Slashdot Mirror


Microsoft Releases Out-of-Band Security Patch For Windows

mrspoonsi writes Microsoft has announced that they will be pushing an out-of-band security patch today. The patch, which affects nearly all of the company's major platforms, is rated 'critical' and it is recommended that you install the patch immediately. The patch is rated 'critical' because it allows for elevation of privileges and will require a restart. The platforms that are affected include: Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 8 and 8.1, Windows Server 2012 and Windows Server 2012 R2, Windows RT and Windows RT 8.1. Windows 10 Technical Preview customers are affected, too.

23 of 178 comments

  1. Better go kick WSUS into a sync... by MachineShedFred · · Score: 4, Funny

    I love nothing better than starting out my Tuesday with rebooting every Windows box...

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    1. Re:Better go kick WSUS into a sync... by Richard_at_work · · Score: 4, Insightful

      If you roll out your patches the moment they come in, you are a retard - whatever happened to testing them in a subset of your organisation before releasing them to the general population, or do you enjoy running around like a headless chicken when there's a compatibility conflict?

    2. Re:Better go kick WSUS into a sync... by Tiger4 · · Score: 4, Informative

      Absolutely. We have a scheduled nightly patch push three times per week. New patches come into the test facility, they get run against our known baseline applications (commercial and homegrown), then get pushed after they pass QA. Nothing gets pushed straight from MS or anyone else. We can push out of cycle, but usually nothing is so critical it can't wait for 2-3 days of testing.

      --
      Behold, this dreamer cometh. Come now, and let us slay him... and we shall see what will become of his dreams.
    3. Re:Better go kick WSUS into a sync... by bill_mcgonigle · · Score: 5, Interesting

      If you roll out your patches the moment they come in, you are a retard ... do you enjoy running around like a headless chicken when there's a compatibility conflict?

      If only security were so binary - in the real world it's a constant process of risk/reward calculations.

      Is this the vulnerability the boards have been buzzing about that gives a remote code exploit by merely visiting a malicious TLS server? If so, having all your end-user machines pwned inside the firewall is not better than the risk of a compatibility conflict. One cripples an organization, the other, at worst, breaks one app.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    4. Re:Better go kick WSUS into a sync... by DigiShaman · · Score: 4, Insightful

      Damned if you do, damned if you don't. Welcome to IT.

      --
      Life is not for the lazy.
    5. Re:Better go kick WSUS into a sync... by afidel · · Score: 4, Informative

      Chrome not properly handling some TLS 1.2 ciphers is hardly an MS bug, though they do have a workaround for compatibility if you need it.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    6. Re:Better go kick WSUS into a sync... by DigiShaman · · Score: 5, Insightful

      THIS! Richard obviously works in a nice posh Fortune 500 org where such resources are available to HIM. Meanwhile, back in the real world for everyone else (Small Medium Business), rolling the dice is the only option. As you said, it's all a risk/reward calculation as to when and where to be proactive with the expenditure of resources.

      I find the lambasting of "should do this retard" to be quite insulting. As employees, we don't always get that option to do what is theoretically in the best interests of the company we work for.

      --
      Life is not for the lazy.
    7. Re:Better go kick WSUS into a sync... by MacTO · · Score: 3, Informative

      Even if you did have something better to do, would you rather be testing and deploying security updates or cleaning up a security breach?

      It is easy to be unhappy about security updates because of the implied security bug, a bug that shouldn't have been in there in the first place. Yet we also have to remember that people are investing a lot of time into discovering and exploiting design/implementation flaws because we invest so much into computers and networks. It doesn't matter whether the mistake shouldn't have passed the muster of code review or if it's so obscure that it would take security experts years to understand its implications, someone is going to find it. It is, unfortunately, something that we've been seeing a lot of lately and it is something that won't disappear in the future.

      (We also shouldn't be targeting Microsoft because most platforms have seen critical security updates and even critical security breaches lately. It doesn't matter how proficient the developers are, nor does it matter who they work for. What matters is the value of the systems and data being compromised.)

    8. Re:Better go kick WSUS into a sync... by sexconker · · Score: 5, Informative

      Any worthwhile testing would take weeks to perform.
      Enjoy being exposed to known and active vulnerabilities while you're busy testing each patch individually against a dozen or more hardware configs across dozens of applications across hundreds of workloads and 99.99% of the time you'll find no problems that justify holding the patch back. And you'll STILL have Jerry from Accounting call you up after you deploy it because it broke the medieval torture device he calls an "ergonomic" keyboard.
      You (or some peon) will then be dispatched to his desk to investigate Brenda's ticket of "Jerry's computer frozen please advise.", and you'll be forced to awkwardly use that shitty keyboard while you troubleshoot (you didn't bring your own because you forgot he fucking had the damned thing).

      Here's the testing you need to do in the real world:
      Install all the patches on your machine.
      Reboot.
      Launch IE, FF, Chrome, Outlook, Word, and Excel.
      Launch any applications mentioned in the bulletin.
      If nothing crashed, deploy the patch to everyone.
      If something crashed, search "Patch Tuesday Breaks " and look for recent shit.

    9. Re:Better go kick WSUS into a sync... by MachineShedFred · · Score: 5, Insightful

      I'm more annoyed by the architecture of Windows that requires reboots for a ridiculous amount of updates. Why haven't they figured out how to stop a service, update it, and then start it again? Why does everything require a reboot?

      I understand kernel-level updates will require a reboot, and do on every OS out there. But there are far more reboots in patching Windows than any other platform.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    10. Re:Better go kick WSUS into a sync... by DigiShaman · · Score: 3, Interesting

      Richard, I've lost clients because these clients were 10+ employees or less running off a single Windows SBS box. It wasn't us. It was the fact IT was just too expensive in general. Running a business, especially a small one, is exceedingly risky. They should be so lucky to afford rolling the dice ALONE! Many small businesses will just adhere to a BYOD policy with a NAS purchased from Best Buy. Yeah, good luck when Cryptolocker pulls you into bankruptcy.

      Risk assessment; learn it, love it, above all else, accept it! Can't stand the heat? Get out of the kitchen!

      BTW, you can't really duplicate an SBS box as it holds all the FSMO roles, in addition to P2V testing being optional if they spend the time as a billable activity (assuming you can P2V with enough physical resources).

      --
      Life is not for the lazy.
    11. Re:Better go kick WSUS into a sync... by LordLimecat · · Score: 3, Interesting

      VMWare's fault tolerance mechanism is limited to a VM with one vCPU, but the ability to restart a VM if the physical machine is dead is a good one. Same with Hyper-V

      This is not correct.

      VMWare's Fault Tolerance is indeed limited, but it has nothing to do with the ability to restart a VM on a dead host. FT prevents a machine from ever going down in the first place by keeping 2 identical VMs on 2 different hosts in sync, CPU state and all.

      High Availability is the feature you refer to regarding rebooting a downed VM, and it has no vCPU restrictions.

  2. XP as well? by mrspoonsi · · Score: 3, Insightful

    I guess so, as Server 2003 is from a similar era.

    1. Re:XP as well? by smooth+wombat · · Score: 4, Funny

      Since it's not listed this would mean XP is safer than W7 or W8.

      Huzzah!

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    2. Re:XP as well? by rescendent · · Score: 3, Interesting

      Except, reading the patch note, while Windows Vista, Windows 7, Windows 8 and Windows 8.1, Windows RT and Windows RT 8.1 are listed, it's to say they are not affected.

      So it's a patch for the server products.

    3. Re:XP as well? by Anonymous Coward · · Score: 3, Informative

      You are partially (mostly) correct. There is a patch for the client side too, however it is not rated with any security rating because although the bad code exists on client as well there is currently no known way to activate that code as it is only exposed in server scenarios. They will patch it just for good code maintenance - but no known vulnerability on client. As far as the GP asking about XP - XP is out of support and doesn't get patches.

  3. "Out of band?" by pigiron · · Score: 4, Informative

    I hate it when tech companies and CS in particular misuse technical terms. "Unscheduled" is the word they really meant (and should have used.)

  4. Not for Windows 8 or 8.1 by ifdef · · Score: 5, Informative

    For Windows 8 and Windows 8.1, the Windows Update web site says "Severity ratings do not apply for this operating system because the vulnerability addressed in this bulletin is not present. This update provides additional defense-in-depth hardening that does not fix any known vulnerability." For all the other systems, the update is rated Critical.

    Am I looking at the wrong thing?

  5. Does not Affect Vista, Windows 7, Windows 8, 8.1. by Snake98 · · Score: 4, Informative

    Does not affect Vista, Windows 7, Windows 8, 8.1. RTF when doing a summary.

    Affected Software: Windows Operating System and Components (Bulletin Identifier MS14-068 for every entry below)

    Windows Server 2003 (Aggregate Severity Rating: Critical)
      Windows Server 2003 Service Pack 2 (Critical)
      Windows Server 2003 x64 Edition Service Pack 2 (Critical)
      Windows Server 2003 with SP2 for Itanium-based Systems (Critical)

    Windows Vista (Aggregate Severity Rating: None)
      Windows Vista Service Pack 2 (No severity rating)[1]
      Windows Vista x64 Edition Service Pack 2 (No severity rating)[1]

    Windows Server 2008 (Aggregate Severity Rating: Critical)
      Windows Server 2008 for 32-bit Systems Service Pack 2 (Critical)
      Windows Server 2008 for x64-based Systems Service Pack 2 (Critical)
      Windows Server 2008 for Itanium-based Systems Service Pack 2 (Critical)

    Windows 7 (Aggregate Severity Rating: None)
      Windows 7 for 32-bit Systems Service Pack 1 (No severity rating)[1]
      Windows 7 for x64-based Systems Service Pack 1 (No severity rating)[1]

    Windows Server 2008 R2 (Aggregate Severity Rating: Critical)
      Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Critical)
      Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (Critical)

    Windows 8 and Windows 8.1 (Aggregate Severity Rating: None)
      Windows 8 for 32-bit Systems (No severity rating)[1]
      Windows 8 for x64-based Systems (No severity rating)[1]
      Windows 8.1 for 32-bit Systems (No severity rating)[1]
      Windows 8.1 for x64-based Systems (No severity rating)[1]

    Windows Server 2012 and Windows Server 2012 R2 (Aggregate Severity Rating: Critical)
      Windows Server 2012 (Critical)
      Windows Server 2012 R2 (Critical)

    Windows RT and Windows RT 8.1 (Aggregate Severity Rating: None)
      Windows RT (Not applicable)
      Windows RT 8.1 (Not applicable)

    Server Core installation option (Aggregate Severity Rating: Critical)
      Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (Critical)
      Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (Critical)
      Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (Critical)
      Windows Server 2012 (Server Core installation) (Critical)
      Windows Server 2012 R2 (Server Core installation) (Critical)

    Notes for MS14-068
      Windows Technical Preview and Windows Server Technical Preview are affected. Customers running these operating systems are encouraged to apply the update, which will be available via Windows Update.
      [1] Severity ratings do not apply for this operating system because the vulnerability addressed in this bulletin is not present. This update provides additional defense-in-depth hardening that does not fix any known vulnerability.

    --
    Freedom of Speech only includes discussion that is approved by the RIAA, MPAA and DMCA.
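The bulletin table quoted above, together with the earlier point that XP is out of support and gets no patch at all, is exactly what should drive the out-of-cycle decision the thread argues about: the server SKUs are rated Critical, the client SKUs get a defense-in-depth update with no rating, and anything not in the table has nothing to install. The Python below is an added example, not code from Slashdot, from Microsoft or from any commenter. It parses the bulletin's "product (rating)" lines as reproduced above into per-product ratings, then maps a constructed host inventory (hostnames and OS strings are made up for illustration, and are assumed to already use the bulletin's product names) to a rollout action, so the "patch out of cycle" list contains only the Critical servers and the client systems fall into the normal cycle.

```python
"""Triage an out-of-band Microsoft bulletin against a host inventory.

Added example for this thread; not code from Slashdot, Microsoft or any
commenter. The bulletin lines below are MS14-068's affected-software list as
quoted in the thread, trimmed; the inventory is constructed for illustration.
"""
import re

BULLETIN_ID = "MS14-068"

# Product lines in the bulletin's own shape, "<product> (<rating>)", with the
# footnote marker [1] on the defense-in-depth-only entries. Windows RT is
# printed without parentheses on the bulletin page, so both forms appear here.
AFFECTED_SOFTWARE = """
Windows Server 2003 Service Pack 2 (Critical)
Windows Server 2003 x64 Edition Service Pack 2 (Critical)
Windows Vista Service Pack 2 (No severity rating)[1]
Windows Vista x64 Edition Service Pack 2 (No severity rating)[1]
Windows Server 2008 for 32-bit Systems Service Pack 2 (Critical)
Windows Server 2008 for x64-based Systems Service Pack 2 (Critical)
Windows 7 for 32-bit Systems Service Pack 1 (No severity rating)[1]
Windows 7 for x64-based Systems Service Pack 1 (No severity rating)[1]
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Critical)
Windows 8 for x64-based Systems (No severity rating)[1]
Windows 8.1 for x64-based Systems (No severity rating)[1]
Windows Server 2012 (Critical)
Windows Server 2012 R2 (Critical)
Windows RT Not applicable
Windows RT 8.1 (Not applicable)
Windows Server 2012 R2 (Server Core installation) (Critical)
"""

# Constructed inventory: (hostname, OS string as the asset database reports it).
# These are not real hosts; the OS strings are assumed to already match the
# bulletin's product names (normalising them is the asset system's job).
INVENTORY = [
    ("dc01", "Windows Server 2008 R2 for x64-based Systems Service Pack 1"),
    ("sbs01", "Windows Server 2003 Service Pack 2"),
    ("file01", "Windows Server 2012 R2 (Server Core installation)"),
    ("ws-jerry", "Windows 7 for x64-based Systems Service Pack 1"),
    ("ws-brenda", "Windows 8.1 for x64-based Systems"),
    ("tablet01", "Windows RT 8.1"),
    ("kiosk-xp", "Windows XP Service Pack 3"),
]

RATINGS = ("Critical", "Important", "Moderate", "Low",
           "No severity rating", "Not applicable")
# Non-greedy product group so "... (Server Core installation) (Critical)" keeps
# the parenthesised edition in the product name and takes the last group as rating.
_LINE_RE = re.compile(
    r"^(?P<product>.+?)\s*\((?P<rating>" + "|".join(RATINGS) + r")\)(?:\[\d+\])?$"
)
UNLISTED_ACTION = "not in bulletin: out of support or unknown, no patch available"


def parse_affected(text):
    """Return {product: rating} from the bulletin's affected-software lines."""
    ratings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Not applicable"):  # normalise the unparenthesised form
            line = line[: -len("Not applicable")].rstrip() + " (Not applicable)"
        m = _LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed bulletin line: {line!r}")
        ratings[m.group("product")] = m.group("rating")
    return ratings


def action_for(rating):
    """Rollout decision for one rating, following the thread's reading of the bulletin."""
    if rating is None:
        return UNLISTED_ACTION
    if rating == "Critical":
        return "patch out of cycle, after a smoke test"
    if rating == "No severity rating":
        return "defense-in-depth only, ship in the normal cycle"
    if rating == "Not applicable":
        return "no update offered for this platform"
    return f"rated {rating}: ship in the normal cycle"


def triage(inventory, ratings):
    """Map each host to (rating, action); OSes the bulletin does not list get None."""
    return {host: (ratings.get(os_name), action_for(ratings.get(os_name)))
            for host, os_name in inventory}


def hosts_needing_out_of_cycle(plan):
    """Hostnames whose platform is rated Critical, i.e. the only ones worth a same-day reboot."""
    return sorted(host for host, (rating, _) in plan.items() if rating == "Critical")


def summarize(plan):
    """Count hosts per rating; unlisted platforms are reported as 'unlisted'."""
    counts = {}
    for rating, _ in plan.values():
        key = rating if rating is not None else "unlisted"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    plan = triage(INVENTORY, parse_affected(AFFECTED_SOFTWARE))
    for host, (rating, action) in plan.items():
        print(f"{BULLETIN_ID} {host:10} {rating or 'unlisted':20} {action}")
    print("out-of-cycle:", hosts_needing_out_of_cycle(plan))
```

Run as a script it prints one line per host and the out-of-cycle list; with the constructed inventory that list is the three servers (dc01, file01, sbs01), the Windows 7 and 8.1 workstations are left for the normal cycle, the RT tablet gets nothing, and the XP kiosk shows up as an unpatchable exposure rather than silently dropping out. The matching is exact-string on purpose: a fuzzy match that quietly maps an unsupported OS onto a supported product is how a "patched" report ends up including a box that never got the update.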
  6. Re:Out of band? by funwithBSD · · Score: 4, Funny

    You will be getting a USB stick in the mail.

    Don't worry... it is perfectly safe to insert into your server.

    --
    Never answer an anonymous letter. - Yogi Berra
  7. Re:So... by McGruber · · Score: 5, Insightful

    Now Microsoft is trying to be more open. Should we be a bit more welcoming to Microsoft?

    Embrace, Extend, Extinguish.

    What you view as "trying to be more open" strikes me as being "Embrace".

  8. Re:So... by Rob+Y. · · Score: 3, Insightful

    For the bazillionth time, Google is not "sharing all your data in the world". They are using your data in some very specific ways - and giving you free services in exchange. Those uses are relatively benign, as free internet services go, and they do not include sharing with any third parties.

    --
    Posted from my Android phone. Oh, I can change this? There, that's better...
  9. Re:So... by Alrescha · · Score: 4, Insightful

    "For the bazillionth time, Google is not 'sharing all your data in the world'."

    Technically, I think you are correct. What they are doing is collecting every possible bit of information about you in order to better sell you to advertisers.

    Somehow, that doesn't make folks feel any better.

    A.

    --
    ...bringing you cynical quips since 1998