Woody Leonhard's no-bull news, tips and help for Windows and Office
RSS icon Email icon Home icon
  • MS-DEFCON 3: Get patched now

    Posted on July 30th, 2009 at 11:01 woody 20 comments

    With the Black Hat conference in full swing in Las Vegas, and detailed instructions for bypassing Microsoft’s killbit patches posted on the Web, it’s time to get everything patched.

    Rub your lucky rabbit’s foot, bend over and kiss your keester, and install all of Microsoft’s outstanding patches. Yes, that includes the killbit patches I’ve been moaning about, and the patches Microsoft released two days ago. Susan Bradley’s Top Story in Windows Secrets Newsletter, released about an hour ago, convinced me that the bad guys are hovering, and a rash of infectious junk is about to hit the fan.

    Specifically, you should install Windows Vista Service Pack 2/KB 948645 , the .NET Framework patch, KB 951847 , Office 2007 Service Pack 2 / KB 953195 , Windows XP Service Pack 3, KB 936929 , the old killbit patch KB 960715 , and the two new ones, MS09-034 / KB 972260, and MS09-035 / KB 969706.

    If you get repeated notifications to install the killbit patches, check out this workaround.

    Microsoft has screwed up the killbit patches so much that you may well break some of your old applications, but the fact that the security holes go all the way into the libraries means there are thousands of newly discovered infectious vectors. The only way you’re going to guard against them is by applying Microsoft’s horrendous updates. You can thank Microsoft’s use of ActiveX for that.

    Do me a favor and boycott Internet Explorer, OK? Use Firefox. We’ll both sleep better at night.

    We’re at MS-DEFCON 3: Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems.

    Get all caught up, and stay tuned for more fixes, as a result of disclosures at the conference.

  • MS-DEFCON 4: Get patched, but avoid these stinkers

    Posted on June 5th, 2009 at 06:09 woody 16 comments

    With ten patches on the way next Tuesday, and many of the problems with older patches fixed, it’s time to get patched up. Unfortunately, there’s a long list of  problematic patches that you should studiously avoid.

    Here are the ones I suggest you pass by:

    Windows Vista Service Pack 2/KB 948645 is causing problems. Dennis O’Reilly talks about some of them in the latest Windows Secrets Newsletter. There’s no pressing need to install Vista SP2, and the PC you toast may be your own. Hold off for now. If you really want to install SP2 and it isn’t offered by Automatic Update, check out KB 948343 for a list of potential problems. Worth noting: that KB article is up to version 14.0. And you trust this stuff?

    Office 2007 Service Pack 2 / KB 953195 has a few problems – just look at the “Known Issues” list at the end of the KB article. Again, there isn’t enough new stuff to justify putting your computer at risk. Patience.

    KB 951847 is a mess of a patch of a patch of a patch of the .NET Framework in Windows XP. The Knowledge Base article is up to version 5.0. This is the one that includes the drive-by installation of a difficult-to-remove add-on for Firefox. I’m beginning to think that it’ll never get fixed – you’re better off waiting until you upgrade to Vista or (better) Windows 7, which have .NET baked in, or wait until Microsoft releases a new version of .NET.

    KB 960715, the ActiveX killbit update, still breaks many programs. I don’t think the cure is any better than the disease. Of course, you’re using Firefox (or Chrome) – or any Web browser that doesn’t directly expose your machine to ActiveX infections, right?

    KB 967715, the Conficker-killer that doesn’t work, is worth installing, but make sure you understand its limitations, as I posted in mid-March.

    I’m still ambivalent about Windows XP Service Pack 3, KB 936929. If you’ve been keeping up on all of your patches, it’s a toss-up. If you decide to install it, and you have problems, be sure to check out Microsoft’s Knowledge Base article KB 950718.

    I’m also ambivalent about Internet Explorer 8. Mark Edwards has a good analysis of the situation on the Windows Secrets web site.

    Sorry to leave you with such a patchwork quilt of good and problematic patches, but I think you’d be well advised to apply all outstanding patches except the ones listed above.

  • Windows Secrets: get rid of the drive-by .NET Framework Firefox add-on

    Posted on June 4th, 2009 at 17:29 woody 4 comments

    The new Windows Secrets Newsletter is out.

    Nice lead article about the Windows 7 Starter Edition and what it means for the future of netbooks, at least in the near term.

    In the same issue, also in the free content, Brian Livingston has dissected that nasty patch Microsoft applied to Firefox, without your knowledge or consent. Brian shows you how to tell if you have the add-on, and if you do, how to get rid of it.

    Check out the article, then check out your system.

  • More .NET Framework patch stupidities

    Posted on June 2nd, 2009 at 09:53 woody 3 comments

    Several of you have written, pointing to an article by Brian Krebs in the Washington Post, adding yet more fuel to the pyre that is known as the .NET Framework patch or KB 951847.

    Quoth Brian:

    [T]he .NET update automatically installs its own Firefox add-on that is difficult — if not dangerous — to remove, once installed.

    The so-called .NET Framework Assistant for Firefox is difficult, but not impossible to uninstall. Details appear on Brad Abrams blog.

    Thie particular piece of Microsoft “support” shouldn’t come as a big surprise to anyone who follows .NET Framework updates religiously. Microsoft employees have been blogging about it since May 12, at least.

    Still, it’s a bit disconcerting to have Microsoft install a drive-by Firefox add-in as part of a “security update.”

    I hope that the folks at Microsoft return the favor. I would love to see Firefox 3.0.11 – the next security update to Firefox – automatically, silently install a hard-to-remove add-on to Internet Explorer that makes IE infinitely more secure by, oh, disabling ActiveX controls.

    The fact that Microsoft released such a patch – and installs it silently as part of a “security” update – should give you pause. But also consider the corporate culture that allows such blatant acts of hubris to take place. Repeatedly.

    The old Microsoft is with us still.

    Hold off on your Microsoft patches, folks. Beware of Redmond Geeks bearing gifts. The PC you wreck may be your own.