Bonus Windows updates fix other Windows updates

The Patch Tuesday updates were enough to keep track of, but they weren't all the security updating Microsoft did on Tuesday. The company also reissued two older updates on certain platforms and released a new anti-POODLE feature for Internet Explorer. There are inconsistencies in the description and implementation of the anti-POODLE feature.

MS14-065: Cumulative Security Update for Internet Explorer (3003057), as released on the November Patch Tuesday, had some deficiencies in the update for one specific vulnerability, CVE-2014-6353, one of two memory corruption vulnerabilities fixed in that update. Version 2.0 of the update was released today for Internet Explorer 10 and for Internet Explorer 8 on Windows 7 or Windows Server 2008 R2. The same fixes are included in the December Cumulative Security Update for Internet Explorer released today.

MS14-066: Vulnerability in Schannel Could Allow Remote Code Execution (2992611) was the fix for a doozy of a vulnerability in Schannel, Microsoft's SSL/TLS implementation. On Tuesday the update was reissued for users of Windows Vista and Windows Server 2008 to address "an issue in the original release."

In addition to the fix for the highly critical vulnerability in MS14-066, Microsoft added some new security features, specifically new TLS cipher suites. We can only guess that they did this since they were sending out a new version of the files that implement the ciphers anyway, so they thought they'd kill two birds with one stone. What they ended up killing instead was many Windows systems.

It's not clear to us what is new in the new version of the update for Vista and Windows Server 2008, but it may remove the cipher code from those systems. Tuesday's reissue of MS14-066 is the second reissue of the update, the first coming a week after the initial release on November Patch Tuesday. The first reissue removed the new ciphers from the default cipher suite priority list. After Tuesday's second reissue, the security bulletin no longer lists Windows Vista or Windows Server 2008 as platforms on which the ciphers are installed.

On Tuesday Microsoft also reissued Security Advisory 3009008, their announcement of the POODLE bug in SSL version 3, "...announcing the availability of SSL 3.0 fallback warnings in Internet Explorer 11." In the accompanying KB article, the company provides a Fix it download and instructions for a GPO setting to "...enable SSL 3.0 fallback warnings to be displayed when a connection in Internet Explorer insecurely falls back from TLS 1.0 or a later version to SSL 3.0 or an earlier version." The KB article also says that the update is applied as part of the December Cumulative Security Update for Internet Explorer.

The security bulletin, the KB article and even the description line in the Fix it program (pictured below) all give the clear impression that the change enables warnings when an SSL v3 fallback occurs. But the actual settings in both the Fix it and the GPO show that the setting disables the fallback rather than merely warning of it. Furthermore, installing the Fix it re-enables SSL v3 support in Internet Explorer (more accurately, in Schannel) if it had been disabled.

The Fix it description and commands are inconsistent.
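Because the Fix it's description and its effect disagree, the practical check is to record where SSL 3.0 stands before and after applying it. The PowerShell below is an added example written for this article; it is not Microsoft's Fix it or GPO logic. It reads the documented Schannel protocol keys that decide whether SSL 3.0 is usable at all on the machine, and Internet Explorer's SecureProtocols bitmask (the WinInet SP_PROT_* client flag values) in both the per-user location and the machine policy location. The policy registry path is an assumption in this example; the Fix it's own setting is not on the page and is not inspected here.

```powershell
# Added example for this article, not Microsoft's Fix it or GPO logic.
# Reports whether SSL 3.0 is enabled in Schannel (machine-wide) and in Internet
# Explorer's SecureProtocols bitmask, so the effect of applying the Fix it can be
# compared before and after. Written to run on Windows PowerShell 2.0 and later.

# Documented Schannel protocol key; Client and Server subkeys carry the settings.
$Ssl3Root = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0'

# WinInet SP_PROT_* client flags that make up the SecureProtocols bitmask.
$Protocols = @{
    'SSL 2.0' = 0x8
    'SSL 3.0' = 0x20
    'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}

function Get-SchannelSsl3State {
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $Ssl3Root $side
        $enabled = $null
        $disabledByDefault = $null
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            $enabled = $props.Enabled
            $disabledByDefault = $props.DisabledByDefault
        }
        # A missing key or value means Schannel's built-in default applies, which on
        # the Windows versions discussed in the article leaves SSL 3.0 available.
        New-Object PSObject -Property @{
            Side              = $side
            KeyPresent        = (Test-Path $key)
            Enabled           = $enabled
            DisabledByDefault = $disabledByDefault
            Ssl3Usable        = (($enabled -ne 0) -and ($disabledByDefault -ne 1))
        }
    }
}

function Get-IeSecureProtocols {
    # 'User' is the value written by Internet Options > Advanced; 'Policy' is the
    # machine policy location used by the "Turn off encryption support" GPO
    # (policy path is an assumption in this example; confirm it in your environment).
    $paths = @{
        'User'   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
        'Policy' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    }
    foreach ($scope in $paths.Keys) {
        $mask = $null
        $item = Get-ItemProperty -Path $paths[$scope] -Name SecureProtocols -ErrorAction SilentlyContinue
        if ($item) { $mask = [int]$item.SecureProtocols }
        $result = New-Object PSObject -Property @{ Scope = $scope; Mask = $mask }
        foreach ($name in $Protocols.Keys) {
            # $null means the value is not set and the browser's default applies.
            $on = if ($null -eq $mask) { $null } else { ($mask -band $Protocols[$name]) -ne 0 }
            $result | Add-Member -MemberType NoteProperty -Name $name -Value $on
        }
        $result
    }
}

Get-SchannelSsl3State | Format-Table Side, KeyPresent, Enabled, DisabledByDefault, Ssl3Usable -AutoSize
Get-IeSecureProtocols | Format-Table Scope, Mask, 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2' -AutoSize
```

Run it from an elevated Windows PowerShell prompt and keep the output. A Ssl3Usable of True with KeyPresent False simply means no administrator has touched the Schannel key and the default is in force; if a run after installing the Fix it shows Enabled changing from 0 to a non-zero value, that is the re-enabling of SSL v3 the article describes.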