Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Windows Microsoft Security IT

Microsoft Releases Out-of-Band Security Patch For Windows 178

mrspoonsi writes Microsoft has announced that they will be pushing an out-of-band security patch today. The patch, which affects nearly all of the company's major platforms, is rated 'critical' and it is recommended that you install the patch immediately. The patch is rated 'critical' because it allows for elevation of privileges and will require a restart. The platforms that are affected include: Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 8 and 8.1, Windows Server 2012 and Windows Server 2012 R2, Windows RT and Windows RT 8.1. Windows 10 Technical Preview customers are affected, too.
This discussion has been archived. No new comments can be posted.

Microsoft Releases Out-of-Band Security Patch For Windows

Comments Filter:
  • by MachineShedFred ( 621896 ) on Tuesday November 18, 2014 @10:23AM (#48410793) Journal

    I love nothing better than starting out my Tuesday with rebooting every Windows box...

    • Re: (Score:2, Funny)

      Comment removed based on user account deletion
      • by f3rret ( 1776822 )

        Scheduling an emergency patch and reboot with terminal servers among all employees is a huge PITA! "Awww, do we have too. I've got all this work to...*BEEP*." Sorry guys, finger slipped when it asked me to reboot or not. OTOH, server secure :)

        Scheduling an emergency patch and reboot with terminal servers among all employees is a huge PITA! "Awww, do we have too. I've got all this work to...*BEEP*." Sorry guys, finger slipped when it asked me to reboot or not. OTOH, server secure :)

        Import-module activedirectory
        $ComputerNames = Get-ADcomputer -searchbase (DN of you server/workstation OU here) -filter * | Select-object -expandproperty name

        ForEach($ComputerName in $ComputerNames)
        {
        Restart-computer -force $ComputerName
        }

        Have the nightshift guy run that from a machine that the workstations/servers will accept WMI calls from and then have him feel like a wizard as every computer under the OU magically reboots.

        • Importing modules? Multiple lines? Can't be run from a standard command prompt? Ugh.

          FOR /F "usebackq tokens=1 skip=3" %A IN (`net view /domain:domain`) DO IF [%A] NEQ [The] shutdown /r /t 0 /d p:2:18 /m %A

    • by Richard_at_work ( 517087 ) on Tuesday November 18, 2014 @10:50AM (#48411045)

      If you roll out your patches the moment they come in, you are a retard - what ever happened to testing them in a subset of your organisation before releasing them to the general population, or do you enjoy running around like a headless chicken when theres a compatibility conflict?

      • by Tiger4 ( 840741 ) on Tuesday November 18, 2014 @11:09AM (#48411215)

        Absolutely. We have a scheduled nightly patch push three times per week. New patches come into the test facility, they get run against our known baseline applications (commercial and homegrown) then get pushed after they pass QA. Nothing gets pushed straight from MS or anyone else. We can push out of cycle,but usually nothing is so critical it can't wait for 2-3 days of testing.

        • by mlts ( 1038732 )

          That applies to all operating systems. When it comes to production, three things apply: Has the patch been tested in an environment as close to what the field is like, can it be applied without much downtime, and is there a way to back it out without causing major headaches.

          This is one reason I like virtualization with clusters [1]. If a patch does make it past testing and fouls up a production VM, I'm a snapshot away from going back to a working machine. This isn't a magic bullet solution, but it does

          • by LordLimecat ( 1103839 ) on Tuesday November 18, 2014 @01:15PM (#48412251)

            VMWare's fault tolerance mechanism is limited to a VM with one vCPU, but the ability to restart a VM if the physical machine is dead is a good one. Same with Hyper-V

            This is not correct.

            VMWare' Fault Tolerance is indeed limited, but it has nothing to do with the ability to restart a VM on a dead host. FT prevents a machine from ever going down in the first place by keeping 2 identical VMs on 2 different hosts in sync, CPU state and all.

            High Availability is the feature you refer to regarding rebooting a downed VM, and it has no vCPU restrictions.

      • by mysidia ( 191772 )

        There has already been one major compatibility bug in the patch for MS14-066 released November 11, where you update your IIS server to fix the SSL remote code exec bug, and Chrome browsers stop working..

        Furthermore, there were several botched updates in October.

        Windows 7 blue screens with a patch in September

        I don't know what the deal is, but it looks like maybe Microsoft stopped testing security patches on August's patch tuesday, or something.

        • by afidel ( 530433 ) on Tuesday November 18, 2014 @11:23AM (#48411359)

          Chrome not properly handling some TLS1.2 cyphers is hardly an MS bug, though they do have a workaround for compatibility if you need it.

          • by mysidia ( 191772 )

            As I understand it they introduced changes independent of the security fix, and the non-fix-related feature additions caused the problem.

            They shouldn't have rolled new features in the same patch, BUT if they did, they should have included common software used by more than 10% of windows systems in their test cases and basic functionality such as HTTPS compatibility.

        • I don't know what the deal is, but it looks like maybe Microsoft stopped testing security patches on August's patch tuesday, or something.

          Having recently "downsized" their QA staff testing work has been outsourced to paying customers.

          When they say they will release a patch 10 AM PST this represents the time they will have managed to get it to compile.

      • by bill_mcgonigle ( 4333 ) * on Tuesday November 18, 2014 @11:13AM (#48411257) Homepage Journal

        If you roll out your patches the moment they come in, you are a retard ... do you enjoy running around like a headless chicken when theres a compatibility conflict?

        If only security were so binary - in the real world it's a constant process of risk/reward calculations.

        Is this the vulnerability the boards have been buzzing about that gives a remote code exploit by merely visiting a malicious TLS server? If so, having all your end-user machines pwned inside the firewall is not better than the risk of a compatibility conflict. One cripples an organization, the other, at worst, breaks one app.

        • Comment removed (Score:5, Insightful)

          by account_deleted ( 4530225 ) on Tuesday November 18, 2014 @11:31AM (#48411435)
          Comment removed based on user account deletion
          • in a nice posh fortune 500 org where such resources are available to HIM

            In many cases this can be true, but consider a case where there's a zero-day in the MS TLS implementation. The only possible thing that can be done here is to have a pre-existing TLS interception mechanism deployed (local CA root on workstations with on-the-fly cert regeneration on the proxy) and have that be on a non-MS platform.

            Even if that's a good idea, many F500 companies won't have that deployed, much less the F50000.

            There are s

            • Re: (Score:2, Funny)

              by fahrbot-bot ( 874524 )

              I still would not want to be the guy who followed policy and got his internal network completely infested.

              Ya, but you've already got Windows systems on your network ... :-)

          • then if it's a fail, you can lobby to switch to another platform.

      • OTOH, if one of your dufus users clicks on some crap and infests the network with the latest and greatest threat since ILY you get whacked as well, after all there WAS a patch out and why the hell didn't you install it?

      • by sexconker ( 1179573 ) on Tuesday November 18, 2014 @12:29PM (#48411875)

        Any worthwhile testing would take weeks to perform.
        Enjoy being exposed to known and active vulnerabilities while you're busy testing each patch individually against a dozen or more hardware configs across dozens of applications across hundreds of workloads and 99.99% of the time you'll find no problems that justify holding the patch back. And you'll STILL have Jerry from Accounting call you up after you deploy it because it broke the medieval torture device he calls an "ergonomic" keyboard.
        You (or some peon) will then be dispatched to his desk to investigate Brenda's ticket of "Jerry's computer frozen please advise.", and you'll be forced to awkwardly use that shitty keyboard while you troubleshoot (you didn't bring your own because you forgot he fucking had the damned thing).

        Here's the testing you need to do in the real world:
        Install all the patches on your machine.
        Reboot.
        Launch IE, FF, Chrome, Outlook, Word, and Excel.
        Launch any applications mentioned in the bulletin.
        If nothing crashed, deploy the patch to everyone.
        If something crashed, search "Patch Tuesday Breaks " and look for recent shit.

      • Well, for one thing, it was meant to be kind of funny.

        Second: I really only have to look after a handful of Windows servers, because we do 90% of everything on Linux.

        Third: it's all VMs, and we have snapshots. If something breaks, we disable the patch and roll back. Oh, that was hard.

      • I love running around like a headless chicken. It's my best joke at work and lightens up the dull meetings.

        On that note, let's have a quiet remembrance in honor of Mike the Headless Chicken [wikipedia.org].

    • by MacTO ( 1161105 ) on Tuesday November 18, 2014 @11:59AM (#48411651)

      Even if you did have something better to do, would you rather be testing and deploying security updates or cleaning up a security breach?

      It is easy to be unhappy about security updates because of the implied security bug, a bug that shouldn't have been in there in the first place. Yet we also have to remember that people are investing a lot of time into discovering and exploiting design/implementation flaws because we invest so much into computers and networks. It doesn't matter whether the mistake shouldn't have passed the muster of code review or it it's so obscure that it would take security experts years to understand its implications, someone is going to find it. It is, unfortunately, something that we've been seeing a lot of lately and it is something that won't disappear in the future.

      (We also shouldn't be targetting Microsoft because most platforms have seen critical security updates and even critical security breaches lately. It doesn't matter how proficient the developers are, nor does it matter who they work for. What matters is the value of the systems and data being compromised.)

      • by MachineShedFred ( 621896 ) on Tuesday November 18, 2014 @12:30PM (#48411885) Journal

        I'm more annoyed by the architecture of Windows that requires reboots for a ridiculous amount of updates. Why haven't they figured out how to stop a service, update it, and then start it again? Why does everything require a reboot?

        I understand kernel-level updates will require a reboot, and do on every OS out there. But there are far more reboots in patching Windows than any other platform.

        • To be fair, most updates of OS X have required a reboot as well. I'm in the process of installing 10.10.1 right now, and will have to reboot momentarily. There are probably more patches for Windows, but on its own, I'm not sure whether that statistic is objectively bad.

        • A lot of this is historical. IE is baked into the shell, so the shell files can't be updated while a user is logged in. These ties have been broken lately, but not completely. It's not the architecture of Windows, but rather the need to keep up appearances despite most people knowing better. And the architecture of the web browser of course.

          Windows itself relies on having a lot of shared libraries, known as ".dll files". They can't possibly be patched if they are in use.

          Oh wait. Forgive me for not kno

          • the general expectation is that a service will be running when it needs to be running.

            And this expectation can be filled with something like Apple's launchd (open source [apple.com]) which has the ability to spawn or respawn jobs on demand; or monitor them and reload them if they die, throttled in case of crash.

            So, patch the files, then kill the process. launchd then respawns it. Downtime? Less than a second. No reboot needed. The user can be notified by a box saying "The patch has been installed successfully" with a big green check mark.

          • On real operating systems, you can patch files while they're in use. If that doesn't work in Windows, that's a Windows problem, and an architecture issue.

    • You can reboot the server during work hours?

    • Comment removed based on user account deletion
  • XP as well? (Score:4, Insightful)

    by mrspoonsi ( 2955715 ) on Tuesday November 18, 2014 @10:25AM (#48410807)
    I guess so, as Server 2003 is from a similar era.
    • by smooth wombat ( 796938 ) on Tuesday November 18, 2014 @10:28AM (#48410847) Journal

      Since it's not listed this would mean XP is safer than W7 or W8.

      Hazzah!

      • Re: (Score:3, Interesting)

        by rescendent ( 870007 )

        Except reading the patch note, while Windows Vista, Windows 7, Windows 8 and Windows 8.1, Windows RT and Windows RT 8.1 are listed its to say they are not affected.

        So its a patch for the server products.

        • Re: (Score:3, Informative)

          by Anonymous Coward
          You are partially (mostly) correct. There is a patch for the client side too, however it is not rated with any security rating because although the bad code exists on client as well there is currently no known way to activate that code as it is only exposed in server scenarios. They will patch it just for good code maintenance - but no known vulnerability on client. As far as the GP asking about XP - XP is out of support and doesn't get patches.
          • As far as the GP asking about XP - XP is out of support and doesn't get patches.

            But Windows Embedded POSReady 2009 does. ;) I wonder if they have been keeping up with security patches, particularly the OLE one.

      • No, it just means that MS isn't issuing a patch for XP. At least not exactly. They have released a patch today "for WEPOS and POSReady 2009", which is the branding given to the point-of-sale variant of Windows XP, which Microsoft still offers support for. There's a registry hack that makes Windows XP identifiy itself as Windows POS [insert joke here] when contacting the MS Update servers, and machines running that variant will get the patch.

        Or so I'm told. ;)

  • So... (Score:3, Interesting)

    by jellomizer ( 103300 ) on Tuesday November 18, 2014 @10:25AM (#48410815)

    With Apple continuing to make a more closed ecosystem. And Google sharing all your data in the world, with little interesting movement in Linux. Now Microsoft trying to be more open.
    Should we be a bit more welcoming to Microsoft?

    • With Apple continuing to make a more closed ecosystem [...] Should we be a bit more welcoming to Microsoft?

      The "$99 per year recurring fee to run software you wrote on a machine you own" policy that Apple implemented in iOS was strikingly similar to the "$99 per year recurring fee to run software you wrote on a machine you own" policy that Microsoft had already implemented on Xbox 360.

      Now Microsoft trying to be more open.

      Case in point: Unlike Apple with the iPad, Microsoft has allowed for a free-of-charge developer license on Windows RT [microsoft.com], where you pay only once it's time to upload your app to Windows Store.

      • by tlhIngan ( 30335 )

        The "$99 per year recurring fee to run software you wrote on a machine you own" policy that Apple implemented in iOS was strikingly similar to the "$99 per year recurring fee to run software you wrote on a machine you own" policy that Microsoft had already implemented on Xbox 360.

        Only for iOS. OS X still has free Xcode development tools available. They used to ship with the OS, but now it's in the Mac App Store as a separate download. And this started before Microsoft created the Express edition of Visual S

    • Re:So... (Score:5, Insightful)

      by McGruber ( 1417641 ) on Tuesday November 18, 2014 @12:38PM (#48411927)

      Now Microsoft trying to be more open. Should we be a bit more welcoming to Microsoft?

      Embrace, Extend, Extinguish.

      What you view as "trying to be more open" strikes me as being "Embrace".

      • EEE is a cautionary tale, not a knee-jerk reaction.

        Is openness somehow bad? Is having source code for more and more products somehow bad?

        I am going to classify your comment as "I don't know what they are doing, therefore I am confused, therefore they confused me and are trying something sneaky". In other words you are an idiot.

        Embrace is good, and we support that. Extend is when we start to throw red flags. Extinguish is what users should do at the Extend phase.

        Put another way, if they never get to Exte

        • by Trogre ( 513942 )

          Openness is not bad.
          Microsoft's track record is bad.

          Having source code for more and more products is not bad.
          Microsoft's track record is bad.

          Embrace is good.
          Microsoft's track record is bad.

          Someone who questions Microsoft's motives is not an idiot.
          Microsoft's track record is bad.

    • Re:So... (Score:4, Insightful)

      by Rob Y. ( 110975 ) on Tuesday November 18, 2014 @01:20PM (#48412295)

      For the bazillionth time, Google is not "sharing all your data in the world". They are using your data in some very specific ways - and giving you free services in exchange. Those uses are relatively benign, as free internet services go, and they do not include sharing with any third parties.

      • Re:So... (Score:5, Insightful)

        by Alrescha ( 50745 ) on Tuesday November 18, 2014 @02:21PM (#48412759)

        "For the bazillionth time, Google is not "sharing all your data in the world".

        Technically, I think you are correct. What they are doing is collecting every possible bit of information about you in order to better sell you to advertisers.

        Somehow, that doesn't make folks feel any better.

        A.

        • "For the bazillionth time, Google is not "sharing all your data in the world".

          Technically, I think you are correct.

          Yes, technically correct.

          When my ISP decided to drop their own email services and start funneling all their customer's email through Gmail, it wasn't technically "all my data" that they handed over to Google to index and root around through, it was just the last four years of deleted email they got to play with. Yes, email I deleted four years ago showed up on Gmail. So, technically, because I have some other email accounts that don't go through that ISP, I mean didn't go through them, Google doesn't have

          • by Rob Y. ( 110975 )

            You're missing my point. It's not "to share" at all. Yes, they have your data. And if you hate that they use that to send you targeted ads, well, then don't use gmail - or google search - or the rest. But don't go claiming that they're sharing the info they have - they're not. Microsoft wants you to think they are - so they can get you to switch to MS services - where they will collect exactly the same data and do the same things with it.

            • You're missing my point. It's not "to share" at all. Yes, they have your data. And if you hate that they use that to send you targeted ads, well, then don't use gmail - or google search - or the rest.

              My only option in the matter would have been to leave an ISP I've been using for more than a decade. And I didn't expect them to HAVE four years of deleted email on hand to give to Google, so I didn't know Google was going to get it all until WAY too late.

              But don't go claiming that they're sharing the info they have - they're not.

              Citation required.

  • "Out of band?" (Score:4, Informative)

    by pigiron ( 104729 ) on Tuesday November 18, 2014 @10:26AM (#48410821) Homepage

    I hate it when tech companies and CS in particular misuse technical terms. "Unscheduled" is the word they really meant (and should have used.)

    • Seconded.

      If I want to see people misuse computer terminology, there are plenty of TV shows full of it. (I'm not sure if I'm right in thinking that 24 started it.)

    • by caseih ( 160668 )

      Yes I agree. I was wondering if Microsoft was going to be shipping the patch to customers on tapes, or what.

    • Agreed. I read the headline and thought, "They're not offering it through Windows Update? How are people supposed to get it, or even know it exists?"

      • This. Hand the man an insightful, because that's basically the problem.

        I, too, was sitting here, knowing that MS is going to do something "out of schedule" and reading an update coming "out of band". For a moment I was worried that I might have missed something critical, then I said to myself "Wait. You read it on /., better check whether it's so or whether someone just wanted to use jargon to sound cool without knowing what the fuck they write about".

    • They probably meant "out of cycle".
  • by ifdef ( 450739 ) on Tuesday November 18, 2014 @10:26AM (#48410827)

    For Windows 8 and Windows 8.1, the Windows Update web site says "Severity ratings do not apply for this operating system because the vulnerability addressed in this bulletin is not present. This update provides additional defense-in-depth hardening that does not fix any known vulnerability." For all the other systems, the update is rated Critical.

    Am I looking at the wrong thing?

    • by jnik ( 1733 )
      Same deal for 7.
    • by TheCarp ( 96830 )

      Well slightly confusing as it sounds like it IS for windows 8 and 8.1, but, its not critical on those platforms since the actual vulnerability is not present, but it still does make some changes.

      This sounds to me like "an unrelated change we made in 8 made this, we think, unexploitable, but we are patching the error anyway, just in case". Not sure that is exactly correct, but that is how I interpret that.

  • by Chrisq ( 894406 ) on Tuesday November 18, 2014 @10:29AM (#48410855)
    In my book this means it will be sent by another channel compared to normal updates [wikipedia.org] I can't see how this applies!
  • by Snake98 ( 911863 ) on Tuesday November 18, 2014 @10:38AM (#48410931)
    Does not Affect Vista, Windows 7, Windows 8, 8.1. RTF when doing a summary. Affected Software Windows Operating System and Components
    Windows Server 2003
    Bulletin Identifier
    MS14-068
    Aggregate Severity Rating
    Critical
    Windows Server 2003 Service Pack 2 (Critical)
    Windows Server 2003 x64 Edition Service Pack 2 (Critical)
    Windows Server 2003 with SP2 for Itanium-based Systems (Critical)
    Windows Vista
    Bulletin Identifier
    MS14-068
    Aggregate Severity Rating
    None
    Windows Vista Service Pack 2 (No severity rating)[1]
    Windows Vista x64 Edition Service Pack 2
    (No severity rating)[1]
    Windows Server 2008
    Bulletin Identifier
    MS14-068
    Aggregate Severity Rating
    Critical
    Windows Server 2008 for 32-bit Systems Service Pack 2 (Critical)
    Windows Server 2008 for x64-based Systems Service Pack 2 (Critical)
    Windows Server 2008 for Itanium-based Systems Service Pack 2 (Critical)
    Windows 7 Bulletin Identifier MS14-068
    Aggregate Severity Rating
    None
    Windows 7 for 32-bit Systems Service Pack 1 (No severity rating)[1]
    Windows 7 for x64-based Systems Service Pack 1 (No severity rating)[1]
    Windows Server 2008 R2 Bulletin Identifier MS14-068
    Aggregate Severity Rating
    Critical
    Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Critical)
    Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (Critical)
    Windows 8 and Windows 8.1
    Bulletin Identifier
    MS14-068
    Aggregate Severity Rating
    None
    Windows 8 for 32-bit Systems
    (No severity rating)[1]
    Windows 8 for x64-based Systems (No severity rating)[1]
    Windows 8.1 for 32-bit Systems
    (No severity rating)[1]
    Windows 8.1 for x64-based Systems (No severity rating)[1]
    Windows Server 2012 and Windows Server 2012 R2
    Bulletin Identifier
    MS14-068
    Aggregate Severity Rating Critical
    Windows Server 2012 (Critical)
    Windows Server 2012 R2 (Critical)
    Windows RT and Windows RT 8.1
    Bulletin Identifier
    MS14-068
    Aggregate Severity Rating
    None
    Windows RT
    Not applicable
    Windows RT 8.1
    Not applicable
    Server Core installation option
    Bulletin Identifier
    MS14-068
    Aggregate Severity Rating
    Critical
    Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (Critical)
    Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (Critical)
    Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (Critical)
    Windows Server 2012 (Server Core installation) (Critical)
    Windows Server 2012 R2 (Server Core installation) (Critical)
    Notes for MS14-068
    Windows Technical Preview and Windows Server Technical Preview are affected. Customers running these operating systems are encouraged to apply the update, which will be available via Windows Update.
    [1]Severity ratings do not apply for this operating system because the vulnerability addressed in this bulletin is not present. This update provides additional defense-in-depth hardening that does not fix any known vulnerability.
    • Why does MS explain the risk in a footnote instead of the chart of affected software? Why not just say "Unaffected" or some similar term in the chart itself.

    • I don't know what you're looking at, but it's the wrong patch.  The patch in question is MS14-068, and it affects every system listed in summary.

      https://technet.microsoft.com/library/security/MS14-068
      • From TFA (that you linked!):

        What systems are primarily at risk from the vulnerability? Domain controllers that are configured to act as a Kerberos Key Distribution Center (KDC) are primarily at risk.

        This isn't meant to dispute what you are saying (it does effect them all), but the article makes it clear that if the DCs are patched, you've mitigated the primary issue. Which seems strongly related to the comments to which you are replying.

      • No, the security bulletin is very clear that the vulnerability doesn't affect client versions of Windows. The patch has been made available anyway only as a defense in depth precaution.

        If you look at the "Affected Software" table, you will note that the "Maximum Security Impact" is "None" for client versions.

        (OK, I guess it depends on what you mean by "affect". But the upshot is that you only need to patch servers - more specifically DCs - now, everything else can wait and be done with next month's update

  • Windows Server 2003 Service Pack 2 (Critical)

    Since XP and 2003 usually go together. I didn't find a technical discussion link on the advisory but if this is the buffer overflow in the TLS library that has been making the rounds recently, this could be the one that finally kills the XP machines on the 'net.

    Unless Microsoft backpedals again and enables the XP holdouts for a while longer.
     

    • by afidel ( 530433 )

      No, the TLS flaw was MS14-066 and it affects XP as well but there is no generally available fix for it since XP is out of extended support. If you care at all about security you're no longer using XP so the fact that there is another critical flaw isn't going to significantly change the situation.

    • by ihtoit ( 3393327 )

      only those that host Kerberos as part of the consolidated domain services.

  • Thank goodness I'm still running XP!

  • Its interesting that a patch on privelege seperation escalation, while be ranked serious, would have so little effect on most users because most computer illiterate users do not know how to use them, the OS contains what is a major problem in that it does not encourage these users to use the feature.

    Most of your common windows users do not use any kind of privilege seperation, they go right in as a superuser account, because, they don't even know what any of this stuff is. Windows ironically seems designed

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (10) Sorry, but that's too useful.

Working...