"Mr. Fixit" wrote in message
Two Windows 7 boxen here have been bugging us to install some update for
about a week now. This started around a week *after* Patch Tuesday.
Anyone else seeing Windows Update complaining that their machines aren't up
to date, starting *in between* two Patch Tuesdays? Or, worse, getting
unexpected reboots when they shouldn't be?
And the specific update would be ???
KB2840149, I think.
"A security issue has been identified ..."
It looks like a bog-standard security patch. It's just the timing that's
weird.
Is it possible for a bad actor to sneak their own bogus update into
Microsoft's update system?
Also, what's with the dumbed-down descriptions these days? Used to be it
would say if it was DoS only, authenticated local attacker only, or
unauthenticated remote attacker. The latter are far more urgent for
machines that don't have possibly untrusted local users. We don't have to
worry about a local privilege escalation attack here, for example.
If anything, I think there should be even more detail about the updates,
including whether a vuln can be exploited through a typical firewall config
or not. If it's in a service like NetBIOS that nobody in his right mind
exposes through his firewall, for example, the danger exists only if there
are untrusted users of the LAN, or it's a home machine that's not behind a
hardware firewall or NAT router. It's still belt-and-suspenders to install
the patch, but it can wait until a convenient time for rebooting. On the
other hand if it's in the Windows Picture Previewer jpeg handler (or worse,
the Explorer jpeg thumbnailer) and allows a maliciously crafted file to
root the box, then it's "install this before saving any image from any web
page!!!" severity.