
It's Microsoft Patch Tuesday: March 2010

Justin James gathers the information you need to make the right decision on applying Microsoft's March 2010 patches in your organization.

In late February we saw a large dump of patches out of band. Not a single one was considered a security item. I know I have said this before, but this is really unacceptable. I do not think a single systems administrator has commented on one of these blog posts with praise for out-of-band, nonsecurity patches, and I would be highly surprised if it ever happens (I know I just invited a rash of sarcastic "I love it!" comments). That being said, there are only two security items this month, both of them related to opening poisoned files.

This blog post is also available in PDF format in a free TechRepublic download.

Security patches

MS10-016/KB975561 - Important (XP, Vista, 7, Microsoft Producer 2003): Specially crafted Movie Maker files can be used to exploit Microsoft's Movie Maker and Producer 2003 applications and remotely execute code. This code is executed with the logged-in user's permissions, which makes this less of a security concern. Install this patch during your next regular patch cycle. 1.7MB - 6.1MB

MS10-017/KB980150 - Important (Office XP, Office 2003, Office 2007, Office 2004 for Mac, Office 2008 for Mac, Office SharePoint Server 2007, Excel Viewer, Office Compatibility Pack): A number of problems in Excel's file handling exposed it to remote code execution attacks with the user's permissions. Microsoft does not rate this as "critical," but given the prevalence of Excel and the likelihood of users opening Excel files, you will want to install it immediately. 4.9MB - 221.5MB

Other updates

KB976002: This patch adds the new "browser ballot" to existing installs of Windows for European users affected by the recent legal actions around this issue. For some reason, they released it out of band in late February and again on March's Patch Tuesday. 104KB - 745KB

"The Usual Suspects": Updates to the Malicious Software Removal Tool (9.7MB - 10MB) and Junk Email filters (2.2MB).

Changed, but not significantly:

Updates since the last Patch Tuesday

No new security items were released out of band.

There have been a number of minor items added and updated since the last Patch Tuesday:

Changed, but not significantly:


About

Justin James is the Lead Architect for Conigent.

30 comments
thegreenwizard1

If a patch is done and ready, that means it is needed, then install it as soon as possible. No? If it gives more work... then more money; I am not against it.

michaels.perry

The "European Browser Ballot" screen is a totally unnecessary and intrusive approach to a problem originally created by M$. It is not needed as most people already know that they can use any browser they wish and can easily install it, then they never need to use IE ever again. But the patch hijacks your browser opening page just to tell you that other browsers are available! Tip: Don't set your system to automatically download and install all the 'patches', have it tell you when they are available. Then YOU can choose which to install and which to avoid, such as this one.

SimonShep

What does "Out of Band" mean, please, in this thread? Thanks.

santeewelding

Thank you from my quarter, too. I don't lift a finger until I see what you have to say about it.

SwissJon

KB977165.. You state that no security patches were released out of band, yet your last patch is a security release.. Ermm... Hate to be the one poking holes in your moan here!! Anyhow, I'm of the opinion that patches that fix problems are just as important as security holes, and if they're released at the same time as a security patch, where's the harm? **Waits for the flaming to start**

dolph88

Justin, Thank you for a well written and concise explanation every month. I visit this blog every month and I, and I'm sure many others, really appreciate having this information available. Thanks again!

Mark W. Kaelin

Are the patches described by Justin giving you trouble this month? Share your experience with your peers, maybe we can help?

Justin James

Patching is a huge deal for system administrators. In the US, most of them are not paid by the hour, so they don't get more money. Even if they did, do you think that they want to lose 4, 5 nights a month patching, or spend that time with their family? I manage a total of 15 servers. It takes me 3 hours to patch and test them all. I have to do that at night. How many nights a month should I spend 3 hours patching and testing? I would much prefer ONCE unless there is a critical security item that needs to be installed, not two or three times, because Microsoft decided to release a "Daylight Security Update" 2 weeks early. That's the whole point of the "Patch Tuesday" schedule, to give system administrators a known date and time to expect patches, and they've been violating it for 6 months now. J.Ja

SwissJon

This is M$'s way of lifting their middle finger. The EU forced M$ to comply, stuck them with a big fine and M$ has grudgingly done exactly what it was told to do without regard for how it affects users, for as cheap as possible.. Anyone complains and M$ will say "It's the EU's fault".. In fact it isn't, it's M$'s fault, the EU only asked them to stop being so "me me me" all the time and give people the chance to choose. As a geek, you might know about Firefox, Opera etc. But I'm quite certain my mum doesn't (Cos I got a call from her) and so it's not people like us this is for, it's the majority of people who don't really understand PCs.

harryolden

I seem to get 2 to 4 patches per day and my computer returns about 1 per week when something goes wrong. I ain't complaining, as the computer is going the best it has ever worked. Cheers, Harry

SwissJon

It means "Not during their usual time".. Microsoft are supposed to only release non-urgent patches once a month on a Tuesday. However this is rarely the case, and we often come across situations where they release patches whenever they feel like it.

Justin James

It's filed under "changed, but not significantly", which means that the metadata changed (like what OS or languages of the OS it will install under) but not the patch itself. This was actually released on or before the last Patch Tuesday. J.Ja

Justin James

It's good to know that it's been useful to you! Writing it has been really useful to me, since it has forced me to be really on top of the patch situation. J.Ja

pwhite42

We had trouble after the update with a user's Symantec Network Threat Protection. The computer would not go past "Applying Computer Settings". After the 3rd or 4th try to get to a log in screen (and a 30 minute wait) a Symantec message came up saying ntoskrnl.exe had changed, is it OK. After that everything was fine. I guess I just didn't have enough patience the first few times.

TrueDinosaur

I run Vista 64. The updates worked fine. I also run VMWare Workstation 6 with 11 VMs comprising 2000, XP and W7 32. No problems. My home system is W7 64. Updated with no problem.

ozchorlton

I think that only urgent patches should be released out of band - all others should wait until Patch Tuesday. Most of the fixes released since last Patch Tuesday were not classed as urgent, and so should have waited until the March Patch Tuesday!

thegreenwizard1

Ask for more money or do it in the working time if your company does not want it. You are self faulty if you give your own time for a company who can put you out of work the next day. Have some respect for yourself.... your time does not come back, so sell it the best you can and do not work overtime. Overtime is a management failure.

SwissJon

I have managed 75 servers over 15 or so clients for the past 5 years. They're all set to automatically update on Sunday morning and the monitoring software keeps a check on things. I have a script that I can run so if there's an issue with a patch, I can shut down the AU service on every server with one click until I can test it for myself. 5 days is plenty I think for issues to emerge in the IT community, I check things first thing on a Sunday, if I have no problems with a server it's business as usual. 5 mins work on a Sunday keeps me and my servers sane, and in the past 5 years I don't remember any occasions where I spent 3 hours working on a Sunday because of issues caused by a patch. I don't know why you feel the need to nurse your servers through what should be an automated process, but I suggest you take a good look at what you are doing and see if you can improve the process at all, because 3 hours work on applying updates over 15 servers is way ott. Before you tell me that your servers are more business critical than mine, those 75 servers are serving in the region of 3000 employees around the world, from Malaysia to Vancouver, if one goes down unexpectedly, I get a call, no matter what time it is. It's about good management, Microsoft might release out of band but that doesn't mean you have to install them out of band. My servers get rebooted EVERY Sunday, no matter if there's a patch or not, the users expect this and manage their time accordingly. If they're busy when the server goes down, that's just tough, trains don't wait for you to buy a coffee, servers don't wait for users to finish whatever they're doing, if you know the train is about to leave and you go to buy a coffee and miss it, you have only yourself to blame. Same goes for servers.
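
A sketch of the kind of "pause automatic updates on every server" switch described in the comment above, as an added example (not SwissJon's script, which is not shown on this page). It assumes PowerShell remoting is enabled on the servers, that a hypothetical servers.txt holds one server name per line, and that Automatic is the startup type you want restored on resume.

```powershell
# Added illustration; file name and default startup type are assumptions.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical inventory file: one server name per line
    [string]$ServerList = '.\servers.txt',
    # Re-enable and start the service once the patch has been tested
    [switch]$Resume
)

$servers = Get-Content -Path $ServerList | Where-Object { $_.Trim() -ne '' }

# Runs on each remote server
$action = {
    param([bool]$Resume)
    $name = 'wuauserv'   # Windows Update (Automatic Updates) service
    if ($Resume) {
        Set-Service -Name $name -StartupType Automatic
        Start-Service -Name $name
    } else {
        # Stop first, then disable so the service is not started again on demand
        Stop-Service -Name $name -Force
        Set-Service -Name $name -StartupType Disabled
    }
    $svc = Get-Service -Name $name
    New-Object PSObject -Property @{
        Server = $env:COMPUTERNAME
        Status = $svc.Status.ToString()
    }
}

$results = foreach ($server in $servers) {
    if (-not $PSCmdlet.ShouldProcess($server, 'Change Automatic Updates service state')) { continue }
    try {
        Invoke-Command -ComputerName $server -ScriptBlock $action `
            -ArgumentList $Resume.IsPresent -ErrorAction Stop
    } catch {
        # An unreachable server is still auto-updating: report it, never skip it silently
        New-Object PSObject -Property @{
            Server = $server
            Status = "FAILED: $($_.Exception.Message)"
        }
    }
}

$results | Select-Object Server, Status | Format-Table -AutoSize
```

Running it with -WhatIf lists the servers that would be touched without changing anything; any row marked FAILED is a server that will still install the suspect patch on its next scheduled run.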

Justin James

A year or so ago, I'd agree with "whenever they feel like it", but since the release of W7 and 2008 R2, it's become a regular pattern to do the out of band patches 2 weeks after the proper Patch Tuesday. It's bizarre. They should just own up and make it official policy, so people know to expect it, or go back to once a month. Out of band is *supposed* to only be critical items, like for critical IE exploits that have exploit code in the wild. J.Ja

SimonShep

Many thanks for clarifying, SwissJon. :-)

fun_to_know

Your concise explanations make short work of sorting through the Microsoft mess every couple of weeks (recently). Thanks for your posts on behalf of I.T. Administrators everywhere.

sysop-dr

Thanks. Ok, we still have to do some testing of old apps, but checking this space first seems to be a good idea.

Justin James

In the US, nearly every systems administrator is on salary (you get paid the same regardless of hours actually worked), and when you negotiate your salary, both sides take into account the fact that you will be working on the nights and weekends on occasion. That being said, when the expectation is "one patch cycle a month, plus the occasional special project or outage", and the patch cycles double, it is effectively a pay cut, but you can't charge for it. This is the way US labor laws are written, and there is not too much that can be done about it. J.Ja

yarbrough2

I'm glad you are not on my team. Time management or not, servers do go down and many times unexpectedly. Or at least you notice a predictive failure at inopportune times, which you need to address NOW or spend much more time later fixing a downed system.

Justin James

The problem is that certain decisions were made in the interest of cost savings (and they did save a ton of money!) when we shifted to a virtualized environment about our storage. These decisions do not impact our operations, given our relatively small size, but when more than one or two systems try accessing disk at once, it gets very, very slow. As a result, I have to do the patches one or two at a time, and even then it takes a while. :( If you can convince my boss to spring for a SAN, or enough storage so that each VM resides on a separate disk with no contention, please do so! Since I took this job two years ago, storage has been my #1 challenge. We started using VMs which has been great in terms of uptime (can reboot 1 service without taking down the whole company like it was with 2 physical servers that did everything), snapshotting has been great for when we make updates or changes and something goes wrong, but on the other hand, we have a huge proliferation of data. This was the other big problem with the strategy we pursued (a bunch of disks packed into a box, but no SAN), when we put things together it looked like more than enough storage, but now that we're close to being maxed out, we cannot expand any further. These were all things that I cautioned against up front, but we decided that it would be better to deal with them in the future than spend the money on a SAN and deal with the added complexity of a SAN environment. Hindsight is always 20/20, as they say! J.Ja

bulldurn

I always check out your comments as well as others before applying updates. It's just good to know information. Everyone probably knows being a tech is one of the most unappreciated jobs. Good job Justin !!!
