When it came time to run Automatic Update on my Windows XP SP2 virtual machine (running under Parallels) I got 12 updates, so Microsoft pushed more than the security updates. The updates broke down as follows (all links are to the Microsoft Knowledge Base article number listed):

1. Security Update for Media Player 11 (KB936782)
2. Security Update for IE 7 on Windows XP (KB938127)
3. Security Update for Microsoft .NET Framework 2.0 (KB928365)
4. Cumulative Security Update for IE7 on Windows XP (KB937143)
5. Security Update for Microsoft .NET Framework 1.1 (KB928366)
6. Windows Malicious Software Removal Tool - August 2007 (KB890830)
7. Security Update for Windows XP (KB938829)
8. Security Update for Windows XP (KB921503)
9. Definition Update for Windows Defender
10. Update for Windows XP (KB936357)
11. Update for Windows XP (KB938828)
12. Security Update for Windows XP (KB936021)

The updates to Windows Vista Ultimate (also running under Parallels) through Automatic Update included:

1. Update Windows Mail Junk E-Mail Filter (KB905866)
2. Update for Windows Vista (KB938127)
3. Cumulative Security Update for IE 7 in Vista (KB937143)
4. Security Update for Windows Vista (KB933579)
5. Malicious Software Removal Tool - August 2007 (KB890830)
6. Security Update for Windows Vista (KB936021)
7. Security Update for Windows Vista (KB936782)
8. Definition Update for Windows Defender
9. Security Update for Windows Vista (KB938123)

Patching Results (both platforms)

The download and patching was straight-forward. A single reboot at the end of the patching was required. Windows didn’t have any problems starting up or running after being patched. But, I don’t use Windows enough to encounter any but the most severe problems. I also run very few applications so wouldn’t encounter any conflicts. I don’t run any versions of MS Office so I haven’t tried the Office updates.

Have you applied the updates yet? Any problems?

ShareThis

First, Microsoft updated MS07-036 to include Microsoft Office 2004 for Mac as a vulnerable application. So if you run Microsoft Office 2004 for Mac you’ll need to patch it. I don’t run the software so can’t say how the patch works. The vulnerability is rated as “Important” for Microsoft Office 2004 for Mac.
Also, Slashdot has a posting about people experiencing problems with the .NET updates from last Tuesday. This was bulletin MS07-040. Most problems are related to high cpu usage after the update. This isn’t a problem I experienced on my Windows PC or on Windows running under Parallels.

ShareThis

The Quicktime update, to version 7.2 includes eight security vulnerability fixes in addition to updates to the H.264 codec, support for full screen viewing and “numerous bug fixes”. As with all other Quicktime updates if you’ve purchased a Quicktime Pro version prior to 7 and you install this update your older Quicktime Pro will stop working and you’ll have to buy the new version. The update requires a reboot on both Mac and Windows.

The iTunes update brings iTunes to 7.3.1 and fixes a problem with iTunes 7.3 accessing the library. I installed this on both Mac and Windows without incident. As a test I played a short podcast on Windows. I successfully synced my iPod and Apple TV after the update. I didn’t have the access problem this update was supposed to fix so I can’t say whether or not it resolved that specific problem.

ShareThis

My test PCs include Windows XP SP2, Windows Vista Business Premium and Windows Vista Ultimate Edition. The Windows Vista OS’s are running under Parallels on my iMac. All my test PCs were patched through automatic update and required a reboot after applying the patches.

MS07-040 is rated critical and affects .NET versions 1.x and 2.x, version 3.x is not affected. All operating systems are affected if they have a vulnerable version of .NET installed. There are no known issues listed in the bulletin. If you have both versions of .Net on the PC you need a separate patch for each version. I have .NET 1.x and 2.x on Windows XP SP2, Windows Vista Business Premium and Windows Vista Ultimate. I did not have problems with any of the .Net patches.

[Update July 13th] Slashdot has a posting about people seeing high CPU usage and other issues with the MS07-040 patches.

MS07-038 is rated moderate and affects Windows Vista, both 32-bit and 64-bit versions. This patches a vulnerability in the Windows Vista firewall that could allow an attacker to gather information about a host. There are no known issues listed in the bulletin. I did not have any problems installing the patch on either of my Vista systems.

The Microcode Reliability Update (936357) was also installed through automatic update as a required patch. This was run on my older HP laptop which uses a Pentium 4 which leads me to believe the patch runs and then determines the CPU since Pentium 4’s aren’t in the bulletin as needing the patch. This patch also ran on Windows under Parallels.

I couldn’t install the remaining security patches but they are:

Two of the patches affect Microsoft Office software. I did not install either of these patches since I don’t have the affected products.

MS07-036 is rated critical and affects all versions of Microsoft Excel from Excel 2000 on up. It also applies to the Office 2007 compatibility pack. It’s only rated critical for Excel 2000. Microsoft rates the other versions as “important”. The bulletin does not list any known issues.

[Updated July 13th] Microsoft has updated MS07-036 to include Microsoft Office 2004 for Mac in the list of vulnerable software that must be patched. I don’t run this software so won’t be installing this patch either.

MS07-037 is rated important and affects Microsoft Office Publisher 2007 only. The bulletin does not list any known issues.

MS-07-041, is rated important and affects Microsoft Internet Information Server (IIS) when running on Windows XP SP2. Earlier versions of Windows XP may be affected but Microsoft only supports service pack 2. IIS is not installed by default on Windows XP.

The server patch is is MS07-039 and is a vulnerability in Active Directory that’s rated critical.

The patches are available through automatic update or can be downloaded individually from Microsoft.

ShareThis

Two security vulnerabilities are addressed. One is in Webcore and can allow cross-site scripting attacks.

The second patched vulnerability was in Webkit and could allow remote code execution.

I applied the update to an Intel iMac and an Intel Mac Mini without a problem. You can visit my hardware page for the specific hardware patched. The PPC Mac Mini isn’t hooked up at this time so it hasn’t been patched yet.

ShareThis

The critical desktop patches are:

MS07-031 for Windows XP SP2, Windows XP x64 and Windows XP x64 SP2. It’s rated as “important” for Windows 2000 SP4. Earlier versions of Windows 2000 and XP may be affected but aren’t supported by Microsoft. On Windows XP this vulnerability can allow remote code execution. On other OS’s the vulnerability results in a denial of service attack (such as a system crash). The user must visit a malicious website to be exploited.

MS07-033 is the cumulative patch for all versions of Internet Explorer and is critical on all desktop OS’s that run it. Since this is a cumulative update it carries forward any baggage of earlier issues (like changes in ActiveX control handling). As usual, the most serious vulnerability impact is remote code execution. Six new vulnerabilities are identified in the bulletin some of which allow remote code execution.

MS07-034 is for Windows Mail on Vista (including Vista x64). It is rated “important” for Outlook Express 6 on all versions of Windows XP. There are five different vulnerabilities identified. On XP they may disclose information, on Vista they allow remote code execution.

MS07-035 is for all desktop OS’s except Vista. It’s not needed on Vista. (Obligatory MS dig - proves Vista is “more secure”.) This allows remote code execution.

The two other patches are:

MS07-030 is for Visio 2002 SP2 and Visio 2003 SP2 and is rated as “important”. The vulnerability will allow remote code execution although it cannot be exploited automatically. The user must visit a malicious website or open a malicious email attachment.

MS07-032 is for Windows Vista (including x64) and is rated “moderate”. This could result in information disclosure, including some passwords which would allow higher level access. This does require to have valid logon credentials for the PC.

I applied the appropriate patches to Windows XP SP2 without incident. I don’t use the Mail app of Vista so can’t say if it affects the app in some way. The bulletins don’t list any known issues.

The patches are released through Windows Update and are available for individual download.

ShareThis

The Quicktime patch is a security update that patches two vulnerabilities. The vulnerabilities allow a malicious website to either run code on a computer or get infomation from a computer.

Apple also released an update to iTunes that adds support for DRM free music. It looks like Apple might just make their promise of DRM-free music available in iTunes by the end of May.

The updates will be pushed through Apple update or can be downloaded directly.

ShareThis

According to the Apple notification it contains updates to the following components:

• bind
• CarbonCore
• CoreGraphics
• crontabs
• fetchmail
• file
• iChat
• mDNSResponder
• PPP
• ruby
• screen
• texinfo
• VPN

I applied the Universal version of the update to my iMac through software update without a problem. The update does require a reboot and on my iMac it did a bit of a double reboot. During the first reboot, which took longer than usual, another reboot was done. This occurred before the logon screen appeared. That second reboot took the normal length of time.

My PPC Mac Mini is currently packed away so I haven’t tried the PPC version of the update and it will be awhile before I do.

ShareThis

About Pro Application Support 4.0

This update improves general user interface reliability for Apple’s professional applications and is recommended for all users of Final Cut Studio, Final Cut Pro, Motion, Soundtrack Pro, DVD Studio Pro, Aperture, Final Cut Express HD, Soundtrack, Logic Pro and Logic Express.

It’s a 8.3MB download through Software Update and 7.3MB through the Apple website.

ShareThis

Two of the seven bulletins are for servers only. MS07-026 is for Exchange Server, including the latest version. MS07-029 is for the RPC interface to DNS server and affects their server software.

That leaves 5 bulletins for desktops. Three of them are for Office components.

MS07-023 is for Office, specifically Microsoft Excel 2000, 2002 (aka XP), 2003 and the latest version, Excel 2007. Excel 2004 for the Mac is also vulnerable and needs to be patched. The viewer for Excel 2003 and the compatibility pack for Office 2007 is also affected.

MS07-024 is also for Office, this time it’s for Word. The patch is NOT needed for the latest version, Word 2007. But it’s needed for Word 2000, Word 2002 (aka XP), Word 2003, Word 2004 for the Mac. Word Viewer 2003 also needs to be patched. And the list continues with Microsoft Works Suite 2004, 2005 and 2006. the update file for all three Works version is the same one as for Word 2002.

MS07-025 is another Office patch. Multiple Office components, pretty much every Office user will need the update as it affects Office 2000, Office 2002 (aka XP), Office 2003 and the latest version, Office 2007. Office 2004 for Mac is also affected and needs updating.

MS07-027 is the cumulative update for Internet Explorer. All supported versions of Internet Explorer on all supported operating systems are affected and needs to be updated.

MS07-028 is a patch for CAPCOM which is the “Cryptographic API Component Object Model”. CAPCOM is an Active X control that allows scriptors (VBS, ASP, etc…) he ability to encrypt data. It’s part of the Biztalk servers but may be installed by other software. My Windows XP SP2 machine needed the update, other systems may not need it.

This is a pretty depressing set up updates to see Microsoft release. It shoots holes through the statement that Microsoft has improved security and that their latest “2007″ versions are the most secure ever. While they may be the “most secure ever” this set up updates adds ammunition to the argument that they aren’t much more secure. Four of the five desktops updates are needed across all versions, from oldest to newest. I guess it’s possible to say that Vista/Office 2007 only needed 4 out of the 5 patches so it was 20% more secure.

ShareThis

The Quicktime update patches the “hack-a-mac” Quicktime vulnerability that was publicized on April 20th. It doesn’t really provide any detail but Apple has a support article on the patch.

The Airport Extreme Update 2007-003 description is succinct…

This update is recommended for all Intel-based Macintosh computers and includes compatibility updates for certain third-party access points configured to use WPA™ or WPA2™ security.

WPA and WPA2 are trademarks of the Wi-Fi Alliance.

Both patches require a reboot and applied without a problem on my Intel iMac. The Quicktime 7.1.6 update was also available for my Windows XP PC with iTunes.

Apple also released security update 2007-004 v1.1 which is an update a previously released version. None of my Macs qualify for the “update to the update” which includes:

• A fix for OS X 10.3.9 (not a typo, that’s 10.3, not .4) with the 2007-004 security update. Seems there was an issue when waking from sleep.
• Security update 2007-004 applied an incorrect ftp configuration to OS X Server 10.4.9

If you didn’t already apply 2007-004 v1.0 then you’ll be getting 2007-004v1.1 in place of it, not two updates.

ShareThis

I installed it on my 24″ iMac without incident. The shutdown and reboot took longer than normal, long enough that I was beginning to get worried but it was fine. A second reboot took the usual amount of time.

I ran through my typical quick tests without a problem - start/stop iPhoto, Apple Mail, Thunderbird, iTunes (sync iPod), Chicken of the VNC, Firefox and Safari.

The Power PC (PPC) version of the update is 10.0 MB. Other than the download size, the software update information for the PPC version is the same as the Intel version. Installation on my PPC Mac Mini was also without incident.

ShareThis

The software update screen pretty much sums up the information I could find on the specifics of this update.

ShareThis

ShareThis

MS07-018 is for Content Management server and doesn’t affect it’s desktop OS’s.

MS07-019 is for a vulnerability in Universal Plug and Play. It only affects Windows XP SP2 and the 64-bit version of Windows XP. Note that MS doesn’t support WinXP SP1 and the fact that it’s not listed doesn’t mean it isn’t vulnerable. It just means Microsoft wants you on the latest SP and if you aren’t they don’t care. (To be fair, by now you should be on the latest SP) MS doesn’t list any known issues. Windows 2000 and Vista aren’t affected.

MS07-020 is for a vulnerability in Microsoft Agent. It affects all Windows desktop OS’s except Vista. MS doesn’t list any known issues.

MS07-021 is for a vulnerability in CSRSS. It affects all Microsoft desktop OS’s including Vista. MS doesn’t list any known issues.

And there was one bulletin rated “important”. MS07-022 is for a Windows Kernal vulnerability. This will get installed by WIndows Update (by default) as a “High Priority” update. This affects Windows 2000 SP4 (earlier SP’s aren’t supported and may be vulnerable) and Windows XP SP2 (earlier SP’s aren’t supported and may be vulnerable)

So in the final tally, Windows Vista is “more secure” than Windows XP as only one patch was for Vista and four (3 critical) were for Windows XP.

When I applied the patches to my Windows XP machines a reboot was required, which is usually the case.

ShareThis