{"id":8393,"date":"2017-07-20T06:30:15","date_gmt":"2017-07-20T14:30:15","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/07\/20\/news-2167\/"},"modified":"2017-07-20T06:30:15","modified_gmt":"2017-07-20T14:30:15","slug":"news-2167","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/07\/20\/news-2167\/","title":{"rendered":"More June security patch bugs: You can patch an IE flaw, CVE-2017-8529, or print inside iFrames\u2014but not both"},"content":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/zapt0.staticworld.net\/images\/article\/2017\/05\/patching-against-ransomware-100723134-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Woody Leonhard| Date: Wed, 19 Jul 2017 12:00:00 -0700<\/strong><\/p>\n<p>Strap on your hip waders. This particular \u201cscare\u201d article should have you thinking yet again about the advisability of installing Windows updates as soon as they\u2019re available. As you\u2019ll see, Microsoft itself has flip-flopped on the resolution and those who subscribe to Windows Update have been taken along for the ride.<\/p>\n<p>Buggy June patches to Windows, Internet Explorer and Edge left customers on the horns of a dilemma:<\/p>\n<ul>\n<li>You can plug a security hole known as <a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2017-8529\">CVE-2017-8529<\/a>, in which IE or Edge <a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2017-8529\">reveal the presence<\/a> of a specific file on your computer when you simply surf to a compromised web site, <strong>OR<\/strong><\/li>\n<li>You <a href=\"https:\/\/answers.microsoft.com\/en-us\/ie\/forum\/ie11-windows_other\/cannot-print-single-frames-iframes-popups-after\/e431c6e1-5f27-4bef-93ce-d8d9ae23a477\">can print content<\/a> on web pages that are inside an HTML construct known as an iFrame, using IE 9, 10 or 11.<\/li>\n<\/ul>\n<p>Microsoft\u2019s up against a hard bug that makes this an either-or proposition: Until Microsoft figures out how to fix both problems at the same time, either you patch the security hole, or you can print inside iFrames with IE, but not both.<\/p>\n<p>For most people, this isn\u2019t a big deal\u2014just plug the security hole and use something other than IE to print web pages. But in many corporate environments, custom IE-based programs make that approach a non-starter\u2014and companies that have custom IE programs that rely on printing inside iFrames are really feeling the pinch. 
It\u2019s interesting to see how Microsoft has dealt with the problem, and cut the cards several times in the process.<\/p>\n<p>And&#8230; surprise&#8230; if you have Automatic Update turned on, you can now print from iFrames in IE, but the security hole hasn&#8217;t been plugged. Microsoft seems to prefer leaving IE intact and letting the security hole take the back seat.<\/p>\n<p>There are a lot of patches involved. To see the train wreck in slow mo, look at the events chronologically:<\/p>\n<p><strong>June 13:<\/strong> Microsoft releases a slew of bad patches for IE\u2014June Internet Explorer Cumulative Update 4021558, Monthly Rollups 4022719, 4022724, 4022726 (all fed through Automatic Update), and manually installed Security Updates 4022727, 4022714, 4022715, and 4022725.<\/p>\n<p><strong>June 21:<\/strong> Microsoft acknowledges the \u201ccan\u2019t print from iFrame\u201d bug in all of those patches.<\/p>\n<p><strong>June 22:<\/strong> Microsoft releases a second patch, KB 4032782, which fixes the \u201ccan\u2019t print from iFrame\u201d bug by disabling the part of the original patches that deals with CVE-2017-8529. It\u2019s an optional update, so IE users can choose to either (1) fix the CVE-2017-8529 security hole, or (2) enable printing from iFrames. Those using Automatic Update who don\u2019t touch anything will still have problems with printing from iFrames.<\/p>\n<p><strong>June 27: <\/strong>Microsoft releases another big bunch of IE-related patches. Again, the choices are (1) fix the security hole or (2) enable printing from iFrames. In this case, those using Automatic Update who don\u2019t install the Preview Rollup patches (which are not checked by default) will still have problems with printing from iFrames \u2014 <strong>EXCEPT<\/strong> for folks running Win10 Creators Update, 1703. 
The people running Creators Update are automatically updated with KB 4022716, which enables printing from iFrames, but disables the fix for the security hole.<\/p>\n<p>As of <strong>June 27<\/strong>, if you were installing these patches as they came out the chute, your Win10 1703 machines can print in iFrames but don\u2019t have the security hole plugged. On the other hand, your Win10 1607 and 1511 machines have it the other way around\u2014IE can\u2019t print inside iFrames, but the security hole is plugged.<\/p>\n<p>Complicated enough for you? Wait. It gets better.<\/p>\n<p>Unfortunately, the automatically installed <strong>June 27<\/strong> cumulative update for Win10 1703, <a href=\"https:\/\/support.microsoft.com\/en-us\/help\/4022716\">KB 4022716<\/a>, <a href=\"https:\/\/www.askwoody.com\/2017\/widespread-problems-with-last-weeks-win10-1703-patch-kb-4022716\/\">proved to be a disaster<\/a>, with reported problems in IE, Chrome and Firefox, black screens, and a conflict with Comodo firewall. If you let Windows 10 install this cumulative update, IE and Edge would <a href=\"https:\/\/support.microsoft.com\/en-us\/help\/4032693\/windows-10-update-kb4032693\">suddenly close<\/a> when you visit particularly complex\u2014but perfectly valid\u2014websites. The same IE crash is documented for:<\/p>\n<p>Here\u2019s the warning:<\/p>\n<p>After you install this update, Internet Explorer 11 may close unexpectedly when you visit some websites. When the problem occurs, you may receive an error message that resembles the following:<\/p>\n<p>We were unable to return you to <em>[previous URL]<\/em> Internet Explorer has stopped trying to restore this website. 
It appears the website continues to have a problem.<\/p>\n<p>The problem may occur if the website is complex and uses certain web APIs.<\/p>\n<p>That\u2019s how things stood until Patch Tuesday, <strong>July 11<\/strong>: Another bunch of patches came out the Auto Update chute that day, but this time the roles seem to be reversed. You can sift through the details of the 35 patches that include IE and Edge updates\u2014KB 4022724, 4021558, 4022715, 4022727, 4022714, 4022726, 4022725, 4022719, if I didn\u2019t miss any\u2014but the meat of the changes appears in this <a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2017-8529\">Security TechCenter post<\/a>:<\/p>\n<p>Please note that the protection for CVE-2017-8529 is not yet available with the release of the July security updates, as we continue to work on a solution for the known issue customers may experience when printing from Internet Explorer or Microsoft Edge after installing Internet Explorer Cumulative update 4021558. Customers who receive automatic updates will not be protected from this CVE.<\/p>\n<p>If I read that correctly, Microsoft sent out a \u201csilver bullet\u201d in this month\u2019s Patch Tuesday patches, which turns off the part of the bad June patches that plugs the CVE-2017-8529 security hole. That is, everybody who has Automatic Update turned on should now be able to print inside iFrames with IE, but will be exposed to the security hole.<\/p>\n<p>I doubt that most customers, given the choice, would trade IE iFrame printing for security.<\/p>\n<p>It\u2019s not at all clear why Microsoft changed horses in the middle of the botched-patch-updating stream, but it now appears as if we\u2019re back to the pre-June update settings for the security hole and the iFrame printing issue.<\/p>\n<p>Can you make heads from tails out of this? 
Hit me on the <a href=\"https:\/\/www.askwoody.com\/forums\/topic\/more-june-security-patching-bugs-you-can-patch-an-ie-security-hole-or-print-inside-iframes-but-not-both\/\">AskWoody Lounge<\/a>.<\/p>\n<p>Thanks to abbodi86, ch100, and MrBrian<\/p>\n<p><a href=\"http:\/\/www.computerworld.com\/article\/3209042\/microsoft-windows\/more-june-security-patch-bugs-you-can-patch-an-ie-flaw-cve-2017-8529-or-print-inside-iframes-but-no.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/zapt0.staticworld.net\/images\/article\/2017\/05\/patching-against-ransomware-100723134-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Woody Leonhard| Date: Wed, 19 Jul 2017 12:00:00 -0700<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p>Strap on your hip waders. This particular \u201cscare\u201d article should have you thinking yet again about the advisability of installing Windows updates as soon as they\u2019re available. 
As you\u2019ll see, Microsoft itself has flip-flopped on the resolution and those who subscribe to Windows Update have been taken along for the ride.<\/p>\n<p>Buggy June patches to Windows, Internet Explorer and Edge left customers on the horns of a dilemma:<\/p>\n<ul>\n<li>You can plug a security hole known as <a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2017-8529\">CVE-2017-8529<\/a>, in which IE or Edge <a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2017-8529\">reveal the presence<\/a> of a specific file on your computer when you simply surf to a compromised web site, <strong>OR<\/strong><\/li>\n<li>You <a href=\"https:\/\/answers.microsoft.com\/en-us\/ie\/forum\/ie11-windows_other\/cannot-print-single-frames-iframes-popups-after\/e431c6e1-5f27-4bef-93ce-d8d9ae23a477\">can print content<\/a> on web pages that are inside an HTML construct known as an iFrame, using IE 9, 10 or 11.<\/li>\n<\/ul>\n<p>Microsoft\u2019s up against a hard bug that makes this an either-or proposition: Until Microsoft figures out how to fix both problems at the same time, either you patch the security hole, or you can print inside iFrames with IE, but not both.<\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[714,10525],"class_list":["post-8393","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-security","tag-windows"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8393","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=8393"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8393\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=8393"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=8393"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=8393"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}