It’s springtime for Microsoft service packs

By Susan Bradley




In the Northern Hemisphere, it’s springtime — time to revisit Windows 7 and Office service packs.

Our lack of major updates at the end of the month means we can devote time to getting needed service packs installed.

931125

Microsoft root certificates get another update

One of the confusing aspects of this update is that Microsoft uses the same patch number for every root-certificate update throughout the year. So if you’ve seen 931125 before, that’s why.

As before, I recommend that XP users pass on this update — unless a website specifically requires a root-certificate included in update KB 931125.

(As I’ve noted before, Vista and Windows 7 machines will download and install this update automatically; XPs have to install it manually, typically through Windows Update’s Optional updates section.)

Why make a recommendation that seems to make Windows XP more vulnerable than Vista and Win7? Because I still think there are issues with the entire certificate-authority chain of trust. And the following statement from this update’s page should not add to your level of comfort: “The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.”

It can be difficult to find out exactly what’s in a root-certificate update. A Microsoft TechNet Wiki provides some information. But typically, you have to install the update and check what certificates changed.

Moreover, some of the updated certificates have only limited applications. The February release (page), for example, included certificates for the Israeli and Swedish governments. I’ve nothing against these countries, but I can’t recall ever going to any of their websites. And given past problems with trust certificates, why should I go through the work of manually installing SSL certificates for sites I never plan to visit?

What to do: Unless a website demands an updated trust certificate, Windows XP users can pass on KB 931125.
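One way to check which certificates a root-certificate update changed, as an added example that is not part of the original column: snapshot the machine's root stores before and after installing, then diff the two snapshots. It assumes PowerShell is available (it is not installed by default on XP), and the CSV file names are placeholders.

```powershell
# Added example. 'Root' and 'AuthRoot' are the standard LocalMachine root stores;
# the CSV file names in the usage comments are placeholders.

function Get-RootCertSnapshot {
    # One record per certificate in the machine-wide root stores.
    foreach ($store in 'Root', 'AuthRoot') {
        Get-ChildItem -Path "Cert:\LocalMachine\$store" |
            Select-Object @{ n = 'Store'; e = { $store } }, Thumbprint, Subject, NotAfter
    }
}

function Compare-RootCertSnapshot {
    param(
        [Parameter(Mandatory = $true)] [string] $BeforePath,
        [Parameter(Mandatory = $true)] [string] $AfterPath
    )
    $before = @(Import-Csv -Path $BeforePath)
    $after  = @(Import-Csv -Path $AfterPath)
    # Match on store + thumbprint: the thumbprint identifies one exact certificate,
    # while a Subject name can repeat across reissued roots.
    Compare-Object -ReferenceObject $before -DifferenceObject $after `
                   -Property Store, Thumbprint -PassThru |
        Select-Object @{ n = 'Change'; e = { if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' } } },
                      Store, Thumbprint, Subject, NotAfter
}

# Usage:
#   Get-RootCertSnapshot | Export-Csv -Path .\roots-before.csv -NoTypeInformation
#   (install the root-certificate update)
#   Get-RootCertSnapshot | Export-Csv -Path .\roots-after.csv -NoTypeInformation
#   Compare-RootCertSnapshot -BeforePath .\roots-before.csv -AfterPath .\roots-after.csv |
#       Format-Table -AutoSize
```

An empty result means the update left both stores unchanged.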

976932

Microsoft takes the gloves off Win7 SP1

It’s been over a year since Windows 7 SP1 was released. Starting this week, the service pack can no longer be blocked by the Windows Service Pack Blocker Tool Kit (page) — a Microsoft utility that lets companies control when service packs are installed on their systems.

If you’ve not yet installed Windows 7 SP1, it’s time to do so. Not sure whether you have SP1 on your system? To check, click the Start button and type cmd into the Search programs and files box. The black command window will open and display your version of Windows at the top. You should see “Microsoft Windows [Version 6.1.7601].” (If it lists Version 6.1.7600, you don’t have SP1.)

What to do: Look for KB 976932 in Windows Update. If you don’t see it, go to the service pack’s Download Center page and try to download and install it manually. If that fails, install Microsoft’s System Update Readiness Tool (page) to repair any corruption with your Windows system. (The tool automatically runs during its installation.) Next, attempt to install Win7 SP1 again.

976932

Advanced tips on installing Windows 7 SP1

I had no problems installing Win7 SP1 on every computer except my personal machine. (Wouldn’t you know it?) The install process kept spitting out an 80004005 error. (In Microsoft-speak, this generic error roughly translates into “It could be anything.”)

When I posted the error on a Microsoft forum, I received a suggestion to try the KB 2530477 “Fix it.” But I’d already tried it, and it didn’t work. Another forum reply suggested reregistering .dlls, but that didn’t help, either.

My final solution was to do a repair installation on top of the existing Win7 setup. But because I did not want to reinstall from scratch, I had to use a less orthodox process, which started with creating a Windows 7 SP1 disc. (A PC World article describes how to do this.)

Next, I applied an old trick once used to update from a release-candidate Windows 7 to the release-to-manufacturer version: editing the cversion.ini file, as documented in a How-To Geek blog. I edited the MinClient value to read 7600.0 and then started the install of Windows 7 SP1 from the setup.exe file on the Win7 SP1 installation disc. SP1 successfully installed and retained all my settings.

What to do: If Win7 SP1 just won’t install, try the steps listed above.

MS12-020 (2621440, 2667402)

RDP exploits appear, but still no real threat

A month after Microsoft reported a potential Remote Desktop Protocol (RDP) vulnerability in Microsoft Security Bulletin MS12-020, there are already warnings of attempted exploits such as denial-of-service attacks. An F-Secure blog describes sample exploits, including one that could be used to crash computers running RDP.

What to do: If you’ve already applied KB 2621440 for XP systems or KB 2621440 and KB 2667402 for Vista and Windows 7 (MS12-020), you’re protected. Fortunately, it looks like coding an exploit for this RDP vulnerability is not easy.

2526086, 2658224

Keeping Microsoft Office 2007 up to date

If you use Microsoft Update to patch your version of Office, you might be missing out on some cumulative updates for the suite. A Microsoft Update Center page lists the latest Office versions and service packs. To check whether you have Office 2007 Service Pack 3 installed, open Word or Excel and click the Office logo in the top-left corner of the app (shown in Figure 1).

Figure 1. Start with the Office logo to find your current version of Office.

Next, click Excel Options or Word Options (at the bottom of the dialog box), then Resources, and then the About button. If you see 12.0.6545.5000 SP2, you’re still on version SP2. From this screen you can click Get updates to, well, get those updates.

I strongly recommend that you not install the Office File Validation add-ins for Office 2007 or 2003 — they’ve had issues, such as causing delays when opening older files.

What to do: Once you’ve installed Office SP3 (KB 2526086), look for the latest cumulative updates (in this case, February’s KB 2658224). I’ll be highlighting some I consider worthwhile in a future Patch Watch.

2597052

A reminder on installing Office 2010 SP1

I wrote about Office 2010 SP1 several months ago, but readers are still asking about it. So my advice deserves repeating. If you’ve installed Office SP1, you might see a problem where clicking e-mail addresses causes Outlook to flip them over to a different kind of link. To fix this on a short-term basis, you have to manually edit these saved e-mail addresses. The long-term fix is to install KB 2597052.

What to do: Install KB 2597052 immediately after installing Office 2010 SP1.

Believe it or not, patching has gotten easier

I write this column twice a month mostly because I learned the importance of patch-protecting my systems many years ago. Recently, Microsoft Director of Trustworthy Computing Tim Rains took me down memory lane in his blog post about how much worse patching once was. Up until October 2003, we used to receive weekly updates. Imagine having to install updates once a week!

Although .NET isn’t out of the doghouse with me, and while I still cross my fingers each Patch Tuesday, Tim’s blog is a reminder that we’ve come a long way from those days when we had to actually find updates.

What to do: Read Tim’s blog if you want to know where we’ve been and where we might be going with Windows patching.

Adobe Flash adds automatic updates

On Wednesday, Adobe released a Flash update that includes an automatic-updates option. Adobe Flash Player update 11.2.202.228 also includes options to “Notify me when updates are available” or “Never check for updates (not recommended),” as shown in Figure 2.

Figure 2. The latest version of Flash offers three update options.

Although the default setting is to allow automatic updates, for now I recommend choosing “Notify me when …” — I’m not sure how Adobe’s updater utility will handle nonadministrative users and those offers to install third-party toolbars and Chrome.

What to do: Install the latest Flash (download page), uncheck the Free McAfee box, and set the update to “Notify me when updates are available.”

Regularly updated problem-patch chart

This table provides the status of problem patches reported in previous Patch Watch columns. Patches listed below as safe to install will be removed from the next updated table. For Microsoft’s list of recently released patches, go to the MS Safety & Security Center PC Security page.

| Patch | Released | Description | Status |
|---|---|---|---|
| 2553065 | 09-13 | Office File Validation update | Skip |
| 2553270 | 12-13 | Office 2010 nonsecurity update | Skip |
| 2553385 | 12-13 | Office/Access 2010 nonsecurity update | Skip |
| 2553439 | 12-13 | Excel 2010 nonsecurity update | Skip |
| 2596596 | 12-13 | Excel 2007 update breaks chart printing | Skip |
| 2596964 | 12-13 | Office 2010 nonsecurity update | Skip |
| 2633952 | 12-13 | Windows cumulative time-zone update | Skip |
| 2646524 | 01-10 | Unicode processing fix for Chinese, Japanese, or Korean locales | Skip |
| 2651026 | 02-14 | For XP systems only: February .NET updates; see MS12-016 for complete patch list | Skip |
| 931125 | 03-27 | Root-certificate update for XP | Skip |
| 2528583 | 07-12 | Cumulative update for SQL Server 2008 R2 | Wait |
| 2663841 | 02-14 | SharePoint Server (KB 2597124) and Foundation (KB 2553413) 2010 | Wait |
| 2607576 | 10-25 | Jump-list fix | Optional |
| 976932 | 02-22 | Windows 7 SP1 | Install |
| 2526086 | 10-25 | Office 2007 SP3 | Install |
| 2643584 | 01-10 | Secure Sockets Layer patch for BEAST attacks | Install |
| 2597052 | 02-08 | Patch of Office 2010 SP1 | Install |
| 2643719 | 02-14 | Remote code-execution attacks; Windows Server 2008 and R2 only | Install |
| 2651026 | 02-14 | For Vista and Win7 systems only: February .NET updates; see MS12-016 for complete patch list | Install |
| 2621440 | 03-13 | Critical Remote Desktop Protocol fix; all supported Win systems | Install |
| 2641653 | 03-13 | Fixed kernel-patching update released again | Install |
| 2647170 | 03-13 | DNS-query attack on Domain Name System servers | Install |
| 2647518 | 03-13 | Third-party ActiveX kill-bit update | Install |
| 2651018 | 03-13 | Expression Design vulnerability; see MS12-022 for list of patches | Install |
| 2651019 | 03-13 | EOP attacks via Visual Studio; see MS12-021 for list of patches | Install |
| 2658224 | 03-13 | Cumulative update for Office 2007 | Install |
| 2665364 | 03-13 | Denial-of-service attack via Instant Messenger | Install |
| 2667402 | 03-13 | Second critical RDP patch for Windows 7 PCs | Install |

Status recommendations: Skip — patch not needed; Hold — do not install until its problems are resolved; Wait — hold off temporarily while the patch is tested; Optional — not critical, use if wanted; Install — OK to apply.

Feedback welcome: Have a question or comment about this story? Post your thoughts, praise, or constructive criticisms in the WS Columns forum.

The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley has been named an MVP (Most Valuable Professional) by Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.

All Windows Secrets articles posted on 2012-03-29:
