
It's Microsoft Patch Tuesday: February 2012

Justin James gathers the information you need to make the right deploy decision when applying Microsoft's February 2012 patches in your organization.

One unique thing about this month's Patch Tuesday is the rash of update rollups for the second-level Windows Server products like Home Server and Storage Server. There were no out-of-band updates, only minor metadata changes to a few Internet Explorer installation packages. There is yet another very serious vulnerability in Silverlight too. Given its lack of market penetration, I recommend at this point that you disable it unless you need it, or restrict it to run only on trusted Web sites.

This blog post is also available in PDF format in a TechRepublic download. Falling behind on your patch deployments? Catch up with previously published Microsoft Patch Tuesday blog posts.

Security Patches

MS12-008/KB2660465 - Critical (XP, Vista, W7, 2003, 2008, 2008 R2): Two exploits in kernel mode drivers can allow maliciously crafted Web sites and drivers to perform remote code execution attacks. To make it worse, one of these exploits is publicly known. Install this patch ASAP.

MS12-009/KB2645640 - Important (XP, Vista, W7, 2003, 2008, 2008 R2): The Ancillary Function Driver has a pair of flaws that can allow a locally logged-on user to gain administrative privileges with a specially made application. Install this patch during your normal patch time to close the holes.

MS12-010/KB2647516 - Critical (IE6, IE7, IE8, IE9): This is a cumulative update for Internet Explorer that patches four security bugs and one nonsecurity bug. The worst of the security issues can allow remote code execution when a user views a malicious Web page. Install this patch as soon as you can.

MS12-011/KB2663841 - Important (SharePoint Server 2010, SharePoint Foundation 2010): SharePoint has three similar vulnerabilities that let an attacker create a malicious link through which a third-party page can issue commands to SharePoint on behalf of the user's SharePoint session. Install this patch on your SharePoint servers as needed.

MS12-012/KB2643719 - Important (2008, 2008 R2): The color control panel on 2008 and 2008 R2 machines can be manipulated by a maliciously made color profile file to open a DLL on a remote drive share and execute code. This is a rare scenario, and the DLL gets only the locally logged-on user's rights; the patch install can wait until your usual schedule.

MS12-013/KB2654428 - Critical (Vista, W7, 2008, 2008 R2): Opening a malformed media file can allow remote code execution with the rights of the logged-on user. The issue is in a runtime library that many applications depend on. Applications that statically link to Msvcrt.dll will need to be recompiled against the updated DLL. You will want to install this patch immediately.

MS12-014/KB2661637 - Important (XP): The Indeo Codec that ships with XP has the same flaw we've seen in many other pieces of Windows lately, triggered by opening a file located in the same directory as a malicious DLL. Install this patch when you install other patches.

MS12-015/KB2663510 - Important (Visio Viewer 2010): The Microsoft Visio Viewer 2010 component can allow remote code execution through malformed Visio files. If you use the Visio Viewer, install this patch.

MS12-016/KB2651026 - Critical (.NET Framework 2.0, .NET Framework 3.5.1, .NET Framework 4.0): Windows PCs set up to run Silverlight apps or XAML Browser Applications (XBAPs) can be exploited to perform remote code execution attacks. One of the vulnerabilities addressed by this update is publicly disclosed. You really should install this patch as soon as you can.

Other updates

KB2600217 - .NET Framework 4 reliability update.

KB2603469 - Update for Windows 2008 and 2008 R2 that allows a system state backup to back up private CA keys. This is critical for backing up servers with the Active Directory Certificate Services role.

KB2626067 - Update rollup 1.1 for Windows MultiPoint Server 2011.

KB2630429 - Update rollup for Windows Small Business Server 2011 Essentials.

KB2630434 - Update rollup for Windows Home Server 2011.

KB2630436 - Update rollup for Windows Storage Server 2008 R2.

KB2640148 - Update for W7 and 2008 R2 to resolve a problem where expanding mapped drives could crash Windows Explorer.

KB2660075 - Update for W7 and 2008 R2 to fix a rare problem changing the time zone.

"The Usual Suspects": Updates to the Malicious Software Removal Tool and the Junk Email Filter.

Changed, but not significantly: None.

Updates since the last Patch Tuesday

There were no security updates released out-of-band.

Minor items added or updated since the last Patch Tuesday: none.

Changed, but not significantly:

About

Justin James is the Lead Architect for Conigent.

12 comments
ozchorlton

Can't work out which one did it, but one of these patches changed the video settings on my Toshiba Satellite Pro (W7 32bit) laptop :-( On my desk I have a second monitor, to which I extend my desktop. After installing these patches, it changed my settings to two duplicate desktops :-(

Dave O

I installed the updates on my Gateway with XP Home SP3 and it ran slower than molasses. Right-clicking an icon took 45 seconds before the context menu came up. I uninstalled all the updates one by one in reverse order until things worked again. It was the KB2660465 that was causing my problems. I reinstalled the others and all was well again.

VosaBz

Updates KB951847 (x86), KB982524, and KB2416473 did not install on my system: WinXP SP3 32-bit. Does anybody know of a comprehensive description of .NET Framework reinstallation, i.e. the order of deinstallation and what to install and in which order? What I have found on the Internet so far (especially on the Microsoft "Support" site) is rather insufficient. On my desktop there are the following components of .NET Framework:

1.1
1.1 Czech Language Pack
2.0 Service Pack 2
2.0 Service Pack 2 Language Pack - CSY
3.0 Czech Language Pack
3.0 Service Pack 2
3.0 Service Pack 2 Language Pack - CSY
3.5 SP1
3.5 SP1 - Language Pack - CSY
4 Client Profile
4 Client Profile CSY Language Pack
4 Extended
4 Extended CSY Language Pack

Hoping to get help, Vosabz

kburch

I have not been able to isolate which update did it, but one of them totally creamed one of my Gateway desktop's networking settings. I could find no way to get it to connect to the internet. But undo last night's update pack and whammo, instant internet connectivity.

Ed.Pilling

I had auto update on my laptop. I have a Compaq and it is fairly new, so I was not overly concerned. Well, that massive patch has crashed my system (2X) and I had to go restore it. I have turned off auto update. I am going to fully back up my system and then apply the patches one by one.

Gisabun

Oddly KB2660075 seems to be needed [if rare] since it has to do with Samoa changing time zones at the end of last year but I needed it. MS12-015/KB2663510 seems to be required for Office 2010 [Pro] even if you didn't install it. My 3 installs at home wanted it but I don't use Visio or the viewer. I think KB2640696 was also added for Win 7/2008 SP1. "An ADO-based application that is compiled in Win 7 SP1 or 2008 SP1 does not run in earlier versions of Windows". Not critical.

pgit

"Applications that statically link to Msvcrt.dll will need to be recompiled against the updated DLL." This wouldn't appear to involve any end user apps, but rather developer tools, right? ...or am I missing something?

Mark W. Kaelin

Are the Microsoft patches giving you trouble this month? Maybe your peers can help - describe the problems you are having?

pgit

Good stuff to know, I hadn't thought that some app might throw duplicates of system files on board for their own use. Seems confusing at best, I'm having a hard time fathoming why someone would want to do this. Is this a hedge against Microsoft updating the dll, potentially breaking the app? Anyhoo, I checked with a vendor of a rather convoluted app one of my clients uses and was told they use system dlls exclusively and never drop their own in with their binaries etc. I tested these patches and all was well with the world.

charlesnburns

Some applications are likely to be statically linked against the DLL mentioned. Companies paranoid of breaking changes, for example, may want to include a specific known version. It doesn't even need to be statically linked -- the DLLs can simply be included with the program and installed into their working directory. For those unfamiliar, a programmer can use some of Microsoft's helper tools by asking Windows for their location, or they can include a specific version of those tools directly in their program. The only reason to include it directly would be to avoid requiring the user to install those tools, or to avoid including the installer with the application.

sysop-dr

What this means for end users is that some programs use the default DLL installed into the Windows directory, and this patch will cover those apps. Some apps come with it statically linked, and for the application to be safe you need to get a new version of the app with this updated DLL linked in. And some apps have a copy of the DLL in their local directory, and just putting a copy of the new DLL there may fix this security issue but may also break the program, so the best bet is to get a new updated version of the application with the new DLL. How can you tell which is which? Unless you are running debuggers against other people's apps you can't, so most people can't. And until you are able to determine which apps you run are which, you could be vulnerable if you run Windows and any application written in C, C++, etc. So a quick search of my system finds a bunch of copies of this included in Java bin directories, etc. (How much of Windows itself is using a statically linked copy of the library vs. dynamically linked? Do all of the programmers in Microsoft adhere to just using the DLL dynamically?) As a user, when you install this patch, know that it only patches some of the applications you use. We found on a single computer 40,000 instances of executables or other DLLs that statically link to this library. Now granted that this is a developer's system, which will have a lot more stuff on it than a regular user's, but none of those were software we developed. I don't know how we can mitigate all of these programs in a reasonable way. Hoping Microsoft has something coming that will mitigate it, otherwise we are in trouble.
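The search for bundled copies of Msvcrt.dll described in the comments above can be scripted. This is an added example, not code from the article or its commenters; the function name `Get-PrivateCrtCopy` and the default search roots are assumptions. It lists copies outside the Windows directory and flags those whose file version is lower than the system copy's.

```powershell
# Added example: inventory copies of msvcrt.dll that applications ship privately.
# Assumptions: the function name and the default search roots are illustrative.
function Get-PrivateCrtCopy {
    param(
        [string[]]$Root = @($env:ProgramFiles, ${env:ProgramFiles(x86)}),
        [string]$Name = 'msvcrt.dll'
    )

    # Build a comparable [version] from the numeric parts of the version resource.
    # A file with no version resource yields 0.0.0.0 and is therefore flagged.
    function Get-BinaryVersion([string]$Path) {
        $v = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
        New-Object Version $v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart
    }

    # The copy serviced by Windows Update is the reference point.
    $systemVer = Get-BinaryVersion (Join-Path $env:SystemRoot "System32\$Name")
    $winDir    = $env:SystemRoot.TrimEnd('\') + '\'

    $Root | Where-Object { $_ -and (Test-Path $_) } | ForEach-Object {
        Get-ChildItem -Path $_ -Filter $Name -Recurse -File -ErrorAction SilentlyContinue
    } | Where-Object {
        # Skip anything under the Windows directory; the patch covers those copies.
        -not $_.FullName.StartsWith($winDir, [StringComparison]::OrdinalIgnoreCase)
    } | ForEach-Object {
        $ver = Get-BinaryVersion $_.FullName
        [pscustomobject]@{
            Path          = $_.FullName
            FileVersion   = $ver
            SystemVersion = $systemVer
            OlderThanOS   = $ver -lt $systemVer
            SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

# Report the private copies, oldest-looking first.
Get-PrivateCrtCopy |
    Sort-Object OlderThanOS -Descending |
    Format-Table -AutoSize Path, FileVersion, OlderThanOS
```

A file search only finds separate DLL copies; it cannot detect runtime code that was statically linked into an executable, and a lower version number is a prompt to ask the vendor for an update, not proof that a given copy is exploitable.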
