Patch Windows boxes NOW – unless you want to be owned by a web page or network packet

"Remote code execution if an attacker sends specially crafted packets" is not what many of you want to hear today – nor "remote code execution if a user views a specially crafted webpage using Internet Explorer" – but it's Patch Tuesday, so what do you expect? Microsoft has issued a batch of security fixes for Internet …

  1. Swiss Anton
    FAIL

    Update FAIL (?)

    I've just applied today's MS updates. IE now crashes when started. To be fair, this is the first time this has happened to me after an update, but thankfully other browsers seem to be OK so I can still access El Reg. The question is, is this update a failure?????

    1. Anonymous Coward
      Trollface

      Re: Update FAIL (?)

      Sounds like an upgrade.

    2. Anonymous Coward

      Re: Update FAIL (?)

      Works fine here on different IE versions. Try disabling 3rd party add-ons.

      Hopefully this patch resolves the hole first time and we don't get a mess of different patches like the recent BASH vulnerabilities...

      1. Voland's right hand Silver badge

        Re: Update FAIL (?)

        recent BASH vulnerabilities

        Err... No... The equivalent here would be the (not so) recent OpenSSL vulnerabilities. HeartBleed and Co.

        1. Anonymous Coward

          Re: Update FAIL (?)

          The equivalent here would be the (not so) recent OpenSSL vulnerabilities

          No, that only affected those running a public facing web server, with https.

          1. Anonymous Coward

            Re: Update FAIL (?)

            "No, that only affected those running a public facing web server, with https."

            I think they were referring to CVE-2014-6321, the first vulnerability listed in TFA, which affects exactly that. Or did you just jump straight to the comments without reading?

      2. Swiss Anton

        Re: Update FAIL (?)

        Er, how do I disable 3rd party add-ons (which I don't have) when IE crashes on start-up?

        1. Steven Raith
          Go

          Re: Update FAIL (?)

          Swiss, if it's a recent version of Windows there's probably a version called 'Internet Explorer (No AddOns)'.

          Can't remember exactly where it lives on all versions, but in Win7 it's Accessories, System Tools.

          That ought to do it.

          Hugs and kisses,

          Raith x

        2. J__M__M

          Re: Update FAIL (?)

          Er, how do I disable 3rd party add-ons (which I don't have)...

          Oh, yes you do.

        3. werdsmith Silver badge

          Re: Update FAIL (?)

          "Er, how do I disable 3rd party add-ons (which I don't have) when IE crashes on start-up?"

          From the command line, -extoff is the one you want. There are other options you might try too.

          iexplore.exe [ [ -embedding ] [ -extoff ] [ -framemerging ] [ -k ] [ -noframemerging ] [ -nohangrecovery ] [ -private ] ] [ URL ]

          It's unusual for El Reg readers not to know about this stuff.

          1. Steve Davies 3 Silver badge

            Re: Update FAIL (?)

            It's unusual for El Reg readers not to know about this stuff

            some of us never use IE so how would we ever have to know about the command line options?

            Perhaps you meant to say

            It's unusual for El Reg readers who use IE on a daily basis not to know about this stuff

            1. werdsmith Silver badge

              Re: Update FAIL (?)

              "some of us never use IE so how would we ever have to know about the command line options?"

              Well I didn't know exactly what the options were to be honest.

              But I know that all these major apps are built with command line options.

              So I looked them up and posted them on El Reg. Took all of 5 seconds to find them.

      3. Anonymous Coward

        Re: Update FAIL (?)

        we don't get a mess of different patches like the recent BASH vulnerabilities

        None of which required a reboot, or any distraction apart from a couple of clicks if security updates aren't on auto.

        *yawn*

        You need to find another line.

        1. Anonymous Coward

          Re: Update FAIL (?)

          "None of which required a reboot, or any distraction apart from a couple of clicks if security updates aren't on auto."

          If your systems were not already owned - as the BASH vulnerability was public for several days before a properly working patch was finally issued...

    3. arctic_haze

      Re: Update FAIL (?)

      No, it's success. This way you are much safer.

      1. tempemeaty
        Happy

        Re: Update FAIL (?)

        "No, it's success. This way you are much safer."

        HAHAHA! Thank you.

    4. Anonymous Coward

      Re: Update FAIL (?)

      What version of Windows and what version of IE? If you report a bug, at least report it in a useful way...

      1. Anonymous Coward

        Re: Update FAIL (?)

        @LDS: are you having a laugh? Do you really think that el Reg is a Bugzilla?

        Anyway, for the record: my windows are Georgian 6 pane and my IE version is IEEEEEEEEEEEEEEEEE .... Hope that helps you fix my bug.

        Actually, you sad shill my windows version is X.

        Love you

        Jon

        1. Anonymous Coward

          Re: Update FAIL (?)

          The guy below who posted enough info got a reply that should help him to solve his issue. Otherwise you can keep on crashing your browser and tell the world in useless comments how much you hate Windows and IE because for unknown reason it makes you feel good - yet you can't never know where help could come from...

          1. Anonymous Coward

            Re: Update FAIL (?)

            @LDS: "yet you can't never know where help could come from"

            Fair one: I was a little harsh in attacking someone I have never met in my life with some pretty unpleasant vitriol.

            Sorry

            Cheers

            Jon

            1. Destroy All Monsters Silver badge

              Re: Update FAIL (?)

              Fair one: I was a little harsh in attacking someone I have never met in my life with some pretty unpleasant vitriol.

              It happens to the best of us, especially when in thrall to Microsoft Rage.

        2. Fair Dinkum

          Re: Update FAIL (?)

          Anyone remember IX? I saw it once, on an 68030, bitmapped terminal that cost a fortune... Gawd I feel old.

    5. Anonymous Coward
      Holmes

      Re: Update FAIL (?)

      @Swiss Anton - "thankfully other browsers seem to be OK so I can still access El Reg"

      Proof - There IS a God in Heaven! What would you do without your daily Reg?

  2. Neoc
    Coat

    "Someone, come up with a catchy logo for this SSL hole"

    No logo but an acronym:

    Another SSL Security hole.

    Where's my coat?

    1. Anonymous Coward
      Paris Hilton

      Re: "Someone, come up with a catchy logo for this SSL hole"

      ASSLSHOLE?

      I'm a little confused...

  3. TheProf

    EMET

    IE crashes for me too. It appears to run OK in Safe Mode where one can disable all those lovely plug-ins etc. Doesn't help me. It still crashes on full fat Windows 7.

    EMET may be catching something but I don't know if it's bad or just bad code.

    ** EMET 5.0: EMET detected EAF+(GuardPage) mitigation and will close the application :IEXPLORE.EXE **

    1. Anonymous Coward

      Re: EMET

      It is a known issue, (http://support.microsoft.com/kb/3015976) upgrade to EMET 5.1 - you should have missed this http://www.theregister.co.uk/2014/11/11/emet_version_5_1_released/ (EMET 5.0 crashes Patch Tuesday party)

      (+1 for the correct identification of EMET as the cause... it should have been added to the patch list too)

      1. Cipher
        FAIL

        Re: EMET

        And people say Linux requires a lot of attention...

        1. Anonymous Coward

          Re: EMET

          "And people say Linux requires a lot of attention..."

          For good reason. Linux patches might require fewer reboots but you have an order of magnitude more of them to evaluate....and defacement statistics show that you are a lot more likely to be hacked running a Linux facing internet server than a Windows facing internet server!

          1. Alan_Peery

            Re: EMET

            Yes, more patches to evaluate -- because (most) application patches are distributed in the same mechanism as OS patches.

            This is a *good* thing.

            1. Maventi

              Re: EMET

              "This is a *good* thing."

              Agreed. I also get to spend a lot less time evaluating 'nix patches as they are worlds faster to install and don't tend to break things. Faster evaluation, less reboots, less downtime, less time, less money, lower TCO. What's not to like?

          2. Hans 1
            Facepalm

            Re: EMET

            >For good reason. Linux patches might require fewer reboots but you have an order of magnitude more of them to evaluate....and defacement statistics show that you are a lot more likely to be hacked running a Linux facing internet server than a Windows facing internet server!

            Ever heard of social engineering ? It is the main "tool" the crackers use to deface websites.

            As for Internet sites ... since most run Apache/nginx there is no need to panic when Windows server has an SSL vuln ... just saying.

            Ouch, I know, I am sorry, luv!

      2. Swiss Anton

        Re: EMET

        LDS, your post was a bit too late for me as I found out from another site that EMET 5.1 had to be applied before applying the IE11 update (sorry el reg - didn't spot your report on this).

        All is now fixed, and for better or worse, my IE works. But Microsoft, WTF was the EMET not on the list of today's updates? EMET is one of your products.

      3. TheProf

        Re: EMET

        Oh yes I missed the ElReg article. They should have put a more enticing headline and picture on it.

    2. TheProf
      Happy

      Re: EMET

      Thank you commentards. I updated EMET to 5.1 and IE now runs.

      So why wasn't EMET automatically updated? Oh yes, Microsoft blah blah blah!

  4. jason 7

    EMET 5.1 is now out.

    Thank you.

  5. Destroy All Monsters Silver badge
    Facepalm

    Adobe "security bulletin" ...

    NoScript enabled? Blank page! I guess that will fix you, consumer!

    "Now the final solution ... shall be applied!"

  6. techmind

    Secure Channel bug - does this affect XP ?

    Or XP sp3 ?

    Or is XP too old?

    1. Anonymous Coward

      Re: Secure Channel bug - does this affect XP ?

      It probably affects XP also, unless the SChannel implementation is enough different to be not vulnerable. But SChannel is an XP component also. IIRC it was introduced in Windows 2000.

      I'm afraid this could be XP tombstone...

    2. MJI Silver badge

      Re: Secure Channel bug - does this affect XP ?

      Just see if it is patched for Server 2003 or XP embedded.

      Microsoft thinks my legally purchased XP Pro SP3 is XP embedded.

      Yes the PC is a Triggers broom

    3. Anonymous Coward

      Re: Secure Channel bug - does this affect XP ?

      I envy those who can afford to upgrade their computers at the drop of a hat.

      I'm sadly stuck with XP for a long while yet...

  7. leeCh
    Joke

    Welcome back Windows!

    With all of these super nasty andROID, iOS, OSuX and *nix exploits out there I was starting to get disappointed that you weren't keeping up.

    And will whomever is dishing out the OSuX malware actually target the financial credentials of their users - 'cos let's face it, if you got that much money to burn, you ain't going to notice a bit missing ...

  8. Palpy
    Black Helicopters

    So many IE bugs... call it sSLImE?

    Guess I'll wait a week or so to run Splatch Tuesday updates on my standby OS. Is this the third MS update this biennium that's been buggy? Mostly I run vari-flavored Linuxes, so I don't notice the Splatches as much anymore.

    Seems to me the Reg reported a Microsoft President of Vice as "we are not facing an EVOLUTION of malware, but a REVOLUTION." Judging by the holes this summer, he's right. Holey OS, Batman!

  9. Anonymous Coward

    XML too

    Interesting that Microsoft's XML libs still have security bugs. Same deal in Linux; a few libxml2 security patches this year. Normally one would expect more robust libraries for a (lamentably) near-universal 15-year-old file format.

    But we always knew XML was shit.

    1. Anonymous Coward

      Re: XML too

      Or the problem lies in those writing XML parsers? XML is far better designed than JSON for example (JSON strings are an example of something designed by someone using just one language...), yet being much more powerful will require more complex parsers as well.

      1. Anonymous Coward

        Re: XML too

        JSON is used by a lot of mapping technologies. GeoJSON, TopoJSON are two uses of it.

        Much quicker compared to KML which is XML.

  10. MacroRodent

    Heartbleed V2.0

    The first one sounds a lot like the infamous OpenSSL bug (in effects, if not in details).

    1. Michael Wojcik Silver badge

      Re: Heartbleed V2.0

      The first one sounds a lot like the infamous OpenSSL bug (in effects, if not in details).

      If you're hard of hearing, I suppose. Heartbleed was a data-exposure bug - it allowed an active attacker to extract information from a victim process. The SChannel bug is a remote-code-execution vulnerability. Right in the article it says "allows a hacker to execute malicious code".

      Those are somewhat different effects.

  11. Wardy01

    Here we go again ...

    Linux:

    There's a major bug in x

    Community: omg good job we found that!

    Microsoft:

    There's a major bug in x.

    Community: Reason why Microsoft is so bad.

    Ok then ... Idiot!

    1. Disko

      Re: Here we go again ...

      One tends to expect more from a paid product created with a billion dollar budget...

    2. Anonymous Coward

      Re: Here we go again ...

      The chagrin isn't with Microsoft declaring there is a bug in X, that is something they do almost weekly, usually on Tuesdays. Where commentards take up issue is with the Anon stooges who were claiming X from MS would always be flawless because there are people paid to look at the code while the code is simultaneously closed source.

      This clearly shows that security through obscurity is no safeguard against critical exploits.

      Linux: There's a major bug in x

      Community: omg good job let's fix it in like an hour.

      Microsoft: There's a major bug in x. But don't worry, our products are flawless because ... paid devs + closed source.

      Community: Reason why Microsoft is so bad.

      Ok then ... Idiot!

      1. Wardy01

        Re: Here we go again ...

        It doesn't matter how good your developers are they aren't ever going to be as good as the whole world are they?

        and WTF? ... "But don't worry, our products are flawless because ... paid devs + closed source."

        Yeh Microsoft are terrible for not finding every single bug in every line of code on day 1 before it goes out the door ... show me a company that ever did that and I'll admit I'm an idiot.

        So you're basically saying Microsoft are crap because their code is closed source ... riiiight ... Idiot!

  12. Joe Montana

    No way to force?

    "In all cases, however, an attacker would have no way to force users to visit such websites."

    What about compromised sites?

    What about sites with flaws like cross site scripting that allow insertion of code or redirects to other sites etc?

    There's plenty of ways an attacker can get their exploit code to your browser...

    1. MJI Silver badge

      Re: No way to force?

      I was saved by my HOSTS last night, for various reasons I had the popup blocker disabled, (wife doing surveys - she makes a few hundred a year doing this), suddenly 4 FF windows and some yank wanker waffling away.

      Killed, added more domains to hosts, found it was an attempted incredibar install, why do AV companies not block this?

      My HOSTS is getting very large, I even used to have Facebook in it!

      1. Hans 1
        Windows

        Re: No way to force?

        >Killed, added more domains to hosts, found it was an attempted incredibar install, why do AV companies not block this?

        Because "incredibar" is an addon and not a virus, it ticks all boxes for trojan in my opinion, but AV companies think otherwise. It is, after all, the type of "addon" you can get with very legitimate Windows software - a source of income for many.

        >My HOSTS is getting very large, I even used to have Facebook in it!

        Why is facebook not in it anymore ? Ever considered, maybe, moving to Linux ? Seriously, you won't get any of this shit .... just my $0.02...

  13. Anonymous Coward

    remove and purge

    Please remove the browsers from the standard install of Windows, which are way too integrated (still) with the OS ...

    fps :- This has been the issue since windows**.

    Still don't get it!

    1. Anonymous Coward

      Re: remove and purge

      "Please remove the browsers from the standard install of Windows, which are way too integrated (still) with the OS ..."

      They haven't been included by default (or a GUI) since Server 2012.

    2. Wardy01

      Re: remove and purge

      Name 1 other OS that doesn't include a browser out of the box?

      That's just plain stupid these days, at the very least you need a browser to find a better browser unless you have an app store function built in to the OS.

  14. Easy

    EMET 5.0 rejects new IE 11 install & Updates, closes IE 11 forcefully (SLAM!)

    EMET says,"detected EAF+ (GuardPage) mitigation & will close IE.exe"

    Problem Event: BEX

    App. Version : 11.0.9600.17420

    Fault module : MSHTML.dll

    OS : 6.1.7601.2.1.0.768.3 (Win 7 SP1)

    Serves me right for impulsively deciding to abandon my perfectly stable IE 8 browser for the "faster, smoother, better security" of IE11. I'm not desperate or anything, just a bit miffed that I personally fed my machine garbage. Does anyone here know what this is about & possibly have some advice?

    I'm not going to bother ranting about Microsoft, except to say even if we are in a Hacker Revolution, it's still their damn job to meet it head on with dependable, bug-free updates.

  15. David Roberts

    Just checking

    EMET is software specifically designed to protect you from dodgy software running on your PC.

    It isn't installed as standard - you have to install it and configure it.

    It is blocking IE.

    Job done?

    Noted that it should be included in optional updates because of the dependency.

    Question - how many people have actually installed this?

    1. jason 7

      Re: Just checking

      Not many I guess. I often mention it to tech folks as an extra level of security and most go "never heard of it!"

      I'm surprised that MS isn't actually putting this into Windows 10 as standard. However, if they did as per usual it would be switched off by default.

      After all it would be bad press if old man Withers 2002 shareware email application stopped working because of it.

      Okay okay and all the hokey coded in house software that didn't conform to modern coding standards from 2003 onwards.

    2. Tom 13

      Re: how many people have actually installed this?

      Hard to say. Last shop I was in made it part of their baseline. Current one hasn't.

      My personal experience is that it borked legitimate programs more often than it stopped bad stuff from happening to your computer. As always YMMV.

      1. Roland6 Silver badge

        Re: how many people have actually installed this?

        >My personal experience is that it borked legitimate programs more often than it stopped bad stuff from happening to your computer.

        I think things got better with EMET 4.1, certainly the out-of-the-box recommended profiles seem to work without problems (until this patch Tuesday). Its only real problem is that because EMET has been downplayed, creating profiles for other applications is largely a DIY hit-and-miss affair. But then if you are mainly running mainstream/popular applications the out-of-the-box profiles are probably sufficient.

        But yes the bork reports and "you're on your own" approach to profile building were certainly a disincentive to download and install.

  16. eldakka

    Right, I'll wait until at least Friday next week (1 1/2 weeks after release) before patching to make sure it hasn't introduced critical issues like the last couple of patch Tuesdays...

  17. lansalot

    careful

    If you have KB2990214 installed, you'll also be offered Windows 10 Technical Preview - yes, as part of Windows Updates.... the cure to get rid of being, reinstall base OS from scratch.

    1. Roland6 Silver badge

      Re: careful

      According to MS forums this update applies to Windows 7 & 8.1 (I suspect if you have 8 you'll first be hit with the 8.1 update before you see this one).

      Thanks Iansalot for the warning!

      Edit: Done some more research, it seems currently you should only see this update if you've decided in the past to install the Win 10 tech preview...

  18. Michael Wojcik Silver badge

    Five major SSL implementations fallen this year

    So, in the space of a year or so, we've had public disclosure of major flaws in RSA BSAFE (defaulting to Dual_EC_DRBG and CVE-2014-0636), OpenSSL (Heartbleed), GnuTLS (certificate validation bug), Apple's SSL implementation (ephemeral key substitution and weak PRNG), and now Microsoft's SChannel.

    That's five major implementations - possibly the four biggest, plus GnuTLS, which is not widely used but is the darling of some FLOSS ideologues - in about a year.

    SSL is broken. No one can produce a secure version of it, whether FLOSS or proprietary (and damned expensive). It's overengineered and yoked to terrible ideas like X.509 PKI (and thus to ASN.1, a horrible mess all on its own), but perhaps the biggest failing is the requirement for interoperability, which makes the attack surface too damn big and the system too complex.

    And no, the LibreSSL hipsters are not going to fix this, regardless of how much they ironically employ Comic Sans (and unironically use KNF, which needs to be killed with fire).

    I remarked on this back in April. I speculated then that we'd be seeing an exploit against SChannel soon. Right on the money, but then it was hardly a daring prediction.

  19. rlange

    Consider the old maxim that 'absence of evidence is not evidence of absence': In the context of a vulnerability any statement that 'the flaw has not yet been exploited in the wild' should really be 'we haven't any evidence that the flaw has been exploited in the wild but it is possible that it has and is being exploited and we are not yet aware of this'.

  20. Wardy01

    Daft question but ...

    Isn't it time Microsoft binned IE?

    It's been falling apart since v1 and they don't seem to have done anything to make it trustworthy.
