Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems.
Dump Windows Update, use alternatives
In this issue
- TOP STORY: Dump Windows Update, use alternatives
- WOODY'S WINDOWS: Live Safety Center is good and free
- PERIMETER SCAN: How to disable unexpected attacks
- OVER THE HORIZON: Excel flaws pose a triple threat
- PATCH WATCH: June patches break dial-up scripts, etc.
Dump Windows Update, use alternatives
By Brian Livingston
The Internet interprets Microsoft as damage and routes around it.
My apologies to John Gilmore for tweaking his famous 1993 quote about censorship. But the above statement just happens to sum up the alternatives Windows users are adopting ever since Microsoft’s “Windows Genuine Advantage” (WGA) debacle.
It was only a few weeks ago when the Redmond software giant started quietly auto-installing WGA to Windows machines in the U.S., U.K., and a few other countries. The code, which qualifies as spyware under any objective definition, was programmed to contact Microsoft’s servers every 24 hours. Now, after hearing from plenty of outraged customers, the company back-pedaled on June 27, saying it would release a version that calls home less often.
That’s not really a solution, as I’ll explain below. Since that’s the case, the entire affair has given enormous momentum to third-party products that render Microsoft’s Windows Update routine completely unnecessary.
I’ll explain in today’s article exactly how you can best deal with WGA. For those in a hurry, here’s a 4-point elevator summary:
1. Turn off Automatic Updates in the Control Panel. Set it to merely notify you of new patches, not auto-install them.
2. WindizUpdate.com, an independent patch-download system, which I’ve been asked about by many readers, is a flawed alternative to Windows Update that I can’t recommend.
3. By contrast, patch-management software that’s well-supported, such as Shavlik’s NetChkPro, provides an inexpensive and reliable solution that far exceeds Windows Update’s capabilities.
4. Once your alternative update mechanism is in place, follow the routine I describe below to uninstall WGA and get it out of your system for good.
What’s so bad about Genuine Advantage?
My last article, in the June 15 newsletter, flatly declared that Windows Genuine Advantage is Microsoft-sponsored spyware. That story received the highest reader ranking since we started asking our readers last January to vote on our articles (4.4 out of 5.0). We also received almost 200 e-mails, far more than we normally get about any single topic. Windows users are highly agitated.
I’ve repeatedly heard terms like "furious" and "livid" to describe how people felt about Microsoft pushing a piece of marketing spyware through the company’s sacred mechanism for distributing critical security updates. Perhaps the most deeply offended were the outside professionals who have defended Microsoft for years against charges that it’s an "evil empire." Microsoft’s abuse of its auto-update system to install an intrusive sales gimmick caused a lot of these faithful ones to rail against the idea as though personally betrayed.
Without repeating my June 15 article, I’ll summarize the bottom line: No security-minded company or individual can allow a program to stealthily contact a distant server and morph its behavior at will. This principle holds just as true for people who think Microsoft is the world’s greatest corporation as it does for those who deeply distrust the company’s motives. (The rule obviously doesn’t preclude trusted programs with specific, known tasks — such as an antivirus utility — from automatically downloading new signature files.)
Let me emphasize that I’m dead set against the mass piracy of software or any other creative work. But Windows Genuine Advantage and Windows Product Activation, which WGA is meant to enforce, have nothing to do with stopping mass piracy.
As I reported in InfoWorld Magazine way back on Oct. 22 and Oct. 29, 2001, Microsoft deliberately designed Product Activation to be trivial for pirates to circumvent. Any fly-by-night business can copy a single file and sell thousands of machines that pass Product Activation (although the innocent buyers may have trouble validating months or years later).
The purpose of Product Activation has always been to prevent Mom and Dad from buying a Windows package, installing one copy on the parents’ PC and another on the kid’s PC. Frankly, copyright laws for hundreds of years have allowed buyers of copyrighted works to make a limited number of copies exclusively for themselves. If you bought a music album you liked, you could legally make a copy to play in your car. In the U.S., this is known as the “personal use exemption” of the copyright laws or, more generically, “fair use.”
Product Activation isn’t aimed at hard-core pirates. Instead, it’s part of a surprisingly powerful, coordinated effort to change the basic nature of copyright so people can’t make any personal copies whatsoever.
The fact that personal-use copies have traditionally been permitted under copyright laws is illustrated by, of all things, Microsoft Office. The Product Activation scheme in Office has always explicitly allowed the buyer to install copies on two different machines. Furthermore, Office Update — which uses a patch-download mechanism distinct from that of Windows Update — has never required Genuine Advantage prior to users downloading security patches for Word, Excel, and the like.
(Secret: Windows’ own flavor of Product Activation does allow anyone to install Windows XP on a different machine, which will then in most cases successfully validate, about once every six months. Microsoft almost never mentions this fact.)
Windows Genuine Advantage, which displays warnings about piracy as often as once a day or even once an hour, has no security benefit; it was designed solely to sell more copies of XP to confused users. WGA was programmed so any actual pirates (and savvy Windows users) could turn off the nag screens with a few clicks — but novices would be unlikely to understand that.
Stopping the guys with the high-speed duplicators should be Microsoft’s top concern. Instead, the Redmond corporation inexplicably targets fair-use home installations. The marketers behind this presumably hope to increase gross revenue so Microsoft’s share price will get out of the doldrums. But most home users aren’t a ripe market to spend the kind of money Microsoft wants.
If the company devoted as much time developing innovative products as it does cooking up ways to prevent personal-use copies, its stock price wouldn’t be half of what it was six years ago.
WindizUpdate.com is not a recommended solution
Many readers in the past few weeks have asked me about WindizUpdate.com. This Web site, launched in 2005, scans your computer for needed Windows patches and then displays links to the relevant download locations at Microsoft.com.
Unfortunately, as promising as this approach may seem, after investigation I can’t recommend this site. Here are a few reasons why:
1. The site installs an unsigned control, which performs the scanning and reporting function. Without a digital signature, you can’t verify that the control is really from the same people who manage the site itself.
2. The scan process asks several times to read the Registry. If you know that WindizUpdate is perfectly legitimate, which I have no reason to doubt, this might be fine. But it’s bothersome, while at the same time it’s too risky to click "Always allow this site," which would permit too many unknown future actions.
3. The site is a part-time hobby with no visible means of support. There are many fine pieces of software and Web services that are free of charge. But WindizUpdate is performing a serious security task and doesn’t have a team of programmers that’s adequate to develop it, much less provide technical support if the user base grows.
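Point 1 can be checked directly, because Windows reports whether a binary carries a valid Authenticode signature and who signed it. The following is an added example, not code from the original article or from WindizUpdate; the default folder (where Internet Explorer stores downloaded ActiveX controls) and the function name are assumptions.

```powershell
# Added example: report Authenticode signature status for installed browser controls.
# Assumption: the controls live in the folder Internet Explorer uses for downloaded
# ActiveX controls; pass -Path to inspect any other folder.

function Get-ControlSignatureReport {
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'Downloaded Program Files')
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Folder not found: $Path"
        return
    }

    Get-ChildItem -LiteralPath $Path -Recurse -File |
        Where-Object { $_.Extension -in '.ocx', '.dll', '.exe' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File   = $_.Name
                # Status is Valid, NotSigned, HashMismatch, NotTrusted, and so on.
                Status = $sig.Status
                # The certificate subject names the publisher that signed the file.
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            }
        }
}

$report = @(Get-ControlSignatureReport)
$report | Sort-Object Status, File | Format-Table -AutoSize

# NotSigned means the publisher cannot be verified at all.
# HashMismatch means the file changed after it was signed.
$unverified = @($report | Where-Object { $_.Status -ne 'Valid' })
if ($unverified.Count -gt 0) {
    Write-Warning ("{0} control(s) without a valid signature:" -f $unverified.Count)
    $unverified | ForEach-Object { Write-Warning ("  {0} [{1}]" -f $_.File, $_.Status) }
} else {
    Write-Output 'All inspected controls carry a valid signature.'
}
```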
I called the prime mover behind WindizUpdate, Phil Young, who is based in Auckland, New Zealand. He’s a director of 62nds Solutions Ltd., a consulting firm with two employees and a few part-time staff on the island.
When asked why WindizUpdate didn’t use a digital signature to provide a verifiable identity for its control, Young replied, "I haven’t got the $400 to spend on the security signing certificate. Because it’s a free site, it’s not high on our list of priorities."
I inquired whether the site might become supported by advertising or voluntary contributions by users. "I have considered putting some ads on," Young said, "but I dislike sites that have more advertising than content."
Besides having no digitally signed code, WindizUpdate also lacks the ability to scan for and deploy Microsoft nonsecurity updates, Office updates, or security updates for products other than Microsoft’s, such as RealPlayer.
All of the above nonfeatures cause me to advise readers to hold off on WindizUpdate. As attractive as the idea of a non-Microsoft patch-management system may be, other companies do a much better job.
One final strike against WindizUpdate is that it has no apparent uninstall procedure. If you’ve ever installed a WindizUpdate control, I recommend removing its components using the manual procedure described on the site’s page entitled Uninstalling.
Shavlik’s patcher joins the Security Baseline
It’s hard to find objective ratings published within the last 12 months of patch-management systems that are appropriate for home users as well as small and medium-sized businesses. That may be due to the fact that Microsoft has taken some luster off the category by expanding its own free offerings: Windows Update, the new Microsoft Update (which updates both Windows and Office apps), Windows Server Update Services, etc.
Based on the reviews by independent test labs shown below, however, I feel the best home and SMB alternative to Windows Update is currently HFNetChkPro from Shavlik Technologies. (The name of the product is a contraction of Hotfix Network Checker Pro.) Effective today, I’m adding Shavlik’s software to my Security Baseline feature, which appears in every issue, and removing Windows Update/Microsoft Update.
NetChkPro isn’t free, but its one-time license fee of $25 per machine is very reasonable. There’s also a 25% annual maintenance fee after the first year, Eric Schultze, Shavlik’s chief security architect, told me in a telephone interview. But this works out to only about $6 a year — a good investment if you like your software to remain supported.
Shavlik has been in business for 13 years, has developed award-winning products, and has a financial base that should be strong enough to support the growing number of users it’s attracting. In addition to patching Windows and Microsoft Office apps, NetChkPro can auto-deploy patches for Firefox, Adobe Reader, WinZip, RealPlayer, Macromedia Flash, and other programs.
NetChkPro is "agentless" patch-management software. That means an installation on a single PC can scan and deploy patches to as many machines across a workgroup or domain as you have licenses for. No "agent" program needs to be installed on each machine that’s to be scanned. In addition, NetChkPro gives back a license for any machine you haven’t deployed patches to for 45 days. That’s handy if one machine in a home or office is retired and a new one takes its place.
The minimum purchase at Shavlik’s site is a 5-user license, which amounts to $125. In my opinion, that’s justified for small offices and home users with several PCs. For home users with only a single PC, Schultze says a Web service that scans machines remotely will become available in a couple of months for an affordable monthly fee.
Here are some of the awards I examined when analyzing potential replacements for Windows Update:
1. Redmond Magazine, a periodical that’s independent of Microsoft, stated flatly, "HFNetChkPro is the best Windows-based agentless product," in a November 2004 test of seven competing products.
2. SC Magazine, a British publication, in a June 2004 test suite of 10 contenders gave HFNetChkPro its Recommended award. A more recent test in March 2006 handed the Recommended title to NetChk Protect, a closely related Shavlik product with added antispyware capabilities.
3. Computer Business Review Online, in a March 2006 review, names no winners on points but includes NetChkPro in a useful description of 10 competing patch-management solutions.
I’ll be looking for additional torture tests of patch-management programs, now that running Windows Update has become somewhat dangerous to Windows users. Just as third-party software firewalls and antivirus programs are widely considered superior to Microsoft’s own offerings, I believe patch management will become a category in which those in the know demand independent solutions.
If test labs start handing Editors’ Choice awards to a product other than Shavlik’s, of course, I won’t hesitate to include the new winner in the Security Baseline when that day comes.
Uninstall Genuine Advantage the official way
One of the clear outcomes of the customer pressures on Microsoft regarding WGA is the written uninstall procedure MS posted on June 27 in Knowledge Base article 921914. WGA had previously been difficult to remove, with components regenerating themselves as soon as one was deleted.
I stated in my June 15 article that it was pointless for home users to try to uninstall WGA if they’d somehow installed it. Even if the Web rumor mill provided the right steps, removing WGA would at that time have simply made it impossible for users to get any downloads from Microsoft, even critical security updates.
With NetChkPro or any decent patch-management solution installed, however, you can now remove WGA and never worry about using Windows Update again. Microsoft reportedly will soon allow all comers to once again receive crucial security patches — but whether the company does or not won’t matter to you. Shavlik and the other top-rated PM firms make sure the right patches flow to the right machines without any reliance on Windows Update.
The WGA uninstall process that’s now documented in KB 921914 is the same one that’s been described for the past few weeks in several private blogs and discussion groups on the Web. Now that the procedure has a place on Microsoft.com, however, I believe it can be followed by Windows users with confidence.
There are 11 separate steps in the removal process. These include renaming files, running commands in a character-mode window, and editing the Registry. (Microsoft could have simply provided an uninstall utility, of course, but hasn’t yet.) I believe even novice users should be able to follow all 11 steps, if each one is carefully followed.
Note: Two of the three Registry keys that are deleted in step 10 of Microsoft’s procedure are identical, as of this writing. This appears to be a documentation error — the two relevant lines in the instructions are simply duplicates of each other.
Watch out for downloads in the night
The change of tone from Microsoft about WGA doesn’t mean you can let your guard down. In a June 8 statement, the company said WGA would be changed to call home every 14 days instead of every 24 hours. A subsequent June 27 press release is unclear on this point but emphasizes that the new WGA will still operate, just not as frequently:
- “It is important to note that WGA Validation still periodically checks to determine whether the version of Windows is genuine.”
Furthermore, I tested Microsoft Update this morning (June 29), and it still refuses to identify any critical security updates until WGA is installed. Before showing the needed patches, the service displays the same deceptive message as before: “Software Upgrade for Some Windows Components Required.” No mention of WGA is made unless you click a tiny “details” link, and even then no information about WGA’s true functionality is displayed.
Microsoft’s statements imply that everything is fine and all of this is in the best interests of users. What customers around the world want to hear instead is, “We’ve canned the people who were responsible for misusing our critical security mechanism, and we’ve appointed an independent board to make sure it can never happen again.”
Until then, make sure you don’t allow patches 892130 and 905474 — the two components of WGA — to install themselves. And use the third-party software listed below in the Security Baseline to ensure you won’t wake up to any unpleasant surprises one day.
I’d like to thank readers John Holden and David Speck, M.D., for being the first among scores of readers who sent in valuable tips on this topic. (These two gentlemen are in no way responsible for the views I express above.) They’ll receive gift certificates for a book, CD, or DVD of their choice for sending us their research.
To submit more information about WGA, or to send us a tip on any other subject, visit WindowsSecrets.com/contact.
Brian Livingston is editor of the Windows Secrets Newsletter and the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.
Live Safety Center is good and free
By Woody Leonhard
When Microsoft first announced Windows Live OneCare, I figured Redmond had a lot of cojones to charge consumers for protection against flaws in its own products. In OneCare’s first month, however, it appears to my jaundiced eye that MS has responded admirably to two real, in-the-wild, zero-day attacks — first in Word, then in Excel — via a little-known free service called the Windows Live Safety Center. Never heard of it? Read on.
What is Windows Live OneCare?
"Help get confidence and peace of mind with round-the-clock protection and maintenance—virus scanning, firewalls, tune ups, file backups, the whole nine yards." That’s what Live OneCare’s marketeers say. Yes, I know that Windows XP SP2 has a firewall, of sorts, and that entire industries support firewalls, virus scanning, tune-ups and backups with packages that range from utterly free to very expensive. Not sure where you can buy a whole nine yards, or even half of one, but I’ll leave that to the philosophers.
Microsoft charges $49.95 USD for one year of OneCare, and that fee can cover up to three computers. Compared to more expensive antivirus programs, it’s a deal. Compared to highly capable free packages, well… you do the math.
What Windows Live OneCare offers that no other company can offer is the name. M-i-c-r-o-s-o-f-t. Face it. Microsoft built the products that need protection. They have, by far, the largest reporting and support organization for those products. If something goes bump in the night, Microsoft can call out a whole army of programmers who know the terrain and have the resources — even the source code — to find and fix the problem.
When you pay for Windows Live OneCare, you’re paying for that expertise.
Cavorting on a tilted playing field
Here’s the rub. Many people who discover real, new malware (viruses, Trojans, worms and the like) send a report to the manufacturer of their favorite antivirus program. Many people go straight to Microsoft. Industry insiders tell me that Microsoft has been "pretty good" about disseminating new information to its competitors, the traditional antivirus software vendors. But there’s no doubt in anyone’s mind that Microsoft has the big guns — the people and the tools necessary to pinpoint the cause of the problem.
Before Windows Live OneCare, Microsoft disseminated critical information about new problems to all the major antivirus software vendors more-or-less simultaneously. Now that Microsoft peddles its own antivirus product, the playing field’s no longer level.
This month’s Word zero-day exploit
Although details remain sketchy, it appears that Shih-hao Weng at the Information & Communication Security Technology Center in Taipei discovered a Word document that uses SmartTags in a malicious way that had never been seen before — a zero-day exploit. He contacted Microsoft, as you might expect. Sporadic reports about the exploit spread like wildfire around the Net. Several days later, Microsoft officially confirmed the existence of a "memory corruption error when handling Word documents using a malformed object pointer."
At that point, Microsoft found itself in a bind with "monopoly" written all over it. If the ‘Softies offered a fix for the sploit via Windows Live OneCare — that is, if they offered to solve the problem for a fee, prior to the fix becoming widely available to all of its competitors — the antivirus vendors (indeed, the world!) would have good reason to scream bloody murder.
More than that, Microsoft has an obligation to fix security holes in its own products for free. It would be unconscionable for the ‘Softies to offer protection to those willing to pony up fifty bucks, while those of us unwilling to pay the piper would be left exposed until Microsoft released the appropriate security bulletin and patch, weeks or months later.
Enter the Windows Live Safety Center
Yeah, I get tired of the "Live" hype, too. Guess it sounds better than "Windows Dead Safety Center."
Microsoft has staked out a solid middle ground that you should take a look at. It’s the Windows Live Safety Center, a free alternative to the paid scanner in Live OneCare. For both the Word exploit and a separate Excel zero-day hack, Microsoft’s fix appeared first at the Live Safety Center. At least, that’s what the Microsoft Security Response Center claims.
To be sure, the Live Safety Center’s interface appears clunky and awkward. The service requires Microsoft Internet Explorer 6.0 or higher or MSN 9.0. The site goes down far too often. The descriptions on the site don’t bother to mention specifically which malware gets caught. It all reeks of half-baked and half-passed "beta" software. (Hey, Microsoft doesn’t make any money off of it. Whaddya expect?)
But the Live Safety Center now rates as the resource of first resort — especially for those of us who refuse to pay Microsoft $50 to fix its own products and for anyone who wants the most up-to-date protection anywhere.
The next time you’re faced with a Word doc or an Excel spreadsheet that just might be on the dicey side, don’t open the file. Save it, bring up the Live Safety Center, and run a scan. You might be surprised.
Woody Leonhard writes books about Windows and Office. His most recent works are Windows XP All-In-One Desk Reference For Dummies, Windows XP Timesaving Techniques For Dummies, Windows XP Hacks & Mods For Dummies, Office 2003 Timesaving Techniques For Dummies, and Special Edition Using Office 2003 (with Ed Bott).
How to disable unexpected attacks
By Ryan Russell.
There are a lot of ways your machines can be attacked. Not all of them are via the Internet. Some attack vectors require physical access, but many others can hit you without notice when you do something as simple as accessing an external device.
Take a moment to shut down autoplay
I received feedback from a reader named Bob, who said he enjoyed my June 15 article on potential problems with the new “U3” USB keys. He indicates that he typically disables autoplay entirely, since it’s not a big deal to manually run an inserted CD. Excellent point. This should eliminate the possibility that U3 drives, which can emulate CDs, will run code automatically.
I was remiss in pointing out an autoplay threat without in the same column covering how to disable autoplay. Mea culpa.
In Windows NT-based systems, run regedit.exe. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\Cdrom. Find the DWORD value named AutoRun. Change it from 1 to 0.
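The same registry change as a script, useful for checking the value before and after on more than one machine. This is an added example, not part of the original column; it assumes a current Windows PowerShell run from an elevated prompt, and the function names are illustrative.

```powershell
# Added example: audit and disable CD-ROM AutoRun (the AutoRun value under the
# Cdrom service key). Assumption: run from an elevated prompt, because writing
# under HKLM requires administrator rights.

$CdromKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Cdrom'
$ValueName = 'AutoRun'

function Get-CdromAutoRun {
    # Returns the current DWORD, or $null when the value does not exist.
    $prop = Get-ItemProperty -Path $CdromKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.$ValueName
}

function Disable-CdromAutoRun {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $before = Get-CdromAutoRun
    $shown  = if ($null -eq $before) { '(not set)' } else { $before }

    if ($before -eq 0) {
        Write-Output 'AutoRun is already 0; no change made.'
        return
    }

    # ShouldProcess makes -WhatIf and -Confirm work, so the change can be previewed.
    if ($PSCmdlet.ShouldProcess("$CdromKey\$ValueName", 'Set DWORD to 0')) {
        Set-ItemProperty -Path $CdromKey -Name $ValueName -Value 0 -Type DWord

        # Read the value back rather than trusting the write.
        $after = Get-CdromAutoRun
        if ($after -ne 0) { throw "AutoRun is still $after after the write." }
        Write-Output "AutoRun changed from $shown to 0."
    }
}

# Preview only: shows what would change without touching the registry.
Disable-CdromAutoRun -WhatIf
```

Run `Disable-CdromAutoRun` without `-WhatIf` to apply the change.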
What if you have a Windows 9x-based system? How do you disable autorun there? As my fellow columnist, Susan Bradley, pointed out in her June 15 column, it’s time to give up on Win 9x.
The most “recent” flavor is Windows Me, which is now 6 years old. And Microsoft just officially quit caring about patching it. In its announcement, the company indicates that it isn’t going to bother with issuing security bulletins such as MS06-015 for Windows 98, Windows 98SE and Windows Me. It’s too hard, there’s been too much change, and these platforms go out of lifecycle support on July 11, anyway.
Yes, it’s a minor broken promise, but I really can’t feel too outraged about it.
You can be hacked via bad drivers
One of the attack vectors that not everyone thinks about is third-party driver software. You’ve probably experienced less malicious versions of the problem already.
Ever had some sort of Blue Screen of Death problem when performing some operation, which was fixed by upgrading drivers? Happens to me with new games quite frequently. I have to visit the nVidia or ATI Web sites before my new first-person shooter will work.
That’s an example of a driver bug. Fortunately, my machine merely crashed instead of suffering from having spyware installed, because the crash was a random occurrence rather than an intentional attack.
Of course, some problems like these are exploitable. If it’s a driver for a remote-access device, this could lead to remote attacks.
What has me thinking about these problems is an Infoworld article about researchers who say they’ve found such an attack and plan to demo it at the upcoming Black Hat Briefings conference in August.
I’ll be there, and I look forward to the demo. That this problem exists should be expected, though. Microsoft can make all the software improvements it likes, and it won’t improve the quality of third-party software. When that software is a driver living in kernel space, watch out.
A similar set of problems seems to exist on almost all Bluetooth software. A friend of mine, Kevin Finisterre, has published a lot about Bluetooth problems. It’s not much of an exaggeration to say that he’s been able to find a problem in every piece of Bluetooth technology he’s looked at.
And yes, driver problems such as these affect Mac OS X and Linux as well.
Harden a PC by disabling unused devices
This means that, when you’re hardening a computer, you must also disable any hardware devices that you aren’t using. To use Microsoft’s new favorite term, you want to reduce the attack surface.
Disable Wi-Fi and Bluetooth when not in use. Disable the IRDA port. If you always use wireless, then disable the wired Ethernet port. You get the idea.
Hardening becomes even more important on a traveling laptop, where you will be within range of many unknown attackers. I’m reminded of this every year when I go to Blackhat and Defcon. You can bet I think hard before even turning my laptop on.
The Perimeter Scan column gives you the facts you need to test your systems to prevent weaknesses. Ryan Russell is quality assurance manager at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias “Blue Boar.” He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series.
Excel flaws pose a triple threat
By Chris Mosby.
The last few weeks haven’t been good for Microsoft Excel. Three serious vulnerabilities affecting the popular spreadsheet program have been revealed. Two of these are already being actively exploited in the wild. This is a serious concern, as there currently isn’t a patch for any of the three holes. But I’ll arm you with workarounds that should keep hackers from storming your computer.
Excel’s ‘repair mode’ can be exploited
All versions of Excel from 2000 to 2003 (including Excel Viewer 2003) are vulnerable to a memory corruption problem in the “repair mode” feature. This function fixes corrupted documents. To exploit the vulnerability, a hacker would have to get a user to open a specially crafted Excel file. The file could be sent as an e-mail attachment or hosted on a Web site where a visitor could access it. Social-engineering techniques, which have worked in the past, could be used to accomplish this.
A hacker who was able to exploit this vulnerability could get the same user rights as the local user, allowing the introduction of infected files. The problem was discovered as a zero-day exploit and is already being used in the wild in targeted attacks to install infected software. One example of that is explained in Symantec’s description of Trojan.Mdropper.J.
Microsoft is aware of the flaw and has confirmed the vulnerability in Microsoft security advisory 921365. In that document and in the Microsoft Security Response Center blog, Microsoft states that it is working on a patch, but a time frame on its release is unknown.
What to do: Microsoft’s advisory on this flaw lists several workarounds for this issue. Most of them are for the more advanced user and involve modifying the Registry. The workarounds that Microsoft recommends are extreme and could very well corrupt your installation of Excel, if not done properly.
Windows Live Safety Center, which Woody Leonhard explains above, does catch Excel files that are infected with the repair-mode hack.
It may be easier for you to use Open Office’s Calc while you’re waiting for this vulnerability to be fixed. Also, always remember to never open any e-mail attachment from any source unless you’re expecting it. Unanticipated attachments should be treated as infected until you confirm them offline with the sender.
More info: CVE-2006-3059, National Cyber-Alert System, Secunia, SecurityFocus, US-CERT, Sectrack
Hyperlinks in Excel can be exploited
Excel’s new hyperlink vulnerability first surfaced on the Full-Disclosure mailing list. The exploit was posted there as proof of concept (POC) code written in Perl. Microsoft was soon able to confirm the vulnerability, saying it was technically a vulnerability in the hlink.dll component in Windows that processes operations involving hyperlinks.
The flaw is a boundary error in hlink.dll when processing hyperlinks in, for example, Excel documents. If a hacker can trick a user into clicking a link in an infected Excel document, a stack-based buffer overflow allows the hacker to run infected code.
Though the original POC code involves Excel, it’s very possible that other Microsoft products that use hlink.dll may also be vulnerable. Two more exploit code samples have come out, so it’s just a matter of time before we see this out in the wild.
What to do: Until this vulnerability can be fixed, I recommend not clicking any links you find in untrusted Office documents.
More info: CVE-2006-3086, National Cyber-Alert System, SecurityFocus, Secunia, TROJ_URXCEL.A
Excel auto-runs infected Shockwave files
It was disclosed recently that infected Flash files with explicit Java scripts can be embedded inside Excel files. A “Shockwave Flash Object” will run as soon as an Excel file is opened. Other than opening the file, the exploit requires no user intervention. This is not really a Flash problem, as I see it, but an Excel-specific vulnerability.
POC code is already readily available for download, but Microsoft has not made any formal announcement about this flaw. The only suggested workaround from Microsoft was provided to the person who discovered the problem, and I describe it below.
What to do: If switching to Open Office is not an option, then Microsoft suggests making a kill bit for Office, just as you can do for IE. You can find information about that in Knowledge Base article 240797.
Yeah, that does sound complicated, doesn’t it? You might want to remember to never open any e-mail attachment from any source unless you’re expecting it, as I mentioned earlier, until this flaw is fixed.
More info: CVE-2006-3014, National Cyber-Alert System, Neohapsis Archives, SecurityFocus
The Over the Horizon column informs you about threats for which no patch has yet been released by a vendor. Chris Mosby recently received an MVP (Most Valuable Professional) award from Microsoft for his knowledge of Systems Management Server. He runs the SMS Admin Store and is a contributor to Configuring Symantec Antivirus Corporate Edition.
June patches break dial-up scripts, etc.
By Susan Bradley.
With the June patches being so numerous this month, even some folks who ordinarily patch quickly are just now getting around to patching.
MS06-025 (911280)
Scripted dial-up fails after MS patch
Most of us no longer use command-line dial-up scripts to configure 56K modems. If you do, however, you may need to check out KB 911280. This document has recently been updated to describe conflicts between MS06-025, which was released on June 13, and dial-up scripting. Microsoft says it plans to release a revised version of MS06-025 at some unspecified future date.
I’ve applied MS06-025 to several servers with no issues whatever. If a conflict applies to you, though, your dial-up connections can be completely halted.
Installing MS06-025 is particularly important if you’re using Windows 2000 and Internet connection sharing. Several exploit examples and POC code samples have already been posted on the Internet to exploit the flaw that MS06-025 fixes.
Microsoft re-released MS06-025 on June 27, and it’s now compatible with dial-up scripts. You’ll want to reinstall the patch if you were bitten by the problem. Read the Microsoft Security Response Center’s blog on the change.
MS06-015 (908531)
Problems installing Apple Quicktime 7.1
There are reports on the Apple discussion boards of install failures of Quicktime 7.1 after MS06-015 (908531) is installed. As of now, the only resolution is to remove the security patch and attempt to reinstall it after Quicktime is installed.
(914784)
64-bit kernel update breaks Daemon Tools
For those running 64-bit machines, you may have found that your Daemon Tools software fails to run after you install Microsoft’s x64 kernel update.
This update, KB 914784, was offered up June 13 on Microsoft Update for Windows XP 64-bit editions. The issues were quickly reported on discussion boards. At this time, there’s no solution, as reported by Daemon Tools. Those needing the virtual CD-ROM feature provided by Daemon may need to remove the Microsoft patch temporarily.
MS describes issues with WSUS SP1
On the Windows Server Update Services blog, Bobbie Harder has pointed out the new SP1 Readme file, which lists the known issues that occur after applying WSUS SP1. The biggest issue folks have noticed is that, after the application of SP1, the password for the proxy setting is deleted and must be reentered.
For those using Windows Software Update Services, you need to review all of the known issues before applying this service pack. SP1 does include performance upgrades, so it’s recommended to install it.
More beta apps now supported in WSUS
At TechEd in Boston, I heard about the new "branding" for Microsoft’s security products. The new name is also showing up in the WSUS patch database, as reported by the WSUS blog.
Instead of Microsoft Client Protection, the new name is Microsoft Forefront Client Security. You’ll also notice that more beta programs are now included in WSUS, including Vista and Exchange 2007, among other categories.
Every language of SQL SP1 was downloaded
For those of you running WSUS, you may have noticed during the last week in May a bigger than normal download. If you had your server set to download "all products" and chose the language category of "English," you accidentally received all languages of the SQL 2005 Service Pack 1.
Instead of the expected size, you received 6 gigs of patches in one download. This was fixed in a later refresh, as was noted by Bobbie Harder. But it points out the fact that you probably don’t want to set up servers to automatically download and install. While this was an isolated incident and is expected not to occur again, keeping an eye on WSUS when service packs are expected is a wise thing to do.
Reliable info is tricky 2 days after Patch Tuesday
At TechEd in Boston, I happened to listen to Christopher Budd, the Microsoft employee who typically gives the day-after-Patch-Tuesday Webcast for Microsoft. He made the point in his talk that early information isn’t always the best information. Early information about patch issues can be rushed and based on rumor.
In the last few Patch Tuesdays, the editors and I have had our hands full, ensuring that we had solid information about patch issues before publishing Windows Secrets only two days later. The second issue of the newsletter after Patch Tuesday, such as today’s, typically has information that reflects the greater amount of experience people have with the latest crop of patches.
The other editors and I try as best as we can to ensure that you get solid information about patches. I personally love the e-mails and feedback you send, so please feel free to contact me via the contact page.
Redmond’s take on the patch process
Christopher Budd also wrote an excellent article for TechNet about Microsoft’s patch-management process. While I agree with most of his points, there’s one that I can’t abide.
That’s his stress on service packs as Microsoft’s main patching mechanism. These days, I don’t think service packs should still be held out as the way you want to patch.
I’ve personally had many issues with service packs and thus still depend on security patches, deploying them sooner than I do service packs.
There are many times I find vendors don’t immediately support service packs. Thus I don’t wait for service packs as my main means for patching. I’m instead deploying patches every month.
Next month, just like every month, I’ll be back again to give you the details about the patch issues I see. Until then, happy patching.
The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody LLC. All other marks are the trademarks or service marks of their respective owners.
Copyright © 2025 AskWoody LLC, All rights reserved.
