Slashdot Mirror


Microsoft Releases Out-of-Band Security Patch For Windows

mrspoonsi writes Microsoft has announced that they will be pushing an out-of-band security patch today. The patch, which affects nearly all of the company's major platforms, is rated 'critical' and it is recommended that you install the patch immediately. The patch is rated 'critical' because it allows for elevation of privileges and will require a restart. The platforms that are affected include: Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 8 and 8.1, Windows Server 2012 and Windows Server 2012 R2, Windows RT and Windows RT 8.1. Windows 10 Technical Preview customers are affected, too.


  1. Better go kick WSUS into a sync... by MachineShedFred · · Score: 4, Funny

    I love nothing better than starting out my Tuesday with rebooting every Windows box...

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    1. Re:Better go kick WSUS into a sync... by Richard_at_work · · Score: 4, Insightful

      If you roll out your patches the moment they come in, you are a retard - whatever happened to testing them in a subset of your organisation before releasing them to the general population, or do you enjoy running around like a headless chicken when there's a compatibility conflict?

    2. Re:Better go kick WSUS into a sync... by Tiger4 · · Score: 4, Informative

      Absolutely. We have a scheduled nightly patch push three times per week. New patches come into the test facility, they get run against our known baseline applications (commercial and homegrown) then get pushed after they pass QA. Nothing gets pushed straight from MS or anyone else. We can push out of cycle, but usually nothing is so critical it can't wait for 2-3 days of testing.

      --
      Behold, this dreamer cometh. Come now, and let us slay him... and we shall see what will become of his dreams.
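The two-ring flow Tiger4 describes (everything lands in a test group first, then gets promoted after a soak period unless something failed) can be driven from the WSUS server with the UpdateServices module. The script below is an added example, not code from the thread or from Microsoft; the group names "Pilot" and "Production", the three-day soak, and the choice to key on the Critical classification are assumptions, and it is meant to run on the WSUS server itself.

```powershell
# Added example: two-ring WSUS approval. Group names and soak period are assumptions.
param(
    [string]$PilotGroupName      = 'Pilot',
    [string]$ProductionGroupName = 'Production',
    [int]$SoakDays               = 3
)
Import-Module UpdateServices

$wsus   = Get-WsusServer
$groups = $wsus.GetComputerTargetGroups()
$pilot  = $groups | Where-Object { $_.Name -eq $PilotGroupName }
$prod   = $groups | Where-Object { $_.Name -eq $ProductionGroupName }
if (-not $pilot -or -not $prod) {
    throw "Expected target groups '$PilotGroupName' and '$ProductionGroupName' on $($wsus.Name)"
}

# Ring 1: every newly synced critical update that some machine still needs goes to Pilot now.
Get-WsusUpdate -UpdateServer $wsus -Approval Unapproved -Classification Critical -Status FailedOrNeeded |
    ForEach-Object {
        Write-Host "Pilot <- $($_.Update.Title)"
        Approve-WsusUpdate -Update $_ -Action Install -TargetGroupName $PilotGroupName
    }

# Ring 2: promote to Production only after the soak period, and only if no Pilot
# machine reported an install failure and at least one reported success.
$cutoff = (Get-Date).AddDays(-$SoakDays)
Get-WsusUpdate -UpdateServer $wsus -Approval Approved -Classification Critical -Status FailedOrNeeded |
    ForEach-Object {
        $u = $_.Update
        $approvals = $u.GetUpdateApprovals()
        $pilotApproval = $approvals |
            Where-Object { $_.ComputerTargetGroupId -eq $pilot.Id -and $_.Action -eq 'Install' } |
            Sort-Object CreationDate -Descending | Select-Object -First 1
        $alreadyInProd = $approvals | Where-Object { $_.ComputerTargetGroupId -eq $prod.Id }
        if (-not $pilotApproval -or $alreadyInProd) { return }
        if ($pilotApproval.CreationDate -gt $cutoff) { return }   # still soaking

        $s = $u.GetSummaryForComputerTargetGroup($pilot)
        if ($s.FailedCount -gt 0) {
            Write-Warning "Holding '$($u.Title)': $($s.FailedCount) Pilot failure(s)"
            return
        }
        if ($s.InstalledCount -eq 0) { return }   # nothing has succeeded yet, so nothing was learned
        Write-Host "Prod  <- $($u.Title)"
        Approve-WsusUpdate -Update $_ -Action Install -TargetGroupName $ProductionGroupName
    }
```

Run it from a scheduled task after each sync. For an out-of-cycle push like the one in the story, `-SoakDays 0` collapses the wait but still refuses to promote anything that has already failed on a Pilot machine, which keeps the "push out of cycle" decision a deliberate one rather than a bypass of the ring.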
    3. Re:Better go kick WSUS into a sync... by mysidia · · Score: 2

      There has already been one major compatibility bug in the patch for MS14-066 released November 11, where you update your IIS server to fix the SSL remote code exec bug, and Chrome browsers stop working..

      Furthermore, there were several botched updates in October.

      Windows 7 blue screens with a patch in September

      I don't know what the deal is, but it looks like maybe Microsoft stopped testing security patches on August's patch tuesday, or something.

    4. Re:Better go kick WSUS into a sync... by bill_mcgonigle · · Score: 5, Interesting

      If you roll out your patches the moment they come in, you are a retard ... do you enjoy running around like a headless chicken when there's a compatibility conflict?

      If only security were so binary - in the real world it's a constant process of risk/reward calculations.

      Is this the vulnerability the boards have been buzzing about that gives a remote code exploit by merely visiting a malicious TLS server? If so, having all your end-user machines pwned inside the firewall is not better than the risk of a compatibility conflict. One cripples an organization, the other, at worst, breaks one app.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    5. Re:Better go kick WSUS into a sync... by DigiShaman · · Score: 4, Insightful

      Damned if you do, damned if you don't. Welcome to IT.

      --
      Life is not for the lazy.
    6. Re:Better go kick WSUS into a sync... by afidel · · Score: 4, Informative

      Chrome not properly handling some TLS1.2 cyphers is hardly an MS bug, though they do have a workaround for compatibility if you need it.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    7. Re:Better go kick WSUS into a sync... by DigiShaman · · Score: 5, Insightful

      THIS! Richard obviously works in a nice posh Fortune 500 org where such resources are available to HIM. Meanwhile back in the real world for everyone else (Small Medium Business), rolling the dice is the only option. As you said, it's all a risk/reward calculation as to when and where to be proactive with the expenditure of resources.

      I find the lambasting of "should do this retard" to be quite insulting. As employees, we don't always get that option to do what is theoretically in the best interests of the company we work for.

      --
      Life is not for the lazy.
    8. Re:Better go kick WSUS into a sync... by jfbilodeau · · Score: 2, Insightful

      Damned if you do, damned if you don't. Welcome to Windows.

      FTFY ;)

      --
      Goodbye Slashdot. You've changed.
    9. Re:Better go kick WSUS into a sync... by CaptainDork · · Score: 2

      We don't keep files on people's feet.

      --
      It little behooves the best of us to comment on the rest of us.
    10. Re:Better go kick WSUS into a sync... by MacTO · · Score: 3, Informative

      Even if you did have something better to do, would you rather be testing and deploying security updates or cleaning up a security breach?

      It is easy to be unhappy about security updates because of the implied security bug, a bug that shouldn't have been in there in the first place. Yet we also have to remember that people are investing a lot of time into discovering and exploiting design/implementation flaws because we invest so much into computers and networks. It doesn't matter whether the mistake shouldn't have passed the muster of code review or if it's so obscure that it would take security experts years to understand its implications, someone is going to find it. It is, unfortunately, something that we've been seeing a lot of lately and it is something that won't disappear in the future.

      (We also shouldn't be targeting Microsoft because most platforms have seen critical security updates and even critical security breaches lately. It doesn't matter how proficient the developers are, nor does it matter who they work for. What matters is the value of the systems and data being compromised.)

    11. Re:Better go kick WSUS into a sync... by sexconker · · Score: 5, Informative

      Any worthwhile testing would take weeks to perform.
      Enjoy being exposed to known and active vulnerabilities while you're busy testing each patch individually against a dozen or more hardware configs across dozens of applications across hundreds of workloads and 99.99% of the time you'll find no problems that justify holding the patch back. And you'll STILL have Jerry from Accounting call you up after you deploy it because it broke the medieval torture device he calls an "ergonomic" keyboard.
      You (or some peon) will then be dispatched to his desk to investigate Brenda's ticket of "Jerry's computer frozen please advise.", and you'll be forced to awkwardly use that shitty keyboard while you troubleshoot (you didn't bring your own because you forgot he fucking had the damned thing).

      Here's the testing you need to do in the real world:
      Install all the patches on your machine.
      Reboot.
      Launch IE, FF, Chrome, Outlook, Word, and Excel.
      Launch any applications mentioned in the bulletin.
      If nothing crashed, deploy the patch to everyone.
      If something crashed, search "Patch Tuesday Breaks " and look for recent shit.
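The "install, reboot, launch the usual suspects, see if anything crashed" check above is easy to script so it runs the same way every month. The following is an added example, not the commenter's own script: the executable names are assumptions (resolved through the shell's App Paths, the way Start-Process launches them), and the "did it crash" test is simply whether Application Error (1000) or Windows Error Reporting (1001) events appeared in the Application log since the newest hotfix was installed.

```powershell
# Added example: post-patch smoke test on a pilot machine. App names are assumptions.

# A pending reboot means the patch is not fully applied; testing now proves nothing.
$rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
if (Test-Path $rebootKey) {
    Write-Warning 'Reboot pending: reboot first, then run this test'
    exit 2
}

# Window of interest: from the newest installed hotfix (InstalledOn is a date, so the
# whole day is covered); fall back to the last hour if QFE has no dates at all.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$since  = if ($latest) { $latest.InstalledOn } else { (Get-Date).AddHours(-1) }

# The apps from the comment, plus anything the bulletin names (add them to this list).
$apps = @('iexplore.exe', 'firefox.exe', 'chrome.exe', 'outlook.exe', 'winword.exe', 'excel.exe')
foreach ($app in $apps) {
    try   { Start-Process $app -ErrorAction Stop }
    catch { Write-Warning "Could not start $app ($($_.Exception.Message))" }
}
Start-Sleep -Seconds 60   # give them time to initialise and, if they are going to, fall over

# Application Error (1000) and WER (1001) are what "it crashed" looks like in the log.
$crashes = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1000, 1001; StartTime = $since } `
                        -ErrorAction SilentlyContinue

if ($crashes) {
    $crashes | ForEach-Object { '{0}  {1}' -f $_.TimeCreated, ($_.Message -split "`n")[0] }
    Write-Warning "Crashes logged since $since; hold the patch and search for recent reports before deploying"
    exit 1
}
"No application crashes logged since $since; OK to approve for everyone"
```

Exit code 1 from this script is the hook for whatever approves the update for the rest of the fleet: a zero means the pilot box survived the list, a non-zero means someone reads the event text before anyone else gets the patch.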

    12. Re:Better go kick WSUS into a sync... by MachineShedFred · · Score: 5, Insightful

      I'm more annoyed by the architecture of Windows that requires reboots for a ridiculous amount of updates. Why haven't they figured out how to stop a service, update it, and then start it again? Why does everything require a reboot?

      I understand kernel-level updates will require a reboot, and do on every OS out there. But there are far more reboots in patching Windows than any other platform.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    13. Re:Better go kick WSUS into a sync... by DigiShaman · · Score: 3, Interesting

      Richard, I've lost clients because these clients were 10+ employees or less running off a single Windows SBS box. It wasn't us. It was the fact IT was just too expensive in general. Running a business, especially a small one, is exceedingly risky. They should be so lucky to afford rolling the dice ALONE! Many small businesses will just adhere to a BYOD policy with a NAS purchased from Best Buy. Yeah, good luck when Cryptolocker pulls you into bankruptcy.

      Risk assessment; learn it, love it, above all else, accept it! Can't stand the heat? Get out of the kitchen!

      BTW; you can't really duplicate an SBS box as it holds all the FSMO roles in addition to P2V testing being optional if they spend the time as a billable activity (assuming you can P2V with enough physical resources).

      --
      Life is not for the lazy.
    14. Re:Better go kick WSUS into a sync... by LordLimecat · · Score: 3, Interesting

      VMWare's fault tolerance mechanism is limited to a VM with one vCPU, but the ability to restart a VM if the physical machine is dead is a good one. Same with Hyper-V

      This is not correct.

      VMWare' Fault Tolerance is indeed limited, but it has nothing to do with the ability to restart a VM on a dead host. FT prevents a machine from ever going down in the first place by keeping 2 identical VMs on 2 different hosts in sync, CPU state and all.

      High Availability is the feature you refer to regarding rebooting a downed VM, and it has no vCPU restrictions.

    15. Re:Better go kick WSUS into a sync... by MightyYar · · Score: 2

      It's a file format created by Acrobat.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    16. Re:Better go kick WSUS into a sync... by Bite+The+Pillow · · Score: 2

      A lot of this is historical. IE is baked into the shell, so the shell files can't be updated while a user is logged in. These ties have been broken lately, but not completely. It's not the architecture of Windows, but rather the need to keep up appearances despite most people knowing better. And the architecture of the web browser of course.

      Windows itself relies on having a lot of shared libraries, known as ".dll files". They can't possibly be patched if they are in use.

      Oh wait. Forgive me for not knowing the details off hand, but there is a preamble they emit in the assembly solely for the purposes of hotfixing. If they need to insert a call, do things, return, they have space for it. So they can patch all of the processes that loaded the library without restarting. It's something like MOV EAX,EAX or something else obviously without purpose (yes, not followed by a flag test).

      Anyway, the expectation of the users is probably why restarts are needed. If a service should be running, then users expect it to be running. If it is needed for some reason, like antivirus, then it is needed. Considering that Windows hosts the biggest money-making and proprietary software, the general expectation is that a service will be running when it needs to be running.

      Sure, tell me about how something crashed et cetera, but the software runs how it is expected to run as a matter of course and with some exception. In the world of Microsoft, this benefits the user. In the world of Linux, other attributes help the user.

      TL;DR the architecture is only a small part. Use case and audience seem to be the defining factor.
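The preamble the comment above is reaching for is the hot-patch layout: the compiler emits a 2-byte `mov edi, edi` (8B FF) as the first instruction of each function and the linker leaves 5 bytes of padding in front of it. A hot patch writes a 5-byte `jmp rel32` into the padding, which nothing executes yet, and then overwrites `mov edi, edi` with a 2-byte `jmp -7` (EB F9) in one aligned store, so a thread entering the function sees either the old first instruction or the new one, never half of each. The script below is an added example, not code from the comment or from Microsoft: it models that byte layout in a constructed 32-byte buffer (the offsets, the 0xCC padding and the 0x90 stand-in bodies are all assumptions) and decodes the resulting jump chain, without executing anything.

```powershell
# Added example: x86 hot-patch byte layout in a constructed buffer. Nothing is executed.

function New-HotPatchableImage {
    # Layout: [5 bytes padding][mov edi,edi][old body ...][replacement body at offset 24]
    $image = New-Object byte[] 32
    for ($i = 0; $i -lt 5; $i++)  { $image[$i] = 0xCC }   # padding before the function (int 3)
    $image[5] = 0x8B; $image[6] = 0xFF                     # mov edi, edi: a 2-byte no-op
    for ($i = 7; $i -lt 32; $i++) { $image[$i] = 0x90 }   # stand-in for old and new bodies (nop)
    return ,$image
}

function Install-HotPatch {
    param([byte[]]$Image, [int]$FunctionOffset, [int]$ReplacementOffset)
    if ($FunctionOffset -lt 5 -or $Image[$FunctionOffset] -ne 0x8B -or $Image[$FunctionOffset + 1] -ne 0xFF) {
        throw "Function at offset $FunctionOffset is not hot-patchable (needs padding and mov edi,edi)"
    }
    # Step 1: a 5-byte "jmp rel32" into the padding. No thread executes the padding,
    # so this write does not have to be atomic.
    $longJmpAt = $FunctionOffset - 5
    $rel32     = $ReplacementOffset - ($longJmpAt + 5)     # relative to the next instruction
    $Image[$longJmpAt] = 0xE9
    [Array]::Copy([BitConverter]::GetBytes([int32]$rel32), 0, $Image, $longJmpAt + 1, 4)
    # Step 2: replace "mov edi,edi" with "jmp -7" (EB F9): a single aligned 2-byte store.
    $Image[$FunctionOffset]     = 0xEB
    $Image[$FunctionOffset + 1] = 0xF9
}

function Resolve-Jump {
    # Decodes a short (EB rel8) or near (E9 rel32) jmp at $Offset and returns its target offset.
    param([byte[]]$Image, [int]$Offset)
    switch ($Image[$Offset]) {
        0xEB {
            $rel = [int]$Image[$Offset + 1]
            if ($rel -ge 128) { $rel -= 256 }              # rel8 is signed
            return $Offset + 2 + $rel
        }
        0xE9 { return $Offset + 5 + [BitConverter]::ToInt32($Image, $Offset + 1) }
        default { throw "No jmp at offset $Offset" }
    }
}

$img = New-HotPatchableImage
Install-HotPatch -Image $img -FunctionOffset 5 -ReplacementOffset 24
$hop1 = Resolve-Jump -Image $img -Offset 5       # 0: the padding slot
$hop2 = Resolve-Jump -Image $img -Offset $hop1   # 24: the replacement body
"entry 5 -> $hop1 -> $hop2"
'patched bytes: ' + (($img[0..6] | ForEach-Object { '{0:X2}' -f $_ }) -join ' ')
```

Every process that has the DLL mapped shares the same code pages, which is why the patched entry point takes effect everywhere at once; what the layout does not solve is a function that has already been entered, or a service whose in-memory state the fix also changes, and that is where the restart comes back.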

  2. XP as well? by mrspoonsi · · Score: 3, Insightful

    I guess so, as Server 2003 is from a similar era.

    1. Re:XP as well? by smooth+wombat · · Score: 4, Funny

      Since it's not listed this would mean XP is safer than W7 or W8.

      Hazzah!

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    2. Re:XP as well? by rescendent · · Score: 3, Interesting

      Except reading the patch note, while Windows Vista, Windows 7, Windows 8 and Windows 8.1, Windows RT and Windows RT 8.1 are listed, it's to say they are not affected.

      So it's a patch for the server products.

    3. Re:XP as well? by Anonymous Coward · · Score: 3, Informative

      You are partially (mostly) correct. There is a patch for the client side too, however it is not rated with any security rating because although the bad code exists on client as well there is currently no known way to activate that code as it is only exposed in server scenarios. They will patch it just for good code maintenance - but no known vulnerability on client. As far as the GP asking about XP - XP is out of support and doesn't get patches.

    4. Re:XP as well? by NJRoadfan · · Score: 2

      As far as the GP asking about XP - XP is out of support and doesn't get patches.

      But Windows Embedded POSReady 2009 does. ;) I wonder if they have been keeping up with security patches, particularly the OLE one.

  3. So... by jellomizer · · Score: 2, Interesting

    With Apple continuing to make a more closed ecosystem. And Google sharing all your data in the world, with little interesting movement in Linux. Now Microsoft trying to be more open.
    Should we be a bit more welcoming to Microsoft?

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:So... by McGruber · · Score: 5, Insightful

      Now Microsoft trying to be more open. Should we be a bit more welcoming to Microsoft?

      Embrace, Extend, Extinguish.

      What you view as "trying to be more open" strikes me as being "Embrace".

    2. Re:So... by Rob+Y. · · Score: 3, Insightful

      For the bazillionth time, Google is not "sharing all your data in the world". They are using your data in some very specific ways - and giving you free services in exchange. Those uses are relatively benign, as free internet services go, and they do not include sharing with any third parties.

      --
      Posted from my Android phone. Oh, I can change this? There, that's better...
    3. Re:So... by Alrescha · · Score: 4, Insightful

      "For the bazillionth time, Google is not "sharing all your data in the world".

      Technically, I think you are correct. What they are doing is collecting every possible bit of information about you in order to better sell you to advertisers.

      Somehow, that doesn't make folks feel any better.

      A.

      --
      ...bringing you cynical quips since 1998
    4. Re:So... by Obfuscant · · Score: 2

      "For the bazillionth time, Google is not "sharing all your data in the world".

      Technically, I think you are correct.

      Yes, technically correct.

      When my ISP decided to drop their own email services and start funneling all their customers' email through Gmail, it wasn't technically "all my data" that they handed over to Google to index and root around through, it was just the last four years of deleted email they got to play with. Yes, email I deleted four years ago showed up on Gmail. So, technically, because I have some other email accounts that don't go through that ISP, I mean didn't go through them, Google doesn't have ALL my data to share. Just a significantly large enough fraction of it.

  4. "Out of band?" by pigiron · · Score: 4, Informative

    I hate it when tech companies and CS in particular misuse technical terms. "Unscheduled" is the word they really meant (and should have used.)

    1. Re:"Out of band?" by arth1 · · Score: 2

      Out of band means that it's not distributed through the normal channels; i.e. Windows Update.

      This one is, so it's not out of band.
      And it's also only for server products, not Windows 7/8/8.1/10.

      But don't let that stop what /. now uses instead of editors from making a stupid headline.

  5. Not for Windows 8 or 8.1 by ifdef · · Score: 5, Informative

    For Windows 8 and Windows 8.1, the Windows Update web site says "Severity ratings do not apply for this operating system because the vulnerability addressed in this bulletin is not present. This update provides additional defense-in-depth hardening that does not fix any known vulnerability." For all the other systems, the update is rated Critical.

    Am I looking at the wrong thing?

  6. Out of band? by Chrisq · · Score: 2

    In my book this means it will be sent by another channel compared to normal updates I can't see how this applies!

    1. Re:Out of band? by funwithBSD · · Score: 4, Funny

      You will be getting a USB stick in the mail.

      Don't worry... it is perfectly safe to insert into your server.

      --
      Never answer an anonymous letter. - Yogi Berra
  7. Does not Affect Vista, Windows 7, Windows 8, 8.1. by Snake98 · · Score: 4, Informative

    Does not affect Vista, Windows 7, Windows 8, 8.1. RTF when doing a summary.

    Affected Software (Windows Operating System and Components), Bulletin Identifier MS14-068:

    Windows Server 2003 (Aggregate Severity Rating: Critical)
      Windows Server 2003 Service Pack 2 (Critical)
      Windows Server 2003 x64 Edition Service Pack 2 (Critical)
      Windows Server 2003 with SP2 for Itanium-based Systems (Critical)
    Windows Vista (Aggregate Severity Rating: None)
      Windows Vista Service Pack 2 (No severity rating)[1]
      Windows Vista x64 Edition Service Pack 2 (No severity rating)[1]
    Windows Server 2008 (Aggregate Severity Rating: Critical)
      Windows Server 2008 for 32-bit Systems Service Pack 2 (Critical)
      Windows Server 2008 for x64-based Systems Service Pack 2 (Critical)
      Windows Server 2008 for Itanium-based Systems Service Pack 2 (Critical)
    Windows 7 (Aggregate Severity Rating: None)
      Windows 7 for 32-bit Systems Service Pack 1 (No severity rating)[1]
      Windows 7 for x64-based Systems Service Pack 1 (No severity rating)[1]
    Windows Server 2008 R2 (Aggregate Severity Rating: Critical)
      Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Critical)
      Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (Critical)
    Windows 8 and Windows 8.1 (Aggregate Severity Rating: None)
      Windows 8 for 32-bit Systems (No severity rating)[1]
      Windows 8 for x64-based Systems (No severity rating)[1]
      Windows 8.1 for 32-bit Systems (No severity rating)[1]
      Windows 8.1 for x64-based Systems (No severity rating)[1]
    Windows Server 2012 and Windows Server 2012 R2 (Aggregate Severity Rating: Critical)
      Windows Server 2012 (Critical)
      Windows Server 2012 R2 (Critical)
    Windows RT and Windows RT 8.1 (Aggregate Severity Rating: None)
      Windows RT (Not applicable)
      Windows RT 8.1 (Not applicable)
    Server Core installation option (Aggregate Severity Rating: Critical)
      Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (Critical)
      Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (Critical)
      Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (Critical)
      Windows Server 2012 (Server Core installation) (Critical)
      Windows Server 2012 R2 (Server Core installation) (Critical)

    Notes for MS14-068
      Windows Technical Preview and Windows Server Technical Preview are affected. Customers running these operating systems are encouraged to apply the update, which will be available via Windows Update.
      [1] Severity ratings do not apply for this operating system because the vulnerability addressed in this bulletin is not present. This update provides additional defense-in-depth hardening that does not fix any known vulnerability.

    --
    Freedom of Speech only includes discussion that is approved by the RIAA, MPAA and DMCA.
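The table above is the thing to check a fleet against: servers are Critical, the client SKUs get a defense-in-depth update with no rating, RT gets nothing, and the Technical Previews are listed as affected. The script below is an added example, not from the thread or from Microsoft. It maps each host's OS caption to the rating in that table and asks the host whether the update is installed. The bulletin's KB article number does not appear on this page, so it is a required parameter rather than a constant, and the sample captions at the end are constructed to exercise the mapping offline. It uses DCOM/WMI (Get-WmiObject, Get-HotFix) rather than WinRM because the Server 2003 entries in the table have no WinRM listener by default.

```powershell
# Added example: MS14-068 severity per host, and whether the update is installed.
# The KB number is not on this page and must be supplied.

function Get-Ms14068Severity {
    param([Parameter(Mandatory)][string]$OsCaption)
    switch -Regex ($OsCaption) {
        'Technical Preview'               { return 'Affected (preview, no rating given)' }
        'Windows Server (2003|2008|2012)' { return 'Critical' }
        'Windows (Vista|7|8)'             { return 'None (defense-in-depth hardening only)' }
        'Windows RT'                      { return 'Not applicable' }
        default                           { return 'Not listed in MS14-068' }
    }
}

function Test-UpdateInstalled {
    # One object per host: OS caption, the table's rating for it, and whether $KB is present.
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$KB     # the 'KBnnnnnnn' string from the bulletin
    )
    foreach ($c in $ComputerName) {
        try {
            $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $c -ErrorAction Stop
        } catch {
            [pscustomobject]@{ Computer = $c; OS = '(unreachable)'; Severity = '?'; Installed = $null }
            continue
        }
        # Get-HotFix reads Win32_QuickFixEngineering; a missing KB is a non-terminating error.
        $fix = Get-HotFix -Id $KB -ComputerName $c -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer  = $c
            OS        = $os.Caption
            Severity  = Get-Ms14068Severity -OsCaption $os.Caption
            Installed = [bool]$fix
        }
    }
}

# Constructed captions, to exercise the mapping with no network at all.
'Microsoft Windows Server 2012 R2 Standard',
'Microsoft Windows Server 2003 R2 Standard Edition',
'Microsoft Windows 7 Professional',
'Microsoft Windows 8.1 Pro',
'Windows RT 8.1',
'Windows 10 Technical Preview' |
    ForEach-Object { '{0,-50} {1}' -f $_, (Get-Ms14068Severity -OsCaption $_) }

# Against the real fleet: the Critical hosts still missing the update are the ones to chase first.
# Test-UpdateInstalled -KB $KB -ComputerName (Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' |
#         Select-Object -ExpandProperty Name) |
#     Where-Object { $_.Severity -eq 'Critical' -and -not $_.Installed }
```

Two caveats a practitioner would want: Win32_QuickFixEngineering does not list every update (anything delivered as an MSI or later superseded can be absent), so treat "not installed" here as "go and look", and cross-check against the WSUS compliance report; and the caption regexes are a reading of the table above, not an authoritative product list, so a caption that falls through to "Not listed" needs a human to read the bulletin.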
  8. Re:XP Killer? by afidel · · Score: 2

    No, the TLS flaw was MS14-066 and it affects XP as well but there is no generally available fix for it since XP is out of extended support. If you care at all about security you're no longer using XP so the fact that there is another critical flaw isn't going to significantly change the situation.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  9. Re:iOS Developer Program and XNA Creators Club by tlhIngan · · Score: 2

    The "$99 per year recurring fee to run software you wrote on a machine you own" policy that Apple implemented in iOS was strikingly similar to the "$99 per year recurring fee to run software you wrote on a machine you own" policy that Microsoft had already implemented on Xbox 360.

    Only for iOS. OS X still has free Xcode development tools available. They used to ship with the OS, but now it's in the Mac App Store as a separate download. And this started before Microsoft created the Express edition of Visual Studio.

    Case in point: Unlike Apple with the iPad, Microsoft has allowed for a free-of-charge developer license on Windows RT, where you pay only once it's time to upload your app to Windows Store.

    Great, so Microsoft makes it a one-time payment to code for a dead platform? And given the struggles Microsoft has with their app store(s), it's no wonder Microsoft is trying all sorts of things because developers aren't willing to code for a marginal platform like Windows RT or Windows Phone. They have to make it super cheap or free because developers wouldn't code for it otherwise.