By Susan Bradley
In the Northern Hemisphere, it’s springtime — time to revisit Windows 7 and Office service packs.
Our lack of major updates at the end of the month means we can devote time to getting needed service packs installed.
931125: Microsoft root certificates get another update
One of the confusing aspects of this update is that Microsoft uses the same patch number for every root-certificate update throughout the year. So if you’ve seen 931125 before, that’s why.
As before, I recommend that XP users pass on this update — unless a website specifically requires a root-certificate included in update KB 931125.
(As I’ve noted before, Vista and Windows 7 machines will download and install this update automatically; XPs have to install it manually, typically through Windows Update’s Optional updates section.)
Why make a recommendation that seems to make Windows XP more vulnerable than Vista and Win7? Because I still think there are issues with the entire certificate-authority chain of trust. And the following statement from this update’s page should not add to your level of comfort: “The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.”
It can be difficult to find out exactly what’s in a root-certificate update. A Microsoft TechNet Wiki provides some information. But typically, you have to install the update and check what certificates changed.
Moreover, some of the updated certificates have only limited applications. The February release (page), for example, included certificates for the Israeli and Swedish governments. I’ve nothing against these countries, but I can’t recall ever going to any of their websites. And given past problems with trust certificates, why should I go through the work of manually installing SSL certificates for sites I never plan to visit?
► What to do: Unless a website demands an updated trust certificate, Windows XP users can pass on KB 931125.
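One way to see exactly which root certificates an update such as KB 931125 changed, as an added example that is not part of the original column: snapshot the machine's trusted-root stores before and after installing, then diff the two snapshots by thumbprint. It assumes PowerShell is installed (XP does not ship with it); the function names and CSV paths are hypothetical.

```powershell
# Added example, not from the column. Root and AuthRoot are the standard
# Windows machine stores for trusted and third-party root CAs.
$Stores = 'Root', 'AuthRoot'

function Save-RootSnapshot {
    param([Parameter(Mandatory = $true)][string]$Path)
    $rows = foreach ($store in $Stores) {
        Get-ChildItem -Path "Cert:\LocalMachine\$store" |
            Select-Object @{n = 'Store'; e = { $store }},
                          Thumbprint, Subject, NotBefore, NotAfter
    }
    $rows | Sort-Object Store, Thumbprint |
        Export-Csv -Path $Path -NoTypeInformation
}

function Compare-RootSnapshot {
    param(
        [Parameter(Mandatory = $true)][string]$Before,
        [Parameter(Mandatory = $true)][string]$After
    )
    # Index each snapshot by store + thumbprint so a certificate is matched
    # by its hash, not by a display name that another certificate could reuse.
    $old = @{}; $new = @{}
    Import-Csv -Path $Before | ForEach-Object { $old["$($_.Store)|$($_.Thumbprint)"] = $_ }
    Import-Csv -Path $After  | ForEach-Object { $new["$($_.Store)|$($_.Thumbprint)"] = $_ }

    # Certificates present only in the later snapshot were added by the update.
    foreach ($key in $new.Keys) {
        if (-not $old.ContainsKey($key)) {
            $new[$key] | Select-Object @{n = 'Change'; e = { 'Added' }},
                                       Store, Thumbprint, Subject, NotAfter
        }
    }
    # Certificates present only in the earlier snapshot were removed.
    foreach ($key in $old.Keys) {
        if (-not $new.ContainsKey($key)) {
            $old[$key] | Select-Object @{n = 'Change'; e = { 'Removed' }},
                                       Store, Thumbprint, Subject, NotAfter
        }
    }
}

# Usage (paths are assumptions): snapshot, install the update, snapshot, diff.
# Save-RootSnapshot -Path "$env:TEMP\roots-before.csv"
# Save-RootSnapshot -Path "$env:TEMP\roots-after.csv"
# Compare-RootSnapshot -Before "$env:TEMP\roots-before.csv" -After "$env:TEMP\roots-after.csv" | Format-Table -AutoSize
```

Keeping the "before" CSV also gives you a baseline to compare against later if a root certificate appears that you did not knowingly install.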
976932: Microsoft takes the gloves off Win7 SP1
It’s been over a year since Windows 7 SP1 was released. Starting this week, the service pack can no longer be blocked by the Windows Service Pack Blocker Tool Kit (page) — a Microsoft utility that lets companies control when service packs are installed on their systems.
If you’ve not yet installed Windows 7 SP1, it’s time to do so. Not sure whether you have SP1 on your system? To check, click the Start button and type cmd into the Search programs and files box. The black command window will open and display your version of Windows at the top. You should see “Microsoft Windows [Version 6.1.7601].” (If it lists Version 6.1.7600, you don’t have SP1.)
► What to do: Look for KB 976932 in Windows Update. If you don’t see it, go to the service pack’s Download Center page and try to download and install it manually. If that fails, install Microsoft’s System Update Readiness Tool (page) to repair any corruption with your Windows system. (The tool automatically runs during its installation.) Next, attempt to install Win7 SP1 again.
976932: Advanced tips on installing Windows 7 SP1
I had no problems installing Win7 SP1 on every computer except my personal machine. (Wouldn’t you know it?) The install process kept spitting out an 80004005 error. (In Microsoft-speak, this generic error roughly translates into “It could be anything.”)
When I posted the error on a Microsoft forum, I received a suggestion to try the KB 2530477 “Fix it.” But I’d already tried it, and it didn’t work. Another forum reply suggested reregistering .dlls, but that didn’t help, either.
My final solution was to do a repair installation on top of the existing Win7 setup. But because I did not want to reinstall from scratch, I had to use a less orthodox process, which started with creating a Windows 7 SP1 disc. (A PC World article describes how to do this.)
Next, I applied an old trick once used to update from a release-candidate Windows 7 to the release-to-manufacturer version: editing the cversion.ini file, as documented in a How-To Geek blog. I edited the MinClient value to read 7600.0 and then started the install of Windows 7 SP1 from the setup.exe file on the Win7 SP1 installation disc. SP1 successfully installed and retained all my settings.
► What to do: If Win7 SP1 just won’t install, try the steps listed above.
MS12-020 (2621440, 2667402): RDP exploits appear, but still no real threat
A month after Microsoft reported a potential Remote Desktop Protocol (RDP) vulnerability in Microsoft Security Bulletin MS12-020, there are already warnings of attempted exploits such as denial-of-service attacks. An F-Secure blog describes sample exploits, including one that could be used to crash computers running RDP.
► What to do: If you’ve already applied KB 2621440 for XP systems or KB 2621440 and KB 2667402 for Vista and Windows 7 (MS12-020), you’re protected. Fortunately, it looks like coding an exploit for this RDP vulnerability is not easy.
2526086, 2658224: Keeping Microsoft Office 2007 up to date
If you use Microsoft Update to patch your version of Office, you might be missing out on some cumulative updates for the suite. A Microsoft Update Center page lists the latest Office versions and service packs. To check whether you have Office 2007 Service Pack 3 installed, open Word or Excel and click the Office logo in the top-left corner of the app (shown in Figure 1).
Figure 1. Start with the Office logo to find your current version of Office.
Next, click Excel Options or Word Options (at the bottom of the dialog box), then Resources, and then the About button. If you see 12.0.6545.5000 SP2, you’re still on version SP2. From this screen you can click Get updates to, well, get those updates.
I strongly recommend that you not install the Office File Validation add-ins for Office 2007 or 2003 — they’ve had issues, such as causing delays when opening older files.
► What to do: Once you’ve installed Office SP3 (KB 2526086), look for the latest cumulative updates (in this case, February’s KB 2658224). I’ll be highlighting some I consider worthwhile in a future Patch Watch.
2597052: A reminder on installing Office 2010 SP1
I wrote about Office 2010 SP1 several months ago, but readers are still asking about it. So my advice deserves repeating. If you’ve installed Office SP1, you might see a problem where clicking e-mail addresses causes Outlook to flip them over to a different kind of link. To fix this on a short-term basis, you have to manually edit these saved e-mail addresses. The long-term fix is to install KB 2597052.
► What to do: Install KB 2597052 immediately after installing Office 2010 SP1.
Believe it or not, patching has gotten easier
I write this column twice a month mostly because I learned the importance of patch-protecting my systems many years ago. Recently, Microsoft Director of Trustworthy Computing Tim Rains took me down memory lane in his blog post about how much worse patching once was. Up until October 2003, we used to receive weekly updates. Imagine having to install updates once a week!
Although .NET isn’t out of the doghouse with me, and while I still cross my fingers each Patch Tuesday, Tim’s blog is a reminder that we’ve come a long way from those days when we had to actually find updates.
► What to do: Read Tim’s blog if you want to know where we’ve been and where we might be going with Windows patching.
Adobe Flash adds automatic updates
On Wednesday, Adobe released a Flash update that includes an automatic-updates option. Adobe Flash Player update 126.96.36.199 also includes options to “Notify me when updates are available” or “Never check for updates (not recommended),” as shown in Figure 2.
Figure 2. The latest version of Flash offers three update options.
Although the default setting is to allow automatic updates, I recommend, for now, choosing “Notify me when …” — I’m not sure how Adobe’s updater utility will handle nonadministrative users and those offers to install third-party toolbars and Chrome.
► What to do: Install the latest Flash (download page), uncheck the Free McAfee box, and set the update to “Notify me when updates are available.”
Regularly updated problem-patch chart
This table provides the status of problem patches reported in previous Patch Watch columns. Patches listed below as safe to install will be removed from the next updated table. For Microsoft’s list of recently released patches, go to the MS Safety & Security Center PC Security page.
| Patch | Released | Description | Status |
|---|---|---|---|
| 2553065 | 09-13 | Office File Validation update | Skip |
| 2553270 | 12-13 | Office 2010 nonsecurity update | Skip |
| 2553385 | 12-13 | Office/Access 2010 nonsecurity update | Skip |
| 2553439 | 12-13 | Excel 2010 nonsecurity update | Skip |
| 2596596 | 12-13 | Excel 2007 update breaks chart printing | Skip |
| 2596964 | 12-13 | Office 2010 nonsecurity update | Skip |
| 2633952 | 12-13 | Windows cumulative time-zone update | Skip |
| 2646524 | 01-10 | Unicode processing fix for Chinese, Japanese, or Korean locales | Skip |
| 2651026 | 02-14 | For XP systems only: February .NET updates; see MS12-016 for complete patch list | Skip |
| 931125 | 03-27 | Root-certificate update for XP | Skip |
| 2528583 | 07-12 | Cumulative update for SQL Server 2008 R2 | Wait |
| 2663841 | 02-14 | SharePoint Server (KB 2597124) and Foundation (KB 2553413) 2010 | Wait |
| 2607576 | 10-25 | Jump-list fix | Optional |
| 976932 | 02-22 | Windows 7 SP1 | Install |
| 2526086 | 10-25 | Office 2007 SP3 | Install |
| 2643584 | 01-10 | Secure Sockets Layer patch for BEAST attacks | Install |
| 2597052 | 02-08 | Patch of Office 2010 SP1 | Install |
| 2643719 | 02-14 | Remote code-execution attacks; Windows Server 2008 and R2 only | Install |
| 2651026 | 02-14 | For Vista and Win7 systems only: February .NET updates; see MS12-016 for complete patch list | |
| 2621440 | 03-13 | Critical Remote Desktop Protocol fix; all supported Win systems | Install |
| 2641653 | 03-13 | Fixed kernel-patching update released again | Install |
| 2647170 | 03-13 | DNS-query attack on Domain Name System servers | Install |
| 2647518 | 03-13 | Third-party ActiveX kill-bit update | Install |
| 2651018 | 03-13 | Expression Design vulnerability; see MS12-022 for list of patches | Install |
| 2651019 | 03-13 | EOP attacks via Visual Studio; see MS12-021 for list of patches | Install |
| 2658224 | 03-13 | Cumulative update for Office 2007 | Install |
| 2665364 | 03-13 | Denial-of-service attack via Instant Messenger | Install |
| 2667402 | 03-13 | Second critical RDP patch for Windows 7 PCs | Install |
Status recommendations: Skip — patch not needed; Hold — do not install until its problems are resolved; Wait — hold off temporarily while the patch is tested; Optional — not critical, use if wanted; Install — OK to apply.
The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley has been named an MVP (Most Valuable Professional) by Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.