Tuesday, March 16, 2010

Follow-up to Patch Tuesday: Problems with Excel Patch, MS hustles on new IE Patch

If you held off on patching Excel as I advised in my last post, you did the right thing. Check your list of installed Excel patches -- if it looks like Chinese to you, that's because it is. I got caught by this one. Follow the procedure in the article linked to here:
Microsoft admits Office patch gaffes
Microsoft confirmed today that a security update for its Excel spreadsheet had turned English text in an important Windows tool into Chinese.

The admission was the second in the past two days from Microsoft's Office team of a gaffe involving a recent security update.

Friday's announcement involved the seven-patch update Microsoft shipped on Tuesday for Excel. "We have received reports from some of our Excel 2003 and Excel 2002 customers that after installing update KB978471 or KB978474, they are seeing non-English text in the 'Add or Remove Programs' tool (Win[dows] XP) or the 'Programs and Features' --> 'Installed Updates' view (Vista, Win[dows] 7)," Microsoft said in an entry published early today on the "Office Sustained Engineering" blog.

The two updates Microsoft referenced, KB978471 and KB978474, were the patch collections for Excel 2002 and Excel 2003, respectively.

According to Microsoft, the patches are displayed in "Add or Remove Programs" in simplified Chinese rather than the intended English. "If English text ... is a requirement, there is a two-part workaround available," said Microsoft as it told users to first uninstall Tuesday's Excel update, then download and install a revamped version.

Today's snafu wasn't as serious as the one Microsoft acknowledged Thursday, also on the Office blog.
The article continues with more information about potential problems that won't affect any of my clients or users. The article also says
... a Feb. 9 non-security hotfix that added support for .Net 4.0 to Office 2007 caused the suite's programs to crash when they were run on Windows Server 2008 R2 or Windows Server 2008 with Terminal Services.

Some users claimed that the update also made Internet Explorer 8 (IE8) crash when working with SharePoint 2007.
If you do follow this procedure (remove the patch using Add/Remove Programs, then download it and install it manually), your Add/Remove Programs list will be correct, but the "Installed Patches" information inside Microsoft Update will still show the old patch, as installed by Microsoft Update, rather than the correct patch as installed manually.
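To check more than one machine for the symptom described above without clicking through Add/Remove Programs on each, the following PowerShell script is an added example (not part of the original post, and not a Microsoft tool). It enumerates the Uninstall registry entries, picks out the two updates named in the post (KB978471 and KB978474), and flags any whose display name contains CJK characters. It assumes that Office 2002/2003 update entries appear under the standard Uninstall keys (including the Wow6432Node path on 64-bit systems) and that the non-English text shows up in the DisplayName value; both are assumptions rather than facts from the article.

```powershell
# Added example (not from the original post or from Microsoft): scan the
# Add/Remove Programs registry entries for the two Excel updates named in the
# post (KB978471 / KB978474) and flag any whose display name contains CJK
# characters, i.e. the "looks like Chinese" symptom described above.
# Assumptions: Office 2002/2003 update entries live under the standard Uninstall
# keys (32-bit and WOW6432Node paths), and the symptom shows in DisplayName.

$kbs = @('KB978471', 'KB978474')
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Regex for the CJK Unified Ideographs block; .NET regex supports the Is<Block> syntax.
$cjk = [regex]'\p{IsCJKUnifiedIdeographs}'

function Get-SuspectExcelUpdates {
    foreach ($path in $uninstallPaths) {
        if (-not (Test-Path $path)) { continue }
        foreach ($key in Get-ChildItem $path) {
            $props = Get-ItemProperty $key.PSPath
            $name = [string]$props.DisplayName
            # Match the KB number in either the key name or the display name:
            # Office 2003 patch entries often carry the KB in the key name itself.
            $hit = $kbs | Where-Object { $key.PSChildName -like "*$_*" -or $name -like "*$_*" }
            if (-not $hit) { continue }
            New-Object PSObject -Property @{
                KB          = ($hit -join ',')
                KeyName     = $key.PSChildName
                DisplayName = $name
                NonEnglish  = $cjk.IsMatch($name)
            }
        }
    }
}

$results = @(Get-SuspectExcelUpdates)
if ($results.Count -eq 0) {
    Write-Host "Neither KB978471 nor KB978474 is listed in Add/Remove Programs."
} else {
    $results | Format-Table KB, NonEnglish, DisplayName -AutoSize
    $bad = @($results | Where-Object { $_.NonEnglish })
    if ($bad.Count -gt 0) {
        Write-Host "$($bad.Count) entry(ies) show non-English text: uninstall via Add/Remove Programs and reinstall the re-released update manually."
    }
}
```

Run it in an elevated PowerShell session on each affected workstation; the `NonEnglish` column is the signal, and an entry that matches the KB but reads `False` has already been replaced with the corrected package. As the post notes, Microsoft Update's own history will still show the original install even after the fix.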

In other Microsoft security-related news, if you must run IE, upgrade to IE8. Your better bet is to replace IE with Mozilla Firefox (with the NoScript and Adblock Plus add-ons) for anything but Microsoft Updates.

Microsoft hustles on IE patch, tests fix
Yesterday, Microsoft offered an automated "Fix it" tool to disable the component in the "iepeers.dll" file that contains the vulnerability. The free tool works on machines powered by Windows XP or Windows Server 2003. That workaround was an addition to those that Microsoft recommended last Tuesday, which included disabling scripting, enabling DEP (data execution prevention) and upgrading to IE8.

Rival browsers, including Mozilla's Firefox, Google's Chrome and Opera Software's Opera, are also safe from the in-the-wild attacks aimed at IE6 and IE7.

The newest zero-day is the second this year that Microsoft has admitted hackers have exploited before a patch was ready. In mid-January, Microsoft said that a flaw in IE had been used to attack several companies' networks, including Google's and Adobe's. Microsoft patched the vulnerability on Jan. 21 in an out-of-band update.

Microsoft's next scheduled Patch Tuesday is April 13, more than four weeks away.

More articles:
Stopgap IE Fix, Safari Update Available — Krebs on Security
Microsoft has issued a stopgap fix to shore up a critical security hole in older versions of its Internet Explorer browser. Meanwhile, exploit code showing would-be attackers how to use the flaw to break into vulnerable systems is being circulated online.

Microsoft offers 'fix-it' workaround for IE zero-day | Zero Day | ZDNet.com
Microsoft has released a one-click “fix-it” workaround to help Web surfers block malware attacks against an unpatched vulnerability in its flagship Internet Explorer browser.

The workaround effectively disables peer factory in the iepeers.dll binary in affected versions of Internet Explorer.

The workaround, available here, comes on the heels of the public release of exploit code into the freely available Metasploit pen-testing framework.

Microsoft confirmed the availability of exploit code for the issue and again urged users to upgrade to Internet Explorer 8, which is not vulnerable to this issue.

The company urged IE users to test the Fix-It workaround thoroughly before deploying as certain functionality that depends on the peer factory class, such as printing from Internet Explorer and the use of web folders, may be affected.

In light of all the recent security issues with IE (all versions), it escapes me why anyone responsible for security on their networks would continue to run IE for day-to-day Internet work. Even if you have legacy applications or websites which require IE, you should run another browser for everything else.