It's nearly 2016, and Windows DNS servers can be pwned remotely

Microsoft is closing out the year with a fix for 71 security vulnerabilities in Windows Server, client-side Windows, Office, Internet Explorer, and Edge. Among the patches are two vulnerabilities that are already being exploited in the wild for elevation of privilege and remote code execution. The December Patch Tuesday load …

  1. Shadow Systems

    KB3112148

    Update for Windows 7 for x64-based Systems.

    KB3112148

    Download size: 680 KB

    You may need to restart your computer for this update to take effect.

    Update type: Recommended

    Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.

    More information:

    http://support.microsoft.com/kb/3112148

    Help and Support:

    http://support.microsoft.com

    This one hit my system but when I clicked the link for more information got the MS version of "Huh? Whachu talkinbout Willis?" result.

    I tried to search the MSKB site using their own search widget for the KBA & found nothing.

    I did a Google search for the KBA & got a whopping three results, none of which applied.

    I unchecked the box so it wouldn't apply, and will continue to search for what it does & why I should apply it.

    If anyone else finds it before I reply to my own post with the info, please be kind & reply with what you've found.

    Dear Microsoft, it's generally A Bad Thing when *you* can't even find your own damned KBA using *YOUR* vaunted search engine on your own site.

    If you think this inspires confidence in your customers, I strongly urge you to go bugger a Power Transformer. Thanks.

    1. Anonymous Coward

      Re: KB3112148

      It's there now:

      December 2015, cumulative time zone update for Windows operating systems

      I'm holding off until I know for sure that there is nothing awkward about it. The write-up says that you need to be aware of potential Outlook issues.

      1. david 12 Silver badge

        Re: KB3112148

        Time zone updates always cause problems for scheduling/meeting/appointments. Appointments are recorded using UTC, but happen at local time: If you keep the same local time, people in other times are either going to see a time change. Appointments already made will need to have UTC time corrected, etc.

        This problem always happens with time zone updates, and waiting just makes it worse (because you are more likely to have scheduled a meeting in the new time zone setting).

        Outlook is a scheduling/appointment/meeting application.

    2. JHSyd

      Re: KB3112148

      If KB3112148 is for 64-bit Win7 machines, why has it been delivered to my 32-bit PC?

      It's apparently beyond Microsoft's assembled wisdom to create a simple, two-layer (on top of its own Technet and other highly technical non-MS sources) explanatory system for Patch Tuesdays: one for a general audience that doesn't much care; and one for the far more technically inclined that supplies specific, detailed info about each upgrade.

      Why do we need this? Because it has become abundantly clear, over the years since MS was heavily caned for using the WU channel to push inappropriate software to consumers, that this murkiness actually suits MS fine. It's working right now to pester the bejesus out of the unfortunates who installed the Win10 nags.

      Other questions abound: why not include the relevant MSxxxx number with each use of the KBxxxx label, to improve our ability to research the KBs? Why do some KBs list as "critical" in the US, but only as "important" in Australia? And why, for pity's sake, is there any need to change the KBxxxx for the same update in different countries?

    3. Anonymous Coward

      Re: KB3112148

      "It's nearly 2016, and Windows DNS servers can be pwned remotely"

      Playing catch up with Linux then:

      https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0122

      https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5722

      etc.

      1. el_oscuro

        Re: KB3112148

        The first link is from 2008, and the second one involves a denial of service. While bad, it is not the same level as the Windows vulnerability which allows the attacker to completely pwn the entire machine, executing arbitrary code as LocalSystem.

  2. Anonymous Coward

    SMH... Edge was promised to be better, safer and without the baggage!

    same old shit, different day.

    Microsoft the company that refuses to allow users to remove the buggy web browser from the OS...

    I think Microsoft should move to North Korea...

    https://www.youtube.com/watch?v=EPfsr8BBdA8

    1. Mikel

      Re: SMH... Edge was promised to be better, safer and without the baggage!

      >I think Microsoft should move to North Korea...

      Isn't that a little harsh?

      .

      .

      What did Best Korea ever do to you?

      1. a_yank_lurker

        Re: SMH... Edge was promised to be better, safer and without the baggage!

        Someone must really hate the NORKS, nobody so evil they deserve the Slurp.

  3. TaabuTheCat

    Watch out for 3114409

    We installed this on a few test machines and it's supposed to allow administrators to add a reg key to disallow Safe Mode in Outlook. What it seems to be doing instead, at least on our test machines, is forcing Outlook into Safe Mode on startup. If you add the reg key (BTW, the KB article for this only shows the location for the 64-bit version of Outlook; if you're using 32-bit Office use the WOW64 branch instead) you can get Outlook to run again in "normal" mode. So it looks like another month with yet another flaky patch. Sigh.

  4. Howard Hanek
    Happy

    MS15-166637588490329a

    This update will correct the flaws found in MS15-166637588490329.........

  5. Mark 85

    Anything lurking there for us Win7 users who have no intent to upgrade/downgrade to Win10?

    I'm going through them a second time... Just jumpy I guess after the other times.

    1. Anonymous Coward

      Anything lurking there for us Win7 users who have no intent to upgrade/downgrade to Win10?

      KB3112343:

      "This update enables support for additional upgrade scenarios from Windows 7 to Windows 10, and provides a smoother experience when you have to retry an operating system upgrade because of certain failure conditions. This update also improves the ability of Microsoft to monitor the quality of the upgrade experience."

      1. Pascal Monett Silver badge

        "This update also improves the ability of Microsoft to monitor the quality of the upgrade experience"

        Right, one more to avoid then.

      2. Stoneshop
        Devil

        Re: Anything lurking there for us Win7 users who have no intent to upgrade/downgrade to Win10?

        and provides a smoother experience

        Ah, an extra dash of lube.

        1. GW7
          Windows

          Re: Anything lurking there for us Win7 users who have no intent to upgrade/downgrade to Win10?

          I'll be needing a bucket load then.

          I haven't trusted Microsoft to automatically update Windows 7 since they started forcing Windows 10 on world & dog. So they only get to "Check for updates but let me choose". When updates are available, I wait a couple of days while they are beta tested on world & dog. Then comes the tedium of reviewing the list of recommended and optional updates for Microsoft trojans. Yada yada yada.

          The latest batch have provoked a red hot CPU with wuauserv (Windows Update) the culprit. And that's without installing any of them. The only way I have found to stop this high CPU tantrum, while I wait a couple of days, is to disable updating completely.

          It feels like Microsoft's way of punishment for not fully submitting to their recommended violation.

          1. Mark 85

            Re: Anything lurking there for us Win7 users who have no intent to upgrade/downgrade to Win10?

            Exactly. That's why I asked. One can't be too careful. I'm glad someone picked up on KB3112343 as I hadn't got through them all yet. What a clusterfsck things have become.

            Sidenote, still sorting out my programs and Linux so I can break free of this tyranny.

            1. Captain Badmouth
              Holmes

              Re: Anything lurking there for us Win7 users who have no intent to upgrade/downgrade to Win10?

              KB3112343:

              The win 8.1 version of this POS is KB3112336 for those interested.

      3. arctic_haze

        Re: Anything lurking there for us Win7 users who have no intent to upgrade/downgrade to Win10?

        It was the first one I checked. But it was easy: it was the only non-security update. As I do not expect Microsoft to add anything useful to Windows 7, it must have been another ploy to push Windows 10.

    2. phuzz Silver badge
      Joke

      Why not just downgrade to XP? No chance of getting the Win10 upgrade then.

      In fact, you better just downgrade to win95 to be on the safe side.

      1. swm
        Happy

        I run XP without any virus checking or firewall and it runs great. Of course I have to be careful and it is behind a router. I surf the web through an X connection to my linux machine running an unprivileged account. This is not totally safe (I would like to run the connection to a virtual machine) but so far I haven't had any trouble.

        I have a laptop running windows 7 but it never sees the network and no updates are ever installed on it.

  6. Allan George Dyer

    Did Shantanu Narayen and Satya Nadella have a bet about the number of patches they could dump at once?

    1. TheVogon

      "Did Shantanu Narayen and Satya Nadella have a bet about the number of patches they could dump at once?"

      Still fewer than a single Java release though!

      1. Anonymous Coward

        Still fewer than a single Java release though!

        And what's your point?

        Nobody has to use Java.

        1. Anonymous Coward

          "Nobody has to use Java."

          Nobody has to use Windows for DNS either.

          1. CrazyOldCatMan Silver badge

            > Nobody has to use Windows for DNS either.

            Unless they are using active directory. Yes - you *can* use Samba4 as a DC with Bind9 as DNS but it seems to have some quite odd failure modes that essentially result in "dump your DNS and start again"..

            I'd love it if someone gave me the ability to have AD without having to run Windows server but Samba4 isn't there yet.

  7. John P

    Can we please quit with the 'it's nearly x and y is still being pwned by z' headlines, they're getting a bit tiresome now.

    1. VinceH

      But the fact that it's nearly x and y can still be pwned by z is itself getting a bit tiresome!

    2. Dan 55 Silver badge

      Not the avalanche of Windows, Office, and Flash patches themselves?

    3. Roo
      Windows

      "Can we please quit with the 'it's nearly x and y is still being pwned by z' headlines, they're getting a bit tiresome now."

      They may be tiresome but unfortunately it appears to be true... I noticed that one of the vulns mentioned says that priv escalation can happen via a corrupted font, which has been an ongoing problem since NT 4.0 and it's already been patched twice this year alone that I know of...

      The fact that a multi-billion dollar company is still struggling to fix a design flaw they introduced over 15 years ago is worth knowing if you care about your box being rooted (Aussie interpretation is legit too ere) simply by viewing a web page.

  8. Anonymous Coward

    Woah, people use Windows for DNS?

    1. Anonymous Coward

      Yes, especially if you use Active Directory (you can use other DNS but you need to do some plumbing yourself). If using a Windows DNS outside a LAN is a good idea is another matter...

      1. Anonymous South African Coward Bronze badge

        Yoh.. fun times for sure.

  9. Anonymous Coward

    Just for balance: OSX updates

    Apple came through with a bunch of OSX updates (well, one, but if you also have Xcode installed you'll end up with 2 extra ones, being Xcode and the command line tools) which cover quite a load of CVEs.

    Oh, and for a change, this one requires a reboot as well (if you're running off an SSD, count on an outage of about 20 minutes).

    Note to self: check why Flash hasn't been flagging that there is an update due. I never allow it to do so automatically, but as it tries to sneakily reset that setting every time it patches it may have slipped under the radar - if I didn't need it for some sites it would have been fully removed already.

    1. Anonymous Coward

      Re: Just for balance: OSX updates

      If I've read it right the Safari update is 11 individual CVEs to solve "Multiple memory corruption issues" and the OS X covers 39 issues

  10. Steve B

    Always said MS and IBM put computing back decades. Still seems to be a problem.

    In the 70s our English OS would not let code be changed on the fly as quite honestly there is no justification.

    The data could be changed but it was loaded into different program segments so there was no interaction on corrupt data. Various levels of kernel were afforded protection and user code running at higher levels could not interfere with the lower levels - the program just bombed out.

    Unfortunately the US had better marketing skills and flooded the world with substandard IT.
