
It's Microsoft Patch Tuesday: November 2011

Justin James gathers the information you need to make the right deploy decisions when applying Microsoft's November 2011 patches in your organization.

So, we're treated to one of the lightest Patch Tuesdays of the year, with no really big items done out of band either. And the whole thing is ruined by MS11-083, which looks like it fixes the worst vulnerability of the year, a problem where attackers can hit closed UDP ports to perform remote code execution attacks.

All those systems directly connected to the Internet, from home PCs to Windows boxes set up to be firewalls, can be hit by this, even if they have nothing open on those UDP ports.

This blog post is also available in PDF format in a TechRepublic download. Falling behind on your patch deployments? Catch up with previously published Microsoft Patch Tuesday blog posts.

Security Patches

  • MS11-083/KB2588516 -- Critical (Vista, W7, 2008, 2008 R2): This may be one of the nastiest bugs we've seen in a long time. Malformed UDP packets sent to a closed port can allow a remote code execution attack. This is a "patch before the day is out" item for sure. 487KB - 1.8MB
  • MS11-084/KB2617657 -- Moderate (W7, 2008 R2): Opening malformed TrueType fonts from emails, network shares, or WebDAV locations can create a denial of service attack. Apply the patch on your normal cycle. 1.1MB - 3.0MB
  • MS11-085/KB2620704 -- Important (Vista)/Moderate (2008)/Low (W7, 2008 R2): You know that "opening a file on a network drive can load a DLL from that location" bug? This patch addresses it with Windows Mail and Windows Meeting Space, for opening .eml and .wcinv files. Few folks use these apps, so this patch can wait until your usual scheduled patch time. 660KB - 1.3MB
  • MS11-086/KB2630837 -- Important (XP, Vista, W7, 2003, 2008, 2008 R2): Various Active Directory services (Active Directory, Active Directory Application Mode -- ADAM, Active Directory Lightweight Directory Service -- AD LDS) have a flaw where a revoked certificate for a valid account can be used to authenticate using LDAP over SSL (which is off by default). This is a fairly low-priority issue, and the patch can wait until you usually do your patching. 836KB - 5.5MB

Other updates

None.

"The Usual Suspects": Updates to the Malicious Software Removal Tool (14.9 - 15.2MB) and the Junk Email Filter (2.1MB).

Changed, but not significantly: None.

Updates since the last Patch Tuesday

There were no security updates released out-of-band.

Minor items added or updated since the last Patch Tuesday:

  • KB2526305 - Windows SharePoint Services 3.0 SP3
  • KB2598845 - Update for the IE8 Compatibility View List
  • KB2603229 - Fixes a problem with license information on 32-bit versions of Windows 7 and 2008 R2
  • KB2607576 - Fixes a bug with "Jump Lists" longer than 999 items in Windows 7 and 2008 R2
  • KB931125 - Root certificate update

Changed, but not significantly:

About

Justin James is the Lead Architect for Conigent.

29 comments
johncymru

Installing the first three patches above, MS11-083 to MS11-085, all together caused a 0x00000051 stop error on reboot on one of my machines, a Windows 7 x64 Ultimate laptop. Rebooting into safe mode and doing a restore to the pre-patch state and then installing them one by one, so as to try and pin down the problem patch, allowed the installation of all three without further problem.

mbwmn

WinXPx86 running on a HP Z400 workstation w/ Office2007 keeps locking up solid almost every hour since the updates were run. Unable to determine cause from Event Viewer, or Performance Mngr, as it STOPS all activity until you cold boot (hold in the power button). I am unable to get to Task Manager when this happens. Am I the only one? This is a production machine, and not much is getting done in the billing dept because of all the bitching that is a repair prerequisite w/ this user...

wjal1

"All of those systems directly connected to the Internet, from home PCs to Windows boxes set up to be firewalls can be hit by this, even if they have nothing open on those UDP ports." So, if I am reading this correctly, this applies only to Windows devices like Server 2008 which is acting as a firewall/router, or Windows systems connected directly to the internet through a cable/DSL modem, but anyone behind a Linux based router is not vulnerable? I guess if you had UDP ports open in the router, you would still be vulnerable.

ahorrasi

I have a real n00bie question - I am no sort of IT expert (ha ha) but I subscribe to this website for edification purposes. So saying, I've recently acquired a Windows 7 after years-only on Mac. It's a personal PC and I've nothing like a network or anybody to take care of such things as security/patches. I do notice, however, that the system automatically schedules updates on the computers, before I log out, etc. Are these updates the patches the article mentions, or is this something I should learn to do, to 'patch' my computer? Thanks

JCitizen

on my Vista x64 machine; but I have a drove of clients with OEM Win7 x64 machines with too many problems to really tell just what exactly is causing their instability. Networking is not perfect, but still solvable with those folks.

Justin James

I've got bad news, on my TMG 2010 server, KB2588516 (the fix for the REALLY bad problem) is causing Network Policy Server to be unable to start, with error 0x80072afc. I tried this last night along with a bunch of other patches, then today I reverted to snapshot and the problem came up again when I did just this one patch (since it is the most important of the bunch). I am contacting Microsoft support and will update folks when I know what's happening. J.Ja

seanferd

I wonder what changes were made since XP that created this bug. They never say.

Gisabun

Windows 7: KB2496290 (re-release), KB2592525 Office 2010: kb2553310, kb2553181, kb2553290, kb2553323

Mark W. Kaelin

Are the Microsoft patches giving you trouble this month? Maybe your peers can help - describe the problems you are having.

Justin James

I've passed this on to the Patch Tuesday editor and hopefully we can get this fixed next month, thanks for letting us know! J.Ja

Mark W. Kaelin

Apparently, our new search engine works differently than the old one - I'll make an adjustment. With this change, there will be other search links in blog posts that don't deliver results as well as they should - let us know when you come across them.

Justin James

Technically, even behind a firewall/router, someone within your network could hack you... so I'd be wary of public WiFi, for example. But assuming that you trust all of the computers within your network, the firewall should block it out unless you've done something like a port forward to the protected machine. J.Ja

compassmike

These are the updates that Win7 notifies you about and may also be set to automatically apply for you. This article which comes out once a month is an overview of those patches. A quick FYI of what the patches fix.

Justin James

That's not my problem at all, the error codes are completely different. The problem is obviously related to the patch, because it happens when the only thing I do is install the patch. J.Ja

Gisabun

Try the MS Windows Update forum. Unless something critical came through, I generally wait a couple of days. In those two days I see if anything has appeared common in issues to other computers. [Why should I be the guinea pig?].

Gisabun

They obviously won't say exactly what since the scammers/hackers/losers/phishers/scum will use it to their advantage.

Justin James

... with the way Microsoft provides the information, it's easy to miss some of those until you see what Windows Update offers. :( Thanks for the update! J.Ja

bkreamer

About three months back, I turned automatic updates on. This month the loops started. I can't find any significant references to a current problem on the web. My fix: I turned on "notify but don't download" and installed a few of the updates manually through winupdmgr, specifying "custom + don't notify again." All is quiet. windowsupdate.log is not especially helpful. Suggestions?

airjos

Perhaps something is interfering with the patch install. Perhaps try installing the patch in Safe Mode or Directory Services Restore Mode, or after a clean boot? See: http://www.sevenforums.com/tutorials/666-advanced-boot-options.html also, from: http://support.microsoft.com/kb/331796 "When you start Windows by using a normal startup, several applications and services start automatically, and then run in the background. These programs include basic system processes, antivirus software, system utility applications, and other software that has been previously installed. These applications and services can cause interference when you install or run a program, such as Microsoft Flight Simulator X or Streets & Trips 2010."

Justin James

This is the patch for the "attackers can perform remote code execution attacks by sending UDP packets to a closed port" issue... and the machine in question is my firewall, which means that it is 100% exposed to the outside world. There is zero choice in this, the patch needs to happen now. Microsoft support has had the case for nearly 24 hours and all they have done is notify me that they have the case. J.Ja

Gisabun

If you did a search in Microsoft's download page, they are listed [although scrambled with the security updates]. I don't think WU included the Office updates.

Justin James

I'd look for a patch that keeps installing and demanding a reboot, but then keeps re-appearing in the list. J.Ja

airjos

That's why I made the suggestion to give the install a shot with antivirus off, in Safe Mode or Directory Services Restore Mode, or after a clean boot. It seems to me that's what they'll be asking you next, no?

Justin James

What's even odder, is that I've had a "critical" incident open with Microsoft since Wednesday morning, and the only response they've given is an acknowledgment of the ticket, a call to get a deeper understanding of the problem, and then when I followed up, they just said that it's been referred to the "expert team". They won't even tell me if they can replicate the problem or not! J.Ja

ozchorlton

And I think that you do a great job of it :-)

Justin James

... this article needs to be produced in a timely manner, and those items get dribbled out, mixed in with a bunch of other stuff. As it is, there is a VERY fine line every month between getting this article published before close of business Eastern Time, so that as many people as possible can use it to make decisions. We're not going to hold it up over a couple of minor, non-security patches that Microsoft isn't listing in a usable format other than their downloads section. :( The purpose of the article is *primarily* to get people aware of the security issues that they need to be aware of, and make decisions around it, the other items are more like icing on the cake. J.Ja

Realvdude

I've run into this once. Go to the KB article for the patch and install the specific patch with installer there, rather than through Windows Update.
