December 13, 2011

Microsoft today issued software updates to patch at least 19 security holes in Windows, including three flaws that earned the company’s most serious “critical” rating. Separately, Oracle released a security update that fixes several issues in its Java software.

The most talked-about vulnerability fixed in December’s patch batch is a critical flaw in all supported versions of Windows that’s been exploited for at least the past two months (and probably much longer) by the Duqu Trojan, a sophisticated information-stealer that experts say was an espionage tool constructed to extract sensitive data from industrial control systems.

The other two critical updates fix bugs in ActiveX and Windows Media Player. The remaining patches address less severe but still dangerous security holes in Windows, Microsoft Office and Microsoft Publisher. A more detailed breakdown of this month’s updates is available here. Patches are available via Windows Update.

In other patch news, Oracle has released yet another update to its Java software. Oracle released updates to Java versions 6 and 7, but only the Java 6 Update 30 includes security fixes. It appears from a close examination of Oracle’s unbelievably labyrinthine security advisories that Update 30 addresses at least six separate security issues. Anyone who wants to read more about the specific details of the flaws fixed in this update without having to wade through countless advisories can do so by clicking this link. While none of the flaws look especially bad, if you are using Java it’s time to either update it or dump it (I continually urge readers to do the latter). Updates are available from the Java console (available through the Windows Control Panel).


30 thoughts on “Security Updates for Microsoft Windows, Java”

  1. Jay Wocky

    Well, I’m off to an auspicious start on the MS updates. Long ago, I set my updater control (XP) to “notify only.” The shield appeared in my tray this afternoon. I clicked on it to initiate the downloads and…the shield promptly disappeared without downloading anything.

    Not the first time this has happened, but it is still annoying. Yeah, everybody, I know: the updates can also be downloaded from the MS website. Just venting.

    Guess I’ll update Java for now, even though I only use it for the Secunia online scan (and disable it all other times).

    1. Neej

      The update mechanism that Windows XP uses is really slow and unreliable – this was fixed in Vista code, but XP was always slow, and it doesn’t seem to have anything to do with a user’s network speed or the resources MS dedicates to updating users.

      Just unfortunately badly implemented process by MS IMO.

    1. Jay Wocky

      I installed Java update 30 immediately after my initial post, via the Windows Control Panel. Still waiting for the MS shield to reappear (yeah, I know: I don’t have to wait for it).

  2. SecureTenor

    For what it’s worth, I’m having trouble installing the Windows updates on my wife’s XP machine. I am a security freak like most who frequent this blog, with a 100% score on Secunia, Chrome running inside Sandboxie, and constantly updated antivirus. Thus, I think we can rule out malware as a factor. After repeated attempts to update through Internet Explorer, I’ve given up temporarily. My Windows 7 machine updated with no trouble. Haven’t had trouble with Windows updates in a LONG time.

    1. SecureTenor

      Just an update…logged into Windows in safe mode…it would appear, after running several Windows fixits that my Windows update is up to date, but in need of repair and not even running. Bizarre how these things happen from seemingly nothing.

      Sent an email to Microsoft’s tech support, so we’ll see what they have to say. I’ll try to post an update once the problem is fixed in case it would help anyone else.

      Cheers!

      1. Jay Wocky

        My own update: The MS update shield reappeared this evening on my XP. This time, it successfully downloaded and installed this month’s “Patch Tuesday” items once I allowed it to do so.

        Why do I not enable automatic downloads and installations of Patch Tuesday stuff? Because a few years ago, a Patch Tuesday issue crippled hundreds of thousands of computers for a day or two until MS fixed its glitch. No such thing has happened since, but once was one too many times for me. Typically, I wait for several days after Patch Tuesday to download and install MS monthly fixes. Today, I lived dangerously, and did it the same day.

        Don’t know what got into me. Getting complacent and careless in my later years, I guess.

  3. Harry Johnston

    The release notes for Java 6u30 claim that there are no security updates included. None of the bugs you list look exploitable to me, so I think they’re right.

  4. Windows users will not heed advice, they're like battered wives who cling to their abusers

    That’s correct you slaves, update your Windows computers to address yet still more remote exploits which can take control of your computer. Do you comprehend how stupid it is to run a proprietary OS and years fly by before the huge list of backdoors…….. hahaha no they’re coined remote exploits when crackers find them…..Thumb me down but you’re the ones who wear the crown, suckered into another purchase of a tyrannical operating system which has never and will never resolve the excessive amount of remote exploits being patched all the time……
    If you’re stupid enough to trust a proprietary OS, where else in your lives are you being stupid? Ask yourself this and thumb me down.

    1. Neej

      That’s hackers, not crackers, numbnuts, and since you apparently don’t follow security news, there’s plenty of exploiting of operating systems that have completely open source code going on as well.

      1. grumpy

        While I deeply disagree with the OP, it IS “crackers”. We hackers object to being bundled with parasites. But one can’t expect the youth of today to understand, what with Hollywood and various other scaremongers abusing the term constantly…

        1. PW

          Agree. Hackers is the original term for those who hack to improve – Crackers is the term for malicious idiots but it just never caught on in the mainstream.
          Most true security folks know the difference.

          1. Rookie

            The original post bashing Windows users is just trolling drivel.

            I think the (endless) debate of hackers vs crackers terminology is reaching a conclusion.

            In English words sometimes change meaning over time, and the term “hacker” has done that. To the majority of the people in the US, it refers to someone doing bad things on computers, almost always in a negative light. Even in the IT security community, the old distinction between hackers and crackers has generally been replaced with white-hat (or ethical) hackers and black-hat hackers.

            It is indeed only a sub-culture that remembers the original terminology, as well as other differentiators such as phreakers, phrackers, etc.

            When it comes to defining the term hacker, the ship has already sailed whether we like it or not, so we may as well get used to it.

            1. JCitizen

              Yes, but we will continue to fight for the original meaning no matter what. That is what we do.

  5. Laav

    JRE 7u1 didn’t update either, had to go download and execute it manually.

  6. George

    “if you are using Java it’s time to either update it or dump it (I continually urge readers to do the latter). ”

    You should encourage users to dump it only if they don’t need it. There are users who actually need it. Same can be said for adobe reader, flash and windows. There’s always security issues popping up with them but you don’t hear people saying “dump adobe reader altogether” cos you probably need it for something or an other.

    Awareness to keep software up-to-date is the best advice imo.

    1. george

      This is not correct, George (with uppercase G); there are good alternatives to almost any software you listed. I’m very happy with Foxit Reader, for Adobe Flash there is Gnash, there are alternative, compatible Java VMs to the one issued by Oracle, not to mention countless cheaper and overall better alternatives to MS Windows. Yes, I know they have their weaknesses too, but we should show those complacent vendors that we care and would not hesitate to seek an alternative if they think their current market share entitles them to deliver “good enough” software.

      1. jay

        Thanks for the info about Gnash, had not heard of it.
        I have to use Java for my federal govt VPN and applying for FCC licenses, so I use a virtual PC window to do that.

        Two of my banks don’t recognize my Flash free PC, so I’m assuming they are using LSOs to help authenticate.

        I run process explorer while I’m doing my banking session to make sure no gremlins are lurking in the background.

        1. Jay Wocky

          Gnash is a new one on me, too. Will definitely research it.

          As for “I run process explorer while I’m doing my banking session to make sure no gremlins are lurking in the background,” that’s a cool idea. I am a long-time PE user, but I never before used it that way.

          1. Nick

            I hope you aren’t feeling too safe by using PE to detect “gremlins.” You’ll surely find many of them, but plenty are smart enough to hide themselves. If it’s a rootkit, nothing you do from within the OS will detect them.

            As a matter of fact, both of the recent banking “gremlins” I’ve heard of have been rootkits.

            1. jay

              Process explorer is just one tool, along with not using netbios over tcpip, file sharing or windows network client on the NIC in the virtual window.
              I only use that window for bank sites, so I’m pretty sure I’m rootkit free.

              I see where Gates and company have released a new bootable media security scanner, windows defender offline, which looks very similar in size and function to their system sweeper tool. I don’t know if I could scan a virtual window using something like that.

      2. qka

        I’m curious – are the alternatives to Java, Flash, etc. that much more secure, or are they operating on security thru obscurity?

        I don’t ask this to be snarky. I just want to know if these alternatives have been thoroughly tested and proven to be secure.

        Alternatives can have a funny way of going from outsider alternative to mainstream – think Firefox.

        1. Jay Wocky

          Years ago, I abandoned Adobe Reader for Foxit based on Brian’s opinions on this blog. I made a quick visit to Gnash yesterday. At this writing, I find no compelling reason to walk away from Flash. Thanks, again, to Brian’s posts, we are alerted to Flash updates in a timely manner. Thus, it “ain’t broke” yet. If, someday, Brian writes something like “Flash is a perennial risk beyond redemption, and I suggest you try X, Y or Z as an alternative,” I will likely do as he suggests.

          BTW: No disrespect intended toward lower-case george for introducing Gnash to this thread.

  7. José Mejía

    I prefer to be careful with Windows updates. Like viruses, a Windows update fixes something but causes damage in another.
    The updater is on notify only. I generate a restore point, check the Microsoft site in detail and select which updates to download and which not to.
    The interesting thing is that I have Windows Vista, yet I get 3 patches marked critical that are only applicable to Windows 7.
    I ask: download those patches for Windows 7 or not?

  8. Level-security

    Keeping system and browser software up-to-date is the biggest step to secure the computer. Thanks for the informative topic.

  9. Martin

    Brian appears to be completely wrong on the issue of security. The update to Java 7 seems to include security fixes while the update to Java 6 does not. I get this from the security baseline published by Oracle. Also, from a Shavlik blog.

  10. iamwired

    I did the updates on my home Windows 7 PC, and test PC’s here at work last night. All is well. I guess I will set the rest to update tonight.

  11. Nuuki

    Must admit I’m slightly confused regarding the security implications of Java 1.6 U30.

    Checking the release notes (http://www.oracle.com/technetwork/java/javase/6u30-relnotes-1394870.html), they’re still referencing U29 as the “security baseline”, and in the Bug Fixes section don’t list security issues.

    Compare this with the U29 notes (http://www.oracle.com/technetwork/java/javase/6u29-relnotes-507960.html) which clearly show the baseline brought up to that level, and clear (if brief) comments.

    Must admit I’d assumed U30 was akin to U25, which was performance and stability related only, not security.

    Am I being dense? Quite possibly. Still, Oracle don’t make it easy do they (though they’re doing a far better job than Sun did)…

    1. prairie_sailor

      Reviewing the release notes, I agree. The only thing affecting security is in Java 7 Update 2. The only security implications of that update are to add a feature which checks to see if you’re running a version of Java that is up to the latest security baseline. The update does not contain fixes for any exploits.
