Woody Leonhard’s no-bull news, tips and help for Windows and Office
  • This month’s patches a real yawner

    Posted on May 14th, 2010 at 11:25 woody 14 comments

    They’re out. As expected, Microsoft released two Security Bulletins, and they’re both a bit less than compelling.

    MS10-030 applies to Outlook Express (XP and earlier) and Windows Mail (Vista). If you’ve already upgraded to Windows Live Mail – and you should, you know – there’s a very tiny exposure, but nothing worth sweating about.

    MS10-031 only applies to people running applications made with Visual Basic for Applications. Even if you have VBA going on your PC, there aren’t any known exploits.

    You’ll want to patch some day, but for now, let the other folks get the arrows in their backs.

     

  • Finally, details on the Custom XML modifications in Word 2007 effective January 10

    Posted on January 4th, 2010 at 04:50 woody 9 comments

    Last week I posted a rather detailed discussion of the Custom XML modifications that Microsoft was implementing in Word 2007, to comply with a court order that found MS violated a patent by i4i.

    Now, at looooooong last, we have technical details about what’s changing in Word 2007 (and therefore in Office 2007). Knowledge Base article 978951 addresses the issue:

    Versions of Office Word 2007 that are distributed by Microsoft after January 10, 2010 no longer read the custom XML markup that may be contained within .docx, .docm, or .xml files. The new versions of Office Word 2007 can still open these files, but any custom XML markup is removed. Custom XML markup in Word documents is visible in the Office Word user interface as pink (the default color) tag names surrounding text in a document…

    Office Word content controls are not affected by this update. Content controls are a common method of structuring document content and mapping content to the XML data that is stored in a document…

    Custom XML markup that is stored within Word 97-2003 document (*.doc) files is not affected by this update.

    Ribbon XML and Ribbon Extensibility are not affected by this update. The Word object model is not changed by this update. However some Word object model methods that deal with custom XML markup may return different results.

    Sound confusing? Yeah, it is, particularly because MS isn’t changing content controls, but it is zapping manually defined custom XML – but only in Word 2007 docx, docm and XML files.

    I have absolutely no idea how these changes map to the patent infringement judgment, and would welcome any enlightening words in the Comments to this post.
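
    To see which files the change described in KB 978951 would touch, the sketch below counts custom XML markup (stored as w:customXml elements) separately from content controls (w:sdt elements) in a .docx or .docm package. It is an added example, not code from Microsoft or from the original post; the function names and the sample document are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace used in Word 2007 package parts.
W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"


def audit_docx(data: bytes) -> dict:
    """Report custom XML markup (w:customXml) and content controls (w:sdt)."""
    custom, controls = [], 0
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        # Body, headers and footers all live under word/ as XML parts.
        parts = [n for n in pkg.namelist()
                 if n.startswith("word/") and n.endswith(".xml")]
        for name in parts:
            # For untrusted files, swap in a hardened parser such as defusedxml.
            root = ET.fromstring(pkg.read(name))
            for el in root.iter():
                if el.tag == W + "customXml":
                    custom.append((el.get(W + "uri"), el.get(W + "element")))
                elif el.tag == W + "sdt":
                    controls += 1
    return {"custom_xml": custom, "content_controls": controls}


def make_sample() -> bytes:
    """Constructed minimal package: one custom XML tag, one content control."""
    body = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/'
        'wordprocessingml/2006/main"><w:body>'
        '<w:customXml w:uri="urn:example:invoice" w:element="customer">'
        '<w:p><w:r><w:t>Contoso</w:t></w:r></w:p></w:customXml>'
        '<w:sdt><w:sdtContent><w:p><w:r><w:t>42</w:t></w:r></w:p>'
        '</w:sdtContent></w:sdt>'
        '</w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml", body)
    return buf.getvalue()


if __name__ == "__main__":
    # Files with a non-empty custom_xml list would lose that markup on open.
    print(audit_docx(make_sample()))
```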

  • Office 2003 bug locks you out of your documents

    Posted on December 14th, 2009 at 18:26 woody 1 comment

    Remember Windows Rights Management Services, the Windows Server-based piece of %$#@! that companies use to lock up their documents, so you can’t get at certain documents on a server? The Wikipedia listing for WRMS describes it thusly:

    Specific operations like printing, copying, editing, forwarding, and deleting can be allowed or disallowed by content authors for individual pieces of content, and RMS administrators can deploy RMS templates that group these rights together into predefined rights that can be applied en masse.

    I railed against WRMS in my books and several articles, many years ago.

    Guess what? If your company uses RMS, and it uses Office 2003, starting on December 11, you may not be able to open, print, copy, edit, forward, delete or otherwise use those RMS-protected files. If you try to open a document with Word, Excel or PowerPoint 2003, or you try to open an RMS-protected message in Outlook 2003, you’re completely outta luck. You get the message “Unexpected error occurred. Please try again later or contact your system administrator.”

    Yeah, right.

    What happened? David Worthington at Technologizer says that Microsoft let an Information Rights Management certificate expire.

    I won’t start ranting again. Suffice it to say that if your company was suckered into trusting Microsoft’s digital rights management software, they got what they deserved. You have my permission to yell LOUDLY at the idiot who decided to install it in the first place, and to continue SCREAMING until somebody who controls your server listens to reason. Windows RMS is a disaster waiting to happen. Oh. Wait a sec. It already has happened.

    UPDATE: A hotfix has been announced, at least for Word and Excel. I’ve seen very few details, except you have to call Microsoft to get the hotfix, and you have to be running Office 2003 Service Pack 3.

  • Avast! Ahoy me false positive hardies

    Posted on December 4th, 2009 at 05:39 woody 1 comment

    Avast is having a bad day. Seems its recent virus definition update started triggering all sorts of false positives – incorrectly identifying good programs as malware. SANS Internet Storm Center puts it this way:

    We have received a number of reports of Avast Antivirus false positives (Thanks Ken, Don, Luca & others). With a recent update the Avast antivirus product has started identifying legitimate products as containing Win32-Dell-MZG. The Avast forum is awash with some of the products that have been tagged, many of which are known to be good and have been functioning quite normally.

    The recommendation at the moment is to not reply delete or quarantine files as this may fry the product they belong to (a few readers are currently reinstalling applications).  As far as we know the files are consistently identified as Win32-Dell-MZG so if others pop up there is a fair chance that these are legit.

    UPDATE: A new update was released fixing the issue.  091203-1.  If you haven’t used your computer between 12:00am UTC and 5.50 am UTC, then you will receive the new update and you should be fine.  For those that were affected I recommend you keep an eye on the Avast blog http://forum.avast.com/index.php?topic=51647 as they are working on some how to’s to help fix any issues.

  • Your biggest vulnerabilities aren’t what you think

    Posted on September 16th, 2009 at 07:32 woody 3 comments

    SANS Institute just released a security vulnerability analysis covering real infections and vulnerabilities on 9,000,000 real computers at big companies. Interesting reading, with some surprising conclusions.

    According to SANS:

    Waves of targeted email attacks, often called spear phishing, are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office. This is currently the primary initial infection vector used to compromise computers that have Internet access… Because the visitors feel safe downloading documents from the trusted sites, they are easily fooled into opening documents and music and video that exploit client-side vulnerabilities… In many cases, the ultimate goal of the attacker is to steal data from the target organizations and also to install back doors through which the attackers can return for further exploitation.

    Other than Conficker/Downadup, no new major worms for OSs were seen in the wild during the reporting period. Even so, the number of attacks against buffer overflow vulnerabilities in Windows tripled from May-June to July-August and constituted over 90% of attacks seen against the Windows operating system.

    World-wide there has been a significant increase over the past three years in the number of people discovering zero-day vulnerabilities, as measured by multiple independent teams discovering the same vulnerabilities at different times. Some vulnerabilities have remained unpatched for as long as two years. There is a corresponding shortage of highly skilled vulnerability researchers working for government and software vendors. So long as that shortage exists, the defenders will be at a significant disadvantage in protecting their systems against zero-day attacks.

    Bottom line: stay cautious. Realize that even big-name Web sites can have infected files (as Graham Cluley explains, even the New York Times site was hit recently). For heaven’s sake, don’t install or run programs that you don’t know. Keep your whole system patched, using a tool like Secunia Personal Software Inspector. And stay away from ActiveX controls, the biggest source of buffer overflow vulnerabilities – which, in my opinion, means you should be running Firefox (or Chrome or Opera or anything but Internet Explorer).

  • Which patches should I avoid?

    Posted on June 7th, 2009 at 05:06 woody No comments

    Reader JB just wrote to say:

    I know you listed what to patch and what not to patch, but I’m still confused. I don’t know much about computers so please bear with me. When I go to the update page there are several things listed under Microsoft Office 2007 updates, but they do not all have numbers listed. I have not installed the following: update for Office System (KB967642), Security update for Power Point ’07 (KB957789), Security update for Office System (KB969618), Security PP Viewer 2007 (KB970059).

    Then there are three Service Pack 2 items listed, but no numbers. One for Compatibility, one for Power Point viewer, and one for MS office suite. So when you say not to take sp2, I don’t know which of the three not to take because they do not have numbers listed next to them. Could you please be very specific in telling me what to take and not to take. I’ve read your blogs and I’m still not sure.

    Microsoft makes this much more confusing than it should be.

    If you ever wonder about a specific patch, go to Google and type the KB number. For example, typing KB967642 brings up a description about an error message that many people see when they try to install Vista SP2.

    In general, though, you should install all of the patches you see except for the specific patches mentioned in my posting. In this case, I recommend that you hold off on any patch marked “Vista Service Pack 2” or “Office 2007 Service Pack 2.”

  • MS-DEFCON 4: Get patched, but avoid these stinkers

    Posted on June 5th, 2009 at 06:09 woody 16 comments

    With ten patches on the way next Tuesday, and many of the problems with older patches fixed, it’s time to get patched up. Unfortunately, there’s a long list of problematic patches that you should studiously avoid.

    Here are the ones I suggest you pass by:

    Windows Vista Service Pack 2/KB 948645 is causing problems. Dennis O’Reilly talks about some of them in the latest Windows Secrets Newsletter. There’s no pressing need to install Vista SP2, and the PC you toast may be your own. Hold off for now. If you really want to install SP2 and it isn’t offered by Automatic Update, check out KB 948343 for a list of potential problems. Worth noting: that KB article is up to version 14.0. And you trust this stuff?

    Office 2007 Service Pack 2 / KB 953195 has a few problems – just look at the “Known Issues” list at the end of the KB article. Again, there isn’t enough new stuff to justify putting your computer at risk. Patience.

    KB 951847 is a mess of a patch of a patch of a patch of the .NET Framework in Windows XP. The Knowledge Base article is up to version 5.0. This is the one that includes the drive-by installation of a difficult-to-remove add-on for Firefox. I’m beginning to think that it’ll never get fixed – you’re better off waiting until you upgrade to Vista or (better) Windows 7, which have .NET baked in, or wait until Microsoft releases a new version of .NET.

    KB 960715, the ActiveX killbit update, still breaks many programs. I don’t think the cure is any better than the disease. Of course, you’re using Firefox (or Chrome) – or any Web browser that doesn’t directly expose your machine to ActiveX infections, right?

    KB 967715, the Conficker-killer that doesn’t work, is worth installing, but make sure you understand its limitations, as I posted in mid-March.

    I’m still ambivalent about Windows XP Service Pack 3, KB 936929. If you’ve been keeping up on all of your patches, it’s a toss-up. If you decide to install it, and you have problems, be sure to check out Microsoft’s Knowledge Base article KB 950718.

    I’m also ambivalent about Internet Explorer 8. Mark Edwards has a good analysis of the situation on the Windows Secrets web site.

    Sorry to leave you with such a patchwork quilt of good and problematic patches, but I think you’d be well advised to apply all outstanding patches except the ones listed above.

  • One Black Tuesday patch coming next week

    Posted on May 8th, 2009 at 19:35 woody No comments

    Microsoft has announced that it’s only going to release one patch this coming Black Tuesday. It’s a “critical” patch for PowerPoint.

    Chances are very good it’s a patch for the 0day hole I described a little over a month ago.

    We’re still at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.