Microsoft Internet Explorer Vulnerability Patch Release

Yesterday we wrote an article about a new Microsoft Vulnerability in Internet Explorer. While we were initially lead to believe that this was a flash issue, it was brought to our attention that the issue goes deeper than that. While we’re working on a script which can solve damage from this vulnerability, right now it is important that you ensure all your client machines are updated with the latest patches available from Microsoft.

Unfortunately, in typical Microsoft fashion, the patches have been released somewhat out of order, which means that if you apply the patches in the order they were released in, you’ll end up borking Internet Explorer on any Windows 7 machines.

There are three updates which have been released at various points:

  1. KB2929437. This is not the patch, but a dependency on Windows 7 machines that the patch requires to be installed before you install the main patch.
  2. KB2964358. This patch will fix the vulnerability in Internet Explorer. However, it requires the previous KB to be installed.
  3. KB2964444. If you do not want to install the first patch, then this can be installed to patch the vulnerability instead of KB2964358.

If you are on Saas2, Saas9, or Saas16, then you will need to identify machines which require the patch and manually apply the patches in the right order. If you’re on our Hosted servers (K2 or VA4) then the patches have already been approved and you should just be able to apply them. If you try to let Kaseya apply the patches, then issues will likely arise.

In order to identify machines missing the KB2929437 patch, you can create a view. Simply click “Edit” on the upper right of View and use the Patch Management  “Machines missing patch” filter. Insert KB2929437 as the missing patch and Kaseya should put together a list of machines to apply that patch to. Once you’ve manually made sure that patch is applied to all Windows 7 machines, then you should be able to allow Kaseya to apply the next update with no further incident.

Here is the official statement from our tech team:

Microsoft has released a patch for Zero-Day vulnerability affecting all versions of Internet Explorer

SaaS partners will need to Allow this in their patch polices.  Using the “Patch Management> Patch Policy> KB Override” function is the quickest way to do this.

In Kaseya the patch is listed as KB2964358 and KB2964444

Out-of-Band Release to Address Microsoft Security Advisory 2963983

http://blogs.technet.com/b/msrc/archive/2014/05/01/out-of-band-release-to-address-microsoft-security-advisory-2963983.aspx

Good news – “We have made the decision to issue a security update for Windows XP users.”

There are known issues if you do not have KB2929437 installed. You can create a Kaseya view to help you locate these machines – click “Edit” on the upper right of View and use the Patch Management  “Machines missing patch” filter.

See: http://support.microsoft.com/kb/2964358

Known issues with this security update

Internet Explorer will crash if you try to install this security update on a Windows 7-based system that does not already have security update 2929437 installed. To avoid this issue, take either of the following actions:

*Install security update 2929437, and then install security update 2964358. For more information about security update 2929437, click the following article number to view the article in the Microsoft Knowledge Base:2929437 (http://support.microsoft.com/kb/2929437) Description of the security update for Internet Explorer 11 on Windows 7 and Windows Server 2008 R2: April 8, 2014

*Install security update 2964444 instead of security update 2964358. Security update 2964444 is intended for systems that do not have security update 2929437 installed.