Woody Leonhard’s no-bull news, tips and help for Windows and Office
  • McAfee automatic updating sucks, too

    Posted on April 22nd, 2010 at 07:38 woody 6 comments

    If you have McAfee Antivirus running on a Windows XP machine with Service Pack 3 installed, you probably can’t read this.

    McAfee has removed the defective update, but I’m hearing estimates that tens of thousands – maybe hundreds of thousands – of PCs got locked up.

    Wow. I can’t think of any virus in the history of malware that took out so many machines, so quickly, effectively, and thoroughly. The dead machines are locked up so tight it’s very hard to get them back and working: the general approach seems to be disabling McAfee and re-installing svchost.exe. Ah well. Good riddance to bad rubbish, sez I.

    The reason? A false positive. The virus definition update released earlier this morning mis-identified the WinXP SP3 system file svchost.exe as being infected with the W32/Wecorl.a virus.

    Full details on the SANS Internet Storm Center (I’m having trouble getting into their server – they may be melting down at the moment).

    For those of you who haven’t been listening, or reading my books, I’ll repeat it one more time. There’s no reason in the world to be paying for antivirus software. The mainstream packages have turned into big, bloated, pieces of clingy, begging junk. And that’s being charitable. You should use free antivirus, and my favorite at this moment is Microsoft Security Essentials. Fast, free, easy – and it won’t accidentally flag svchost.exe as an infected file.

    I hope.

  • Office 2010 RTM

    Posted on April 17th, 2010 at 06:33 woody 3 comments

    Stick a fork in it.

    Takeshi Numoto blogs that Office 2010 has gone gold. The official launch is May 12, with shrinkwrapped product on store shelves June 15.

    I’m not going to rush out and buy a copy, but Office 2010 does have some worthwhile new features – if nothing else, the File menu is back, finally. Ed Mendelson, who knows more about word processing than any human alive, has a balanced review on the PC Mag web site.

    Microsoft’s official review guides just went up on the MS site.

    All in all, it strikes me as a ho-hum upgrade to Office 2007, and a possibly worthwhile upgrade for Office 2003. If you can get used to the %$#@! ribbon.

  • Java 0day infects songlyrics.com

    Posted on April 15th, 2010 at 06:05 woody 15 comments

    On April 9, Tavis Ormandy wrote about a 0day hole in Java. It’s amazingly easy to exploit. Sun didn’t take him seriously:

    Sun has been informed about this vulnerability, however, they informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle.

    For various reasons, I explained that I did not agree, and intended to publish advice to temporarily disable the affected control until a solution is available.

    Now comes word that a very popular Web site, songlyrics.com, has been serving up ads that are infected with that specific 0day. The ads feature rogue antispyware applications from Russia.

    Thank you, Sun.

    UPDATE: Brian Krebs reports that there’s a new version of Java out. I suggest you wait and have it installed automatically: Ryan Naraine discovered that if he installed it manually, Sun oh-so-helpfully offered to install the Bing Toolbar – another piece of crapware from Microsoft – and the installer goes so far as to offer the Bing Toolbar by default.

    Open question: is Sun turning into the next Apple?

  • A couple of worthwhile patches and a bunch of worrisome ones

    Posted on April 14th, 2010 at 18:36 woody 15 comments

    Microsoft has released its April Black Tuesday patches, with 11 Security Bulletins (MS10-019 through MS10-029) covering 25 separately identified holes.

    (In case you were wondering, most of the world counts the number of security holes based on the number of CVE (= Common Vulnerabilities and Exposures) reports that Microsoft claims to have solved. The actual number of truly nailed CVEs may or may not match the number Microsoft reports.)

    As usual, SANS Internet Storm Center has the most thorough overview of the situation.

    Microsoft raised a special red flag for three of the security bulletins. Lest you go rushing to Windows Update to get your fix, please consider:

    MS10-019, KB 981210, the first of the red-flagged patches, has no known exploits currently in the wild. The problem comes from a hole in the Windows Authenticode Signature Verification program. Here’s how it works.

    When you run a program that tries to install something on your PC, WASV kicks in and verifies the digital “signature” on the file. If there’s a valid signature, you get a dialog box that tells you the program was signed by such-and-such (usually a company, sometimes an individual; see the explanation at Tech-Pro). If there’s no valid signature, you see a dialog box that says “The publisher could not be verified. Are you sure you want to run this software?”

    Here’s the rub. There’s a hole in WASV that, if properly manipulated, would allow a cretin to modify a program without “breaking” the signature. So you may be told that the program is signed by, oh, Microsoft Corporation, when in fact it wasn’t.

    So far, nobody’s figured out how to do that. But Microsoft expects that somebody will figure it out, pretty soon. I’ll be keeping a close eye on this one.

    MS10-026, KB 977816, patches a drive-by hole in the way Windows handles AVI files. If you go to a Web site with an AVI file that starts automatically, your machine could be taken over, thanks to this flaw. Similarly, double-clicking on an AVI file attached to a message could subvert your machine.

    The problem is in the DirectShow subsystem in Windows. If that sounds familiar, it should – Microsoft patched a different 0day hole in DirectShow last year, in MS09-032.

    I’ve been looking high and low to see if Firefox is affected the same way that IE gets hit: the core question is whether Firefox uses the Windows MPEG Level-3 codec to play media files. Unfortunately, I haven’t found a definitive answer. But I do know that Vista and Windows 7 aren’t as vulnerable – according to the MS Security Research & Defense blog, Win7 isn’t affected at all (although the KB article says that the Win7 fix is “Important” – go figger). I also know that there are, as yet, no known exploits in the wild.

    Finally, MS10-027, KB 979402, covers a security hole in Windows Media Player 9. Considering that WMP is up to version 12, and WMP 12 works on older hardware, the best solution for this one is to get rid of WMP 9.

    I’m sticking with MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

  • Happy New Year!

    Posted on April 13th, 2010 at 09:38 woody 3 comments

    Songkran in Patong

    Today is Songkran, the Thai New Year’s day. I’ve lived in Patong for almost ten years now, and I’m always thrilled when Songkran rolls around, not just for the sanuk that goes with the holidays, but also for the water fights.

    Yes, the water fights.

    It’s fashionable for long-term expats like me to be a bit blase about the massive partying going on in Patong, but I’ll readily admit that I love it. Thousands of people dousing each other with water. It’s crazy, it’s wild, and it’s one whole heckuvalot of fun.

    The water fights have just started, and they’ll continue for the next three days. In a few hours, there will be rivers of water rolling through the streets of Patong, with traffic snaking and snarled all through our little town. I’ll hop in a truck with my Dad, stick our friends in the back, set ‘em up with barrels and barrels of water, roll out the squirt guns, and go have a blast.

    For those of you who have written, concerned about the political problems in Bangkok, not to worry – Bangkok is a thousand miles away, both geographically and politically. In Phuket, everything’s normal, always has been normal, and it’s time to have fun.

    Wish you were here!

  • 11 Security Bulletins coming, 20 problems patched, no need to update yet

    Posted on April 11th, 2010 at 16:39 woody 8 comments

    Microsoft has announced that we have 11 Security Bulletins coming on Tuesday. Nine are for Windows, two for Office (the Office bulletins are only rated “important”). There are 25 separately identified security holes plugged by the 11 bulletins.

    I mentioned a few days ago that the giant Internet Explorer roll-up MS10-018 isn’t very pressing if you run Firefox or Chrome. I haven’t seen anything to change my ho-hum opinion about it. So I’m advising for now that you don’t patch anything. Last month’s Black Tuesday patches weren’t very important, at least so far; the interim MS10-018 patch isn’t pressing unless you use Internet Explorer 6 or 7 (in which case you should switch browsers anyway).

    I’m keeping us at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it. Let’s see what problems crop up with the April patches.

  • Microsoft raises notices for MS10-018 patch

    Posted on April 7th, 2010 at 19:28 woody 5 comments

    Microsoft has just posted an article showing that attacks that take advantage of the hole plugged by last week’s out-of-band Internet Explorer patch, MS10-018, are starting to appear.

    Before you start rushing out to apply the patch, remember:

    (1) You aren’t affected BY THIS PARTICULAR SECURITY HOLE if you’re using Internet Explorer 8 or Windows 7. (Some day you’ll want to apply MS10-018 because it plugs eight additional, unrelated holes.)

    (2) You aren’t affected if you’re using Firefox or Chrome, or any browser other than IE 6 or 7.

    (3) Almost all of the infected systems are in PR China and Korea.

    (4) MS is hinting that Microsoft Security Essentials protects you, too – although, infuriatingly, they aren’t coming out and saying it.

    Microsoft isn’t real happy with me (so what else is new, eh?), but I still don’t see any reason to apply the March Black Tuesday patches, or this out-of-band patch. Sit tight, grasshopper.

  • Is Microsoft Security Essentials bothering you?

    Posted on April 6th, 2010 at 09:54 woody No comments

    I’m getting reports from people who say that Microsoft Security Essentials has started requesting permission before installing the usually-daily updates to its signature files. That isn’t supposed to happen. The problem seems to be triggered by some Automatic Update settings, and it started rearing its ugly head after MSE update 1961, which came out almost a month ago.

    For a good overview of the problem, see this Microsoft Answers thread, which begins:

    See this FAQ specific to the issue of AU and MSE that began with the 1961 upgrade released in the beginning of March: http://social.answers.microsoft.com/Forums/en-US/mseupdate/thread/af4a5fff-c014-45b3-991b-cfd589a23aed

    And see the general Update FAQ: http://social.answers.microsoft.com/Forums/en-US/mseupdate/thread/74e507b8-f6da-4eca-8ce7-d1aca7d3f1ba

    Susan Bradley, of Windows Secrets fame, advises:

    If you or anyone you know is getting bugged by frequent Windows Update taskbar notifications for MSE definition updates, you can disable these notifications in Windows 7 (and Vista?) by turning off “Give me recommended updates the same way I receive important updates” in the Windows Update settings.

    Of course this will mean you don’t get notified of any new “recommended” category updates, but from my POV this is a good trade-off. :-)

    I’m not seeing the problem on any of my machines, but apparently it’s widespread. And until Microsoft gets off its duff and fixes it, you may have to click in order to get your MSE signature files updated ASAP. (As I understand it, the signature updates get installed anyway, if you wait long enough, but I hesitate to say that’s always the case, because this bug has been so weird.)
