Slashdot Mirror


Microsoft Releases Out-of-Band Security Patch For Windows

mrspoonsi writes Microsoft has announced that they will be pushing an out-of-band security patch today. The patch, which affects nearly all of the company's major platforms, is rated 'critical' and it is recommended that you install the patch immediately. The patch is rated 'critical' because it allows for elevation of privileges and will require a restart. The platforms that are affected include: Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 8 and 8.1, Windows Server 2012 and Windows Server 2012 R2, Windows RT and Windows RT 8.1. Windows 10 Technical Preview customers are affected, too.

16 of 178 comments

  1. Better go kick WSUS into a sync... by MachineShedFred · · Score: 4, Funny

    I love nothing better than starting out my Tuesday with rebooting every Windows box...

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    1. Re:Better go kick WSUS into a sync... by Richard_at_work · · Score: 4, Insightful

      If you roll out your patches the moment they come in, you are a retard - whatever happened to testing them in a subset of your organisation before releasing them to the general population, or do you enjoy running around like a headless chicken when there's a compatibility conflict?

    2. Re:Better go kick WSUS into a sync... by Tiger4 · · Score: 4, Informative

      Absolutely. We have a scheduled nightly patch push three times per week. New patches come into the test facility, they get run against our known baseline applications (commercial and homegrown) then get pushed after they pass QA. Nothing gets pushed straight from MS or anyone else. We can push out of cycle, but usually nothing is so critical it can't wait for 2-3 days of testing.

      --
      Behold, this dreamer cometh. Come now, and let us slay him... and we shall see what will become of his dreams.
    3. Re:Better go kick WSUS into a sync... by bill_mcgonigle · · Score: 5, Interesting

      If you roll out your patches the moment they come in, you are a retard ... do you enjoy running around like a headless chicken when there's a compatibility conflict?

      If only security were so binary - in the real world it's a constant process of risk/reward calculations.

      Is this the vulnerability the boards have been buzzing about that gives a remote code exploit by merely visiting a malicious TLS server? If so, having all your end-user machines pwned inside the firewall is not better than the risk of a compatibility conflict. One cripples an organization, the other, at worst, breaks one app.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    4. Re:Better go kick WSUS into a sync... by DigiShaman · · Score: 4, Insightful

      Damned if you do, damned if you don't. Welcome to IT.

      --
      Life is not for the lazy.
    5. Re:Better go kick WSUS into a sync... by afidel · · Score: 4, Informative

      Chrome not properly handling some TLS1.2 cyphers is hardly an MS bug, though they do have a workaround for compatibility if you need it.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    6. Re:Better go kick WSUS into a sync... by DigiShaman · · Score: 5, Insightful

      THIS! Richard obviously works in a nice posh Fortune 500 org where such resources are available to HIM. Meanwhile back in the real world for everyone else (Small Medium Business), rolling the dice is the only option. As you said, it's all a risk/reward calculation as to when and where to be proactive with the expenditure of resources.

      I find the lambasting of "should do this retard" to be quite insulting. As employees, we don't always get that option to do what is theoretically in the best interests of the company we work for.

      --
      Life is not for the lazy.
    7. Re:Better go kick WSUS into a sync... by sexconker · · Score: 5, Informative

      Any worthwhile testing would take weeks to perform.
      Enjoy being exposed to known and active vulnerabilities while you're busy testing each patch individually against a dozen or more hardware configs across dozens of applications across hundreds of workloads and 99.99% of the time you'll find no problems that justify holding the patch back. And you'll STILL have Jerry from Accounting call you up after you deploy it because it broke the medieval torture device he calls an "ergonomic" keyboard.
      You (or some peon) will then be dispatched to his desk to investigate Brenda's ticket of "Jerry's computer frozen please advise.", and you'll be forced to awkwardly use that shitty keyboard while you troubleshoot (you didn't bring your own because you forgot he fucking had the damned thing).

      Here's the testing you need to do in the real world:
      Install all the patches on your machine.
      Reboot.
      Launch IE, FF, Chrome, Outlook, Word, and Excel.
      Launch any applications mentioned in the bulletin.
      If nothing crashed, deploy the patch to everyone.
      If something crashed, search "Patch Tuesday Breaks " and look for recent shit.

    8. Re:Better go kick WSUS into a sync... by MachineShedFred · · Score: 5, Insightful

      I'm more annoyed by the architecture of Windows that requires reboots for a ridiculous amount of updates. Why haven't they figured out how to stop a service, update it, and then start it again? Why does everything require a reboot?

      I understand kernel-level updates will require a reboot, and do on every OS out there. But there are far more reboots in patching Windows than any other platform.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
  2. "Out of band?" by pigiron · · Score: 4, Informative

    I hate it when tech companies and CS in particular misuse technical terms. "Unscheduled" is the word they really meant (and should have used.)

  3. Not for Windows 8 or 8.1 by ifdef · · Score: 5, Informative

    For Windows 8 and Windows 8.1, the Windows Update web site says "Severity ratings do not apply for this operating system because the vulnerability addressed in this bulletin is not present. This update provides additional defense-in-depth hardening that does not fix any known vulnerability." For all the other systems, the update is rated Critical.

    Am I looking at the wrong thing?

  4. Re:XP as well? by smooth+wombat · · Score: 4, Funny

    Since it's not listed this would mean XP is safer than W7 or W8.

    Hazzah!

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
  5. Does not Affect Vista, Windows 7, Windows 8, 8.1. by Snake98 · · Score: 4, Informative

    Does not Affect Vista, Windows 7, Windows 8, 8.1. RTF when doing a summary.

    Affected Software: Windows Operating System and Components

    Windows Server 2003 (Bulletin Identifier: MS14-068; Aggregate Severity Rating: Critical)
        Windows Server 2003 Service Pack 2 (Critical)
        Windows Server 2003 x64 Edition Service Pack 2 (Critical)
        Windows Server 2003 with SP2 for Itanium-based Systems (Critical)

    Windows Vista (Bulletin Identifier: MS14-068; Aggregate Severity Rating: None)
        Windows Vista Service Pack 2 (No severity rating)[1]
        Windows Vista x64 Edition Service Pack 2 (No severity rating)[1]

    Windows Server 2008 (Bulletin Identifier: MS14-068; Aggregate Severity Rating: Critical)
        Windows Server 2008 for 32-bit Systems Service Pack 2 (Critical)
        Windows Server 2008 for x64-based Systems Service Pack 2 (Critical)
        Windows Server 2008 for Itanium-based Systems Service Pack 2 (Critical)

    Windows 7 (Bulletin Identifier: MS14-068; Aggregate Severity Rating: None)
        Windows 7 for 32-bit Systems Service Pack 1 (No severity rating)[1]
        Windows 7 for x64-based Systems Service Pack 1 (No severity rating)[1]

    Windows Server 2008 R2 (Bulletin Identifier: MS14-068; Aggregate Severity Rating: Critical)
        Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Critical)
        Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (Critical)

    Windows 8 and Windows 8.1 (Bulletin Identifier: MS14-068; Aggregate Severity Rating: None)
        Windows 8 for 32-bit Systems (No severity rating)[1]
        Windows 8 for x64-based Systems (No severity rating)[1]
        Windows 8.1 for 32-bit Systems (No severity rating)[1]
        Windows 8.1 for x64-based Systems (No severity rating)[1]

    Windows Server 2012 and Windows Server 2012 R2 (Bulletin Identifier: MS14-068; Aggregate Severity Rating: Critical)
        Windows Server 2012 (Critical)
        Windows Server 2012 R2 (Critical)

    Windows RT and Windows RT 8.1 (Bulletin Identifier: MS14-068; Aggregate Severity Rating: None)
        Windows RT (Not applicable)
        Windows RT 8.1 (Not applicable)

    Server Core installation option (Bulletin Identifier: MS14-068; Aggregate Severity Rating: Critical)
        Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (Critical)
        Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (Critical)
        Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (Critical)
        Windows Server 2012 (Server Core installation) (Critical)
        Windows Server 2012 R2 (Server Core installation) (Critical)

    Notes for MS14-068
    Windows Technical Preview and Windows Server Technical Preview are affected. Customers running these operating systems are encouraged to apply the update, which will be available via Windows Update.
    [1] Severity ratings do not apply for this operating system because the vulnerability addressed in this bulletin is not present. This update provides additional defense-in-depth hardening that does not fix any known vulnerability.

    --
    Freedom of Speech only includes discussion that is approved by the RIAA, MPAA and DMCA.
  6. Re:Out of band? by funwithBSD · · Score: 4, Funny

    You will be getting a USB stick in the mail.

    Don't worry... it is perfectly safe to insert into your server.

    --
    Never answer an anonymous letter. - Yogi Berra
  7. Re:So... by McGruber · · Score: 5, Insightful

    Now Microsoft trying to be more open. Should we be a bit more welcoming to Microsoft?

    Embrace, Extend, Extinguish.

    What you view as "trying to be more open" strikes me as being "Embrace".

  8. Re:So... by Alrescha · · Score: 4, Insightful

    "For the bazillionth time, Google is not "sharing all your data in the world".

    Technically, I think you are correct. What they are doing is collecting every possible bit of information about you in order to better sell you to advertisers.

    Somehow, that doesn't make folks feel any better.

    A.

    --
    ...bringing you cynical quips since 1998