Defensive Computing

February 17, 2008 9:18 AM PST

New computer, old software

by Michael Horowitz

New computers come with old software, a situation that, considering the recent slew of critical bug fixes, can be quite dangerous.

To illustrate just how old some of the software is, consider a new Windows XP machine that I got yesterday. The computer, a ThinkCentre A61 tower, was ordered from Lenovo on January 6, 2008. It was delivered to someone on January 16th, exactly who I'll never know. As I wrote about last month, UPS lost my computer. But that's another story.

I've got my new computer routine down pat at this point. First, I run a slew of hardware diagnostics, then I make a disk image backup. Next, I remove the pre-installed software that I don't want, followed by updating the pre-installed software that I'm keeping.

The first update is to Windows itself. I start by manually running Windows Update at www.update.microsoft.com. The Windows Update software is always old. Every new Windows XP computer I've touched required a couple of software updates to Windows Update itself before it would even start scanning for missing bug fixes (a.k.a. patches and updates).

The machine was missing 60 fixes to Windows XP. I installed them, re-booted and went back to Windows Update. Experience has shown that Windows Update is far from perfect. Running it a second time often reports a new bug fix that was either missed the first time or is needed because the first go-round installed buggy software. Sure enough, a custom scan shows the machine is missing the .NET Framework version 1.1 Service Pack 1.

After dealing with Windows, I tried the Adobe Flash tester page, which reported that Internet Explorer was using Flash version 7.0.68. This is a really old version of Flash (the latest is 9,0,115,0).

The other popular Adobe product, the Acrobat Reader, was the only reasonably recent software. That said, the pre-installed version, 8.1.0, is missing critical bug fixes that make it, too, a security risk.

At this point I turn to the online Secunia Software Inspector to see what other software is missing security patches.

In addition to the ancient version 7 of Flash, the machine also came with the downright pre-historic, and buggy, versions 4 and 6 pre-installed.

Java, too, was missing security fixes. Secunia reported that Java was at version 1.5.0_6, which was released about December 2005. The latest version of the 1.5.x family, version 1.5.0_14, is secure, according to Secunia. However, the current version of Java is 1.6.0_4. You can see which version you have at javatester.org.
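The version strings quoted above come in three notations (dotted, comma-separated, and Java's underscore update suffix), and comparing them as plain text misorders 1.5.0_6 and 1.5.0_14. The Python sketch below is an added example, not part of the original post; the function names and the inventory list are constructed for illustration, and the baselines are the versions the post quotes as of February 2008.

```python
import re

# Baselines are the versions quoted in the post (February 2008), not current ones.
BASELINES = {
    "Adobe Flash Player": ["9,0,115,0"],
    "Java": ["1.5.0_14", "1.6.0_4"],  # one minimum per release family
}

# Constructed inventory using the pre-installed versions reported in the post.
INVENTORY = [
    ("Adobe Flash Player", "7.0.68"),
    ("Java", "1.5.0_6"),
    ("Java", "1.6.0_4"),
]

def parse_version(text):
    """Split on '.', ',' or '_' and return a tuple of ints."""
    parts = re.split(r"[.,_]", text.strip())
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)

def is_older(installed, baseline):
    """True if installed < baseline, padding the shorter tuple with zeros."""
    a, b = parse_version(installed), parse_version(baseline)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def pick_baseline(installed, candidates):
    """Prefer the baseline from the same major.minor family, else the newest."""
    family = parse_version(installed)[:2]
    for c in candidates:
        if parse_version(c)[:2] == family:
            return c
    return max(candidates, key=parse_version)

def audit(inventory, baselines):
    """Return (product, installed, baseline) for every outdated entry."""
    findings = []
    for product, installed in inventory:
        if product not in baselines:
            continue  # no baseline known; nothing to compare against
        baseline = pick_baseline(installed, baselines[product])
        if is_older(installed, baseline):
            findings.append((product, installed, baseline))
    return findings

if __name__ == "__main__":
    print(audit(INVENTORY, BASELINES))
```

Matching on the major.minor family means a 1.5.x install is judged against 1.5.0_14 rather than against the 1.6 line, which mirrors how the post reports Secunia's verdict.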

Lenovo has their own version of Windows Update called ThinkVantage System Update that updates the software they pre-install. It also seems to update other software, but exactly what it targets is not at all clear from the supplied instructions. Just like Windows Update, the first update it finds is to itself.

After self-updating, ThinkVantage System Update finds about a dozen or so software updates, mostly to Lenovo applications. The number would have probably been larger, but I had already un-installed some of the Lenovo software. Interestingly, it offered to install the latest version of the Adobe Flash player, despite the fact that Internet Explorer was already using the latest version at this point, at least according to Adobe's Flash tester page. The updates I chose to accept were 422 megabytes.

Finally, the computer came with Picasa version 2 from Google. The first time I ran Picasa, it wanted to update itself to a newer version.

The hardware in a new computer may be new, but the software never is.


See a summary of all my Defensive Computing postings.

December 23, 2007 12:47 PM PST

IE6 crashes in Windows XP: fixing the fix

by Michael Horowitz

Yet again, a bug fix created a new problem. This time it occurred with Internet Explorer 6 and 7 on Windows XP and Vista.

The problem is that Internet Explorer crashes after viewing a web page. Not all web pages, though; I was able to successfully view about half of those I tested with IE6. One site that crashes it pretty quickly is Microsoft's own msn.com (they offered it as an example).


It wasn't hard to find information online about this problem, which was introduced in the December 11th round of bug fixes to Windows.

According to Computerworld, reports of problems with Internet Explorer came in immediately after the release of the December 11th patches. I was just hit with this because I always wait a bit before installing new bug fixes. This wasn't the first time that a poorly tested fix created a new problem.

To document the problem Microsoft created Knowledge Base article 946627.

On December 18th, Microsoft offered a work-around in the form of a registry zap. Not your most user-friendly undertaking.

On December 20th, however, they incorporated the registry zap into a downloadable EXE file, and updated the Knowledge Base article with a link to the file.

Uninstalling

Rather than fix the fix with a registry zap that seems to target the symptom rather than the underlying problem*, my first reaction was to un-install the buggy bug fix.

[Image: Control Panel Add Remove Programs in Windows XP]

Windows XP users can do this using the "Add or Remove Programs" applet in the Control Panel (see above). At the top of the window, turn on the checkbox for Show updates and sort by date last used. Then, scroll to the bottom and look for KB942615.

[Image: Warning about un-installing the buggy bug fix]

When I did this, however, I was scared off by the warning message shown above. Even if I was willing to risk breaking two other bug fixes, I want no more to do with the Adobe Flash player. If you try this, please leave a comment below about the patches and applications, if any, that you get warned about.

Installing

You can download the automated registry zap here. The file is WindowsXP-KB946627-x86-ENU.exe, and running it starts up a Wizard (below) that walks you through a simple, standard installation process.

[Image: The wizard to install the registry zap]

I suggest making a restore point before installing anything. Can't hurt. In my case, the fix was immediate, there was no need to restart Windows.

According to this Microsoft Security Response Center blog posting, the newly automated fix has been incorporated into Windows Update.

<sarcasm>
Considering how so few people use Internet Explorer and even fewer use Windows XP and Vista, combined with the limited resources of the company that produced both products, it's no surprise that quality assurance for the original bug fix might be lacking.
</sarcasm>

* According to Heise Security, "the update does not really fix the problem..."


About Defensive Computing

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He views Defensive Computing as taking steps, when things are running well, to avoid or minimize the inevitable problems down the road. It's about educating yourself to the level where you can make your own intelligent decisions about keeping your computers and data happy and healthy. If you depend on computers, yet are on your own, without an IT department or nearby nerd, this blog's for you. His personal web site is michaelhorowitz.com.

He is a member of the CNET Blog Network and is not an employee of CNET.
