Woody Leonhard’s no-bull news, tips and help for Windows and Office
  • MS-DEFCON 2: August Black Tuesday unleashed

    Posted on August 12th, 2009 at 07:23 woody 14 comments

    It’s going to be a bloody month.

    Microsoft just released nine security bulletins, covering 19 separate security holes.

    Five of the bulletins have an exploitability rating of “1”, which means Microsoft “expect[s] there to be consistent, reliable code in the wild seeking to exploit one or more of these vulnerabilities within the first 30 days from release.”

    Sorry, I don’t buy it.

    This month we get two ActiveX security bulletins, with a total of nine separately identified security holes. That’s just for ActiveX – the evil spawn of Internet Explorer.

    MS09-037 is the patch for the Active Template Library that I talked about two weeks ago. If you recall, there was an out-of-band patch that was supposed to fix the problem. Again. Security Advisory 973882 goes into the details of how MS09-032, MS09-034, MS09-035 and MS09-037 are inter-related. Man, what a mess. Keystone Kops time.

    The other ActiveX security bulletin, MS09-043, fixes ActiveX holes in the Office Web Components.

    Those are the two bulletins I’ll be watching most closely. I may advise you to apply the patches earlier this month than usual. Let’s see what happens.

    As usual, the most thorough analysis is at the SANS Internet Storm Center – although I don’t recommend that you follow their “damn the torpedoes, patch it now” advice.

    We’re at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

    UPDATE: In response to a request from Vaughn, here are the KB numbers for the August Black Tuesday patches:

    MS09-036
    Vulnerability in ASP.NET in Microsoft Windows Could Allow Denial of Service (970957)

    MS09-037
    Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908)

    MS09-038
    Vulnerabilities in Windows Media File Processing Could Allow Remote Code Execution (971557)

    MS09-039
    Vulnerabilities in WINS Could Allow Remote Code Execution (969883)

    MS09-040
    Vulnerability in Message Queuing Could Allow Elevation of Privilege (971032)

    MS09-041
    Vulnerability in Workstation Service Could Allow Elevation of Privilege (971657)

    MS09-042
    Vulnerability in Telnet Could Allow Remote Code Execution (960859)

    MS09-043
    Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (957638)

    MS09-044
    Vulnerabilities in Remote Desktop Connection Could Allow Remote Code Execution (970927)

  • Should I delete Internet Explorer?

    Posted on August 10th, 2009 at 06:43 woody 3 comments

    Reader Ted wrote in with an interesting question that I hear frequently:

    I have followed your advice and started using Firefox instead of IE, and I sometimes use Google Chrome. What I don’t understand is if IE is part of the Windows operating system won’t it just kick-in anyway and be used by various programs even in Firefox and Google? Or, if you don’t use it at all, is it just taking up space on the computer? I’m really confused as you can tell. Should IE be deleted, or even can it? If it can’t and it’s not used, should it still be updated, following the advice in your MS-Defcon system?

    Thanks so much for helping because like I said, I’m confused!

    Ted, IE does lurk in the background sometimes and, depending on the version of Windows you’re using, the lurking can be more or less intrusive.

    You can remove it completely in Windows 7, but in XP and Vista, it’s pretty much baked in. Even if you want to remove it, though, there are some times when you really need IE – for example, Windows Update and Microsoft Update require it.

    Your best bet is to update IE, but use Firefox.

  • Dell’s dropping the 12-inch Netbook

    Posted on August 10th, 2009 at 06:37 woody 2 comments

    Dell confirmed today that it’s dropping the 12-inch Inspiron Mini 12 netbook. There’s a lot of gobbledygook on the Direct2Dell blog justifying the decision – “for a lot of customers, 10-inch displays are the sweet spot for netbooks… Larger notebooks require a little more horsepower to be really useful” – but that’s all hogwash.

    Here’s what’s happening.

    Intel wants to segment the market: they want to keep netbooks clearly differentiated from notebooks. Why? Profit. In the World According to Intel, Netbooks run on the much-lower-profit-margin Atom chip, and Intel really has to fight in that market. Notebooks, on the other hand, run on a much-higher-margin Dual Core chip. Intel wants to keep the two markets highly differentiated, because the more they’re blurred, the greater the pressure on profits.

    This is the same economic force that drove Microsoft to limit the screen size of netbooks running Windows 7 Starter Edition. I talked about that in my June 4 Top Story in Windows Secrets Newsletter. As I said then:

    Microsoft will sell copies of Starter Edition to PC manufacturers only for installation on netbooks with limited processing ability. That’s defined as those using a single-core processor, running slower than 2GHz, consuming fewer than 15 watts, having less than 1GB of system memory, and using screens 10.2 inches or smaller… “People familiar with the matter say Microsoft takes in less than $15 per netbook for Windows XP once marketing rebates are taken into account — far less than the estimated $50 to $60 the company receives for PCs running Windows Vista.”

    Some people see conspiracies behind every Microsoft move, and the Starter Edition hardware throttling is no exception. Certainly, by restricting Starter Edition to netbooks with screens smaller than 10.2 inches, companies planning to build netbooks with larger screens will face higher prices and, probably, lower margins.

    Intel and Microsoft teamed up to set the 10-inch limit on netbooks. It looks like their, uh, collaboration is working – at least with Dell.

  • Green Home Computing For Dummies ships

    Posted on August 9th, 2009 at 05:21 woody No comments

    I’m very proud to announce that Green Home Computing For Dummies has just hit the stands.

    It’s an interesting book, which I hope you folks will find timely and useful.

    If you want to see how to use your PC to make our world a little better, start with this book. If you’ve ever been confused by Energy Star Ratings – or wondered if the “green” claims made by manufacturers really mean anything – this should be your reference of first resort.

    Kathy Murray and I tried hard to think both “inside the box” – discussing power settings, the ancient question of turning off your computer at night, and all of the Windows (and Mac!) minutiae that can make a difference – as well as “outside the box” – using your home computer to make a difference in the way you consume the planet’s resources. It’s a unique reference that can help you – and me – sleep better at night.

    Pick it up at Amazon or any major bookseller.

  • Windows 7 Release Notes

    Posted on August 8th, 2009 at 06:28 woody 2 comments

    Microsoft has just posted the Windows 7 Release Notes. Since the dawn of DOS (sounds like a good title for a movie, eh?), the Release Notes have documented known problems with a new operating system, and given some workarounds.

    The problems listed are few and minor. The only relatively interesting one is this:

    If you use a computer that has Windows Search enabled (Windows 7, Windows Vista, or Windows XP with Windows Search installed) and have chosen a custom index location that has a path name longer than 128 characters, the indexer will not start after you have upgraded the computer to this release.

    Of course, you can’t upgrade a Windows XP computer to Windows 7, so I have no idea why the Release Notes include the XP exhortation.

  • Why you might want Windows 7 – and how to get it

    Posted on August 7th, 2009 at 18:57 woody No comments

    If you’re still undecided about Windows 7 – whether you really need it, and how to get it if you decide to take the plunge – I would like you to read three articles. Actually, parts of three articles.

    Mark Minasi, a well-known Windows lecturer and mahaguru, puts together a series of newsletters. He’s devoted a big chunk of his two latest newsletters to explaining why a Windows XP stalwart and/or Vista victim might – or might not – want to shift to Windows 7. Mark knows whereof he speaks. Check out “Windows 7: To Adopt or Not to Adopt?” in newsletters 78 and 79.

    Then, if you’re still interested, Ed Bott has just posted the first thorough and accurate Windows XP/Windows Vista-to-Windows 7 upgrade chart on his blog. You have to wade through some well-deserved criticism of Microsoft’s marketing minions at the beginning, but Ed’s chart at the end of the article gives you the straight scoop on the good, the bad and the ugly of upgrades.

     

  • August Black Tuesday coming – get patched now

    Posted on August 7th, 2009 at 04:48 woody 2 comments

    Microsoft just issued its advance notification for next Tuesday’s patches.

    Expect to see eight security bulletins, including one for the 0day in the Office Web Components, described in Knowledge Base article KB 973472. Microsoft says that particular patch affects Microsoft Office XP and 2003, Microsoft Visual Studio, Microsoft ISA Server and Microsoft BizTalk Server.

    Get all of the Microsoft patches applied now. We’re still at MS-DEFCON 3: Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems.

  • Windows 7 now available on MSDN and TechNet

    Posted on August 7th, 2009 at 04:33 woody No comments

    The bits are up! The bits are up!

    So are the activation keys.

    If you subscribe to MSDN or TechNet, you can now download the official versions of Windows 7. There are separate downloads for the 32-bit (X86) and 64-bit (X64) versions but, as expected, the files for Ultimate, Pro, Home Premium, Home Basic, and Starter are identical.

    Details for the 32-bit version: en_windows_7_ultimate_x86_dvd_x15-65921.iso SHA1: 5395DC4B38F7BDB1E005FF414DEEDFDB16DBF610 ISO/CRC: C1C20F76

    Details for the 64-bit version: en_windows_7_ultimate_x64_dvd_x15-65922.iso SHA1: 326327CC2FF9F05379F5058C41BE6BC5E004BAA7 ISO/CRC: 1F1257CA

    I didn’t expect it, but the file for Windows 7 Enterprise is different from the others.

    Downloads are bound to be a tad slow for a while…