April 11 patch re-released with fixes

April 11 patch re-released with fixes

Microsoft re-released on Apr. 25 a security patch that had been issued 14 days earlier in the company’s monthly Patch Tuesday schedule.

The original version of security bulletin MS06-015 causes problems with Microsoft Office and other apps when you try to open or save files in the My Documents folder; with Internet Explorer when you type Web addresses into the Address Bar; and with an untold number of other programs.

The Redmond company says the problems are being caused by older versions of HP Share-to-Web software, nVidia graphics drivers, and Kerio Personal Firewall. But I believe there may be other conflicts at work, as I discuss below.

In addition, Microsoft released a surprising number of other hotfixes and notices on Apr. 25. These include:

• In Outlook Express, some Address Books now won’t work after you install MS06-016;

• Hotfix 900485, which was originally issued by Microsoft in December 2005 to correct a rare XP crash, started being pushed out to users as a “security patch,” apparently in error;

• Windows Genuine Advantage, which previously checked for pirated versions of Windows only when a user downloaded free programs from Microsoft’s site, started being installed on every machine that has Automatic Updates turned on in the U.S., U.K., Australia, New Zealand, and Malaysia.

I’ll give you help for these and other April surprises below. First, let’s look at the worst problems, which affected people who installed MS06-015.

Workarounds for MS06-015 problems

The problems caused in Microsoft Office and other apps after installing MS06-015 has to be one of Microsoft’s biggest blunders. Fortunately, these issues seem fairly easy to correct, now that the Redmond company has re-released its bulletin.

If you’re affected by any of the problems related to MS06-015, they’re most likely to be resolved by running Windows Update or the improved Microsoft Update. If the update routine detects that you have drivers that conflict with MS06-015, entries will be written into the Registry, after which things should function normally. According to Microsoft, there’s no new version of the patch binaries themselves, just these new, more-forgiving Registry entries.

If that doesn’t solve your problems, the update routine may not be detecting anything that suggests the changes are needed. In such a case, you may need to uninstall MS06-015 and then run Microsoft Update to get the 2.0 behavior. To do this:

Step 1. Reboot to remove any programs that may be in memory;

Step 2. Run the Add/Remove Programs control panel and uninstall update 908531 (security patch MS06-015);

Step 3. Run Windows Update or Microsoft Update, which should offer you MS06-015 as a critical security patch. Install the patch.

If you can’t get the bad behavior fixed using Microsoft Update for some reason, reader Andy Suarez has a description of a manual workaround (which was developed before the re-released bulletin became available):

• “I’m sure you have already been alerted to it, but there seems to be a problem circulating on Windows machines… Symptoms are:

  • Cannot type a Web site into the Address Bar in IE — causes a indefinite wait time. It never goes anywhere. Typing www.website.com does not work. Typing website.com does not work. The only way for IE to bring you anywhere is to type http://www.website.com.

  • Going to a Favorite, clicking on a link in a Web page, or typing the Web site in as a Run command brings you to the Web site. It seems to only affect the Address Bar.

  • Trying to do a “save as” in a MS Office document leaves you with an hourglass that never goes away and never brings you to a folder listing. The same thing applies to trying to add an attachment to an e-mail in Outlook. This leads me to believe that it affects any program that brings up a box to navigate through Windows folders to save/open a file. …

  “The solution:

  1. Close any open windows.

  2. Go into Task Manager and kill any processes called verclsid.exe.
  
  3. Go into the c:windowssystem32 folder (on a WinXP machine, where c:windows is the drive where windows is installed).

  4. Make sure that file extensions can be seen (Tools, Folder Options, View tab, Hide extensions for known file types off, click OK).

  5. Scroll down to the file named verclsid.exe and rename it to verclsid.old.
  
  6. Change the option back for file extensions to not be shown (if you want).

  7. Voilà, everything works again.

  “I guess you could have just have deleted the verclsid.exe file, but I don’t know if we will need to change it back eventually when whatever is wrong is fixed."

In addition to the above problems, Microsoft says you may find after installing MS06-015 that:

• You can’t access files in My Pictures or other “special” folders;

• Right-clicking a file in Windows Explorer or on the Desktop, and then clicking Send To, doesn’t do anything;

• Trying to expand a folder in Windows Explorer has no effect.

For more information on the patch and the workarounds for the conflicts it causes, see Knowledge Base article 918165 and security bulletin MS06-015.

Coping with other April Fools’ issues

Since some of the newly released material just appeared yesterday, information is still a bit sketchy. Here are the best resources I’ve found on these topics:

• Address Books won’t open in Outlook Express. This apparently affects only Address Books that were created with older versions of Outlook Express and developed minor file corruption at some point. OE won’t load such Address Books after you install MS06-016. Microsoft has published an official workaround, which involves copying the affected file to a new name, manually deleting the old file, and then importing the renamed file. See KB 917288.

• Hotfix 900485 for XP SP2 being pushed out automatically. This patch is described by Microsoft in KB 900485. That article doesn’t explain why this 2005 hotfix is being deployed to everyone now. It’s probably just a Microsoft error. The situation is unclear even to MVPs (Most Valuable Professionals), as evidenced by a cryptic exchange in the Windows Update forum.

• FrontPage 2002 Server Extensions require special installation. If you use Microsoft’s Systems Management Server (SMS), you may need to avoid problems installing the FrontPage 2002 Server Extensions in security bulletin MS06-017 by using "interactive mode." See KB 917627.

• Outlook Web Access doesn’t work in IE 6 or Vista. After you install the so-called Eolas patent downgrade to IE, which has been released in various forms over the past several weeks, OWA won’t work in IE 6. It doesn’t work in the beta of Windows Vista, either, which is a separate problem. Both issues can be corrected with a hotfix to Microsoft Exchange Server. See KB 911829.

• Genuine Advantage automatically being installed in many countries. With no notice, Microsoft began installing Genuine Advantage to users in English-speaking countries and Malaysia on Apr. 25. This software had previously checked for pirated versions of Windows only when users tried to download free software from Microsoft’s site. Now it runs immediately, displaying warning messages if it feels that something is amiss.

It’s natural for Microsoft to want every copy of its software to be licensed. But many companies would rather not find out about this suddenly when they’re in the midst of some mission-critical process.

For more information, read the analysis by the Washington Post’s Brian Krebs and Microsoft’s Knowledge Base article 905474. The KB explains a way to disable the notifications that emit from Genuine Advantage. The change is said to work until the next time Microsoft decides to release a GA update. The article states that Genuine Advantage cannot be uninstalled once it is in place.

More fixes for Windows users

The problems with this month’s patches, especially the quiet mass installations of Genuine Advantage, are stimulating a healthy debate among the contributing editors of Windows Secrets. I’m personally considering whether to reverse the recommendation in our Security Baseline section that home users should leave Automatic Updates turned on. Microsoft is destroying the credibility of Automatic Updates by using it to force the installation of nonsecurity hacks, such as Genuine Advantage.

If you’re willing to actually pay attention when new critical updates are released, use the Automatic Updates control panel to switch its behavior to Notify me but don’t automatically download or install them. Then, when notified, select the most critical updates for installation — after you’ve read the paid version of that week’s Windows Secrets Newsletter.

Each month, we publish an issue that appears only 2 days after Patch Tuesday. We grill our sources to find and reveal to you all the negative side-effects involving every Microsoft patch that’s just been released. We follow this up 16 days after Patch Tuesday in our next issue, with further details we’ve learned.

The paid version of today’s newsletter is where we have the best information about problems and fixes related to the April patches.

As I said above, I believe more software is having problems with MS06-015 than Microsoft has explained. In today’s paid newsletter, I include a description of problems with DUN connections and possibly other software that clearly seems to be April Fools’ patch-related.

Also, Susan Bradley’s column explains the ins and outs of the Patch Tuesday problems and other issues you may run into.

Any reader may upgrade and immediately receive today’s paid version — and our next 12 months of secrets — by making a voluntary financial contribution — whatever amount it’s worth to you. Check it out. How to upgrade

To send us more information about the April patches, or to send us a tip on any other subject, visit WindowsSecrets.com/contact. You’ll receive a gift certificate for a book, CD, or DVD of your choice if you send us a comment that we print.

Brian Livingston is editor of the Windows Secrets Newsletter and the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.

Were you a victim of Patch Tuesday?

Here I was, looking for fallout from Microsoft’s Eolas/Internet Explorer patch — but most of the issues came instead from other patches.

Just like everyone else, I was expecting most of the problems from Patch Tuesday would be from 06-013. This is the cumulative Internet Explorer patch, which changes the way Active X works. I wasn’t expecting to see issues in the Window Shell patch, the Outlook Express patch, nor in OE’s Junk Mail Filter. These issues, because they mostly affect consumers, have raised a concern about online communities and self-help sites. I think they’re masking the real magnitude of issues.

MS06-015 (908531)
Windows Shell patch impacts HP, nVidia

The Windows Shell patch, MS06-015, interacted with both HP’s Share-to-Web software and nVidia drivers to freeze up computers. Some folks thought they were being impacted by malware. KB 918165 discusses the issues you see when you’re affected by these problems.

They include the following:

• You cannot access special folders such as "My Documents" or "My Pictures."
• Microsoft Office applications stop responding when you try to save or to open Office files in the "My Documents" folder.
• Office files that are located in the "My Documents" folder cannot be opened.
• When you type an address in the Address Bar in Microsoft Internet Explorer, nothing happens.
• When you right-click a file and then click Send To, nothing happens.
• When you expand a folder in Windows Explorer, nothing happens.
• Some third-party applications stop responding when you open or save data in the “My Documents” folder.

If you’re one of the folks who was impacted by this patch, I need you to do me a favor. I want you to call Microsoft’s security phone number at 1-866-PCSAFETY and say so. (For folks outside the U.S., the phone numbers are at theinternational support page.)

In this Web-enabled world of ours, where computer tech support consists of your 10-year-old or his friends, I’m not sure Microsoft is getting an accurate feel for the impact of this issue. At one point in time, the company indicated that the call volumes were low on this topic. But, due to the fact that the side-effects of this patch tend to be mostly in the consumer world, I’m not sure Microsoft is getting good numbers of what I call a "body count."

The good news is that Microsoft re-released the MS06-015 patch on Apr. 25 to fix the problems. If you see issues with your system (described in the KB) that would be best described as general "freeze ups," go into Add/Remove Programs. (If you’re running Windows XP, click the box at the top of the window, which will show updates.) Find patch 908531 and remove it, then install the new MS06-015.

At this time, I have not seen a public exploit that takes advantage of the MS06-015 hole. Thus, your risk of infection is low during the period when the old patch is uninstalled and the new one is in place.

You really only need to reinstall 908531 if you are affected by the problem. Microsoft Update won’t reinstall it unless it detects that you have the conflicting HP/nVidia drivers. So, if you don’t get the patch re-offered to you, don’t worry, you probably don’t have the impacted software on your system.

KB 905474 and 900485
Patch Tuesday-and-a-half on April 25

I was expecting the re-release of MS06-015, but I wasn’t expecting all the other patches I had to deal with on what I’m calling the “second” Patch Tuesday for the month of April. Here are some details of what else was released around Apr. 25:

• Genuine Advantage. I had read that Microsoft’s Genuine Advantage tool would be rolled out more broadly in a larger “pilot program.” But it now appears that, beginning on Apr. 25, customers in the entire North American continent, plus Britain, Malaysia, Australia, and New Zealand are getting Genuine Advantage pushed out to them. More information, and a way to disable Genuine Advantage notifications until the next time MS decides to issue a pilot (Microsoft claims there’s no way to uninstall it once it’s installed) is in KB 905474.

• XP SP2 BSOD Hotfix. Then Microsoft released a hotfix that prevents a “blue screen of death” on XP SP2 machines. A BSOD, as it’s called, is when a system crashes and you are left with a bright blue screen with a series of cryptic numbers. Normally it takes someone with a debugger tool to review this. See KB 900485.

All of this reminds me that the “upper” patch section in Microsoft Update doesn’t include just security-related patches but also “high priority” patches. I definitely didn’t plan on dealing with this many patches on a day that I was expecting only a fix for MS06-015’s issues.

MS06-016 (911567)
Outlook Express patch hits address books

The next patch that has issues is MS06-016, which affects Outlook Express. This is one we’ve been tracking in the newsgroups.

If you installed MS06-016 and you get an error message when accessing Outlook Express, either call Microsoft at the numbers listed above and state that you are seeing issues with the patch. Removing the patch will resolve the issue, as will re-importing the OE Address Book.

Removing the patch will obviously leave you unprotected against possible attacks. But, at this time, I do not see specific exploits in the wild for this hole and most antivirus programs have by now been updated to protect you.

Microsoft issued on Apr. 26 an official workaround, which is posted at KB 917288. This involves making a copy of the Address Book, manually deleting the original one, then importing the copy. Microsoft’s article states that this doesn’t yet fix OE 5.5 SP2 on Windows 2000 and that the problem with that version is still being researched.

Even if the workaround solves your immediate problem, I still strongly urge you to call Microsoft and report the situation.

Outlook’s Junk Mail Filter has install issues

A few months back, there was an issue with Office 2003 Service Pack 2 not being properly installed. In what appears to be a similar problem, this month’s Junk Mail Filter, KB 914454, has been having install issues.

The problem appears to be related to the Windows Registry cleaner tool, or some third-party Registry cleaner that has adjusted the settings. Eric Vogel discusses the issue in his blog posting. To remedy this situation, follow the instructions in KB 884298.

MS06-013 (912812)
IE patch not as bad as expected

After all the dire warnings of doom and gloom over this patch, as you can tell from my introduction above, MS06-013 apparently wasn’t a major issue. While it did impact some folks running Siebel Systems software, I really did not see negative impacts to the extent I was expecting.

Because Microsoft’s patch changes how IE handles ActiveX content, the additional clicking that’s now required on certain Web sites has been annoying, but it’s nothing that has stopped systems.

If you do experience anything harmful to your systems as a result of installing MS06-013, please feel free to let me know via the contact page.

Why you should call MS support with issues

At the bottom of each security patch e-mail is a statement by Microsoft that issues caused by a security patch are a free call. But in typical "legalese" wording, they always preface it by saying that you may be asked for a credit card for a charge that will then be refunded.

The process is, to be frank, there to ensure that the free-call process is not abused. Those computer owners who are obviously impacted by a security patch will not be charged for a call. Phone numbers, Web resources, and other self-help resources can be found at www.microsoft.com/support.

The important thing that I’d like everyone to remember is that if you get a great support rep from a vendor — any vendor — make sure that the company hears that the person went out of their way and exceeded your expectations. Conversely, if your tech-support experience isn’t up to par, ensure you give feedback as well.

In the case of Microsoft, when a case is opened, you are assigned a SRX (or SRC in non-U.S. countries). This has at the bottom the contact information to give feedback. If you had a great support experience, say so. If you didn’t, say that too.

Tricks for moving to a new computer

At my office, I regularly migrate the files and settings from one computer to another. I use a variety of methods, including the Windows XP File and Transfer Wizard. I’ve also been known to pull the hard drive out of an old computer and place it in a USB enclosure in case I’ve forgotten anything in the transfer.

The key to successfully using the wizard is ensuring that you either add all of the same add-ins into Word or you remove them before you use the wizard.

Can you save files for offline patching?

A question from the newsbag came in about the ability to copy patches from one machine to another to act as an offline patching mechanism. Unfortunately, it’s not as easy as this.

What you can do is run Windows Update or Microsoft Update, go to the administrative section, search for patches for your operating system, and then download them and burn them to a CD-ROM. This can save time if downloading of several security updates over dial-up connections would take too long.

The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley recently received a MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.

How to check that sites are safe

I don’t gush over new software very often. Most of what I see looks like same-old, same-old, maybe with a burnished bell here or a twisted whistle there.

But I recently found something new — something exciting — on the Web, and it’s saved my tail a couple of times. If you haven’t seen SiteAdvisor, you should look. If you don’t use SiteAdvisor, you should try.

Exploring the underbelly of the Web

I confess. I venture to all sorts of Web sites that sit on the fringe of respectability. P2P sites. Warez sites. Download sites. Hacker sites. Tweaker sites. Political sites. Sometimes I’m pushed, like when a friend sends an intriguing link. Sometimes I’m pulled, when Google turns up an unexpected result.

Many of the most interesting sites have files I’d like to download. And that’s where I start living on the edge. My firewall’s up and working, AV software in place, Firefox blocks a lot of junk, Webroot Spy Sweeper is on the job, my shields are up, and my BS detector runs in overdrive. You know the drill. I bet you’ve been there a hundred times.

I’m not all that worried about drive-by infections: I’ve never been bit by simply visiting a Web site. I’m not worried about worms, Trojans, and viruses because my AV software works the way it should. I never double-click on downloaded files without saving them to disk and submitting them to an AV scan first. I don’t install ActiveX controls unless they’re pedigreed beyond reproach and pass Spy Sweeper muster. I’m not even all that worried about downloading and installing junkware these days, because Spy Sweeper catches the stuff that Microsoft’s Windows Defender misses, whether by omission or commission.

The problem: You can’t always guess right

With so many bases covered, you might think that I could surf, install ActiveX controls, and download in peace. Yeah, right.

Here’s the crux of the problem: I don’t want to waste my time on sites that are spamming, scamming, and slamming people. I don’t want to download a file, only to discover 15 minutes later that a piece of 180solutions (er, Seekmo) scum or Gator (er, Claria) crapola came along for the ride. I don’t want to spend any time at all on sites that make me worry about using a throw-away e-mail address. I don’t like doing business with people like that — and I sure as shootin’ don’t want to add to their Web hit counters.

I’m also getting more and more concerned about phishing sites. A couple of times I’ve almost clicked on links in incoming messages, thinking that I really did need to verify an account. In some cases, the URLs were cleverly constructed so at first glance it appeared as if the messages were legit. These guys are getting better at their craft, and if they find some magic means of disguising URLs, I could get tripped and ripped. Off, that is.

That’s why I was so impressed when I bumped into an article entitled Deciding Who to Trust by antispyware researcher Ben Edelman. Ben gets it. He joined the advisory board of a company called SiteAdvisor, and the product they have to offer (absolutely free!) runs rings around any scumbusting software I’ve seen before.

SiteAdvisor’s objective approach to bad things

SiteAdvisor crawls the Web, subjecting each site to a multi-pronged probe. First, SiteAdvisor looks to see if there are any files available for download. If there are, the spider downloads the files and examines them for many different kinds of scum.

But the SiteAdvisor approach goes beyond downloading and dissecting. If the site asks you to submit your e-mail address, the spider fills out the form with a traceable address — and then SiteAdvisor sits back and waits to see if any spam arrives. Very slick.

There’s more. SiteAdvisor also examines links on the site, to see if the site attempts to get you to go to other scummy sites.

The folks at SiteAdvisor realize that their method isn’t infallible, so they embed easy hooks for people to leave comments. If you bump into a site that ends up causing you problems, you can file a report, and the report is linked directly to the site. If a site owner feels that he has been unjustly accused, he can state his case, just as well, and just as easily. It’s a reasonable and fair counterbalance to incessantly automated scanning.

Using SiteAdvisor’s toolbar for fast ratings

SiteAdvisor plugs straight into Firefox. (Or Internet Explorer, if you still use it.) It occupies a small corner of the toolbar. As long as the SiteAdvisor icon glows green, you’re in good company. When it turns red, you may be stepping in deep dross. And if it stays gray, SiteAdvisor has no opinion — which isn’t a good sign, if you’re about to enter account or credit card information. Click the SiteAdvisor icon, of whatever color, and the site takes you to an analysis page that tells you precisely why the site you’re visiting warrants trust or caution.

SiteAdvisor also hooks itself into your Google (or Yahoo or MSN) search results, displaying a small icon next to each item in your returned search. That’s the big time-saver for me: if a site comes up red, I think twice (or more) about clicking through.

Times may be a-changin’

A couple of weeks ago, McAfee announced that it’s buying SiteAdvisor, lock, stock, and spider-scanned barrel. Although McAfee says it’ll keep SiteAdvisor free, I think right now is a very good time to drop by the SiteAdvisor.com and install your copy before this changes.  

"Free" is a relative term, eh?

Woody Leonhard writes books about Windows and Office. His most recent works are Windows XP All-In-One Desk Reference For Dummies, Windows XP Timesaving Techniques For Dummies, Windows XP Hacks & Mods For Dummies, Office 2003 Timesaving Techniques For Dummies, and Special Edition Using Office 2003 (with Ed Bott).

There they go again — slipstreaming patches

For as long as people have been finding security vulnerabilities, software vendors have been trying to "slipstream" security fixes. What’s surprised me in the past few weeks is that a couple of big vendors have admitted to it and are trying to justify the practice.

You might think of "slipstreaming" as patching an installer so that new installs are born patched. I would clearly have no problem with that. The other meaning, however, has to do with silently releasing a security fix as part of some other software patch or update — and not letting users know there was a security problem or how serious it was. That I have a problem with.

How researchers educate software vendors

It’s been my observation, with a few laudable exceptions, that software vendors have to go through a learning process when it comes to security fixes. They go through this process until they eventually arrive at the "right" way to handle security fixes. That is, they eventually do it my way.

Well, it’s not "my" way. I didn’t invent any of it. It’s just the way that all of my security-zealot buddies and I like to see things done.

Without going into a lot of detail, let’s just say that it involves things like a free and easy way to report problems to the vendor, free security patches, timely releases, and enough detail for patch consumers to make informed decisions.

This isn’t a one-way street. Software vendors typically expect researchers to keep quiet while the vendors take as much time as needed to prepare a good fix. In the meantime, researchers are expected not to release public exploits and to keep providing the vendor with free QA.

The majority of players in this game have settled into a truce usually called something similar to "responsible disclosure." Of course, since it’s a middle ground, there are degrees and extremes on both sides. For example, you have researchers who hate the Microsofts of the world, and blindside them every chance they get. On the other side, you have database vendors who’d rather the researchers never revealed anything at all.

Truth be told, the vulnerability researchers hold the power in this relationship. They have a provable fact on their side, and it has value. They could release the details at any time, and would generally suffer little or no consequence for doing so. If they opt to give the vendor time to prepare, they’re doing so as a favor to the vendor and its users (and possibly preserving some business relationships, depending on the researcher.)

Given this, most software vendors seem to eventually arrive at the set of practices that we like to see. The vendors often go through something like a grieving process when people start finding security vulnerabilities in their software. They often start by denying the problem, or hoping it will go away. They may become angry and try to sue. They go through the pain of building the teams and processes to deal with the reports, and build the patches. And finally they accept that this is the way things are, and incorporate it into their business planning.

As a good example, look at Microsoft. They used to be considered as bad as anyone about security issues. Frankly, I think the company has one of the best processes now for taking vulnerability reports and fixing them.

That’s why it pains me to see what I think of as a regression in Microsoft’s behavior.

Microsoft accused of slipstreaming fixes

In her Apr. 13 column, Susan mentioned Matthew Murphy’s blog entry about Microsoft downplaying the severity of old problems while quietly fixing them. This is also known as slipstreaming.

We’re all missing some information on this incident, but eWeek appears to believe Murphy’s version of things. (I believe it too, if I haven’t already made this obvious.)

For a bit of humor and irony, the eWeek article points out that a recent blog entry by a Microsoft Response Center employee gives Apple grief about the Cupertino company’s response handling. I’ll get to Apple shortly.

Murphy’s issue seems to have sparked discussion in the security community. In a post to the DailyDave mailing list, Marc Bevand from Rapid7 makes a compelling case for a couple of other slipstreamed fixes he says Microsoft has pulled off. He claims Microsoft fixed the bug in MS05-047 earlier for Windows 2003. It wasn’t until eEye discovered this independently that Microsoft also released the fix for older versions of Windows.

The whole thread is fascinating, if you’re into the topic. Read the posts entitled "Microsoft silently fixes security vulnerabilities." A number of other researchers confirm the existence of "silent fixes." These are some of the same researchers who "read" Microsoft patches as a matter of course when they are released. By this, I mean they’re reading the binary files to see what has changed in the patched version. These researchers indicate that more holes are often fixed than a Microsoft bulletin says.

It seems pretty clear that MS does, and I presume will continue to, slipstream fixes as it sees fit. I’ll leave some room here for other explanations, but I’m not aware of Microsoft having publically indicated its policy on this. I imagine it would have something to do with "customers at risk."

Apple simply admits slipstreaming fixes

Apple, on the other hand, comes right out and tells us it’s slipstreaming. In a News.com article, Bud Tribble, Apple’s vice president of software technology, is quoted as saying, "We don’t feel that our customers are better served by public disclosure of potential issues." He goes on, "We think that in the general case, people who need to know about issues are the ones that can actually fix the bugs."

Tribble seems to forget that it is both IT people and end users who need information to decide if and when to upgrade. As News.com points out, this "policy" comes up because Apple got caught slipstreaming patches that appeared to be ordinary Quicktime and iTunes updates. Did you know that not keeping your iTunes up to date (and accepting any DRM changes, too) might put you at risk for remote exploitation?

If you use OS X, I hope you paid to upgrade to 10.4, and are religious about installing every single fix that Software Update offers you.

And how about if you’re a Windows user of iTunes and Quicktime? Do you need to install the updates? Yeah, I don’t know either.

What to do about slipstreaming

There are at least two answers on what to do about the slipstreaming problem. One is to make sure you pay for the latest version of any operating system and software you have, and install every single update, on the assumption that each one has critical security fixes.

OK, so I have to replace every copy of Windows with Windows 2003 and every OS X with 10.4. So, I pay the vendors over and over again, and they can force any change they want on me. Who benefits in this scenario? If we all do this, I’m sure they will clean up their acts right away (ha, ha).

The other way to deal with it is activist-style. Complain, vote with your dollars, etc. I’m a bit of a cynic when it comes to making Microsoft change its ways, but I don’t see anything else for you to do about it that would work.

Every time Microsoft, Apple, and the other vendors ship patches, they’re spilling the beans to all the security researchers who read binaries. These security researchers have a history of training software vendors to do things the "right way." Maybe soon we’ll see an end to slipstreaming and get the information we need the day patches are first issued.

The Perimeter Scan column gives you the facts you need to test your systems to prevent weaknesses. Ryan Russell is quality assurance manager at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias "Blue Boar." He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series.

Deeper problems emerge with April patches

As you’ve seen in the top story in this issue, the patches Microsoft released via its regular Patch Tuesday schedule on April 11 caused serious grief for many people. Unfortunately, I believe there are still other software conflicts that Microsoft hasn’t yet confirmed.

I’ve seen reports of problems with AOL, the Windows version of iTunes, and other popular software — all related somehow to the April 11 patches.

I’m not printing anything about these issues yet, because I can’t get enough confirmation that they are anything other than run-of-the-mill Windows headaches.

Reader Alan Crawford, however, has done a substantial amount of troubleshooting and has issues that I believe are significant. He writes:

• “I can’t find any other references to this anywhere… so I will ask you and the Windows Secrets community.

  “Our group supports many customers around the country, and we access some of these customers’ machines via telnet and other TCP/IP-based protocols over Dial-Up Networking (DUN) connections. Having working DUN is obviously critical to our success.

  “We all use Windows XP Pro SP2, fully patched, with automatic patch download. Some of us apply the patches automatically, and some manually.

  “One of our machines had last week’s patches applied manually on Sunday night [Apr. 16], and that user’s DUN connections immediately started causing problems. While the DUN connections appeared to be successful, no TCP/IP-based communications would work — not telnet, not FTP, not HTTP, not POP3. All non-DUN networking worked as expected, including direct network connections and VPN connections.

  “Suspecting that the Windows firewall could be the culprit, we disabled it… but no joy.

  “Suspecting the Apr. 11 patches had caused the problem, we backed out the four Windows XP security updates that were applied on Sunday night. Success! Now our DUN connections work again.

  “Needless to say, we want all of our machines to have up-to-date security patches. But we don’t want to try these again until we can figure out what happened.”

Microsoft hasn’t published anything to my knowledge about the April 11 patches affecting telnet or dial-up networking. If you know why this is occuring, or you have any other details about problems MS hasn’t acknowledged, e-mail me using our contact page.