
5 Journeyman • 15.6K Posts • 45K Points


November 4th, 2011 06:00

Work-around: win32k.sys TrueType Font Parsing Vulnerability

From http://secunia.com/advisories/46724/ :

Description

A[n extremely critical 0-day] vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error within the Win32k kernel-mode driver (win32k.sys) when parsing TrueType fonts.

Successful exploitation allows execution of arbitrary code.

=========================================

From http://technet.microsoft.com/en-us/security/advisory/2639658 :

The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights....

This vulnerability is related to the Duqu malware. 

=========================================

Microsoft has released a "work-around" (temporary patch) to address this issue.

Microsoft Fix it 50792:   DENIES access to the file T2Embed.dll

Caveat:   Applications that rely on embedded font technology will fail to display properly.  [This is a common practice in Microsoft Office documents, browsers and document viewers.]

(When a "real" fix is eventually released, this temporary workaround should be UNdone via Microsoft Fix it 50793.)

These fix-its can be downloaded from http://support.microsoft.com/kb/2639658

=========================

Related article from Sophos:  http://nakedsecurity.sophos.com/2011/11/04/microsoft-announces-workaround-for-the-duqu-exploit/?utm_source=facebook&utm_medium=status+message&utm_campaign=naked+security

5 Journeyman • 15.6K Posts • 45K Points

November 5th, 2011 05:00

Windows updates (both Automatic and "regular") are now RE-offering me Security Bulletins MS10-001 and MS10-076 (both of which seem to already be installed on this system).   Both of these were [older] fixes for a Vulnerability in the Embedded OpenType Font Engine.   My ASSUMPTION is that Microsoft is trying to be sure users have these older updates already installed, before they try to push out a fix for the newest problem (a fix whose success could depend on these prior installations).

EDIT #1:   After RE-download/installing these two, Windows Updates still insisted that I needed to download/install these two!   Even after I rebooted and checked again.   Since there's no question that I now have these installed, I have unchecked them ("Don't show this update again").

I know that Joe and Ron have experienced the same problem (repeated messages for already-installed updates), in particular on XP systems.

EDIT #2: Well, upon "hiding" those two updates, Windows then decided to tell me I needed an even older update MS09-029 (also for an OpenType Font Engine vulnerability).   I hid that one as well... and hopefully that will quiet things down.

2 Intern • 5.8K Posts • 17.3K Points

November 5th, 2011 09:00

Windows updates (both Automatic and "regular") are now RE-offering me Security Bulletins MS10-001 and MS10-076 (both of which seem to already be installed on this system).  

I'm not being offered these by MSU/WU for XP or for Win 7. I haven't tried the Fixit, however.

I know that Joe and Ron have experienced the same problem (repeated messages for already-installed updates), in particular on XP systems.

You got that right!

For me it was those blasted .Net Framework security updates last month for XP. MSU kept insisting I needed them, even though its own update history said they were successfully installed. Belarc Advisor said I needed them, but Add/Remove Programs said they were there.

No amount of "hiding" these updates, nor uninstalling/re-installing them,  not even a System Restore or ERUNT to a date prior to the patch updates helped. New and different "old" updates would get offered.

I finally called Microsoft's North American toll-free number to trouble-shoot security updates: 1-866-PCSAFETY, and for once I lucked out. The technician had me turn over my PC to her remote control, and spent the better part of an hour fiddling in my files. Finally sorted everything out, as far as I could tell.

But that was for .Net Framework updates, notorious from what I have read for such hijinks. From what you seem to say, it was a single "Fixit" that initiated it for you.

For my part, I have vowed to:
1) Download no patches or fixits for several days, til I am sure the bugs have been fixed
2) Download/install each and every update or fixit one at a time, and reboot after every one, whether prompted or not. Even if it takes a month. If Microsoft can afford to wait a month between publishing these "critical" patches, I can afford to take the time to make sure each is successfully installed before proceeding to the next one.
3) Run Qfecheck.exe to confirm successful installation after every hotfix:
http://support.microsoft.com/kb/282784
4) Be a little more diligent to make a full system image to an external hard drive prior to any patch session, to enable a quick return to the status quo ante.

I hate to say it, but I think my days of trusting security patches from MS (at least for XP) are nearly over, when MS tools send such conflicting messages as to whether or not one is protected.

5 Journeyman • 15.6K Posts • 45K Points

November 5th, 2011 10:00

Joe,

It's indeed unfortunate that Microsoft's various analysis tools [including WU itself] can't definitively determine whether or not a patch/fix has already been installed.

So what are users supposed to do?   On the one hand, Secunia classifies this particular exploit as "An extremely critical 0-day vulnerability", while Microsoft asserts "we see low customer impact at this time".   Which is it???

Did my implementation of the fix-it "confuse" Windows Updates into believing I now needed to reinstall those two (or three) older patches?   Perhaps... or could it just be a coincidence???

And did re-installing those updates UNDO the new fix-it?   Who knows??!!!

With all of the defenses I have installed/running (including EMET, which allegedly helps prevent even some yet-unknown 0-day exploits)... and if I stick to safe surfing... did I (personally) really need to apply the fix-it?   (Probably not)   Or was doing so paranoia on my part??  (In all likelihood)

2 Intern • 5.8K Posts • 17.3K Points

November 6th, 2011 01:00

Excellent questions, ky, which I can't answer.

But I've seen this particular problem arise twice now in recent months on this 6-year-old XP system, and expect I haven't seen the end of it.  I have installed some ~300 "(KBxxxxx)" patches & hotfixes of various Microsoft components over this time, so perhaps it's not surprising I'm starting to see glitches like this.

How long can one expect a 10-year-old operating system to keep successfully patching updates, and updating patches, before the laws of entropy (and a possible decline in Microsoft's commitment to fully support XP) render it insecure and inadvisable to use?

To be fair to XP, it has never failed me nor been compromised. I still use it as much as Windows 7. And over the years I have been very often extremely tardy in keeping it updated with security patches, with no adverse consequences. This is considered heresy in certain circles, and I don't advocate it. But FWIW, that is my experience. Perhaps safe surfing and other layers of security are more important than these Windows patches.

Addendum:

I should add that all internet surfing I do these days in XP is using a sandboxed browser.

4 Apprentice • 20.5K Posts

November 6th, 2011 12:00

How long can one expect a 10-year-old operating system to keep successfully patching updates, and updating patches, before the laws of entropy (and a possible decline in Microsoft's commitment to fully support XP) render it insecure and inadvisable to use?

I think that sums it up, Joe.

5 Journeyman • 15.6K Posts • 45K Points

November 6th, 2011 14:00

First off, as a reminder to the multitudes who still have and use it, Windows XP Extended Support will be available for about another 2 1/2 years, until 04/08/2014.   That's the official word from Microsoft.   Updates/patches should be available until then.

What's different about "extended" support, vs. "mainstream" support [which ended 04/14/2009]?   During extended support, Microsoft will continue to supply security updates for XP, but it will no longer offer NON-security hotfixes.

Granted, this means some "low-level" problems will remain, due to the complexity of fixing them [without having to re-engineer everything from scratch].   For example, per Secunia Advisory SA24314, IE 8 has been subject to a "Charset Inheritance Cross-Site Scripting Vulnerability" for several years now!!   Secunia rates this vulnerability "less critical".   The presumption is that, at this late date, Microsoft has no plans to fix this any more.

As Joe knows, I kept my Windows Millennium system around long past its end-of-support date.   And I never had a problem with it.   Joe jokingly conjectured that I had achieved "security via obsolescence" --- by virtue of the fact that people weren't bothering to write ME malware any more.

And as Joe seriously said, "Perhaps safe surfing and other layers of security are more important...".   Indeed, there are some [radical] people who claim to survive even without an antivirus, by virtue of self-imposed strict safe surfing [NOT that I would advocate anyone try this!].   Joe and I often concede that our advocacy of certain programs is based on their reputation, as to the best of my knowledge, neither of us has first-hand experience in being attacked by a virus.   Much of that is due to safe-surfing on our parts.   I DON'T WANT MY SYSTEM TO GET INFECTED.   And the simplest first step in that direction is to avoid risky behavior --- to practice safe surfing.

Of course, I am not defenseless either.   As noted in my signature (and in several posts in this forum), I believe I currently have 5 layers of protection that (together) attempt to keep out malware:  1) MVPS HOSTS file.  2) OpenDNS's Family Shield.  3) WOT, set to BLOCK (rather than merely warn).  4) Avast Anti-virus [with its multiple resident shields] and 5) MBAM Pro (resident) AntiMalware.   And as if that isn't "99.44% pure", I have recently started testing Sandboxie at sites that might be riskier, such as Facebook.   In order for malware to attack my system, it has to be something that can work its way through all five of these layers --- my belief is that any one of these 5 should successfully stop any malware known to its database.   [So yes, if something is brand new, unknown to them all, it can indeed get through.]   I also have EMET installed, which allegedly helps block some even unknown 0-day attacks.   Finally, I DO make it a point to keep my third-party major attack vectors (Adobe Flash & Reader) always up-to-date.   [I do not run Java, and have (for the time being) uninstalled QuickTime and RealPlayer.]

5 Journeyman • 15.6K Posts • 45K Points

November 7th, 2011 06:00

To answer one of the questions raised earlier in this thread, it appears there is indeed a direct cause/effect correlation between applying Microsoft Fix-it 50792 and Windows Update then finding a need to reinstall Security Bulletins MS10-001 and MS10-076.

This just happened on a second/separate XP-SP3 system.

When I UNdid the Fixit, the old Security Bulletins were no longer found... and when I re-applied the Fixit, they again were deemed necessary.

5 Journeyman • 15.6K Posts • 45K Points

November 8th, 2011 06:00

At this point, I do feel it's necessary to put this in perspective (to be fair to Microsoft):

The "fix-it" mentioned in this thread is not intended to be a "long-term" solution to the problem it addresses --- indeed, it is merely a "temporary work-around".   It does its job (temporarily protecting you from an exploit) by "breaking" some already-installed mechanisms, preventing them from doing their tasks.   So when Windows Updates scans your system to see what's been installed, it discovers that a previously-installed solution has been "broken"... and on that basis, [reasonably] concludes that your system needs to (re-)download that solution.   

However, the "ancient" download "solves" only what it was intended for... but it can't handle the "monkey-wrench" that the "fix-it" tossed-in to "break" the system.  Hence, seeing that the system is still "broken", WU will advise you that you need to re-download the "solution" again... and again... and again.

When Microsoft ultimately addresses this issue with a "long term" solution, THAT should properly interact with the Windows Update mechanism, and (hopefully) older updates will no longer be found and deemed necessary.   As an important reminder, when the long term solution is released, be sure to UNDO the "fix-it" BEFORE applying the long-term solution.   When I learn of its release/existence, I'll be sure to post that information in this thread.

5 Journeyman • 15.6K Posts • 45K Points

November 9th, 2011 04:00

Microsoft has officially addressed the issue of the update re-offering:

"After applying this workaround, users of Windows XP and Windows Server 2003 may be reoffered the KB982132 and KB972270 security updates. These reoffered updates will fail to install. The reoffering is a detection logic issue and users who have successfully applied both the KB982132 and KB972270 security updates previously can ignore the reoffer."

From http://technet.microsoft.com/en-us/security/advisory/2639658 , version 1.3, Suggested Actions / Workarounds / Impact of Workaround.
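The thread describes the Fix it as denying access to T2Embed.dll, and the advisory text quoted above names the two updates (KB982132 and KB972270, i.e. MS10-076 and MS10-001) that the workaround causes Windows Update to re-offer. The following PowerShell script is an added example, not from the thread or from Microsoft, that lets an administrator confirm both facts on a system before deciding whether a re-offer can be ignored: it looks for a Deny entry for Everyone in the DLL's ACL (the assumption here is that the workaround is implemented as such an ACL entry, as the thread describes) and checks whether the two updates are listed as installed. Run it from an elevated PowerShell prompt on the machine in question.

```powershell
# Added example (not from the thread or from Microsoft). Assumes the workaround is
# implemented as a Deny ACE for the Everyone group on t2embed.dll, as the thread
# describes, and that Get-HotFix can see the two updates named in the advisory quote.

$dll = Join-Path $env:windir 'system32\t2embed.dll'

function Test-T2EmbedDenied {
    # Returns $true when an explicit Deny entry for Everyone exists on the DLL,
    # which is the state the thread attributes to Fix it 50792.
    if (-not (Test-Path -Path $dll)) { return $false }
    $acl  = Get-Acl -Path $dll
    $deny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'Everyone'
    }
    return [bool]$deny
}

function Get-ReofferedUpdateState {
    # Updates named in the advisory quote: KB982132 (MS10-076) and KB972270 (MS10-001).
    $kbs   = 'KB982132', 'KB972270'
    $state = [ordered]@{}
    foreach ($kb in $kbs) {
        # Get-HotFix reports installed updates; a missing entry yields $false.
        $hit = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
        $state[$kb] = [bool]$hit
    }
    return $state
}

# Build a single report object so the output can be read or logged at a glance.
$report = [ordered]@{
    T2EmbedPath       = $dll
    WorkaroundApplied = Test-T2EmbedDenied
}
foreach ($entry in (Get-ReofferedUpdateState).GetEnumerator()) {
    $report[$entry.Key] = $entry.Value
}

# If WorkaroundApplied is $true and both KB entries are $true, a Windows Update
# re-offer of those two updates is the detection-logic issue the advisory describes.
[pscustomobject]$report | Format-List
```

If WorkaroundApplied reports false on a system where the Fix it was run, the ACL change did not take (or was undone by Fix it 50793), which is worth knowing before trusting the "can ignore the reoffer" guidance.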

5 Journeyman • 15.6K Posts • 45K Points

November 11th, 2011 15:00

Cutting to the chase, the "updated" information BB is referring to above boils down to one simple statement/caveat:

[Upon implementing the work-around] Applications with functionality that relies on T2EMBED.DLL, such as generating PDF files, may fail to work as expected. For example, Microsoft Office software will fail to generate PDF files.

4 Apprentice • 20.5K Posts

November 11th, 2011 15:00

Updated: Friday, November 11, 2011

Microsoft Security Advisory (2639658)
Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege

https://technet.microsoft.com/en-us/security/advisory/2639658

5 Journeyman • 15.6K Posts • 45K Points

November 14th, 2011 04:00

Thanks RD!

Always nice to know there's a simple test to verify [or disprove] something is working correctly.
