-
Windows 7 Release Candidate now available to MSDN and TechNet subscribers
Posted on April 30th, 2009 at 22:07 | No comments
Windows 7 is up for people who have subscriptions to MSDN and TechNet.
No surprises. The servers are starting to melt down. I’m repeatedly getting the message, “Sorry, we were unable to service your request.”
-
Where are we with the patches?
Posted on April 30th, 2009 at 14:36 | 9 comments
Reader BH writes:
Before the current MS update release on Tuesday you were at Defcon 4 and stated to install the patches. Did that statement include:
Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update (KB951847)
KB952004
KB956572
KB959426
KB960803
Update Rollup for Active X Killbit for Windows Vista (KB960715)
I have been sitting on these for awhile and wish to know what to do with them.
Your post regarding loading the patches did not specify the above and all along you have been stating not to load the Net Framework and Active X Killbit updates for some time now.
I follow your MS-DEFCON and only load when you say so and I would guess many others follow the same procedure. Wish you would incorporate a chart with each of the updates listed and what to do with them. It would only involve the latest listing plus those from past months that you do not wish us to update.
Wish I had time to do that! But it would be a monstrous task.
Here’s what I recommend:
I’m still ambivalent about KB951847. It breaks a lot of stuff. The ActiveX Killbit rollup also breaks a lot of stuff. I talk about both here.
KB952004 and KB956572 are MS09-012. You should’ve installed that already, but if you haven’t, wait.
KB959426 is MS09-015. Same comment.
KB960803 is MS09-013, part of the massive Internet Explorer patch. Same comment, especially if you use Firefox.
In general, if you follow the MS-DEFCON level, you’ll apply patches when they’re safe, and avoid applying patches when they aren’t. There are always a few stinkers – the ActiveX Killbit and .NET Framework patches fall into that category – but by and large you can apply the patches, when they’re fully baked, en masse.
For now, hold off.
-
MS-DEFCON 2: Office 2007 Pack 2 is up – avoid all patches for now
Posted on April 30th, 2009 at 09:22 | 4 comments
I’m raising us to MS-DEFCON 2:
Hot on the heels of Office 2007 Service Pack 2 / KB 953195, Microsoft has just released Windows Vista Service Pack 2 [* to manufacturing - expect to see it widely available at some indeterminate point in the not-too-distant future].
About a week ago, Microsoft started “pushing” Internet Explorer 8 via Automatic Update.
I strongly recommend that you HOLD OFF on all three. IE 8 has been through the wringer, and I remain ambivalent about installing it, but the other two patches haven’t been out in the wild long enough to see what problems crop up.
Because of the two new patches and the third that’s long in the tooth but still unproven, we’re at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.
UPDATE: *Man, am I embarrassed. I’ve been knee-deep in Windows 7 stuff, and erroneously reported that Vista SP2 is out in the wild. It isn’t. Microsoft announced that Vista SP2 is complete – it’s been “released to manufacturing” (precisely what is being “manufactured” isn’t at all clear, but I digress). “We expect Windows Vista and Windows Server 2008 SP2 to be publicly available in Q2 2009.”
… as I go slinking back to my Windows 7 hovel, tail firmly between legs…
I feel that the pushing of Office 2007 Service Pack 2 and Internet Explorer 8, though, warrants staying at MS-DEFCON 2.
-
Microsoft will disable AutoRun and change AutoPlay
Posted on April 30th, 2009 at 06:48 | No comments
Remember all the angst over Windows AutoPlay and AutoRun? (For a detailed discussion of the differences between AutoPlay and AutoRun, start with this Wikipedia article.) AutoPlay was a major infection vector for Conficker. It’s always been a huge security hole in Windows.
Microsoft just announced that it’s disabling AutoRun in Windows 7, and changing the way AutoPlay works. The details are a bit hard to follow – the terminology is more than a bit obfuscating – but here’s what’s happening:
As I explained in my Windows Secrets column in January, it’s very easy to create a file called autorun.inf that can confuse the living daylights out of people. If you stick this custom-made autorun.inf on a USB drive or burn it on a CD, the commands in that file will cause Windows to display a (potentially infective) program on the AutoPlay menu, the menu that appears every time you insert a USB drive or CD into your computer (see screen shot).
In fact, autorun.inf controls what appears on the AutoPlay list if you stick it on any kind of removable media – USB drive, CD, DVD, SD card (so a card from your camera could infect other computers), and so on.
Microsoft is changing Windows so it behaves in two different ways, depending on whether the autorun.inf file is stuck on (1) a CD/DVD, or (2) any other kind of media, notably a USB drive or SD card.
In the future, when Windows finds an autorun.inf file on a USB drive or SD card, it ignores the file. Nothing happens. You can create the most diabolically clever autorun in the history of mass infections, put it on a USB drive, and if someone sticks the drive in a properly patched Windows machine, it won’t do squat. AutoPlay doesn’t list anything from the autorun.inf, and nothing runs automatically.
In the future, when Windows finds an autorun.inf file on a CD or DVD, it shows the contents of the autorun.inf in the AutoPlay window, but the new, revised AutoPlay window warns you that the entry associated with autorun.inf is from the CD, not from Microsoft. The AutoPlay warning says “Install or run program from your media.”
And no matter where the autorun.inf file comes from, it can’t launch its own program. You have to do the clicking – point the gun at your own foot and pull the trigger.
The recently leaked Windows 7 Release Candidate, which should be widely available next week, already has those changes to AutoRun and AutoPlay. In addition, says Microsoft, “we are planning to release an update in the future for Windows Vista and Windows XP that will implement this new behavior.”
It’s about time.
Oh. There’s one little caveat. For those of you who suffer with U3 – the technology built into some USB drives that makes part of the drive look like a CD drive – Microsoft hasn’t figured out how to treat the whole USB drive like a USB drive. Instead, the CD part will be subject to the same handling as a CD. Quoth the Softies, “It is worth noting that some smart USB flash drives can pose as a CD/DVD drive instead of standard ones (see Wikipedia for an example). In this specific scenario, the operating system will treat the USB drive as if it is a CD/DVD because the type of the device is determined at the hardware level.”
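As an added example (not code from the original post or from Microsoft), the following Python code parses an autorun.inf and models the revised handling described above, keyed on the device type the hardware reports. The function names, the "cdrom"/"removable" labels and the sample file are assumptions made for illustration, and the model is simplified to the rules stated in this post.

```python
# Added example: models the revised AutoPlay handling described in the post.
LAUNCH_KEYS = ("open", "shellexecute")
CD_WARNING = "Install or run program from your media"  # label quoted in the post

def parse_autorun(text):
    """Return the [autorun] section as {lower-cased key: value}."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def program_entries(entries):
    """Keys that name a program: open, shellexecute, shell\\<verb>\\command."""
    return {k: v for k, v in entries.items()
            if k in LAUNCH_KEYS
            or (k.startswith("shell\\") and k.endswith("\\command"))}

def revised_autoplay(text, reported_type):
    """What the revised AutoPlay does with this file.

    reported_type is the type the hardware reports ("cdrom" or "removable"),
    so the CD part of a U3 drive must be passed as "cdrom" (assumed labels).
    """
    programs = program_entries(parse_autorun(text))
    if reported_type != "cdrom" or not programs:
        # USB drive / SD card: autorun.inf is ignored, nothing is listed.
        return {"listed": [], "warning": None, "auto_launch": False}
    # CD/DVD: entries are listed with the warning; the user must still click.
    return {"listed": sorted(programs.values()),
            "warning": CD_WARNING, "auto_launch": False}

# Constructed sample file, not taken from any real media.
SAMPLE = """\
; constructed sample
[AutoRun]
open=setup.exe
action=Install photo tools
label=PHOTOS
shell\\view\\command=viewer.exe
"""

if __name__ == "__main__":
    for kind in ("removable", "cdrom"):
        print(kind, revised_autoplay(SAMPLE, kind))
```

Run over the autorun.inf files found on incoming media, `program_entries` also serves as a quick audit of which files name a program at all, which matters on machines that have not yet received the update.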


