Do I need to patch Internet Explorer?

Reader DS writes:

I’m using Firefox.

I updated some of the April 2009 Black Tuesday patches, but haven’t patched KB952004, KB596972, KB959426, KB960803.

Vista is running so good I don’t want to mess it up. Should I just go ahead and patch with finger’s crossed?

Yep. The MS-DEFCON 4 status applies to everyone using Firefox. The April 2009 patches seem to be working. Unfortunately, you have to patch Internet Explorer even if you use Firefox, because IE is baked into Windows.

Delete the updates?

Reader RM writes:

Woody,

What happens to all the Vista Updates after they have been installed. Are these files still on my computer, and, can I delete them or just leave them alone?

Many updates leave dregs on your hard drive, primarily because many updates can be “uninstalled” and the snippets are necessary to return your PC to its original state.

Some people advise that you can delete the dregs, and give instructions for doing so manually. I say, “Why bother?” If you’re running out of room, follow the instructions in any of my books to run Windows Disk Cleanup. Better, go out and splurge $50 and get a second, big, hard drive. If you aren’t running out of room, fuhgeddaboutit.

Windows 7 Release Candidate – why should I care?

Sometimes I get so wrapped up in what I’m doing that I lapes into a verbal shorthand, and confuse the bewilickers out of people. Sorry about that. I’m writing a book about Windows 7 – Windows 7 All-In-One For Dummies – so Windows 7 news really strikes home. Sometimes I forget that not everyone is writing a book about Windows 7…

My post about the Windows 7 Release Candidate drew this question, posted here, from MW:

So this means what for a layman?

MSoft is going to release a full-featured OS for free? Or is a RC some sort of trial?

I guess my main question is : What differentiates a RC from a fully licensed OS?

Very good questions, and if I had been thinking  I would’ve answered them in the original post.

A Release Candidate, in Microsoft’s current parlance,  is sort of a final test version of the product. It has many known bugs, but it’s generally very stable. You shouldn’t install it on your main PC, but if you have an extra PC lying around, installing a Release Candidate gives you a very complete look at the next version of the product.

In this case, I’m very excited because, frankly, I love Windows 7.

The RC is free, but it expires. (I’m not sure when this RC expires, but it’s probably late this year.) When the RC expires, you have to replace it with a different program. For most people with the Win7 RC, that means you’ll have to go out and buy a copy of Windows 7, if you like it, or find some other version of Windows (or Linux) when the time limit’s up.

You should plan from the get-go on completely wiping out the hard drive and installing the new operating system from scratch. That’s true of every beta test copy or Release Candidate of every piece of software – you can’t rely on uninstalling or upgrading. (In Win7′s case that isn’t even an option.) The RC version of Win7 will die, and you need to be constantly aware of the fact that you’ll have to wipe your hard drive when it does.

Hope that answered your question. Apologies for my abbreviated version.

It’s official: Windows 7 RC available to everybody on May 5

‘Softie Brandon LeBlanc has just confirmed what we’ve all suspected for quite a while about the Windows 7 Release Candidate:

I’m pleased to share that the RC is on track for April 30th for  download by MSDN and TechNet subscribers. Broader, public availability will begin on May 5th.

Pirate copies are burning up the ether right now. Those of you who pay for MSDN or TechNet subscriptions can get the official version on April 30. And the unwashed (and unpaying) masses can try to get it before the servers melt down on May 5.

Windows 7 secret unveiled: WinXP mode

Three weeks ago, I mentioned that Microsoft was planning a big, huge announcement about something new in Windows 7. Here’s what I said:

My guess is that Microsoft will announce some sort of Windows XP emulator that runs under Windows 7 Enterprise Edition. (No, they won’t call it an emulator, they’ll call it “Enterprise Desktop Virtualisation” but – with apologies to the developers who hate the term – it’s basically a fancy emulator.) That’ll make a lot of companies happy. But it’s not something I would call major.

Looks like Paul Thurrott was just authorized by his Microsoft handlers to spill the beans. Secret No More: Revealing Windows XP Mode for Windows 7.

Gawrsh. Where have I heard that before? Says Paul:

XPM is built on the next generation Microsoft Virtual PC 7 product line, which requires processor-based virtualization support (Intel and AMD) to be present and enabled on the underlying PC, much like Hyper-V, Microsoft’s server-side virtualization platform. However, XPM is not Hyper-V for the client. It is instead a host-based virtualization solution like Virtual PC; the hardware assistance requirement suggests this will be the logical conclusion of this product line from a technological standpoint. That is, we fully expect future client versions of Windows to include a Hyper-V-based hypervisor.

Sorry, but that’s even less interesting than I thought it would be – and I wasn’t expecting much. Paul (Raf?) goes on to say:

XP Mode consists of the Virtual PC-based virtual environment and a fully licensed copy of Windows XP with Service Pack 3 (SP3). It will be made available, for free, to users of Windows 7 Professional, Enterprise, and Ultimate editions via a download from the Microsoft web site. (That is, it will not be included in the box with Windows 7, but is considered an out-of-band update, like Windows Live Essentials.)

Which means those of you running Windows 7 Home Premium won’t get it.

That’s OK. I don’t get it. Sure, running a WinXP emulation window on a Win7 desktop is kinda cool, but I don’t see a whole lot of advantage of this approach over, say, running a VMWare window – and I bet the processing overhead is excruciating.

I wonder what happens to WinXP drivers?

From the drivel file: Unfixable Windows 7 security flaw

There’s an article floating around the blogosphere that says two security researchers have discovered an “unfixable” security hole in Windows 7. A friend of mine just pointed me to it, with the usual Red Robbin/Sky is Falling spin.

Two minor problems. First, the “unfixable” security hole, or one just like it, exists in every PC operating system.

Second, in order to take advantage of the flaw, you have to be sitting in front of the PC.

Drivel. I’m sorry, but I can’t imagine why stuff like this gets airplay.

You all know the 10 Immutable Laws of Security, right? Microsoft posted it on TechNet about ten years ago:

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore

Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore

Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore

Law #4: If you allow a bad guy to upload programs to your website, it’s not your website any more

Law #5: Weak passwords trump strong security

Law #6: A computer is only as secure as the administrator is trustworthy

Law #7: Encrypted data is only as secure as the decryption key

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all

Law #9: Absolute anonymity isn’t practical, in real life or on the Web

Law #10: Technology is not a panacea

Windows 7 Release Candidate available

If you have access to the alt.binaries.warez.ibm-pc.ms-beta newsgroup, you should be able to find Windows 7 build 7100, which is widely acknowledged as the Release Candidate. It’s available in both 32-bit and 64-bit flavors.

MS-DEFCON 4: Watch out, but go ahead and install April patches

The crop of April Black Tuesday patches looks reasonably stable. The SANS Internet Storm Center reports that Symantec has raised an alert about possible MS09-013 / KB 960803 based infections – “but it could also be old vulnerabilities from 2002 (both Apache and IIS).” MS09-013 and MS09-014 are the (now expectable) monthly humongous Internet Explorer patches.

There are known problems with all of the following:

MS09-010 / KB 960477 Wordpad and Office converter patches may refuse to install, and they change the way Wordpad handles Word 6 and Write files. When you install this patch, go ahead and install the new Office Compatibility Pack immediately after. I haven’t seen any advice as to whether the new Compatibility Pack eliminates the need to install MS09-010 or not, so to be safe, install the patch, then the new converters.

MS09-014 / KB 963027, the massive Internet Explorer patch, may trigger a bogus “Connection Denied” message which requires a Registry change to eliminate. Of course, you’re using Firefox, so you aren’t overly concerned. Go ahead and patch.

MS09-015 / KB 959426 has an interesting problem: if you install the patch on a Windows 2000 computer, you have to dig into the Registry to make the patch work. Kinda makes me feel warm and fuzzy about the testing that goes into these patches…

At any rate, I’m moving us to MS-DEFCON 4: There are isolated problems with current patches, but they are well-known and documented here. Check this site to see if you’re affected and if things look OK, go ahead and patch.

I still recommend that you HOLD OFF on these patches:

KB 951847 is a mess of a patch of a patch of a patch of the .NET Framework in Windows XP. I’m beginning to think that it’ll never get fixed – you’re better off waiting until you upgrade to Vista or (better) Windows 7, which have .NET baked in, or wait until Microsoft releases a new version of .NET.

KB 960715, the ActiveX killbit update, still breaks many programs. I don’t think the cure is any better than the disease. Of course, you’re using Firefox (or Chrome) – or any Web browser that doesn’t directly expose your machine to ActiveX infections, right?

KB 967715, the Conficker-killer that doesn’t work, is worth installing, but make sure you understand its limitations, as I posted in mid-March.

I’m still ambivalent about Windows XP Service Pack 3, KB 936929. If you’ve been keeping up on all of your patches, it’s a toss-up. If you decide to install it, and you have problems, be sure to check out Microsoft’s Knowledge Base article KB 950718.

I’m also ambivalent about Internet Explorer 8. Mark Edwards has a good analysis of the situation on the Windows Secrets web site.