exploited by attackers to gain complete control over vulnerable PCs without any action on the part of the victim.

But the IE patch isn't all security updates: It also includes a non-security fix that could make surfing the Web a tad less smooth for IE users. Microsoft first released this particular fix in February as voluntary update (that is, if you use Windows Update or Automatic Updates you wouldn't have seen this patch before now without some digging) to addresses a patent spat that Microsoft had with Eolas Technologies over the way IE handles ActiveX controls.

Rather than pay to license the process, Microsoft opted to require Web sites that currently use ActiveX to integrate interactive features such as Macromedia Flash, Apple's QuickTime Player, RealNetworks's RealPlayer and Adobe's Reader to redesign their sites to accommodate the fix. Sites that use ActiveX to serve content to IE users but put off making the changes will force those users to generate an extra mouse click to activate those features on the site.

The changes are likely to most directly affect sites the incorporate ActiveX in their advertisements. But I also experienced the effect of this patch after installing the update and visiting the Web site for the 2006 International Consumer Electronics Show. Visit the page in IE without the patch installed and you'll see a bunch of fast-moving Macromedia Flash content fly across the screen to the beat of some very loud and obnoxious music that you can silence with a single mouse click on the "audio off" text in the corner of the site's Window. Do the same with the IE patch installed and you have to click twice to turn off the blaring music.

Also included in this month's batch of patches is a fix for a critical flaw in Windows Explorer that apparently has been present in every system Microsoft ever produced going back to Windows 98 (Windows Explorer is the core functionality of Windows, in that it provides a nice, clickable, easy to use way for the user to do things like store, retrieve and view files).

PC owners who use Windows 98 Second Edition (Windows SE) or Windows Millennium Edition (Windows ME) may have to wait a while before Microsoft issues a patch that protects them from this flaw. In its advisory, Microsoft said "critical security updates for these platforms may not be available concurrently with the other security updates provided as part of this security bulletin. They will be made available as soon as possible following the release. When these security updates are available, you will be able to download them only from the Windows Update Web site."

Another patch issued Tuesday corrects a critical flaw in an ActiveX control that attackers could use to break into Windows machines if users visited a Web site designed to leverage the flaw. This flaw also is present in versions of Windows dating back to Windows 98, and in this case Microsoft managed to offer the patch to those users to cover this flaw.

Finally, Microsoft released updates to fix a 'moderate' flaw in its FrontPage Web design software, as well as a "cumulative update" for Outlook Express, an e-mail program installed by default on Windows computers.

While the Outlook Express flaws also exist in Windows 98SE and Windows ME, Microsoft does not plan to issue fixes for those systems because the patch earned just an "important" rating from Redmond, its second-most serious (Microsoft said a while back that it would only issue security updates for non-supported operating systems if the flaw earned a "critical" rating.)

Microsoft labels a flaw "important" if its exploitation "could result in compromise of the confidentiality, integrity, or availability of users data, or of the integrity or availability of processing resources." By contrast, a flaw is designated "critical" if its exploitation "could allow the propagation of an Internet worm without user action." The key distinction between the two here appears to be "user action," which I can only imagine might include such onerous actions as visiting a malicious Web site or opening a specially crafted e-mail.

By Brian Krebs  |  April 12, 2006; 11:40 AM ET
Categories:  New Patches  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Some Highlights from CanSecWest
Next: Security Updates for Firefox, Opera Browsers

Comments

Apparently, these patches have flaws. In IE6 now, if I type a web address (as opposed to using a favorite, nothing happens. Also, you can't get Windows Explorer (or MS Word) to look at anything outside the My Documents folder. According to posts on the Microsoft Public newsgroups, I'm not alone.

Posted by: Paul Davison | April 12, 2006 11:58 AM | Report abuse

Paul,

I've installed all of the patches, but am not experiencing any of those problems. Mind posting a link to the newsgroup discussion? I'd love to hear from anyone else who's had similar issues.

Posted by: Bk | April 12, 2006 12:20 PM | Report abuse

There is nothing in your article about the "Genuine Advantage Validation Tool" (KB892130) that apparently must be installed first to get the other patches, and which appears to be MS reneging on its policy of not requiring any validation to get updates.

Posted by: Peter Yingling | April 12, 2006 12:32 PM | Report abuse

I also have downloaded the patches/updates (yesturday) and am not experiencing any problems, yet.

Posted by: sue | April 12, 2006 12:35 PM | Report abuse

Will the new 'WINDOWS Defender' update ever get 'in' and 'work'?

Posted by: Tim | April 12, 2006 12:39 PM | Report abuse

The world seems concerned with advertisements! I work in a hospital which has based its' whole clinical systems strategy around the supposedly open technologies that are W3C supported. Microsoft's spat with Eleolas now sees those applications as unuseable with this patch. A potentially very damaging effect indeed. No choice and not even anywhere to discuss it. I am very annoyed at the whole thing though I have to say I do not believe it is Microsoft's fault on this occasion. Maybe the judges who agreed this patent will also agree 2 I am planning to file on air and water respectively!!
ade@abyrne.me.uk

Posted by: Ed Peckham | April 12, 2006 12:40 PM | Report abuse

Just use Firefox. 'nuff said

Posted by: Skippyboy | April 12, 2006 12:42 PM | Report abuse

Like Paul Davison, after installing the recent patches, nothing would happen if I typed an address into the IE address bar, although "Favorites" worked fine. This was on my 3 yr. old desktop, with XP Home. My new laptop, with XP Media Center, did not experience this problem. I did system restore (on desktop) to prior day, and it worked fine, until I reinstalled the patches; same problem. So I restored again and am not installing the patches until I can resolve this problem. Any help? Anyone? Please!!!!

Posted by: David H. | April 12, 2006 12:51 PM | Report abuse

Firefox isn't necessarily without flaws. It's just not the browser of choice. Hence, there's just not much interest in by evildoers to find exploits with Firefox. If it gained enough popularity, I am sure a stream of security flaws will be found in it as well.

Posted by: cynusX1 | April 12, 2006 12:56 PM | Report abuse

Peter -- I don't mention Microsoft's Genuine Advantage anti-piracy program in this post, you are correct, but I have written about it in past blog entries on MS patches. The thing to remember is that you will only be required to install the tool and run the test if you install patches by visiting Windows/Microsoft Update. You can still get security updates from Microsoft without validating, but you must turn on automatic updates - which of course may mean waiting a day or so (or maybe more depending on the load on Msft's update servers) for your security updates and perhaps having your PC reboot on its own while you are away from the computer.

Posted by: Bk | April 12, 2006 12:59 PM | Report abuse

used both apple and windows and like apple because it wont let you do what it not supposed to do and windows will.

Posted by: joe burnett | April 12, 2006 12:59 PM | Report abuse

Installed the patches on all three of my home network systems, all running XP home. Two are P-4 destops and one P-4 Toshiba laptop. No problems with any of them.

Posted by: Derek G. | April 12, 2006 1:00 PM | Report abuse

My work computer automatically installed the updates last night and now I am unable to run my web reports for one of our computer systems. Whenever I click the print icon or go to file, print I get an error message and regardless of whether I answer yes or no, IE locks up and the only way out is to ctrl, alt, delete. Our programmers are looking into this but I am down for days! UGH!!

Posted by: Lori | April 12, 2006 1:03 PM | Report abuse

r-e-t-r-i-e-v-e...it's called a spellchecker. Perhaps another flaw to patch?

Posted by: cho | April 12, 2006 1:19 PM | Report abuse

First thing I did? Block the eolas patch from downloading and installing. UI annoyance solved.

Posted by: RFJason | April 12, 2006 1:40 PM | Report abuse

I installed the lot earlier today - no problems, except that I'm unable to slipstream the big bundle (KB912812?). Irritating, but not a big deal: just one more program to run as part of my automated installation.

Posted by: jas88 | April 12, 2006 1:45 PM | Report abuse

Bk, perhaps you'd be interested in an automobile that won't exceed 55mph, since you're not "supposed" to.

Posted by: Kevin | April 12, 2006 2:04 PM | Report abuse

Well, obviously, for whatever reason, the patches adversely affect some systems and not others, as shown by the fact that they screwed up my IE on my desktop but not my laptop, and others have had the same problem. Is Microsoft likely to issue "corrective patches" in the near future, that don't cause these problems? Is that the best bet, to wait? What do you folks think?

Posted by: David H. | April 12, 2006 2:05 PM | Report abuse

My apologies, Bk, that was intended for Joe Burnett.

Posted by: Kevin | April 12, 2006 2:05 PM | Report abuse

As far as patches go, every patch will have unexpected results on some unexpected machine in some unexpected place. You cant test everything on every system prior to releasing. It fixes the problems on most peopls computers, and that is what it is intended to do. No im not praising microsloth by any means because i hate the company with a passion but the principle applies to all patches in all companies. Unfortunately nothing runs perfectly.

As far as genuine advantage just delete all registry entries pointing to legitcheckcontroll.dll and it doesnt make you validate. Google could tell you this one. I do believe it is retarded that microsoft requires a validation check to do anything on their website anymore.

And what i dont understand and this is just a complaint i rant about. How is it so hard, to make a browser immune to freaking toolbars? Or is it the fact that all the top companies make toolbars so they dont want to make a program that wont accept them? I can honestly say i've downloaded probably 15 programs in the past month that had Google toolbar as an optional install. Honestly, shouldnt the features offered by popular toolbars that just waste space on your screen be integrated features in browsers?

Posted by: JustANetAdmin | April 12, 2006 2:07 PM | Report abuse

Correction it was legitcheckcontrol.dll (only 1 "l" on the end)

Posted by: JustANetAdmin | April 12, 2006 2:16 PM | Report abuse

Use Firefox.
Get rid of ActiveX!
It is the cause of 95% of all the security bugs out there.
MOST sites don't use it.
And every time something like this happens, more and more of the sites that do use it get rid of it.

I've been running firefox for over 2 years and have NEVER contracted a virus, worm, trojan, etc... IE is the problem.

Firefox is free, it's open source, it's not hardwired into the windows OS, which means if a problem is ever found, you don't need to update the OS to fix it!

If you continue to use MS IE voluntarily (I know some companies force you to use it), you are an idiot!

Posted by: FFAdvocate | April 12, 2006 2:44 PM | Report abuse

The "Click to activate and use this control" problem affects Java applets as well as the other technologies listed. I give more details, including an example with full source code, at http://www.segal.org/java/HelloPatent/.

Posted by: Mickey Segal | April 12, 2006 2:53 PM | Report abuse

Yea right, go ahead install firefox, slow down your surfing speed, can't see half of the stuff on some websites, and have to install all these extensions just to make things work. Don't be fooled with FF, Active X is completely adjustable. IE isn't the problem, it's the fools who don't know how to use what they have.

Posted by: MEMEME | April 12, 2006 3:06 PM | Report abuse

Firefox just doesn't work on all sites. I use it often, but always have IE as a backup for sites that don't display properly in Firefox. Maybe it's time to move to Macintosh and Safari.

Posted by: Rock | April 12, 2006 3:43 PM | Report abuse

I have to agree that using Firefox greatly reduces the issues associated with spyware, malware, viruses and system hijacks. I notice very few sites that perform better with IE and those seem to be tied into the MS proprietary software - WinServer, Frontpage etc. Maybe I just don't hang around in those circles.

Posted by: Kirk | April 12, 2006 3:44 PM | Report abuse

Speaking of Macromedia...

Since it is most frequently used for advertising and/or other annoying purposes, I never installed it in Firefox.

If I want to see Macromedia, I can use Internet Explorer.

Posted by: John Johnson | April 12, 2006 4:01 PM | Report abuse

In my experience Firefox only fails to work on sites that are not W3C compatible. That is, the designer is too lazy to create a compliant site. Additionally, IE often doesn't render W3C compliant html (xhtml) properly. Too many designers target IE and ignore standards.

Posted by: tuxi | April 12, 2006 4:05 PM | Report abuse

Dear, FFAdvocate:
I've been using IE three or four times longer than you've been using Firefox. I've never had a virus, worm etc, either. If you can't keep a Windows system clean enough to avoid these issues, maybe YOU are the idiot. NAV and a firewall and an occasional defrag go a long way, buddy.

Posted by: Bob | April 12, 2006 4:17 PM | Report abuse

I've been using Firefox ever since switching from Netscape. I only use IE when compelled to (i.e., at my office). I can run side-by-side launches of IE and FF to the same page and without fail, FF always gets there first. Smaller footprint, no security hacks that I've ever encountered, no viruses, and faster browsing too. Why would I settle for a sluggish target for every bored prepubescent hacker on the planet when I have something fast, clean and efficient? IE fans, enjoy figuring out all your patches and all the new problems you get, plus anyone betting on how quickly someone will crack the patches and you'll be right back where you are now?

Posted by: windrider | April 12, 2006 4:30 PM | Report abuse

Posted by: Blog Ho | April 12, 2006 4:32 PM | Report abuse

bk,

Sorry for the (sort of) off-topic. You might like this link though:

http://www.regdeveloper.co.uk/2006/04/12/higgins_identity_api/

It should be clear from all of the comments here that the answer to Internet security is not attempting to enforce conformity. Face it, nerds (guilty as charged), like to fiddle not follow directions ... they may not be born anarchists but they do work at it.

Posted by: GTexas | April 12, 2006 5:18 PM | Report abuse

Brian, I was looking for your blog entry yesterday because I knew it was patch day. I was surprised not to hear from you. I installed anyway but always feel better when I hear from you first.

Posted by: April | April 12, 2006 6:30 PM | Report abuse

April,

I am touched. Really, it's very nice of you to say that. I was traveling back from covering a security conference in Vancouver, B.C. most of the day yesterday, and was not able to check the Web long enough to get up to speed on the Msft patches, plus my plane got in at o'dark thirty last night, so I had to delay writing about it until today.

Posted by: Bk | April 12, 2006 8:27 PM | Report abuse

I don't know if this is related or not, but after I installed the patches, my cthelper mcfs (whatever) for my creative labs sound card kept crashing, and I couldn't get any sound. I had to reinstall the drivers and the entire package and then get updates before my sound worked again. Keep in mind that my sound worked fine BEFORE I applied the patches from Microsoft.

Posted by: lh | April 12, 2006 9:21 PM | Report abuse

I also experienced trouble browsing after applying yesterday's patches. I'm having to precede each web address with http://
(as in www.google.com doesn't work, but http://www.google.com does). Try that as a workaround until MS tweaks their patch.

I'm also seeing Windows Explorer behave oddly now, too.

Posted by: Joe in EC | April 12, 2006 10:37 PM | Report abuse

I wonder why so many people including Microsoft think it producing error free software is impossible. If you think it is impossible then you are not going to get very far in improving things; if you accept it is possible but difficult then at least you can try if you are willing to improve matters. If IE were not so closely integrated in Windows it would improve things; if software manufacturers stop putting features that allow or rely on executable downloads to 'enhance' the user experience it would help. Alas, with too many software companies after quick profits and too many users lured by needless 'enhancements' it could take a while before things get better. Why should software companies have less liability when it comes to suitability for the purpose than those producing cars, TVs, washing machines or have less need of care than doctors, accountant, and lawyers. When will those elected to serve the public start to do something to serve the public interest.

Posted by: Anonymous | April 13, 2006 6:35 AM | Report abuse

>go ahead install firefox, slow down your surfing speed...<

When I switched from IE to Firefox 1.5, I immediately noticed that Firefox loads pages _faster_ than IE, and has an instant acting back arrow. I also like Firefox's live bookmarks, shrink-to-fit printing, etc. Firefox is perfectly compatabile with the web sites that I visit.

Posted by: John Johnson | April 13, 2006 2:02 PM | Report abuse

I manually downloaded the batcht of patches and, oh boy, my computer froze after re-booting. I did a system restore, which worked but windows update sent me the whole batch again with the same result. I don't know which patch is doing the dirty deed and I now have windows update turned off until I get the time to figure this out. Its a bummer!

Posted by: Dan | April 14, 2006 8:14 AM | Report abuse

I keep my computer clean - only known websites, no (or few) pop-ups, run NAV and Lavasoft weekly --- so what's the story with this problem in the address bar????

I see someone has had some success with entering "http://" first. Is this an answer?

Posted by: Maria in Columbia MO | April 14, 2006 9:47 AM | Report abuse

I don't know if this is related to the latest Microsoft security patch, but I noticed that after loading it my computer was dramatically slower, to the point that I had to reboot to clear a stuck program and Web browser window. I know that in the Windows world odd computer configurations may bedevil a security patch, but as a rule security patches and software upgrades shouldn't make a computer operate worse than before, but that is what happens way too often with Windows. It makes it difficult for me to trust Vista, since Windows XP has been in many respects as much of a nightmare as Windows 98. I'm thinking about saving up to replace my two PCS with Intel-based Macs next year. If I make that move, which seems more likely each day, I wonder how many frustrated XP users will join me?

Posted by: DC Proud | April 17, 2006 3:28 PM | Report abuse

Firefox and Opera handle a group of RSS feeds differently. Opera uses it's mail system, so when you view a particular feed, you get summaries of the stories, in addition to the title. Not so in Firefox, you just get the titles of the stories in a drop down box for the feed, in the bookmarks toolbar. You can scan the story titles faster in Firefox, as all you have to do is wave the pointer over the feed icon in the toolbar to activate the drop down box.
I have 12 built in RSS feeds in Opera, in my livecd linux.
Here is a link to my technical blog:
http://rapidweatherlinux.blogspot.com

Posted by: Rapidweather | April 17, 2006 8:34 PM | Report abuse

I've run into this problem at several different sites I support. It is almost always on HP and Compaq computers and ran into it with a computer that had a HP all in one installed on it.

Posted by: Anonymous | April 17, 2006 10:24 PM | Report abuse

Today I worked on a computer for three hours that when you type something in the address bar and hit enter it does nothing. ran every virus scan that I know of and came up nothing.

Posted by: Daniel | April 18, 2006 1:23 AM | Report abuse

Try

http://support.microsoft.com/kb/918165

This should work to fix!

Posted by: RAMII | April 18, 2006 11:25 AM | Report abuse

Installed the patch on my HP Laptop. Got slow, slower....gone! Would not reboot, no matter what. Had to replace the hard drive. Thank goodness for extended warranty, but lost everything.

Posted by: Jeff | April 18, 2006 3:17 PM | Report abuse

I have had problems with three computers since the last security update. One was at work and created havoc when I needed to turn in some reports last Friday. Win Explorer was sluggish and Word and Excel would freeze when I tried to save the newly created docunent I removed the update (kb908531)and everythng worked fine after that.

Posted by: George HANK | April 18, 2006 11:07 PM | Report abuse

it is all because of the holes. With the comming of the new vista, everyone is gonna feel safe...until the virus start hitting again. After all the years in the waiting,holes again.

Posted by: Dr.Q | April 19, 2006 3:34 PM | Report abuse

Thought I was the only one with these problems - having to type in "http//" in front of web addresses the last two days - and then today I couldn't save anything in Word or open any folders/files outside My Documents. Have applied the register fix recommended today but am afraid to open Word... in fear that it still won't work. If all else fails I do system restore to last week ... and skip the new patch.

Posted by: Nancy in Cinti | April 20, 2006 5:19 PM | Report abuse

I use FF for browsing, as well as Office/Outlook 2003. The only time I use IE is when it opens automatically for Windows Updates. Do I really need to install any of these updates? If so, which ones? I have XP Media Center on a Dell and so far (knocks on wood) have been trouble-free. Thanks for any insights.

Posted by: FF User | April 21, 2006 3:51 PM | Report abuse

I am having the same problems and had to restore to fix the problems on 2 HP machines. Windows Explorer problems and Download problems

Posted by: Jeff | April 22, 2006 9:53 PM | Report abuse

I'm also having the problem with having to type "http://" to access websites. I hadn't realized how 'spoiled' I had gotten with being able to just type in "google.com" and go to google. I've attempted to remove the most recent batch up patches from MS, but as our computer has Automatic Updates, the dratted things keep ending up back on the machine.

Is MS planning to FIX this soon?

Posted by: Stephanie | April 24, 2006 2:35 AM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company