Despite how it might seem at times, flawed security updates are relatively rare. When there is a problem, Microsoft typically releases an update for the update.
For example, this past December there was a bug in the patch Microsoft released to fix a font vulnerability. In this special New Year’s edition of Patch Watch, I review three problem updates released in December.
Some side effects from fixing vulnerable fonts
For every Patch Watch edition, I install offered updates on my systems and look for any problems the patches might cause. However, if a patch works on my PCs, there is no guarantee it’ll be problem-free on every PC — there’s a huge variety of PC configurations. The patches in MS12-078, for example, were intended to fix a vulnerability in TrueType and OpenType font files. Unfortunately, installing KB 2753842 had the unforeseen side effect of making fonts disappear in a few major applications such as PowerPoint, CorelDRAW, and other apps commonly used in the printing industry.
Root certificates causing headaches for admins
Microsoft’s Windows root-certificate updating process is confusing and often makes me nervous. Too often, we must trust that a root-cert update won’t have long-term consequences to our systems and networks. KB 931125, the December 2012 root-cert update for Windows XP, is a recent example of some unintended consequences — especially for server admins using Network Policy Server (NPS) to protect their systems.
NPS is a technology that lets admins set minimum standards for PCs that connect to a network. These standards can include installed patch levels, browsers, antivirus software, and more. You’ll find NPS typically deployed on larger networks.
Unfortunately, as noted in MS Support article 931125, KB 931125 was incorrectly offered on Microsoft Update to Vista and later systems. It was also offered via Windows Software Update Services to admins who manage client and server updates across a corporate network. Some admins failed to read the update’s fine print and installed the update on servers, causing issues with their systems, as noted in numerous Windows Server Forums posts.
Some servers, for example, stopped processing NAP requests; the only way to fix the issue was to edit the number of certificates allowed by the server — and to manually remove unneeded certs. This was necessary because servers processing SSL certificates have limited space for storing root certs. Installing KB 931125 inadvertently doubles the number of installed certificates, exceeding the servers’ limits.
Take a pass on Windows Management Framework 3.0
In the Dec. 13, 2012, Patch Watch, I recommended passing on KB 2506143, an optional Windows Management Framework 3.0 update that adds PowerShell 3.0 to your workstations and servers. My instincts proved to be on target: there are reports of problems with the update on Exchange 2007/2010 and on Small Business Server 2008/2011, as noted on the MS Exchange Team blog.
Zero-day threat for IE Versions 6, 7, and 8
On Dec. 29, 2012, an MSRC blog announced the release of Security Advisory 2794220. The original blog noted that this exploit is already in use and that MS would release a fixit as soon as possible. The patch is now available.
Regularly updated problem-patch chart
This table provides the status of problem patches reported in previous Patch Watch columns. Patches listed below as safe to install will be removed from the next updated table. For Microsoft’s list of recently released patches, go to the MS Safety & Security Center PC Security page.
|2553272||08-14||Office 2010 stability/performance fixes (status change)||Skip|
|2598289||08-14||Office 2010 stability/performance fixes (status change)||Skip|
|2592687||10-23||Windows RDP 8.0 update for Win7 SP1||Skip|
|2574819||10-23||Adds DTLS support to Win7 SP1||Skip|
|2750841||11-13||MS/OpenDNS IPv6 conflict||Skip|
|2735855||09-11||Windows Filtering Platform: Potential third-party firewall impact||Wait|
|2553402||10-09||MS FAST Search Server 2010 for SharePoint SP1||Wait|
|2739159||10-09||Windows 7 encryption||Wait|
|2754849||10-09||SQL Server; see MS12-070 for complete patch list||Wait|
|2756822||10-09||Cumulative time-zone update||Wait|
|2745030||11-13||.NET updates; see MS12-074 for complete patch list||Wait|
|2647753||10-09||Printing core components — timestamp reissue||Optional|
|2732487||10-09||Segoe font — timestamp reissue||Optional|
|2770816||10-23||Install only if KB 2756872 fails; check MS Support site for details||Optional|
|2661254||08-14||Minimum certificate key length||Install|
|2720184||11-13||Excel vulnerabilities; see MS12-076 for complete patch list||Install|
|2761451||11-13||IE 9 cumulative update||Install|
|2753842||12-11||Windows kernel; also KB 2779030 (UPDATE: status change)||Install|
|2758857||12-11||Unicode file names||Install|
|2760416||12-11||Office Compatibility Pack (might be offered)||Install|
|2761465||12-11||Internet Explorer cumulative update||Install|
Status recommendations: Skip — patch not needed; Hold — do not install until its problems are resolved; Wait — hold off temporarily while the patch is tested; Optional — not critical, use if wanted; Install — OK to apply.
Subscribe to our Windows Secrets Newsletter - It's Free!
Get our unique weekly Newsletter with tips and techniques, how to's and critical updates on Windows 7, Windows 8, Windows XP, Firefox, Internet Explorer, Google, etc. Join our 480,000 subscribers!
Subscribe and get our monthly bonuses - free!
Want to hack the new Start screen and tiles for your Win8 Device, the new Lock screen, the new tile-based apps, or the automatic notification information? Yes, you can do that. How about running other operating systems inside Windows 8, running Windows 8 on a Mac, or hacking SkyDrive and social media? We'll show you how to do that as well. Get this excerpt and other 5 bonuses if you subscribe now!