A Windows-patching December to remember

Susan Bradley

Despite how it might seem at times, flawed security updates are relatively rare. When there is a problem, Microsoft typically releases an update for the update.

For example, this past December there was a bug in the patch Microsoft released to fix a font vulnerability. In this special New Year’s edition of Patch Watch, I review three problem updates released in December.

MS12-078 (2753842)

Some side effects from fixing vulnerable fonts

For every Patch Watch edition, I install offered updates on my systems and look for any problems the patches might cause. However, if a patch works on my PCs, there is no guarantee it’ll be problem-free on every PC — there’s a huge variety of PC configurations. The patches in MS12-078, for example, were intended to fix a vulnerability in TrueType and OpenType font files. Unfortunately, installing KB 2753842 had the unforeseen side effect of making fonts disappear in a few major applications such as PowerPoint, CorelDRAW, and other apps commonly used in the printing industry.

A Dec. 14, 2012, Graphics Unleashed blog post gives more details on the problem. Windows Secrets Lounge member Doug.S was also quick to note a discussion of the problem in a CorelDRAW forum.

What to do: Microsoft rereleased KB 2753842 on Dec. 20, 2012. Install the new version — and if you are still having issues with this update, please post that information in the related Windows Secrets Lounge thread. I’ll do some more investigation.

931125

Root certificates causing headaches for admins

Microsoft’s Windows root-certificate updating process is confusing and often makes me nervous. Too often, we must trust that a root-cert update won’t have long-term consequences to our systems and networks. KB 931125, the December 2012 root-cert update for Windows XP, is a recent example of some unintended consequences — especially for server admins using Network Policy Server (NPS) to protect their systems.

NPS is a technology that lets admins set minimum standards for PCs that connect to a network. These standards can include installed patch levels, browsers, antivirus software, and more. You’ll find NPS typically deployed on larger networks.

Unfortunately, as noted in MS Support article 931125, KB 931125 was incorrectly offered on Microsoft Update to Vista and later systems. It was also offered via Windows Software Update Services to admins who manage client and server updates across a corporate network. Some admins failed to read the update’s fine print and installed the update on servers, causing issues with their systems, as noted in numerous Windows Server Forums posts.

Some servers, for example, stopped processing NAP requests; the only way to fix the issue was to edit the number of certificates allowed by the server — and to manually remove unneeded certs. This was necessary because servers processing SSL certificates have limited space for storing root certs. Installing KB 931125 inadvertently doubles the number of installed certificates, exceeding the servers’ limits.

What to do: Although the issue with KB 931125 impacts only servers handling SSL certificates, it’s a good reminder that we should, from time to time, review the root certificates installed on our PCs and remove expired and out-of-date certs. I’ll give step-by-step instructions in the next Windows Secrets.
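As an added example, not something from the column or from Microsoft, the PowerShell script below audits the trusted root store the way the paragraph above recommends: it counts the roots, lists the expired ones, and flags subjects that appear more than once (the kind of doubling described for KB 931125). It uses the .NET X509Store class rather than the Cert: drive so it also runs on PowerShell 2.0 (XP, Server 2008). The parameter names -StoreLocation and -RemoveExpired are my own; without -RemoveExpired the script only reports.

```powershell
# Added example (not from the Patch Watch column): audit the trusted root store.
# Uses the .NET X509Store API so it works on PowerShell 2.0 without Cert: drive write support.
param(
    [string]$StoreLocation = "LocalMachine",   # assumed parameter; "CurrentUser" also valid
    [switch]$RemoveExpired                      # assumed switch; report-only when omitted
)

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", $StoreLocation)
$mode = "ReadOnly"
if ($RemoveExpired) { $mode = "ReadWrite" }    # ReadWrite on LocalMachine needs an elevated prompt
$store.Open($mode)

$certs = @($store.Certificates)
$now = Get-Date
Write-Output ("Root store ({0}): {1} certificates" -f $StoreLocation, $certs.Count)

# 1. Roots whose validity period has already ended
$expired = @($certs | Where-Object { $_.NotAfter -lt $now })
Write-Output ("Expired roots: {0}" -f $expired.Count)
$expired | Sort-Object NotAfter |
    Select-Object NotAfter, Subject, Thumbprint |
    Format-Table -AutoSize | Out-Host

# 2. Subjects present more than once: several generations of one CA, or a store
#    that has been doubled by a root-update package
$dupes = @($certs | Group-Object Subject | Where-Object { $_.Count -gt 1 })
Write-Output ("Subjects with more than one root: {0}" -f $dupes.Count)
foreach ($g in $dupes) {
    Write-Output $g.Name
    $g.Group | Sort-Object NotAfter | ForEach-Object {
        Write-Output ("    {0:yyyy-MM-dd} .. {1:yyyy-MM-dd}  {2}" -f $_.NotBefore, $_.NotAfter, $_.Thumbprint)
    }
}

# 3. Optional cleanup: remove only the expired entries, never a duplicate that is still valid
if ($RemoveExpired) {
    foreach ($c in $expired) {
        Write-Output ("Removing expired root: {0} ({1})" -f $c.Subject, $c.Thumbprint)
        $store.Remove($c)
    }
}
$store.Close()
```

Run it once without the switch and keep the output; a second run after the next root-certificate update shows exactly what the update added. Duplicated subjects are reported but not touched, because the newer generation of a CA's root is usually the one still in use.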

2506143

Take a pass on Windows Management Framework 3.0

In the Dec. 13, 2012, Patch Watch, I recommended passing on KB 2506143, an optional Windows Management Framework 3.0 update that adds PowerShell 3.0 to your workstations and servers. My instincts proved to be on target: there are reports of problems with the update on Exchange 2007/2010 and on Small Business Server 2008/2011, as noted on the MS Exchange Team blog.

What to do: Don’t install this update until I say otherwise. If you’ve already installed it on your Small Business Server, an SBS blog offers steps to fully remove the update.

Zero-day threat for IE Versions 6, 7, and 8

On Dec. 29, 2012, an MSRC blog announced the release of Security Advisory 2794220. The original blog noted that this exploit is already in use and that MS would release a fixit as soon as possible. The patch is now available.

What to do: Your options for avoiding this latest IE threat include immediately upgrading to IE 9 or higher, or using another browser such as Firefox or Chrome. If you must use IE Versions 6, 7, or 8, install the fixit offered in MS Security Advisory 2794220.

Regularly updated problem-patch chart

This table provides the status of problem patches reported in previous Patch Watch columns. Patches listed below as safe to install will be removed from the next updated table. For Microsoft’s list of recently released patches, go to the MS Safety & Security Center PC Security page.

Patch Released Description Status
2553272 08-14 Office 2010 stability/performance fixes (status change) Skip
2598289 08-14 Office 2010 stability/performance fixes (status change) Skip
2592687 10-23 Windows RDP 8.0 update for Win7 SP1 Skip
2574819 10-23 Adds DTLS support to Win7 SP1 Skip
2750841 11-13 MS/OpenDNS IPv6 conflict Skip
931125 12-11 Root certificates Skip
2506143 12-11 PowerShell 3 Skip
2779562 12-11 Time-zone fix Skip
2735855 09-11 Windows Filtering Platform: Potential third-party firewall impact Wait
2553402 10-09 MS FAST Search Server 2010 for SharePoint SP1 Wait
2731771 10-09 Time-zone conversion Wait
2739159 10-09 Windows 7 encryption Wait
2754849 10-09 SQL Server; see MS12-070 for complete patch list Wait
2756822 10-09 Cumulative time-zone update Wait
2745030 11-13 .NET updates; see MS12-074 for complete patch list Wait
2647753 10-09 Printing core components — timestamp reissue Optional
2732487 10-09 Segoe font — timestamp reissue Optional
2770816 10-23 Install only if KB 2756872 fails; check MS Support site for details Optional
2661254 08-14 Minimum certificate key length Install
2720184 11-13 Excel vulnerabilities; see MS12-076 for complete patch list Install
2727528 11-13 Windows Briefcase Install
2761226 11-13 TrueType kernel Install
2761451 11-13 IE 9 cumulative update Install
2753842 12-11 Windows kernel; also KB 2779030 (UPDATE: status change) Install
2758857 12-11 Unicode file names Install
2760410 12-11 Word 2010 Install
2760416 12-11 Office Compatibility Pack (might be offered) Install
2760421 12-11 Word 2007 Install
2760497 12-11 Word 2003 Install
2761465 12-11 Internet Explorer cumulative update Install
2770660 12-11 DirectPlay Install

Status recommendations: Skip — patch not needed; Hold — do not install until its problems are resolved; Wait — hold off temporarily while the patch is tested; Optional — not critical, use if wanted; Install — OK to apply.
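The chart above, together with the KB 2506143 and IE 6/7/8 items earlier in the column, is easy to turn into a local check. The script below is an added example, not code from Windows Secrets: it embeds the chart's KB numbers and statuses as inline data copied from the table, compares them against Get-HotFix output, reports the PowerShell version (the payload of KB 2506143), and reads the Internet Explorer version from the registry so you can see whether Security Advisory 2794220 applies to a machine. Get-HotFix only lists Windows updates, so the Office entries in the chart (Word, Excel, Office 2010) will not appear here even when installed.

```powershell
# Added example (not from the Patch Watch column): compare installed updates with the chart.
# Chart data copied from the column's table: KB number, status.
$chartText = @'
2553272,Skip
2598289,Skip
2592687,Skip
2574819,Skip
2750841,Skip
931125,Skip
2506143,Skip
2779562,Skip
2735855,Wait
2553402,Wait
2731771,Wait
2739159,Wait
2754849,Wait
2756822,Wait
2745030,Wait
2647753,Optional
2732487,Optional
2770816,Optional
2661254,Install
2720184,Install
2727528,Install
2761226,Install
2761451,Install
2753842,Install
2758857,Install
2760410,Install
2760416,Install
2760421,Install
2760497,Install
2761465,Install
2770660,Install
'@
$chart = $chartText | ConvertFrom-Csv -Header KB, Status

# Installed Windows updates, keyed by KB number without the "KB" prefix.
# Get-HotFix reads Win32_QuickFixEngineering, which does not cover Office updates.
$installed = @{}
foreach ($fix in Get-HotFix) {
    $id = $fix.HotFixID -replace '^KB', ''
    $installed[$id] = $fix.InstalledOn
}

Write-Output "Chart entries present on this machine:"
foreach ($row in $chart) {
    if ($installed.ContainsKey($row.KB)) {
        $flag = ""
        if ($row.Status -eq "Skip" -or $row.Status -eq "Hold") {
            $flag = "  <-- review: column says $($row.Status)"
        }
        Write-Output ("  KB{0,-8} {1,-9} installed {2:yyyy-MM-dd}{3}" -f $row.KB, $row.Status, $installed[$row.KB], $flag)
    }
}

# KB 2506143 (Windows Management Framework 3.0) ships PowerShell 3.0; a version of 3 or
# higher means that update, or a newer WMF, is already on the box.
Write-Output ("PowerShell version: {0}" -f $PSVersionTable.PSVersion)

# IE version: svcVersion exists from IE 10 on; older releases only have Version.
$ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
$ieVer = $ie.svcVersion
if (-not $ieVer) { $ieVer = $ie.Version }
$ieMajor = [int]($ieVer.Split('.')[0])
Write-Output ("Internet Explorer version: {0}" -f $ieVer)
if ($ieMajor -le 8) {
    Write-Output "  IE 6/7/8 detected: Security Advisory 2794220 applies; apply the Fix it or upgrade."
}
```

Running this on a server before patch day tells you whether any of the "Skip" items slipped in through WSUS or Microsoft Update, which is exactly how KB 931125 ended up on Vista and later systems. The update-history list in Control Panel is the place to confirm the Office entries.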



All Windows Secrets articles posted on 2013-01-03:


About Susan Bradley

Susan Bradley is a Small Business Server and Security MVP, a title awarded by Microsoft to independent experts who do not work for the company. She's also a partner in a California CPA firm.