Windows 7 Release Candidate now available to MSDN and TechNet subscribers

Windows 7 is up for people who have subscriptions to MSDN and TechNet.

No surprises. The servers are starting to melt down. I’m repeatedly getting the message, “Sorry, we were unable to service your request.”

Where are we with the patches?

Reader BH writes:

Before the current MS update release on Tuesday you were at Defcon 4
and stated to install the patches. Did that statement include:

Microsoft.NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update (KB951847)

KB952004

KB956572

KB959426

KB960803

Update Rollup for Actice X Killbit for Windows Vista (KB960715)

I have been sitting on these for awhile and wish to know what to do with them.

Your post regarding loading the patches did not specify the above and all along you have been stating not to load the Net Framework and Active X Killbit updates for some time now.

I follow your MS-DEFCON and only load when you say so and I would guess many others follow the same procedure. Wish you would incorporate a chart with each to the updates listed and what to do with them. It would only involve the lastest listing plus those from past months  that you do not wish us to update.

Wish I had time to do that! But it would be a monstrous task.

Here’s what I recommend:

I’m still ambivalent about KB951847. It breaks a lot of stuff. The ActiveX Killbit rollup also breaks a lot of stuff. I talk about both here.

KB952004 and KB956572 are MS09-012. You should’ve installed that already, but if you haven’t, wait.

KB959426 is MS09-015. Same comment.

KB960803 is MS09-013, part of the massive Internet Explorer patch. Same comment, especially if you use Firefox.

In general, if you follow the MS-DEFCON level, you’ll apply patches when they’re safe, and avoid applying patches when they aren’t. There are always a few stinkers – the ActiveX Killbit and .NET Framework patches fall into that category – but by and large you can apply the patches, when they’re fully baked, en masse.

For now, hold off.

MS-DEFCON 2: Office 2007 Pack 2 is up – avoid all patches for now

I’m raising us to MS-DEFCON 2:

Hot on the heels of Office 2007 Service Pack 2 / KB 953195, Microsoft has just released Windows Vista Service Pack 2 [* to manufacturing - expect to see it widely available at some indeterminate point in the not-too-distant future].

About a week ago, Microsoft started “pushing” Internet Explorer 8 via Automatic Update.

I strongly recommend that you HOLD OFF on all three. IE 8 has been through the wringer, and I remain ambivalent about installing it, but the other two patches haven’t been out in the wild long enough to see what problems crop up.

Because of the two new patches and the third that’s long in the tooth but still unproven, we’re at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

UPDATE: *Man, am I embarrassed. I’ve been knee-deep in Windows 7 stuff, and erroneously reported that Vista SP2 is out in the wild. It isn’t. Microsoft announced that Vista SP2 is complete – it’s been “released to manufacturing” (precisely what is being “manufactured” isn’t at all clear, but I digress). “We expect Windows Vista and Windows Server 2008 SP2 to be publicly available in Q2 2009.”

… as I go slinking back to my Windows 7 hovel, tail firmly between legs…

I feel that the pushing of Office 2007 Service Pack 2 and Internet Explorer 8, though, warrant staying at MS-DEFCON 2.

Microsoft will disable AutoRun and change AutoPlay

Remember all the angst over Windows AutoPlay and AutoRun? (For a detailed discussion of the differences between AutoPlay and AutoRun, start with this Wikipedia article.) AutoPlay was a major infection vector for Conficker. It’s always been a huge security hole in Windows.

Microsoft just announced that it’s disabling AutoRun in Windows 7, and changing the way AutoPlay works. The details are a bit hard to follow – the terminology is more than a bit obfuscating – but here’s what’s happening:

As I explained in my Windows Secrets column in January, it’s very easy to create a file called autorun.inf that can confuse the living daylights out of people. If you stick this custom-made autorun.inf on a USB drive or burn it on a CD, the commands in that file will cause Windows to display a (potentially infective) program on the AutoPlay menu, the menu that appears every time you insert a USB drive or CD into your computer (see screen shot).

In fact, autorun.inf controls what appears on the AutoPlay list if you stick it on any kind of removable media – USB drive, CD, DVD, SD card (so a card from your camera could infect other computers), and so on.

Microsoft is changing Windows so it behaves in two different ways, depending on whether the autorun.inf file is stuck on (1) a CD/DVD, or (2) any other kind of  media, notably a USB drive or SD card.

In the future, when Windows finds an autorun.inf file on a USB drive or SD card, it ignores the file. Nothing happens. You can create the most diabolically clever autorun in the history of mass infections, put it on a USB drive, and if someone sticks the drive in a properly patched Windows machine, it won’t do squat. AutoPlay doesn’t list anything from the autorun.inf, and nothing runs automatically.

In the future, when Windows finds an autorun.inf file on a CD or DVD, it shows the contents of the autorun.inf in the AutoPlay window, but the new, revised AutoPlay window warns you that the entry associated with autorun.inf is from the CD, not from Microsoft. The AutoPlay warning says “Install or run program from your media.”

And no matter where the autorun.inf file comes from, it can’t launch its own program. You have to do the clicking – point the gun at your own foot and pull the trigger.

The recently leaked Windows 7 Release Candidate, which should be widely available next week, already has those changes to AutoRun and AutoPlay. In addition, says Microsoft, “we are planning to release an update in the future for Windows Vista and Windows XP that will implement this new behavior.”

It’s about time.

Oh. There’s one little caveat. For those of you who suffer with U3 – the technology built into some USB drives that makes part of the drive look like a CD drive – Microsoft hasn’t figured out how to treat the whole USB drive like a USB drive. Instead, the CD part will be subject to the same handling as a CD. Quoth the Softies, “It is worth noting that some smart USB flash drives can pose as a CD/DVD drive instead of standard ones (see Wikipedia for an example). In this specific scenario, the operating system will treat the USB drive as if it is a CD/DVD because the type of the device is determined at the hardware level.”

Firefox 3.5 Beta 4 and 3.0.10 Now Available

For those of you who have beta tested Firefox 3.1 beta 3 back in mid-March, Mozilla has just released Firefox 3.5 Beta 4 on their beta page. The folks at Mozilla decided to make a version number change from 3.1 to 3.5 when beta 4 was going to be released.

And for those using Firefox 3.0 [yup, Woody has been reminding you Windows users to use Firefox], version 3.0.10 has been released at this Mozilla.com page. This one fixes one major security flaw mentioned in MFSA security bulletin 2009-23 and improves stability from the previous release of Firefox 3.0.

Office 2007 Service Pack 2 is up – avoid it for now

If you’re feeling lucky, Microsoft just posted Office 2007 Service Pack 2 / KB 953195. It’s a massive update, with hundreds of fixes and a handful of improvements.

For most of us, the main things we’ll notice are save as PDF support (which has always been available via a separate download; now it’s native) and many tweaks to Outlook and Excel. The one I look forward to the most is the promise that Outlook 2007 SP 2 “greatly reduces the number of scenarios in which you receive the following error message when you start Outlook: The data file ‘file name’ was not closed properly. This file is being checked for problems.” I see that message far too often.

There’s nothing earth shattering in SP2. No need to install it now. Let the pioneers get the arrows in their backs first.

UPDATE: There’s a thorough discussion of Office 2007 SP2 on the Office Sustained Engingeering blog. Thanks to MR for the heads-up.

Conficker back in the news – but the sky isn’t falling

I keep getting questions about Conficker and its supposed April 1 “doomsday” update. I’ve talked about that many times before. The simple fact is that April 1 came and went without incident. The press had a field day. The antivirus companies made a lot of money. I warned you – and about a zillion researchers warned you – that the April 1 date wouldn’t bring any devastating problems. It didn’t. Tell me if  you’ve heard that story before?

The people who control Conficker are very smart, and they aren’t going to do anything to raise too many hackles or too many alarms. But they’re going to keep quietly using Conficker to make money.

Bet on it.

The press is now agaga (can I Google “agaga”?) over Conficker. Again. MSNBC – which, being a division of Microsoft, should know better – posted a sensationalistic piece about an hour ago. The Associated Press has a much more accurate (and refreshingly brief) take on the new developments. Except, uh, what the AP says isn’t new at all.

The bottom line hasn’t changed one iota: if you or your Great Aunt Martha is running Windows XP, take a look at the Conficker Eye Chart. If you’re infected, you’ll see in a second. If you aren’t infected, read up on the known problems with patching, then get patched up and get on with your life. Do it now, before Microsoft releases another bunch of patches.

One interesting side-note: AP now quotes a Cisco rep as saying “up to 12,000,000 personal computers” are infected with Conficker. Fecund little guy. But I’d take the number with two grains of salt.

Ed Bott’s Windows 7 Release Candidate FAQ

Thinking about installing the Windows 7 Release Candidate?

The official version will be widely available on May 5. I’ll post the download link here as soon as it’s available.

The most important thing to remember about the RC: when you decide to switch to the “real” Windows 7 (or on March 1, 2010, whichever comes later), you should plan on wiping out your hard drive and starting all over. Yes, you can use Windows Easy Transfer to take your data off the hard drive before you upgrade. But, no, Windows Easy Transfer doesn’t transfer everything – most notably, you’ll have to re-install all of your programs.

Before you consider downloading and installing the RC, take a look at Ed Bott’s extensive FAQ about the Release Candidate.