If you use a Windows computer connected to a network, a newly discovered bug makes it possible for a bad guy to wreak havoc on the computer without your doing anything. The most vulnerable versions of Windows are XP, 2000 and Server 2003. Vista and Server 2008 are also vulnerable, but not as badly. Microsoft considers the bug important enough to issue the patch immediately rather than waiting for their normal once-a-month patch Tuesday.
Susan Bradley, writing for the Windows Secrets newsletter, recommends immediately installing the just-issued patch. Then she offers some unusual advice, suggesting people first restart their computers "to verify that your machine is bootable." Can't hurt. Then she says to install the patch and reboot again. Her article also includes direct links to the patch for each version of Windows. If, for some reason, you can't run Windows/Microsoft Update, you can manually download the patch and install it.
A standard of Defensive Computing is that the less software installed and running, the better. This particular bug is in a part of Windows known as the Server service. If you are not sharing files and/or printers on a local area network, then you don't need to have the Server service running, bug or no bug.
Making a Windows service not run all the time is called disabling and/or stopping. Stopping refers to the instance of the service currently running. Disabling means preventing it from ever starting again. Microsoft describes how to both stop and disable the Server service in Security Bulletin MS08-067. They also suggest doing the same to the Computer Browser service.
Anyone not sharing files and/or printers on a network should also turn off File and Printer Sharing for Microsoft Networks (the Windows XP name) on all network definitions. For example, on a laptop with both wired Ethernet networking and wireless Wi-Fi networking, File and Printer Sharing should be turned off in both network definitions.
If the Server and Computer Browser services are disabled, then some people might consider the last point (and the next) overkill. I think they are a good idea because it means two mistakes would have to be made to enable file and printer sharing as opposed to only one mistake.
Build a better fence around your Windows computer.
For still more safety, look into how your firewall is configured to ensure that it does not allow incoming traffic on TCP port 139 or 445. Again, this is for someone not sharing files and printers. Firewall configuration varies widely, but if you are using the Windows firewall in XP, the exception for this is called "File and Printer sharing."
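An added audit script (mine, not from the original post) that checks the three mitigations above on a machine that does not share files or printers: the Server and Computer Browser services, anything listening on TCP 139/445, and enabled inbound firewall rules that open those ports. It assumes Windows PowerShell 5.1 on a current Windows; the NetTCPIP and NetSecurity cmdlets did not exist on the XP-era systems the post discusses, and the service names LanmanServer and Browser are the real ones behind the display names.

```powershell
# Added audit script, not from the original post. Read-only; run from an
# elevated prompt so the firewall rule listing is complete. Assumes Windows
# PowerShell 5.1 (Get-Service exposes StartType from PowerShell 5.0 on).

function Test-NoShareHardening {
    $findings = @()

    # Real service names behind the display names the post uses.
    $services = [ordered]@{
        LanmanServer = 'Server'
        Browser      = 'Computer Browser'
    }

    foreach ($name in $services.Keys) {
        $label = "$($services[$name]) service ($name)"
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            $findings += "[ok]   $label is not installed"
        } elseif ($svc.Status -ne 'Stopped') {
            $findings += "[warn] $label is $($svc.Status); stop it"
        } elseif ($svc.StartType -ne 'Disabled') {
            # Stopped but not disabled: it comes back at the next boot.
            $findings += "[warn] $label is stopped but StartType is $($svc.StartType); disable it"
        } else {
            $findings += "[ok]   $label is stopped and disabled"
        }
    }

    # The Server service listens on the NetBIOS session (139) and SMB (445) ports.
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        foreach ($port in 139, 445) {
            $listen = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
            if ($listen) {
                $owners = ($listen.OwningProcess | Sort-Object -Unique) -join ','
                $findings += "[warn] TCP $port is listening (PID $owners)"
            } else {
                $findings += "[ok]   nothing is listening on TCP $port"
            }
        }
    } else {
        $findings += "[info] Get-NetTCPConnection unavailable; check 139/445 with netstat -an"
    }

    # Enabled inbound allow rules that open 139 or 445. On XP the post's
    # "File and Printer Sharing" exception is the same thing.
    if (Get-Command Get-NetFirewallPortFilter -ErrorAction SilentlyContinue) {
        $open = Get-NetFirewallPortFilter |
            Where-Object { $_.Protocol -eq 'TCP' -and
                           (@($_.LocalPort) | Where-Object { $_ -in '139', '445' }) } |
            Get-NetFirewallRule |
            Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
        if ($open) {
            foreach ($rule in $open) {
                $findings += "[warn] firewall allows inbound 139/445 via rule '$($rule.DisplayName)' (profile: $($rule.Profile))"
            }
        } else {
            $findings += "[ok]   no enabled inbound allow rule opens TCP 139 or 445"
        }
    } else {
        $findings += "[info] NetSecurity cmdlets unavailable; inspect the firewall exceptions by hand"
    }

    return $findings
}

Test-NoShareHardening
```

Any `[warn]` line means one of the post's two "mistakes" is still possible; a clean run shows both services stopped and disabled, no listener on 139/445, and no inbound rule opening them.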
Firewalls are the first line of defense against this type of problem. With that in mind, you may want to review the series of postings I did recently on adding a second router to a LAN to provide additional firewall protection to your most important computers. See A second router protects adults from kids.
See a summary of all my Defensive Computing postings.
The New York Times published an article on Friday about Windows Vista that included this: "The main problem with Vista, Microsoft said, was that given the delays, uncertainty and significant changes in the software, the rest of the industry was not ready when Vista finally arrived."
This is, of course, self-serving; companies rarely admit their mistakes. How convenient that the fault lies with the "rest of the industry."
In fact, Microsoft released Vista prematurely. One can only assume that there was pent-up pressure stemming from the delay in getting it out the door. But few Windows users care about the delay. What made an impression, to the non-techies of the world, were the initial problems people had using it.
In the quote above Microsoft was referring to the lack of hardware drivers. They have to shoulder some of the blame for this, both in terms of not working sufficiently with hardware vendors and for releasing Vista knowing full well that driver problems awaited early adopters. Then too, they signed off on calling under-powered computers "Vista capable".
On top of this, Vista wasn't fully baked when it was released. The huge number of articles that suggested waiting for the first service pack is a testament to that.
In fairness, the same can be said of Apple. Leopard (Mac OS X 10.5), too, was far from fully baked when it was released. In this regard at least, Linux shines. There is no marketing department or sales department at Linux headquarters pushing the operating system out the door before the programmers say it's ready. In fact, there are no Linux headquarters at all.
Hassle factor
The Times article goes on to say: "By now, Microsoft insists that most of the frustrating technical problems with Vista...have been resolved--and many industry executives and analysts agree." Assuming, for argument's sake, that's true, the out-of-the-gate problems aren't the end of the story.
Vista has to be better than Windows XP. And the judgment of whether it's better or not varies with the audience. While techies may write blogs and articles, nerds are the minority--most Windows users are normal people with lives focused elsewhere. And for many normal people, Vista just ain't worth it.
For example, I can drive a car with an automatic transmission, but not a stick shift. Assuming, for argument's sake, that stick shifts offered an advantage (perhaps better mileage), I have to weigh the advantage against the cost and hassle of making the switch.
For many computer users, Windows XP works just fine. It's familiar, it's what they know, it's not a problem waiting to be solved. Some can barely use Windows XP and may not have the ability to adapt to anything new. Technical change is fun and easy for techies, but the same change is hard and/or distracting for others. I deal with many non-techies with jobs in other fields who couldn't care less about operating systems. Their computer is a tool to get their work done and any change is a nuisance--perhaps one they don't have time for.
The keyboard on your computer uses a layout that was chosen for reasons that no longer apply. Yet, who knows how many better layouts have failed to take off because they couldn't overcome the hassle involved in changing. Once someone learns to type on an existing keyboard, the benefit has to be huge to switch to a new layout.
Against this background, Vista has to be better than Windows XP. Much better. Noticeably better.
I don't see it.
I don't see Vista offering sufficient benefit in the way of must-have features to make it worth the changeover hassle. On top of this, despite whatever strides Microsoft may cite, Windows XP will be more compatible with existing hardware and software for the immediate future. Thus, XP is still the right decision for many Windows users.
Businesses choose which version of Windows to use and most chose XP (see Intel and General Motors). Consumers, by and large, don't choose, they are force-fed Vista. That's a shame. In part, it has led to the resurgent interest in Macs (along with the commercials, of course) and may well lead to the rise of Linux on Netbook computers. We'll see.
Update September 7, 2008: I'm not a Mac person, so my analogy about Apple also releasing an OS before it was ready may have been off. A commenter below said: "You would be more correct in using OS X 10.0 as a parallel example, which was released way too quickly, and was full of bugs. OS X 10.1 (which had all the fixes) came out very quickly after that, and was distributed to all OS X users for free as a partial apology."
See a summary of all my Defensive Computing postings.
On two Windows XP machines of mine, the installation of post-SP3 patches has broken Windows Update.
I first wrote about this yesterday, when it happened on one machine. Today, on a computer with very different hardware, the problem repeated itself.
In both cases the computers had no application software installed. Each had only Windows XP SP2 and a handful of vendor installed utilities. Neither machine had any anti-malware software of any kind, not even a firewall (other than XP's firewall). Both were running Internet Explorer 6.
Each time I started by installing SP3 and rebooting. Next, I ran Windows Update manually and opted to install all the post-SP3 patches, with the exception of Internet Explorer 7. I prefer to install IE7 by itself. The patches install fine, and I reboot again.
At this point Windows Update no longer works.
As I suggested three months ago, it's best to hold off on Service Pack 3.
Update July 27, 2008: This problem is not related to IE6; it was reproduced on two machines running IE7. At this point, I have tried to reproduce it on five computers. My best guess now is that the problem has to do with the type of license for Windows. On four machines that were purchased from the same hardware vendor (very different models), Windows Update broke. However, a copy of Windows XP purchased at retail in a shrink-wrapped box had no problems with Windows Update.
One Windows XP test machine started out with no service packs. I installed SP2, rebooted, installed IE7, rebooted, installed SP3, rebooted and then installed all the post-SP3 patches except for one. One patch had to be omitted because without something to install there is no way to know that Windows Update is broken. Specifically, I chose not to install KB923789, an update to the Adobe Flash player. The post-SP3 patches that I did install were KB951748, KB951978, KB890830, KB951376, KB950762, KB950760 and KB942763. One of them broke Windows Update.
For the fix to Windows Update see Fixing Windows Update on XP SP3.
See a summary of all my Defensive Computing postings.
The day Windows XP SP3 was released I advised waiting a long time before installing it. In the three months since, I haven't installed it on a computer that mattered to me. Today, I installed it on a computer that didn't matter much, and it caused a problem. So, I tried to take advantage of the free tech support Microsoft offers for SP3 - and got a lesson in fine print.
The computer shipped with Windows XP SP2 and some vendor utilities installed. It was a good guinea pig for SP3 because there were no user-installed applications and no user-created data files on the machine.
I downloaded and installed SP3 without incident. Then I rebooted and ran Windows Update again to get the latest patches. There were a handful of recent patches, and I installed all of them except for Internet Explorer 7. This too went fine and I rebooted again, little knowing the grief that awaited.
Back to Windows Update to install IE7. As you can see below it found another patch too.
Now however, Windows Update can't install either the patch for the .NET framework or IE7. It politely says that "Some updates were not installed".
Under the error (see below), it says to try again. So I did, but that didn't help. I tried one at a time, but that didn't help either. I rebooted, to no avail.
So I called Microsoft (866-234-6020) hoping to get some of the free tech support for XP SP3 mentioned here. But I didn't qualify.
The free support is for "installation and compatibility". In my case SP3 installed fine so I don't qualify there. And compatibility doesn't seem to include SP3 being compatible with Windows Update.
No Free IE7 Tech Support Either
While on the phone with Microsoft, I had an idea. Because of the problem, I couldn't install Internet Explorer 7, and Microsoft offers free tech support for IE7 too. This page clearly refers to "Free Internet Explorer 7 installation and set-up phone support".
Switching from asking for XP SP3 support to asking for IE7 support stumped the person I was speaking to, and I had to wait on hold while he got a ruling from the judge. Again, I didn't qualify.
Despite the offer of free installation support for IE7 and despite the fact that I couldn't install IE7, the Microsoft person explained that since my problem was really with Windows Update, I didn't qualify for the free help.
The patch for the .NET framework did me in. Since it also wouldn't install, this pointed the finger at Windows Update rather than at IE7. Adding insult to injury, Windows Update created the need for this patch by installing the known buggy Service Pack for the .NET framework in the first place, a situation I wrote about back in April (see Don't get burned by Windows Update).
Lawyers reading this must find it a hoot. Internet Explorer 7 is installed with Windows Update and there is free telephone support for installing the product. But if Windows Update is the problem, no free support.
After hanging up, I tried Microsoft Update instead of Windows Update, but it failed in the same way. When turning off the machine, automatic updates tried to install a patch, but that failed. At the next boot, automatic updates wanted to install both IE7 and the patch for the .NET framework. I let it try, but it failed in the same way. At the next shutdown, Windows again tried to install a patch. It's confused.
Microsoft offers free tech support for Windows Update too. But that's not on the phone, only by email. I went down that route, filling out the necessary forms and accumulating the required data.
I don't expect it to lead anywhere. For one thing, as you can see from the screen shots above, there is no error code, just a generic warning about "a problem". I checked the event logs and there were no error messages there either. Debugging errors without an error code is really hard, especially by email.
I think it's time for some more Linux postings.
Update: July 22, 2008: This was not a fluke, it happened again on another machine.
See a summary of all my Defensive Computing postings.
A few recent stories highlighted a bedrock of Defensive Computing - if you surf the web on a Windows computer, you are safer using Firefox as opposed to Internet Explorer.
On June 26th at ZDNet Ryan Naraine wrote about a new bug in Internet Explorer (Zero-day flaw haunts Internet Explorer) for which Microsoft has no fix/patch. A few days later, he documented how the bad guys were exploiting this bug (Exploit code released for unpatched IE 7 vulnerability). That story starts with "Another day, another gaping hole affecting fully patched versions of Microsoft's Internet Explorer browser." We've been down this road before.
The original source for stories about this particular bug is US-CERT Vulnerability Note VU#516627 which says the bug affects IE6, IE7 and even the beta edition of the upcoming IE8. A trifecta.
Bringing up the rear, IE6 suffers from another new bug for which there isn't yet a fix. Gregg Keizer wrote about this on June 26th at ComputerWorld (Researchers warn of IE6 zero-day bug).
Do you follow tech news? Were you aware of these new unpatched bugs in Internet Explorer? Have we gotten so used to IE bugs that they're barely news?
Old Versions of Software
Unpatched bugs in the latest version of software are bad enough. Then, there's the problem of not even using the latest and greatest version.
A recent survey, described by Robert Vamosi at CNET found "...637 million Web users are surfing with outdated Internet browsers..." That's just asking for trouble at a time when simply viewing a web page can infect a computer.
Many computer users are non-techies and the self-updating system for software needs to take them into consideration in choosing defaults, error messages and status messages.
Firefox does an excellent job of updating itself; Internet Explorer does not. The survey found many IE users running old versions of the browser, more so than other browsers. For example, Firefox defaults to opening a window telling the user that there is a new version, what the new version is, and asking for permission to install it. Internet Explorer doesn't come close to being that user-friendly.
Not only is the Firefox self-updating system well designed, it benefits from only having to update Firefox. Internet Explorer is updated as part of Windows Update and Microsoft Update and thus lives in a bigger, more complicated, more intimidating system. Microsoft uses this system to update Windows, IE, the .NET frameworks, Office, its Defender anti-malware software and who knows what else.
One of the many problems with the Microsoft update environment is the schedule. Firefox has no schedule, Internet Explorer does. Or rather, Microsoft does. Big companies need a schedule. Microsoft has argued many times that having a schedule for releasing bug fixes is a good thing.
Perhaps it is a good thing for the big companies that Microsoft caters to - but it's not a good thing for you and me. The net result is that Microsoft releases Internet Explorer bug fixes once a month. Mozilla releases Firefox bug fixes when they're ready.
Which do you prefer?
Update. July 6, 2008: Tuesday July 8th is Patch Tuesday and according to Ryan Naraine at ZDNet there will be no fixes to Internet Explorer, which currently suffers from several known bugs. Quoting:
"These include the Safari-to-IE bug reported by Aviv Raff, the cross-domain zero-day affecting IE 6, the cross-site scripting bug reported by Roel Schouwenberg, the print table of links issue, and the serious iFrame hijacking flaw discussed by Sirdarckat. There really is no excuse for the delay in patching the Safari-to-IE code execution flaw. It was reported to Microsoft since 2006!"
Update. July 7, 2008: Yet another IE related bug was reported today - Microsoft probing ActiveX attacks targeting Access feature. Firefox doesn't do ActiveX, one of many reasons it's safer. But, perhaps the most telling point of all is this quote "Eventually, Microsoft may provide a security update for the vulnerability...". May provide? What does that say about Microsoft?
Update. July 7, 2008: A commenter made a good point, Windows 2000 users have access to the latest version of Firefox, but are restricted by Microsoft to IE version 6. And speaking of operating systems, anyone needing to use both Macs and Windows can find a comfortable home with Firefox.
See a summary of all my Defensive Computing postings.
In the first posting on this blog I said it would be a game-free zone. Despite this, I recommend reading The truth about last year's Xbox 360 recall by Paul Thurrott. The story is as much about Microsoft and hubris as it is about the Xbox 360.
You may recall that Microsoft had to replace many Xbox 360s that suffered from a "Red Ring of Death" and even went so far as to extend the warranty to three years. Microsoft never offered specifics on the problem and now we know why, it was embarrassing.
Anyone can call the Xbox 360 "... a hunk of unreliable junk that was foisted on us by people who are more concerned with their own image than with reality." But, it means more, when coming from a pro-Microsoft person, such as Mr. Thurrott.
FYI: The article refers to an "ASIC" which is an Application Specific Integrated Circuit. In the context of the article it refers to the graphics processor.
See a summary of all my Defensive Computing postings.
My last couple of postings were about a bug fix for Windows that I think is best avoided. Dealing with this particular fix raised the issue, for me, of how best to deal with installing all patches from a Defensive Computing standpoint.
I spent 10 years in the mainframe world administering DB2 databases. The conundrum with installing patches is the same on mainframes as with PCs. Should you install every bug fix as soon as it's released or should you hold back a bit? And, if you do hold back, for how long?
The problem, in both environments, with installing bug fixes ASAP is that some will inevitably cause more problems than they fix. And when they do cause a problem, it may be a biggie, because a work-around could be days away. The problem with holding back, again in both environments, is how long to wait until you are reasonably sure that a patch won't break something accidentally. Do you install bug fixes a week after they were released? A month? Two months?
Mainframers have some advantage over Windows users when it comes to installing patches.*
For one, they can opt to not install patches until they "ripen" (my term). Assuming, for example, that patches are released monthly, a mainframe administrator can, if they want, install March patches in May and April patches in June. Windows/Microsoft update has no such date-oriented feature.
Another advantage is that mainframe patches are usually overseen by someone expert in the software being maintained. That is, a DB2 expert reviews the DB2 patches and can decide to omit some, if for example, they apply to features not being used. Likewise, patches for the operating system (z/OS) are typically reviewed by an expert in the OS before being applied. Needless to say, most PC users cannot evaluate for themselves whether a particular patch is really needed or not.
Patching for non-techies
So, what should non-technical PC users do?
There is no one right answer. If non-techies install patches as soon as they are released, they are the least qualified to deal with problems caused by buggy patches. Yet, leaving their computers vulnerable to newly discovered bugs is risky too.
Many people recommend that non-techies let Windows automatically install patches as they are released. To recommend this is to trust Microsoft a bit more than I do. But, if the computer is used for non-essential things, and being without it for a period of time is no big deal, then installing patches automatically is the way to go. If the computer in question is used by children a lot, then again, installing patches immediately is probably the best approach.
But, some non-technical users make their living using a Windows computer, and they can't take the risk of a buggy patch causing a problem for which a fix may be days away. These people are probably better off waiting until a computer nerd can assist them, even if it means being vulnerable to a newly discovered bug.
Patching For Techies
If you have the technical skill and the inclination, then I suggest turning off all the automatic processing offered by Windows/Microsoft Update. Don't even let it check for updates without downloading them. On top of this, I would also disable the underlying Automatic Updates Windows service (In XP, Control Panel -> Administrative Tools -> Services).
Once a month, I would enable and run Windows/Microsoft Update manually, then immediately disable it again.
When to run it? Installing patches a few days after Patch Tuesday gives Microsoft time to fix or withdraw any patches that caused widespread problems. Sometimes patches can be easily un-installed, but not always. Unless you make a disk image backup beforehand, I'd be very wary of installing patches on Patch Tuesday.
The classic trade-off has always been between security and convenience. Manually running Windows Update once a month is, admittedly, a nuisance.
To run a completely disabled instance of Windows/Microsoft Update in XP, you start by enabling the Automatic Updates service. This requires both setting it to start Automatically (note that it must be set to an "Automatic" startup, for some reason "Manual" is treated the same as disabled) and then manually starting it. Then run the update, selecting "Custom" rather than "Express" processing (see above). Before shutting down Windows, stop and disable the Automatic Updates service again. The Background Intelligent Transfer Service can be left at Manual startup at all times.
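An added helper (mine, not from the original post) that scripts the monthly routine just described: set Automatic Updates to Automatic and start it, run the update by hand, then stop and disable it again, with a check that the window is really closed. The service names are the real ones (wuauserv is Automatic Updates, BITS is the Background Intelligent Transfer Service); the function names are my own, and it assumes an elevated Windows PowerShell 5.1 prompt.

```powershell
# Added helper, not from the original post. Run from an elevated prompt.

function Open-UpdateWindow {
    # The post notes that "Manual" is treated like Disabled by Windows Update,
    # so the startup type must be Automatic, and the service still has to be
    # started explicitly because changing the startup type does not start it.
    Set-Service -Name wuauserv -StartupType Automatic
    Start-Service -Name wuauserv
    (Get-Service -Name wuauserv).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))

    # BITS can stay at Manual all the time; Windows Update starts it on demand.
    Set-Service -Name BITS -StartupType Manual

    Get-Service -Name wuauserv, BITS | Select-Object Name, Status, StartType
}

function Close-UpdateWindow {
    # Stop the running instance first, then prevent it from starting again.
    # -Force also stops anything that depends on it.
    Stop-Service -Name wuauserv -Force
    (Get-Service -Name wuauserv).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
    Set-Service -Name wuauserv -StartupType Disabled

    Get-Service -Name wuauserv | Select-Object Name, Status, StartType
}

function Test-UpdateWindowClosed {
    # $true only when both conditions from the post hold: the service is
    # stopped AND it cannot start again at the next boot.
    $svc = Get-Service -Name wuauserv
    return ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
}

# Typical monthly session, a few days after Patch Tuesday:
#   Open-UpdateWindow
#   ...run Windows/Microsoft Update manually, choosing "Custom"...
#   Close-UpdateWindow
#   if (-not (Test-UpdateWindowClosed)) { Write-Warning 'Automatic Updates is still enabled' }
```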
Disabling the Automatic Updates service has two added benefits. The minor one is that it enables XP to start up a bit faster.
The major one is that it also helps to protect you from Microsoft, which last September, forced updates on computers that were configured not to be automatically updated. I blogged about this at the time, see Windows is spyware and Defending yourself against Microsoft. I also recommend reading the September 13, 2007 edition of the Windows Secrets newsletter, specifically the lead article by Scott Dunn, Microsoft updates Windows without users' consent.
On a related note, as I wrote in April, Windows XP users should not be in a rush to install Service Pack 3. In fact, if someone suggested installing SP3 soon after it was released - don't take advice from them in the future. The problems that cropped up after its release were as predictable as the sun rising in the morning and the benefits are, by all accounts, minimal.
Patching Other Software
But what about the tons of other software, besides the operating system, that also needs to be patched?
In the Windows world this is a mess, if not a disgrace. Every software company re-invents the wheel when it comes to updating their software.
I'm not a Mac person, but I believe the situation is basically the same there: Apple's equivalent to Windows Update only updates Apple software. Linux has great potential in this area, but I'm not familiar enough with it to judge if the potential is being realized. I do know that a number of Linux distros resisted my attempts to figure out how to update software. At least Windows Update is simple and easy to use, even in manual mode. Recently, a copy of gOS running on a new computer totally refused to update anything, and the error messages were of little help.
Macs and PCs will always be unreliable without a single patch delivery system for all the installed software.
In the meantime, some businesses make do with assorted commercial products that install patches to a wide range of software. A large computer company has home-grown software for doing this on the machines of employees. Home users have the Secunia Online Software Inspector; flawed though it is, you're much better off using it than avoiding it. FileHippo has a free update checker for Windows machines, but it is in beta test and requires .NET framework version 2. CNET offers VersionTracker, but it is not well rated by the 387 users that rated it.
In the long run this argues for Software as a Service, if for no other reason than, as in the mainframe world, experts oversee the patch process rather than normal, non-techie users. It may also lead to some type of virtualized desktop, again motivated by the need to increase reliability by controlling software installations. Personally, I'm a huge fan of portable applications, that is, software that can run without being installed (www.portableapps.com has a great collection). And while I'm not a big fan of software like GoBack that rolls back system activity, it may justify itself by being able to undo any software installation, be it a patch or not.
Personal computing is a young field and the way patches are handled, shows all too clearly that this is still the Fred Flintstone era.
*NOTE: What Windows people refer to as a "patch" or "update", mainframe people refer to as a PTF - Program Temporary Fix.
See a summary of all my Defensive Computing postings.
As I wrote a couple days ago, Microsoft released a new bug fix, KB932823, on May 28th which seemed suspicious for a number of reasons.
For one thing, the patch was released at the end of the month instead of Patch Tuesday. It turns out, according to a company spokesperson, that Microsoft releases patches twice a month, not just once a month. "While we release security updates on the 2nd Tuesday of the month, non-security updates are usually released either the 2nd or 4th Tuesday of the month." Who knew?
Since KB932823 is not a security related patch (terminology: "updates" means "patch" which in turn means "bug fix"), it doesn't show up in the list of latest security patches. The Microsoft spokesperson was unable to find a web page that explains or documents the fourth Tuesday bug fix schedule.
Still, this particular bug doesn't strike me as high priority, so I wouldn't install the patch. As I wrote previously, there are two workarounds, and according to Microsoft, the problem only "occurs if the Japanese Input Method Editor (IME) is the default keyboard layout."
The Microsoft spokesperson added that the problem only occurs on multi-core machines. So why was my English-only copy of XP running on a single-core processor offered this patch? Doesn't inspire confidence.
In addition, the problem also occurs on Windows Server 2003 where it is considered a "hotfix" rather than a critical bug. A hotfix is a bug fix that not only doesn't get installed automatically, you can't even download it. Instead, you have to call Microsoft and convince them you need it. For Windows Server 2003, Microsoft says:
Apply it only to systems that are experiencing this specific problem ... if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this hotfix.
In other words, the patch status on Windows Server 2003 is totally opposite from that in Windows XP. Strange.
I also checked the IE blog and the IE home page at Technet. Neither said a thing about this bug fix.
Another Microsoft spokesperson noted that this patch also applies to the Media Center Edition of XP. They said, "Media center is just a variant of Windows XP so all fixes that apply to Windows XP Pro apply to Media Center Editions. Windows Update handles this automatically by delivering the correct version of the fix."
In addition, they pointed out that KB932823 applies to both 32 and 64 bit versions of Windows XP. Quoting: "The x64 version of Windows XP uses the Server 2003 version of the fix - this is true for all x64 XP fixes. Windows Update handles this automatically by delivering the correct version of the fix. (However, only WinXP x86 fix is available from the Microsoft Download Center. Customers who want the fixes for ... Windows XP x64 need to contact Microsoft to get the fix.) "
If you have Windows/Microsoft Update set to operate automatically, then you can't pick and choose the patches to install. Next time, some thoughts on dealing with Windows/Microsoft Update.
Update June 2, 2008: Added comments from second Microsoft spokesperson.
See a summary of all my Defensive Computing postings.
For some reason I felt the need today to run Microsoft Update (big brother to Windows Update) on my Windows XP computer. No particular reason, just felt it in my bones, even though I had run it recently after installing the Word viewer. Sure enough, it found a missing bug fix. It thinks the bug fix is critical, me, I'm not so sure.
Anyone who runs Windows Update manually, as I do, knows not to trust it all that much. It has, for example, found missing patches for software that was not installed. In April, I blogged about how Windows Update installed software with known bugs, converting a secure computer into an exploitable one.
This particular bug (a.k.a. KB932823) doesn't seem at all critical. The sole extent of the problem (see You may be unable to use Windows Internet Explorer 7 to download files on a computer that is running Windows Server 2003 or Windows XP) is that Internet Explorer 7 may not download a file when requested to do so. Here is the problem symptom, as described by Microsoft:
"You may be unable to use Windows Internet Explorer 7 to download files on a computer that is running Windows Server 2003 or Windows XP. For example, after you click Save in the File Download dialog box, the file is not downloaded."
In other words, it's not a security related thing at all.
And, there are two workarounds. One, provided by Microsoft in the problem description, involves configuring Advanced Text Services. The other is simply running another web browser.
The patch for Windows XP was released May 28th, but the problem description was last reviewed 2.5 months ago. I searched Microsoft's website and found nothing new written about it. Microsoft tracks the latest security updates here. It was last updated May 13th and says nothing about the release of KB932823 on May 28th. The Microsoft Update Product Team blog also says nothing about this bug fix. Not exactly a hot item.
Microsoft releases patches once a month, on what us nerds call Patch Tuesday. For a bug fix to be released immediately, as opposed to waiting for the next Patch Tuesday, it has to be the most critical of the critical. Doesn't happen often. And, apparently, should not have happened now. By all measures, this is a trivial dinky problem.
Still, why not just let Windows/Microsoft Update install the patch anyway?
For one thing, any time you install software you are taking a risk. That Microsoft released this as an immediate critical patch makes it fairly obvious they don't have their act together, so I would trust this patch even less than normal.
And, there have been reports that this patch has caused problems (here and here and here). Then again, these problem reports have to be taken with a grain of salt, unless you know the people reporting them.
The bug, it seems to me, is with Windows/Microsoft Update, rather than with IE7.
Update June 2, 2008: See More about patch KB932823 for more on this.
See a summary of all my Defensive Computing postings.
NOTE: Microsoft says the bug applies to Windows XP Home and Professional, but doesn't bother to state if it is the 32-bit or the 64-bit editions or both. For Windows Server 2003, which is also affected by this bug, they do clearly make this distinction. And, Microsoft does not say that the bug applies to the Media Center Edition of XP - almost every bug for XP Home and Professional also affects the Media Center Edition.
Not everyone wants to, or can, pay for a copy of Microsoft Office. Some of us, instead, chose to run free software that competes with Office, such as Open Office or Star Office or IBM's Symphony.
As a user of Open Office, I can attest that its formatting of Word documents is far from perfect, and there is no way to know how good a formatting job it is doing on any particular document. To get perfect rendering, I also use the free Office viewers that Microsoft provides for Word, Excel and PowerPoint. You can download them at microsoft.com/downloads (select "Office" in the left side column).
Despite the name "viewer" these programs also let you print Office files and copy data into other applications. The viewer programs are supported on Windows XP, Vista, 2000 and Server 2003.
The most popular viewers are those for PowerPoint 2007 and Word 2003. The Word 2003 Viewer, like Word itself, can read documents from earlier versions of Word.
The latest Word viewer, released in September 2007, is simply called the Word Viewer, with no version number at all. It's nice to be a monopoly. You can think of the latest Word Viewer as the Word 2007 Viewer since it lets you view the new .docx and .docm file formats. However, to get this functionality, Microsoft also requires that you install the Office Compatibility Pack.
The latest Excel Viewer, released in January 2008 also has no associated version number. A screen shot is below. I haven't used it much, but have noticed that it doesn't let you resize columns.
In part, this posting was prompted by a recent question at ask-leo.com - Do I need MS Office updates if I only have the viewers? The answer is yes, but Windows Update doesn't cut it. Just like with the real Office software, bug fixes to the viewers are detected and installed with Microsoft Update. The Word 2003 Viewer was released in August of 2005 and needs quite a few patches as shown below.
Office documents have often been booby-trapped with malicious software, so be sure to run Microsoft Update after installing any of the Viewer programs.
Many of the Word documents that I'm sent don't need to be edited, only viewed. If that's the case for you too, you may be able to save the cost of Microsoft Office by combining free Office software with the free viewers.
See a summary of all my Defensive Computing postings.