Wednesday, December 17, 2008

Critical Out of Cycle Update for Internet Explorer

What Is It?

Today, Microsoft released an out of cycle update for all supported versions of Internet Explorer for Windows, to fix an error that could permit a criminal to take over your computer. Microsoft took this unusual step because exploit code was made public the day after the last monthly update cycle, and that code is being actively employed to turn users' machines into remote controlled zombie computers.

Worse yet, there are reports that exploit code has made its way into legitimate Web sites that you would expect to be trustworthy and secure.

Microsoft Security Bulletin MS08-078 covers updates to the following versions of Internet Explorer.

  • Version 5.01, Service Pack 4, when installed on Windows 2000, Service Pack 4.
  • Version 6, Service Pack 1, when installed on the the following operating systems:
    • Windows 2000, Service Pack 4.
    • Windows XP, Service Pack 2.
    • Windows XP, Service Pack 3.
    • Windows XP, x64 edition, Service Pack 2.
    • Windows Server 2003, all editions, Service Pack 1.
    • Windows Server 2003, all editions, Service Pack 2.
  • Version 7, when installed on the the following operating systems:
    • Windows XP, Service Pack 2.
    • Windows XP, Service Pack 3.
    • Windows XP, x64 edition, Service Pack 2.
    • Windows Server 2003, all editions, Service Pack 1.
    • Windows Server 2003, all editions, Service Pack 2.
    • Windows Vista, all editions.
    • Windows Vista, all editions, Service Pack 1.
    • Windows Server 2008, all editions.
  • Windows Internet Explorer 8, Beta 2. If you are evaluating this latest edition, you should download and install the latest update from the beta test Web site.

    What Should You Do?

    If you have Automatic Update enabled, you may have already received this update. My machine had an update awaiting permission to install when I arrived at my office at about 1:30 PM today. Unless you are certain that the update has already arrived, you should visit the Microsoft Update Web site, at http://update.microsoft.com/, and install the update.

    If you have not yet installed the cumulative update for Internet Explorer that was distributed last week, you must install that update before you install this one. If so, both updates should appear on the list of updates offered by the Windows Update service.

    References

    David Gray, MBA, Chief Wizard
    WizardWrx –
    Making computer magic since 1985

    WizardWrx Logo

    V: +1 (817) 812-3041
    TZ: USA Central
    www.wizardwrx.com

    4835 North O'Connor Road
    Suite 200
    Irving, TX 75062-2742
    USA

    Tell me what you need, and I’ll conjure it.

    Wednesday, December 10, 2008

    December 2008 Patch Tuesday, Take Two

    What Is It?

    Yesterday, in the notice that I distributed to VirusWarn subscribers, and published on the VirusWarn Blog, at http://viruswarn.blogspot.com/2008/12/fw-viruswarn-there-is-something-for.html, I neglected to include two key products that require your immediate attention.

    • Microsoft Office 2003. Both Word and Excel received patches to plug several remote code execution vulnerabilities. Even if you don't use Word or Excel, you need this update if Outlook is configured to use Word as its message editor. In this version of Outlook, this setting is optional.
    • Microsoft Office 2007. Both Word and Excel received patches to plug several remote code execution vulnerabilities. Even if you don't use Word or Excel, you need this update if Outlook is configured to use Word as its message editor. In this version of Outlook, this setting is the default.
    In case you have forgotten, or didn't know, remote code execution vulnerabilities are the currently favored means by which the Bad Guys install malicious software onto your computer.

    What Should You Do?

    Unless you know for certain that the updates for Office 2003 or 2007 installed themselves yesterday or today, visit the Microsoft Update Web site, at http://update.microsoft.com/, choose the Express option, and accept everything that is offered.

    Attention Firefox users. You must use Internet Explorer for this task.

    References

    Thank You!

    Thanks to long time subscriber Sara Jenkins for calling my attention to this oversight, and to the fact that the Microsoft Update service requires Internet Explorer.

    David Gray, MBA, Chief Wizard
    WizardWrx –
    Making computer magic since 1985

    WizardWrx Logo

    +1 (817) 812-3041
    TZ: USA Central
    http://www.wizardwrx.com/

    4835 North O'Connor Road
    Suite 200
    Irving, TX 75062-2742
    USA

    Tell me what you need, and I’ll conjure it.

    There Is Something for Everyone This Patch Tuesday


    What Is It?

    The last Patch Tuesday of 2008 is a big one, and it affects virtually all users of Microsoft software products. Although many of you should receive your updates automatically, we are publishing this notice for three reasons.

    1. Breadth of Impact. Due to the large number of bulletins, delivery via Automatic Update may be significantly delayed, and the risk of an update failure increases significantly with the number of affected components.
    2. Restart Requirement. Several of the updates require a restart in order to be fully implemented.
    3. Manual Installation Requirement. Some of the updates are for older versions of Microsoft software that is outside the scope of the Microsoft Update and Windows Update services.

    What Should You Do?

    Windows (All Versions)

    All of the updates, except those for Office 2000 and the programming language products, should be offered on either Windows Update or Microsoft Update.

    If you are still using Windows Update, we strongly urge you to begin using Microsoft Update, because it covers a much broader range of Microsoft software.

    Microsoft Update is at http://update.microsoft.com/.

    Office XP for Microsoft Windows

    Visit the Microsoft Update Web site, at http://update.microsoft.com/, as soon as you can, and run the wizard, to be sure that all of the updates you need have been applied. If you are really paranoid, use the instructions in the various security bulletins listed in the References to verify the installations.

    Office 2000 for Microsoft Windows

    Visit the Office Update Web page, at http://office.microsoft.com/en-us/downloads/maincatalog.aspx, and download everything offered to you.

    Important: Have your Office 2000 CD handy, because you will almost certainly be prompted to insert it, to validate your installation.

    Works 8.0, 8.5, 2004, and 2005

    Since Microsoft Word is the word processor in all recent versions of Microsoft Works, you are affected by the updates covered by security bulletin MS08-072.

    If you are still using Works 2004, 2005, or 8.0, you must upgrade to Works 8.5, in order to get the updates.

    1. If you are unsure of the version of Works installed on your machine, open any application in Microsoft Works, and display the About item on the Help menu.
    2. If your About Box shows any version except 8.5, download and install the free upgrade to the latest version of Works, at http://www.microsoft.com/products/works/international/update_1001.mspx.
    3. Once you have the latest version of Works installed, visit the Microsoft Update Web page, at http://update.microsoft.com/, and accept the update for Office Word.

    Office 2004 for Mac

    Download and install Microsoft Office 2004 for Mac, 11.5.3 Update, from http://www.microsoft.com/downloads/details.aspx?FamilyId=ECA13AD8-62AE-41A8-B308-41E2D1773820&displaylang=en.

    Office 2008 for Mac

    Download and install Microsoft Office 2004 for Mac, 12.1.5 Update, from http://www.microsoft.com/downloads/details.aspx?FamilyId=AB31A564-43D2-45BD-98BF-19E9CA477B62&displaylang=en.

    Open XML File Format Converter for Mac

    Download and install Open XML File Format Converter for Mac 1.0.2, from http://www.microsoft.com/downloads/details.aspx?FamilyId=EDB6CD8F-832C-4123-8982-AC0C601EA0A7&displaylang=en.

    Visual Basic 6.0 ActiveX Components

    Several key ActiveX components that ship with the Microsoft Visual Basic 6.0 compiler, in addition to Visual Studio .NET 2002 and 2003.

    • If you are a software developer, you will need to update your development tools. See MS08-070 for details.
    • You may have other software that uses one or more of these controls. If so, you can expect an update from your software vendor in coming months.
    • If you use custom software that was developed specifically for you, there is a good chance that it was developed using Visual Basic 6, unless it was developed within the last few years.

    References


      David Gray, MBA, Chief Wizard
      WizardWrx –
      Making computer magic since 1985

      WizardWrx Logo

      +1 (817) 812-3041
      TZ: USA Central
      http://www.wizardwrx.com/

      4835 North O'Connor Road
      Suite 200
      Irving, TX 75062-2742
      USA

      Tell me what you need, and I’ll conjure it.