It's Microsoft Patch Tuesday: June 2010

Justin James gathers the information you need to make the right decision on applying Microsoft's June 2010 patches in your organization.

Microsoft now has a three-month streak of out-of-band patches that have not been overwhelming. It's nice to see them getting things together on that front! The bad news? Ten security patches covering a massive number of vulnerabilities, including a single Office patch that takes out fourteen bugs. Ouch! Luckily, a much lower ratio of them are "must patch" items than we usually see.

For those who are fascinated with minutiae, it looks like Microsoft is changing the numbering for their KB articles as well, and adding a seventh digit. At the same time, some of the KB article links might not work; Microsoft has not posted all of them yet (as I wrote this, more of them became active). KB articles marked with a * were not active at publication.

This blog post is also available in the PDF format in a TechRepublic Download. The previous month's Microsoft Patch Tuesday blog entries are also available.

Security Patches

  • MS10-032/KB979559 - Important (2000, XP, 2003, Vista, 7, 2008, 2008 R2): A trio of bugs in the Windows kernel allows malformed fonts to be used for escalation of privileges attacks. It would be a bit hard to sneak a font onto the system without some sort of install privileges anyways, which is why this patch can wait until your next patch cycle. 1.0MB - 4.3MB
  • MS10-033/KB979902 - Critical (2000, XP, Vista, 7, 2003, 2008, 2008 R2): This patch addresses a pair of vulnerabilities in Windows' media subsystem which allow specially crafted media files and streaming content to carry out remote code execution exploits. One of the vulnerabilities is less serious than the other, but you should patch your systems immediately all the same. Depending on your system, you may need to install up to four separate patches to address all of the issues. 105KB - 4.8MB
  • MS10-034/KB980195 - Critical (2000, XP, Vista, 7)/Moderate (2003, 2008, 2008 R2): This patch updates the ActiveX kill bits and fixes two bugs in ActiveX that could allow remote code execution attacks. If you allow ActiveX on your desktops (which you shouldn't, other than for internal sites), install this immediately; otherwise, wait until your next patch cycle. 26KB - 1.0MB
  • MS10-035/KB982381* - Critical (2000, XP, Vista, 7, 2003, 2008, 2008 R2): Five security holes in Internet Explorer 5, 6, 7, and 8 which can allow remote code execution attacks are fixed with this cumulative update. Some of them are rated as "Moderate" but I don't see any specific combination of IE version and OS that does not make it "critical." I would install this patch immediately. 3.3MB - 48.4MB
  • MS10-036/KB983235 - Important (Office XP, Office 2003, Office 2007): COM validation in Office has a bug which can allow remote code execution attacks. Since you should not be allowing COM to be running in Office from outside sources, this is a less risky bug than it could be. Patch your systems at the next scheduled time. 2.9 - 15.5MB
  • MS10-037/KB980218 - Important (2000, XP, Vista, 7, 2003, 2008, 2008 R2): Another font handling issue is allowing escalation of privileges attacks across all versions of Windows. Like MS10-032, this one can wait until your next regular patch period. 496KB - 1.3MB
  • MS10-038/KB2027452* - Important (Office XP, Office 2003, Office 2007, Office 2004 for Mac, Office 2008 for Mac, Open XML File Format Converter for Mac, Excel Viewer, Office Compatibility Pack for Office 2007 File Formats): A whopping fourteen security bugs in the way Microsoft Office opens files are fixed with this patch. The worst can result in remote code execution attacks. Microsoft says this one is "Important" but I call it "Critical" due to the widespread use of Office, and I suggest that you patch immediately. 9.7MB - 332.8MB
  • MS10-039/KB980218 - Important (InfoPath 2003, InfoPath 2007, Office SharePoint Server 2007, Windows SharePoint Services 2.0): Three problems with SharePoint are fixed with this patch. The issues allow an attacker to perform a variety of attacks, including an escalation of privileges attack if a SharePoint user clicks on a malformed link in SharePoint. This is not a burning issue and the patch can wait until your usual patch time. 2.9MB - 109.3MB Desktop / Server
  • MS10-040/KB982666 - Important (Vista, 7, 2003, 2008, 2008 R2): Computers running IIS 6, 7, and 7.5 are vulnerable to a remote code execution attack that will run with full privileges when an attacker sends a malformed HTTP request. Microsoft calls this patch "Important" but I think that understates the issue for servers. I would patch servers immediately, and leave desktops for the regular patch cycle. 43KB - 4.0MB
  • MS10-041/KB981343* - Important (2000, XP, Vista, 7, 2003, 2008, 2008 R2): A problem affecting all versions of the .NET Framework's handling of signed XML content could allow the data to be altered without being detected. This is a fairly minor issue, so this patch can wait until you do your normal patching. 123KB - 2.2MB

Other Updates

The .NET Framework was updated to improve and strengthen authentication. The following patches affect different versions of the .NET Framework:

  • KB982167 for .NET Framework 2.0 SP2 for Windows Server 2003 and XP 116KB - 313KB
  • KB982168 for .NET Framework 3.0 SP2 for Windows Server 2003 and XP 116KB - 159KB
  • KB982532 for .NET Framework 2.0 SP2 for Windows Server 2008 and Vista 1.1MB
  • KB982533 for .NET Framework 2.0 SP2 for Windows Server 2008 SP2 and Vista SP2 1.3MB - 2.0MB
  • KB982535 for .NET Framework 3.0 SP2 for Windows Server 2008 and Vista 1.1MB
  • KB982536 for .NET Framework 3.0 SP2 for Windows Server 2008 and Vista 1.1MB

"The Usual Suspects": Updates to the Malicious Software Removal Tool (10.3MB - 10.6MB) and Junk Email filters (2.2MB).

Changed, but not significantly:

Updates since the last Patch Tuesday

There have been a number of minor items added and updated since the last Patch Tuesday:

Changed, but not significantly:

None.

About

Justin James is the Lead Architect for Conigent.

32 comments
jason.beale

This may be the last set of patches ever released for Windows 2000; end-of-life for that OS is July of this year. So, maybe there's one more month of patches, but after that, no more updates.

volentib666

> 20 laptops went bottoms up. At first, system restore worked, but the WSUS server kept re-applying and now that doesn't even work.

rpr.nospam

It is almost unbelievable but May 2010 cumulative time zone update for Windows OS (see http://support.microsoft.com/kb/981793) caused errors and stopping of two services, "WIN-PAK Database Server" and "WIN-PAK Archive Database Server", which are part of Honeywell Access /Northern Computer WIN-PAK SE/PE and WIN-PAK Pro CS software. After uninstalling the Update KB981793 the services run well again.

pjboyles

Would an embedded font be sufficient for this attack? If so, then you may want to bump up the priority for installing the patch.

Who Am I Really

Survived another Crash Tuesday so far there doesn't seem to be any ill effects, however, I had to manually go and get them; I've done all but 3 systems here which have been backed up first and then applied, but I had to do it manually, as AU would not DL; - I normally have AU set to "DL and notify" - this time it never starts - so I set it to "notify" only - AU would notify "updates are ready..." - I would select OK to start DL - then AU exits without doing DL. This is an ongoing problem whenever there are "large" updates, any patch over 1MB seems to cause AU to just exit and I'm forced to use IE to manually get them from the winupdate site.

SharonAnn

Absolutely, serious problems. All my Office applications appear to have been de-installed and when I access them, it wants to "configure" them. Word, Excel, Access, Outlook, FrontPage. Also, my Desktop icons have all been removed and all my settings for Explorer and Internet Explorer have been changed. I'm sure there's more, but this is all I've found so far. I'm furious! I have serious work to do for clients and now I have to spend all this time recovering files, reinstalling programs, reconfiguring settings, etc.

Richaz

Looking at the mitigating factors of MS10-40 affects only IIS installed with kb973917. The majority of IIS installs out there is not going to be installed with extended protection for authentication. Exploits being developed for this are unlikely. Not even sure if this really ranks as important.

Justin James

I've got all of my internal VMs patched with zero issues. Tomorrow night I will do my servers in the DMZ, and I will probably do the physical machines next Tuesday. No complaints so far. J.Ja

Mark W. Kaelin

Are the patches described by Justin giving you trouble this month? Share your experience with your peers, maybe we can help?

volentib666

The problem was with Symantec EP 11 (11.05, specifically).

Resolution:

Round 1
  • Boot to safe mode with networking
  • Start Windows Installer service
  • Uninstall SEP 11.05 - REBOOT

Round 2
  • Install SEP client version 11.06 or later
  • Patch and update, as needed.

Hope this helps someone out. I .BAT scripted it, as it turned out we had 50 laptops DOA vs. 25.

Kath58

The updates were installed automatically upon shut down. The next time I started-up windows showed corrupted system files but was able to fix them. The 2nd time I started-up windows could not load -- at all -- system restore did not work -- now I'm reformatting and putting on Windows 7 (had XP)...

Neon Samurai

Can you tell which patch breaks the notebooks and why? Is it increased resource demand or some such thing?

Justin James

... and unfortunately, I do not have the answer. J.Ja

SharonAnn

and the system wanted to "configure" bunches of programs and settings. My desktop displayed only a few icons, trying to bring up Office or anything else, it was as if it was a new install and had to be configured. I did a "Restore" and am back to before, with my usual operating environment (Windows XP Professional, SP3, updates). Good grief!

pghegseth

Post update, my PC rebooted and since, I am unable to restart Windows 7. It just hangs at the start screen. Cannot start in safe mode, nor last known good... either. Tried the Win7 restore CD (http://neosmart.net/blog/2009/windows-7-system-repair-discs/) to no avail. This situation irritates me to no end... Good for me I have my data backed up as it looks to be a reinstall. Thank you Microsoft.

Neon Samurai

Did you have Internet Explorer 8 installed previous to getting this last batch of updates? It may be that you had IE6 or IE7 in place still and the IE8 update came down with the rest of the patches. This would account for new icons and Office applications needing to do a quick reconfigure. IE is used as part of the Office apps so they may need to adjust to the new version or where it's stored on the hard drive.

Justin James

That's a good point on that requirement. That being said, that particular patch got shoved down people's throats *if I remember right*, and it is built in to IIS 7.5 from what I can tell (because that disclaimer does not apply to W7 and 2008 R2). I definitely remember having major issues with that patch breaking Office Communications Server the first time it was released... J.Ja

santeewelding

In my vast enterprise. Thank you, nonetheless.

cirque1

I'm running XP on a Dell. Never had problems with a Microsoft automatic update before. Went to normal shut down process. Alerted that there were 9 updates. Update process started normally. Usually followed shortly thereafter by normal shutdown. Updates appeared to hang on update 7 of 9. Computer ran all night without resolution. Powered down. Now machine will start without normal start up sounds (sounds like it is trying to continue the update process) but I have no video and no idea what is going on with the computer. In fact the monitor will not even turn on now. More garbage from Microsoft???

Sumjay

6 updates are giving me a 'no show' after numerous attempts to install them. I have Windows Vista 64 bit SP2. Here are the ones which just do not install.

1. Infopath 2007 KB979441
2. Office System KB982312
3. Office System KB982331
4. Publisher KB982124
5. Visio KB982127
6. Outlook KB983486

Do any of you folks have the same problem? Thanks

JoeCatterall

Have experienced problems with the .Net3.5 update though the problem is associated with Fixit 50123 which is included in the update. Re-registered scrrun.dll (regsvr32 scrrun.dll) and re-ran the update and it finished successfully. I am indebted to Arnoldkrg at forums.techarena.in for the solution. Joe

mickames

The whole of the update installed successfully for me, I'm still using XP, (sad), but there appears to be a side effect. My Logitech headset has ceased to be available and will not install whatever I try. This may be a coincidence. It still won't work after a restore to before the update. I have laboriously gone through the update procedure again.

dash65867

The following 3 patches I had to download and install manually: KB979482, KB975562, KB979559. Tried twice with Microsoft Update and it failed both times. Went to MS Catalog to get patches. Manual install succeeded, but they still show as failed installs on update history.

volentib666

Happened late Friday, so I and user were both heading out the door. Thought we could keep system restoring them until fixed. Haven't gotten hands on one yet, due to them being in regional offices. Should either figure it out today, or reimage the entire lot. I'd hate to apply 1 at a time for 22 patches to see which it is... The errors we are seeing are 0xc0000005 errors on all applications that try to run - except for M$ Office apps - go figure. Can't even get a cmd prompt up.

SharonAnn

and got back everything (I think). IE 8 is still there. But my desktop, icons, applications, etc. all seem to be working OK. I also shut off "Automatic Updates" and set it to let me decide when to install them. I can't risk something like this happening again.

abasi_obori

Just applied the patches I consider most important so far, no issues. Thanks

Justin James

If you aren't getting any startup sounds or video (not even the POST screen), your computer is hosed at a hardware level. Which would explain the hang on the install too. J.Ja

pghegseth

I encountered an update that would not install and after 'researching' them discovered that sometimes a corrupt file causes the failure. Look in the update log and determine which file the update fails upon (http://support.microsoft.com/kb/902093). Rename said file, and try the update again. This resolved a failure to update the .net framework for me (once upon a time). Here is another article that may help (http://helpdeskgeek.com/windows-xp-tips/windows-update-fails-to-install-updates/) and: (http://support.microsoft.com/kb/304498). Good luck!

mickames

After an exchange of emails with Logitech, they concluded that my headset had failed and sent me a new one. It still won't install. I suspect the June 2010 patch even more now. Has anybody else suffered this problem?

Neon Samurai

if you can identify and share details that is of course.

Neon Samurai

Definitely a good idea to turn off autoupdates. You can leave it to check every week or whatever but use the "ask before install" option so you can sit on them for a few days and watch what comes up in forums like this one.

Sumjay

I was just about to embark on utilizing your solution, when I perchance went to the Microsoft Website where a number of postings showed up having the same problem I was encountering with these updates. The solution was to turn off the UAC in Vista, restart. Install the Office 2007 updates. It worked like a charm! Then turn on the UAC, restart. Now everything is working hunky dory. Thanks.
