If you use a Windows computer connected to a network, a newly discovered bug makes it possible for a bad guy to wreak havoc on the computer without your doing anything. The most vulnerable versions of Windows are XP, 2000 and Server 2003. Vista and Server 2008 are also vulnerable, but not as badly. Microsoft considers the bug important enough to issue the patch immediately rather than waiting for their normal once-a-month patch Tuesday.
Susan Bradley, writing for the Windows Secrets newsletter, recommends immediately installing the just-issued patch. Then she offers some unusual advice, suggesting people first restart their computers "to verify that your machine is bootable." Can't hurt. Then she says to install the patch and reboot again. Her article also includes direct links to the patch for each version of Windows. If, for some reason, you can't run Windows/Microsoft Update, you can manually download the patch and install it.
A standard of Defensive Computing is that the less software installed and running the better. This particular bug is with a part of Windows known as the Server service. If you are not sharing files and/or printers on a local area network, then you don't need to have the server service running, bug or no bug.
Making a Windows service not run all the time is called disabling and/or stopping. Stopping refers to the instance of the service currently running. Disabling means preventing it from ever starting again. Microsoft describes how to both stop and disable the Server service in Security Bulletin MS08-067. They also suggest doing the same to the Computer Browser service.
Anyone not sharing files and/or printers on a network should also turn off File and Printer Sharing for Microsoft Networks (the Windows XP name) on all network definitions. For example, on a laptop with both wired Ethernet networking and wireless Wi-Fi networking, File and Printer Sharing should be turned off in both network definitions.
If the Server and Computer Browser services are disabled, then some people might consider the last point (and the next) overkill. I think they are a good idea because it means two mistakes would have to be made to enable file and printer sharing as opposed to only one mistake.
Build a better fence around your Windows computer.
For still more safety, look into how your firewall is configured to ensure that it does not allow incoming traffic on TCP port 139 or 445. Again, this is for someone not sharing files and printers. Firewall configuration varies widely, but if you are using the Windows firewall in XP, the exception for this is called "File and Printer sharing."
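The stop/disable and firewall steps above, collected into a Windows XP batch script, as an added example that is not part of the original post. It assumes the XP service short names LanmanServer (Server) and Browser (Computer Browser) and the XP SP2 "netsh firewall" syntax; run it from an Administrator command prompt.

```batch
@echo off
rem Added example, not from the original post: stop and disable the
rem Server and Computer Browser services, then make sure the Windows
rem Firewall is not admitting file/printer sharing traffic (TCP 139/445).
rem Assumed short names: LanmanServer = Server, Browser = Computer Browser.
rem Note the space after "start=" in sc config; sc requires it.

rem Computer Browser depends on Server, so stop it first or "sc stop
rem LanmanServer" is refused because a dependent service is running.
sc stop Browser
sc config Browser start= disabled

rem Now the Server service itself: stop the running instance, then set
rem its startup type so it cannot come back after a reboot.
sc stop LanmanServer
sc config LanmanServer start= disabled

rem Confirm both show STATE : STOPPED.
sc query Browser
sc query LanmanServer

rem Windows Firewall (XP SP2): the "File and Printer Sharing" exception is
rem what opens TCP 139 and 445 on the local network; switch it off.
netsh firewall set service type=FILEANDPRINT mode=DISABLE

rem Review what the firewall still allows; 139 and 445 should not appear
rem as enabled port openings on any profile.
netsh firewall show config

rem To undo later (only if you start sharing files/printers again):
rem   sc config LanmanServer start= auto   and   sc start LanmanServer
rem   sc config Browser start= auto        and   sc start Browser
```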
Firewalls are the first line of defense against this type of problem. With that in mind, you may want to review the series of postings I did recently on adding a second router to a LAN to provide additional firewall protection to your most important computers. See A second router protects adults from kids.
See a summary of all my Defensive Computing postings.
All web browsers have bugs, but when simply viewing a web page can infect your computer with malicious software, the speed with which bugs are found and fixed is critical. It may be the most important yardstick by which to measure any web browser.
For Windows users, the choice between Firefox and Internet Explorer isn't a contest at all. Microsoft is slow in fixing IE bugs, being locked into a once-a-month cycle. Not Firefox.
Mozilla released version 3.02 of Firefox on Tuesday. It had a bug. Happens all the time. What doesn't happen all the time is that the bug was fixed quickly and version 3.03 of Firefox was released on Friday.
Anyone interested in Defensive Computing doesn't want their bug fixes idling at the gate waiting for the one day a month when they are set free.
Yesterday was Patch Tuesday, and a bug fix released by Microsoft caused a problem for ZoneAlarm firewall users - they could no longer get online. Oops. Except if they followed the advice offered earlier on this blog, which is to wait until Thursday or Friday before installing the patches Microsoft releases on Tuesday. This is exactly the sort of situation for which that advice was intended.
On July 2nd, I wrote about Flagfox, a Firefox extension that displays a small flag in the corner of the browser window. Three days later I expanded on this saying that Flagfox can serve a very important service, displaying the IP address of a website. For financial institutions, or anywhere you do sensitive transactions, this is very important. There are many ways that malicious software can fake out things such that even using a browser bookmark/favorite and even seeing the name of your financial institution in the address bar, you can nonetheless be at a phony, scam copy of the website, one designed to steal your password. Typically this is the result of an attack on DNS, a system that I described back in December when I suggested using OpenDNS.
Yesterday it came to light that there is a huge bug in DNS. Massive repercussions. But not for Flagfox users. They can see the IP address of their bank website and verify it. If, for example, a bank website is supposed to be at IP address 1.2.3.4 and a DNS poisoning attack results in your ending up at 5.6.7.8, Flagfox users won't be faked out. Of course, the banks have to publicly verify their IP addresses, and so far only Bank of America has done so. Chase outright refused to say anything. I'm still working on this.
On June 11th Brian Krebs at WashingtonPost.com wrote about a version of the "Zlob" Trojan that tries to zap the DNS settings on your router (a totally different type of DNS attack). But, anyone who took my March posting, Defending your router, and your identity, with a password change to heart, had already changed their router password and was immune to this attack.
On July 6th I discussed Still more reasons to avoid Internet Explorer. The very next day, we learned of another security problem with IE, this one having to do with an ActiveX control related to Microsoft Access. By my count, this brings the number of known bugs in Internet Explorer without fixes to six. I read my fair share of articles on this latest IE bug, and none said anything about a Microsoft commitment to fix it, despite the fact that bad guys are currently exploiting it. In fact, Elinor Mills said Microsoft "may" provide a fix in the future. It must be nice to be a monopoly.
Back in April, when Windows XP Service Pack 3 was released, I advised against installing it at a time when others said it was a good thing. In retrospect, the problems it caused far outweighed the trivial benefits it offers. I still haven't installed it and don't plan on doing so in the immediate future. Neither should you.
Watch this space for more Defensive Computing and, if you missed it, let me suggest reading The pillars of Defensive Computing.
My last couple of postings were about a bug fix for Windows that I think is best avoided. Dealing with this particular fix raised the issue, for me, of how best to deal with installing all patches, from a Defensive Computing standpoint.
I spent 10 years in the mainframe world administering DB2 databases. The conundrum with installing patches is the same on mainframes as with PCs. Should you install every bug fix as soon as it's released or should you hold back a bit? And, if you do hold back, for how long?
The problem, in both environments, with installing bug fixes ASAP is that some will inevitably cause more problems than they fix. And when they do cause a problem, it may be a biggie, because a work-around could be days away. The problem with holding back, again in both environments, is how long to wait until you are reasonably sure that a patch won't break something accidentally. Do you install bug fixes a week after they were released? A month? Two months?
Mainframers have some advantage over Windows users when it comes to installing patches.*
For one, they can opt to not install patches until they "ripen" (my term). Assuming, for example, that patches are released monthly, a mainframe administrator can, if they want, install March patches in May and April patches in June. Windows/Microsoft update has no such date-oriented feature.
Another advantage is that mainframe patches are usually overseen by someone expert in the software being maintained. That is, a DB2 expert reviews the DB2 patches and can decide to omit some if, for example, they apply to features not being used. Likewise, patches for the operating system (z/OS) are typically reviewed by an expert in the OS before being applied. Needless to say, most PC users cannot evaluate for themselves whether a particular patch is really needed or not.
Patching for non-techies
So, what should non-technical PC users do?
There is no one right answer. If non-techies install patches as soon as they are released, they are the least qualified to deal with problems caused by buggy patches. Yet, leaving their computers vulnerable to newly discovered bugs is risky too.
Many people recommend that non-techies let Windows automatically install patches as they are released. To recommend this is to trust Microsoft a bit more than I do. But, if the computer is used for non-essential things, and being without it for a period of time is no big deal, then installing patches automatically is the way to go. If the computer in question is used by children a lot, then again, installing patches immediately is probably the best approach.
But some non-technical users make their living using a Windows computer, and they can't take the risk of a buggy patch causing a problem for which a fix may be days away. These people are probably better off waiting until a computer nerd can assist them, even if it means being vulnerable to a newly discovered bug.
Patching For Techies
If you have the technical skill and the inclination, then I suggest turning off all the automatic processing offered by Windows/Microsoft Update. Don't even let it check for updates without downloading them. On top of this, I would also disable the underlying Automatic Updates Windows service (In XP, Control Panel -> Administrative Tools -> Services).
Once a month, I would enable and run Windows/Microsoft Update manually, then immediately disable it again.
When to run it? Installing patches a few days after Patch Tuesday gives Microsoft time to fix or withdraw any patches that caused widespread problems. Sometimes patches can be easily un-installed, but not always. Unless you make a disk image backup beforehand, I'd be very wary of installing patches on Patch Tuesday.
The classic trade-off has always been between security and convenience. Manually running Windows Update once a month is, admittedly, a nuisance.
To run a completely disabled instance of Windows/Microsoft Update in XP, you start by enabling the Automatic Updates service. This requires both setting it to start Automatically (note that it must be set to an "Automatic" startup, for some reason "Manual" is treated the same as disabled) and then manually starting it. Then run the update, selecting "Custom" rather than "Express" processing (see above). Before shutting down Windows, stop and disable the Automatic Updates service again. The Background Intelligent Transfer Service can be left at Manual startup at all times.
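The enable/run/disable routine above as a small batch script, an added example that is not part of the original post. It assumes the XP service short names wuauserv (Automatic Updates) and BITS (Background Intelligent Transfer Service) and is run from an Administrator command prompt.

```batch
@echo off
rem Added example, not from the original post: toggle the Automatic
rem Updates service around a manual Windows Update run.
rem   wu-toggle.cmd enable   -> set wuauserv to Automatic, start it, then
rem                             run Windows Update choosing "Custom"
rem   wu-toggle.cmd disable  -> stop wuauserv and set it back to Disabled
rem Assumed short names: wuauserv = Automatic Updates, BITS = Background
rem Intelligent Transfer Service. As the post notes, "Manual" startup is
rem treated like Disabled for this service, so enable uses start= auto,
rem not start= demand. BITS stays at Manual (demand) throughout.

if /i "%~1"=="enable"  goto enable
if /i "%~1"=="disable" goto disable
echo usage: %~nx0 enable ^| disable
exit /b 1

:enable
sc config wuauserv start= auto
sc start wuauserv
sc config BITS start= demand
rem Expect STATE : RUNNING before opening the update site.
sc query wuauserv
echo Run Windows Update now (www.update.microsoft.com), select Custom,
echo then run "%~nx0 disable" before shutting down.
exit /b 0

:disable
sc stop wuauserv
sc config wuauserv start= disabled
rem Expect STATE : STOPPED and START_TYPE : DISABLED.
sc query wuauserv
sc qc wuauserv
exit /b 0
```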
Disabling the Automatic Updates service has two added benefits. The minor one is that it enables XP to start up a bit faster.
The major one is that it also helps to protect you from Microsoft, which last September, forced updates on computers that were configured not to be automatically updated. I blogged about this at the time, see Windows is spyware and Defending yourself against Microsoft. I also recommend reading the September 13, 2007 edition of the Windows Secrets newsletter, specifically the lead article by Scott Dunn, Microsoft updates Windows without users' consent.
On a related note, as I wrote in April, Windows XP users should not be in a rush to install Service Pack 3. In fact, if someone suggested installing SP3 soon after it was released - don't take advice from them in the future. The problems that cropped up after its release were as predictable as the sun rising in the morning and the benefits are, by all accounts, minimal.
Patching Other Software
But what about the tons of other software, besides the operating system, that also needs to be patched?
In the Windows world this is a mess, if not a disgrace. Every software company re-invents the wheel when it comes to updating their software.
I'm not a Mac person, but I believe the situation is basically the same there; Apple's equivalent to Windows Update only updates Apple software. Linux has great potential in this area, but I'm not familiar enough with it to judge if the potential is being realized. I do know that a number of Linux distros resisted my attempts to figure out how to update software. At least Windows Update is simple and easy to use, even in manual mode. Recently, a copy of gOS running on a new computer totally refused to update anything, and the error messages were of little help.
Macs and PCs will always be unreliable without a single patch delivery system for all the installed software.
In the meantime, some businesses make do with assorted commercial products that install patches to a wide range of software. A large computer company has home-grown software for doing this on the machines of employees. Home users have the Secunia Online Software Inspector; flawed though it is, you're much better off using it than avoiding it. FileHippo has a free update checker for Windows machines, but it is in beta test and requires .NET Framework version 2. CNET offers VersionTracker, but it is not well rated by the 387 users that rated it.
In the long run this argues for Software as a Service, if for no other reason than, as in the mainframe world, experts oversee the patch process rather than normal, non-techie users. It may also lead to some type of virtualized desktop, again motivated by the need to increase reliability by controlling software installations. Personally, I'm a huge fan of portable applications, that is, software that can run without being installed (www.portableapps.com has a great collection). And while I'm not a big fan of software like GoBack to roll back system activity, it may justify itself by being able to undo any software installation, be it a patch or not.
Personal computing is a young field, and the way patches are handled shows all too clearly that this is still the Fred Flintstone era.
*NOTE: What Windows people refer to as a "patch" or "update", mainframe people refer to as a PTF - Program Temporary Fix.
New computers come with old software, a situation that, considering the recent slew of critical bug fixes, can be quite dangerous.
To illustrate just how old some of the software is, consider a new Windows XP machine that I got yesterday. The computer, a ThinkCentre A61 tower, was ordered from Lenovo on January 6, 2008. It was delivered to someone on January 16th, exactly who I'll never know. As I wrote about last month, UPS lost my computer. But that's another story.
I've got my new computer routine down pat at this point. First, I run a slew of hardware diagnostics, then I make a disk image backup. Next, I remove the pre-installed software that I don't want, followed by updating the pre-installed software that I'm keeping.
The first update is to Windows itself. I start by manually running Windows Update at www.update.microsoft.com. The Windows Update software is always old. Every new Windows XP computer I've touched required a couple software updates to Windows Update itself before it would even start scanning for missing bug fixes (a.k.a. patches and updates).
The machine was missing 60 fixes to Windows XP. I installed them, re-booted and went back to Windows Update. Experience has shown that Windows Update is far from perfect. Running it a second time often reports a new bug fix that was either missed the first time or is needed because the first go-round installed buggy software. Sure enough, a custom scan shows the machine is missing the .NET Framework version 1.1 Service Pack 1.
After dealing with Windows, I tried the Adobe Flash tester page, which reported that Internet Explorer was using Flash version 7.0.68. This is a really old version of Flash (the latest is 9,0,115,0).
The other popular Adobe product, the Acrobat Reader, was the only reasonably recent software. That said, the pre-installed version, 8.1.0, is missing critical bug fixes that make it, too, a security risk.
At this point I turn to the online Secunia Software Inspector to see what other software is missing security patches.
In addition to the ancient version 7 of Flash, the machine also came with the downright prehistoric, and buggy, versions 4 and 6 pre-installed.
Java, too, was missing security fixes. Secunia reported that Java was at version 1.5.0_6, which was released about December 2005. The latest version of the 1.5.x family, version 1.5.0_14, is secure, according to Secunia. However, the current version of Java is 1.6.0_4. You can see which version you have at javatester.org.
Lenovo has their own version of Windows Update called ThinkVantage System Update that updates the software they pre-install. It also seems to update other software, but exactly what it targets is not at all clear from the supplied instructions. Just like Windows Update, the first update it finds is to itself.
After self-updating, ThinkVantage System Update finds about a dozen or so software updates, mostly to Lenovo applications. The number would have probably been larger, but I had already un-installed some of the Lenovo software. Interestingly, it offered to install the latest version of the Adobe Flash player, despite the fact that Internet Explorer was already using the latest version at this point, at least according to Adobe's Flash tester page. The updates I chose to accept were 422 megabytes.
Finally, the computer came with Picasa version 2 from Google. The first time I ran Picasa, it wanted to update itself to a newer version.
The hardware in a new computer may be new, but the software never is.
Bug is a dirty word in the software world. After all, it means "mistake" and no one wants to admit they made a mistake. Instead of calling the fix for a mistake by its rightful name, a bug fix, software companies refer to "patches" or "updates". Soft words. Happy words.
The bug itself is called a "hole" or a "vulnerability". Initially, bugs were called "issues" but eventually people caught on. Did you happen to notice that Mitt Romney recently "suspended" his campaign (a soft word), as if he was taking the weekend off, rather than actually stopping (a harsh word)?
But getting back to software, below I go over a slew of important bug fixes released in the last few days. I also describe the latest updates to Java and the Flash player even though they weren't released this week. As more and more Windows users get their Windows fixes automatically, the bad guys are naturally going to attack other software on your computer. Thus, it's important to install the fixes described below. This is a Defensive Computing blog after all.
Recent Bug Fixes
Firefox released version 2.0.0.12 on February 7th to fix ten bugs, three of which are considered critical. Firefox runs on Windows, Macs, Linux and more. Mozilla, the company behind Firefox, doesn't say if any of the bugs are specific to an operating system, so all Firefox users should upgrade.
The usual Help -> About displays the currently installed version. You can force Firefox to check for updates with Help -> Check for Updates.
Firefox normally checks for updates often enough that you don't need to be concerned. From what I've seen, looking at website usage statistics, the vast majority of Firefox users are using the latest version. That means most Firefox users have it configured to automatically check for updates. To see how your copy of Firefox is configured, do Tools -> Options -> Advanced -> Updates tab. When updates are found, Firefox can either apply them automatically or ask you before applying them. All in all, the self-updating of Firefox works great.
The Adobe Acrobat Reader was updated on February 6th to fix security problems on Windows and Macs. Interestingly, Adobe says they support Mac OS X Leopard up through version 10.5.1. That was as of February 7th, but Apple updated Leopard to version 10.5.2 just four days later (see below for more on updates to OS X). Adobe hasn't yet said if this latest update to the Reader works on the latest version of Leopard.
The latest and greatest Acrobat Reader is version 8.1.2. If you are running version 7, the latest edition, 7.0.9, has known bugs for which Adobe has not yet issued fixes. They intend to. According to the Adobe Reader 8.1.2 Release Notes, the latest version of the Adobe Reader is available on Windows 2000, XP, Vista and 2003 Server, as well as Macs, Linux and Solaris.
In both versions 7 and 8, the usual Help -> About displays the current version, and you can check for updates with Help -> Check for updates. Most likely you will find available updates. Version 7 dealt with this well, displaying all the available updates and letting you pick and choose those to install. Version 8 has, by default, done away with displaying information about each available update. I mention this because there are updates that version 8 users may not want or need.
If you are using version 8, then after checking for updates, click on the "Show details" link before downloading anything. You may also want to click on the "preferences" link to configure self-updates. In terms of security, you don't need the update that installs dictionaries for spell checking for multiple languages. You also don't need the Photoshop Album Starter Edition.
Depending on how your copy of the Adobe Reader is configured, it may notify you of the need to update itself as soon as the program starts up.
According to Adobe, bug fixes are also needed if you are running "Adobe Acrobat Professional, 3D and Standard 8.1.1 and earlier versions". For more see Security update available for Adobe Reader and Acrobat 8 and the Secunia advisory.
Apple's QuickTime was updated on February 6th to fix a security problem. The latest version is 7.4.1. The update affects Mac OS X v10.3.9, v10.4.9, v10.5, Windows Vista and Windows XP SP2. You can download it here and see the Secunia advisory. Apple has a software update service for both Macs and Windows, but I'm not familiar with it.
Skype was updated on February 5th to fix a security problem that only affects Windows users. The new version of Skype for Windows is 3.6.0.248. You can download the latest Skype software here. For more, see the Secunia advisory or read about the problem from Skype.
Windows users can check for software that is missing bug fixes using the online Secunia Software Inspector.
Not So Recent Bug Fixes
Java was updated a few weeks ago, but there was confusion about the need for the latest version, 1.6.0_04. I wrote about this on February 8th, see Sun's Java sloppiness.
Update. February 13, 2008: Sun provides recent copies of Java for Windows, Linux and Solaris here but not for Macs. At this Java.com download page, Sun links to Apple's web site, where the available versions of Java are very old. Specifically, this page offers downloads of Java version 1.5.0_08 and 1.4.2_12. More recent was the December 13, 2007 release by Apple of Java for Mac OS X 10.4 which offers up versions 1.5.0_13 and 1.4.2_16. Despite the title, it seems as if these versions of Java are supported on Leopard (10.5). I am not a Mac user so I can't test this myself. If and when Apple will release a version of Java in the 1.6.x family is anyone's guess. For more see developer.apple.com/java/.
To see which version of Java is installed on your computer, you can use my javatester.org web site. Be sure to check in every web browser that you use.
The confusion included Secunia recommending version 1.6.0_04, while Sun recommended version 1.6.0_03. Since writing about this on the 8th, I've been in contact with Sun. I'll have more to say on this later, but suffice it to say that version 1.6.0_04 contains many updates but only one that might be considered a security update. Sun's position is that version 1.6.0_03 is secure for normal consumer usage.
If you are running version 1.6.0_03, it may not be worth the trouble to update to the latest version. If you have an earlier version of the 1.6 family however, then you should update and, if you're going to update, you might as well go for 1.6.0_04. The last version of the previous 1.5 family is 1.5.0_14. According to Secunia, this version is secure, but earlier versions of 1.5.x are not.
Before updating Java, I suggest removing older versions. Windows users can do this with the usual Add/Remove programs thingy in the Control Panel (I say "thingy" because when discussing Java, the normal term, "applet", has a specific non-Windows meaning).
The latest version of the Adobe Flash player was released in mid-December. I mention it here because it fixed a number of critical security bugs, everybody has a copy, and it didn't get a lot of publicity.
To see which version of the Flash player is installed on your computer, go to www.adobe.com/products/flash/about/. The latest is version 9,0,115,0. As with Java, you need to check this in all web browsers on your computer as different browsers can be using different versions.
I wrote about updating the Flash player on January 28th, see A heads-up on the Adobe Flash player. For safety, old version(s) should be manually un-installed before installing a new version. Unfortunately, removing the Flash player can be problematic. My blog posting has more on this, but after removing the Flash player, check with the above web page that each browser on your machine is, in fact, not able to access Flash. Adobe has a dedicated Flash Player un-installer, if need be.
The latest version of the Flash player is available at www.adobe.com/go/getflashplayer.
Operating Systems Too
Both Windows and the Mac OS X were also just updated.
Updates to Mac OS X were released yesterday (February 11th). The latest Leopard is now 10.5.2. For more, see this from Apple (docs.info.apple.com/article.html?artnum=307109) and Apple updates Leopard, Tiger with security updates from fellow CNET blogger Robert Vamosi. I couldn't find any references to recent Tiger (10.4) bug fixes at Apple's web site.
All users of Mac OS X should read Mac OS X: Updating your software from Apple.
Update: February 13, 2008: The title says it all: Rush Limbaugh begs Steve Jobs for bug fixes.
The latest Microsoft bug fixes roll out today, February 12th, otherwise known as "Patch Tuesday". Some fixes are for Windows, some are for Microsoft Office. Specifically, there are bug fixes for Windows 2000, XP, Vista and Server 2003 as well as Office 2000 and 2003 and Office for the Mac 2004.
For the gory details see Microsoft Security Bulletin Advance Notification for February 2008 from Microsoft and Microsoft fixes 17 flaws in 11 patches; 6 are critical by CNET blogger Robert Vamosi.
I need your help here. The latter article starts with "Microsoft on Tuesday released its February 2008 security bulletin, which includes eleven bulletins, six of which are deemed Critical by Microsoft, while five are deemed Important."
The latest soft word in the bug field seems to be "bulletin". I missed the memo. What's a bulletin? Is it a bug? A bug fix? A description of the bug? How can the February bulletin include eleven bulletins?
Yet again, a bug fix created a new problem. This time it occurred with Internet Explorer 6 and 7 on Windows XP and Vista.
The problem is that Internet Explorer crashes after viewing a web page. Not all web pages, though; I was able to successfully view about half of those I tested with IE6. One site that crashes it pretty quickly is Microsoft's own msn.com (they offered it as an example).
It wasn't hard to find information online about this problem which was introduced in the December 11th round of bug fixes to Windows.
According to Computerworld, reports of problems with Internet Explorer came in immediately after the release of the December 11th patches. I was only just hit with this because I always wait a bit before installing new bug fixes. This wasn't the first time that a poorly tested fix created a new problem.
To document the problem Microsoft created Knowledge Base article 946627.
On December 18th, Microsoft offered a work-around in the form of a registry zap. Not your most user-friendly undertaking.
On December 20th, however, they incorporated the registry zap into a downloadable EXE file, and updated the Knowledge Base article with a link to the file.
Uninstalling
Rather than fix the fix with a registry zap that seems to target the symptom rather than the underlying problem*, my first reaction was to un-install the buggy bug fix.
Windows XP users can do this using the "Add or Remove Programs" applet in the Control Panel (see above). At the top of the window, turn on the checkbox for Show updates and sort by date last used. Then, scroll to the bottom and look for KB942615.
When I did this however, I was scared off by the warning message shown above. Even if I was willing to risk breaking two other bug fixes, I want no more to do with the Adobe Flash player. If you try this, please leave a comment below about the patches and applications, if any, that you get warned about.
Installing
You can download the automated registry zap here. The file is WindowsXP-KB946627-x86-ENU.exe, and running it starts up a Wizard (below) that walks you through a simple, standard installation process.
I suggest making a restore point before installing anything. Can't hurt. In my case, the fix was immediate, there was no need to restart Windows.
According to this Microsoft Security Response Center blog posting, the newly automated fix has been incorporated into Windows Update.
<sarcasm>
Considering how so few people use Internet Explorer and even fewer use Windows XP and Vista, combined with the limited resources of the company that produced both products, it's no surprise that quality assurance for the original bug fix might be lacking.
</sarcasm>
* According to Heise Security, "the update does not really fix the problem..."