Fix for broken MS patch is released
In this issue
- TOP STORY: Fix for broken MS patch is released
- INSIDER TRICKS: AOL accused of double-billing hundreds of thousands of members
- PATCH WATCH: Four all-new 'critical' patches released yesterday
- BEST FREEWARE: Make animated demonstrations in a Wink
- INSIDER TRICKS: Identify the junk that starts itself up automatically
- WACKY WEB WEEK: Here's a tip they'll never forget
Fix for broken MS patch is released
By Brian Livingston
After six frustrating weeks of complaints from Windows users, Microsoft has released a fix for the patch described in security bulletin MS03-032 (Knowledge Base article 822925), which was issued in August. That patch was supposed to correct serious flaws in Internet Explorer 5.01, 5.5, and 6, but in fact left at least one of them open.
The new fix is said by Microsoft to be a “cumulative” patch that includes corrections for all known weaknesses in IE 5 and 6. This patch has its own, new number: MS03-040 / 828750.
Background:
- I wrote in the Sept. 18 issue of Brian’s Buzz that the MS03-032 patch – which had been rated by Microsoft as “critical,” the highest level of seriousness – failed to actually close one of the security holes that it had been designed to correct.
- Later, in the Oct. 2 Brian’s Buzz, I followed up by reporting that the unclosed hole was in fact being exploited by malicious hackers in the real world. For example, one malevolent Web page was able to take over PC users’ AOL Instant Messenger accounts. Another succeeded in switching victims’ dial-up accounts to a pay-per-call number costing as much as $5 per minute.
With the new MS03-040 patch installed, it should no longer be necessary to disable ActiveX in Internet Explorer or configure the browser to prompt you before running active content, as was recommended in the Sept. 18 Brian’s Buzz. You can refer to the directions found in that issue to reverse the changes to IE if you reconfigured these settings and want to change them back.
Microsoft has again rated its new MS03-040 patch as “critical” for all supported versions of IE 5 and 6. That includes IE 6 on Windows Server 2003, which is not vulnerable by default because IE there runs under the Enhanced Security Configuration, but which becomes vulnerable as soon as that configuration is switched off, a common change on servers that someone also uses for browsing.
During the weeks in which Microsoft’s broken MS03-032 patch went uncorrected – but after the Oct. 2 Brian’s Buzz was written – another serious exploit occurred “in the wild” that some experts say forced the Redmond company to speed up its development of the fix.
A Trojan horse known as Qhosts somehow infected a banner ad on FortuneCity.com, a free Web hosting site, according to News.com. Windows users who visited that site, which is otherwise a legitimate service, were silently infected. The Trojan takes its name from what it did: it rewrote the victims’ HOSTS file and DNS server settings so that lookups for popular sites were answered by the attackers’ own servers, which redirected the browser, sometimes to a page of ad links. FortuneCity soon removed the banner ad, and Qhosts’ redirect servers were quickly yanked off the Internet by the ISPs where they had been set up, so few users appear to have been affected.
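The redirection trick Qhosts relied on is easy to check for on a machine you suspect, because it leaves marks in two places: the HOSTS file and the adapters’ DNS server list. The PowerShell below is an added example, not part of the original newsletter and not anything Microsoft or News.com published. It parses a hosts file and reports every name that is mapped anywhere other than loopback, then lists the DNS servers each active adapter is using. The hosts content embedded in the script is constructed to show what a hijacked file looks like; its addresses come from a documentation range and are not real redirect servers. It assumes PowerShell 3 or later on Windows (for Get-CimInstance), tooling that did not exist in 2003.

```powershell
# Added example (not from the original newsletter): detect Qhosts-style hijacking of name
# resolution. The sample hosts content below is CONSTRUCTED for illustration only.

$SampleHosts = @"
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# constructed malicious entries; 198.51.100.0/24 is a documentation range, not a real server
198.51.100.23   www.google.com
198.51.100.23   search.yahoo.com   www.yahoo.com
"@

function Get-SuspiciousHostsEntries {
    param(
        [Parameter(Mandatory)][string]$HostsText
    )
    $findings = @()
    foreach ($raw in $HostsText -split "`r?`n") {
        $line = ($raw -split '#')[0].Trim()        # strip comments and whitespace
        if (-not $line) { continue }
        $fields = $line -split '\s+'               # "<address> <name> [<name> ...]"
        if ($fields.Count -lt 2) { continue }
        $ip = $fields[0]
        # A clean hosts file normally maps names only to loopback. Anything else
        # is worth a look: Qhosts pointed popular sites at attacker-run servers.
        $isLoopback = ($ip -match '^127\.') -or ($ip -eq '::1')
        if ($isLoopback) { continue }
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $findings += [pscustomobject]@{ Name = $name; Address = $ip }
        }
    }
    return $findings
}

'--- constructed sample ---'
Get-SuspiciousHostsEntries -HostsText $SampleHosts | Format-Table -AutoSize

# Same check against the live file, which lives under %SystemRoot%.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path $hostsPath) {
    '--- live hosts file ---'
    Get-SuspiciousHostsEntries -HostsText (Get-Content -Raw $hostsPath) | Format-Table -AutoSize
}

# Qhosts also changed the DNS servers the machine queried. List them per active adapter
# so you can compare against what your ISP or domain actually hands out.
'--- DNS servers in use ---'
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, DNSServerSearchOrder | Format-Table -AutoSize
```

The sample run should list the three hijacked names with their 198.51.100.23 address and nothing for localhost. A legitimate hosts entry (a developer pinning an intranet name, say) will also show up, so the output is a list to review, not a verdict.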
Because of the serious nature of these threats, which can silently take over a Windows installation, I recommend that you install the MS03-040 patch immediately. This patch, however, is still problematic in two ways that you must deal with.
Two side-effects you need to correct:
- Update HTML Help. As was the case with MS03-032 and a few other recent patches, installing MS03-040 will cause problems with Windows’ HTML Help engine unless you also install a fix to update the help feature. This is explained in Microsoft Knowledge Base article 811630.
- Update Windows Media Player. After installing MS03-040, you also need to install an update for Windows Media Player versions 6.4, 7.1, and 9, and Media Player for XP. Windows Media files (ASF, WMA, WMV) can carry URL script commands that order Media Player to open a Web page (stupidly, in my opinion). Those pages might be malicious or infected. The update allows administrators to shut down this behavior through Registry settings. I don’t believe this capability should ever have been shipped, but I recommend that you install the patch and implement the more-secure policies, as described in KB 828026.
I’ll continue following patches like these to keep you informed about weaknesses and gotchas that you should know about.
To send me more information about this, or to send me a tip on any other subject, visit WindowsSecrets.com/contact.
Another broken patch: MS03-039 is cracked, too
In yet another example of a patch that needs a patch, Microsoft security bulletin MS03-039 / 824146, released on Sept. 10, continues to allow denial-of-service (DoS) attacks even after installation, according to Counterpane Internet Security, a respected threat analysis firm.
With the MS03-039 patch installed, Windows systems are no longer vulnerable to the remote code execution through the RPCSS/DCOM interface that the bulletin addressed. But the service can still be crashed remotely, so DoS attacks remain possible. Microsoft at press time had no fix for the MS03-039 patch or any indication of when such a fix might be made available.
Counterpane’s bulletin on the problem lists several steps you can take to protect the vulnerable machines. The affected systems include Windows NT, 2000, XP, and, yes, Windows Server 2003.
AOL accused of double-billing hundreds of thousands of members
Just in time to help the computer industry out of its financial doldrums, a clutch of attorneys says that America Online, the world’s largest ISP, has found a novel way an enterprise can double its revenue stream – without increasing its customer base.
A lawsuit filed Sept. 29 seeks class-action status for an allegation that AOL charged hundreds of thousands of accounts $23.90 at the beginning of the month, and another $23.90 at the end of the month, according to ConsumerAffairs.com, a site associated with the law firm Joan E. Lisante LLC.
If you saw two charges like this on your credit-card statement, you’d naturally assume one represented the previous month and the other was for the following month.
Only if you examined your statements for two or three months would you realize that this was doubling the amount you should have been paying, the consumer site says.
You may not have a business relationship with AOL. But the accusations suggest a marvelous way for high-tech companies to beef up their bottom lines:
- Microsoft could send bills to corporations that had upgraded Windows XP on top of thousands of old Windows Me machines. The software giant could seek another payment for all those XP licenses, because now the PCs are actually running parts of two operating systems.
- When you purchase a database from Oracle, it could send you a second invoice. Your first payment had authorized you to use columns of data, but now you also need to pay for the rows.
In AOL’s defense, Nicholas J. Graham, a spokesman for the Dulles, Virginia, company, says the matter is all a big misunderstanding. There are several lawsuits with the same claims pending against AOL, including ones in California and Washington state, Graham says. But these suits haven’t obtained class-action status, because it hasn’t been granted yet by the courts, he explains.
“The specific allegations in the lawsuits pertain to a particular feature that’s called a spin-off subaccount,” Graham says.
This feature is useful for AOL subscribers who use different screen names but share the same account, he says. If individual members divorce, move away to a university, or go their separate ways for whatever reason, it can be necessary for one of them to get a new account, as Graham describes it.
“If people split or go to college, and one is on the account at the same time as the other, it causes a problem,” he says. AOL doesn’t permit two individuals to log on to the Internet at the same time from two different places.
“AOL strongly denies the claims and intends to vigorously defend itself in court,” the company said in a written statement. “Even in advance of these complaints being filed, AOL had instituted important changes to this procedure to reduce the potential for inadvertent actions taken by members in this program.”
The statement continues, “Sometimes, members mistakenly make an inadvertent selection that may result in a spun-off account. Fortunately, AOL has safeguards in place – such as email notification and confirmation, as well as 45-day free trials – that enable members to quickly and easily reverse the process themselves at no cost.”
The case raises all kinds of interesting questions about what corporations can and cannot do when presenting choices to customers on the screens of their computers.
As one lawsuit describes it, AOL allegedly operated a “master screen name spinoff program.” Subscribers with two or more screen names would on occasion see on their monitors a pop-up window about spinning off a new account. If someone clicked “OK” to close the window, another $23.90 was added to the credit-card charges of the user each month, and this went on for months or years before most people detected it, according to the suit.
Some people say, “Where there’s smoke there’s fire” – but these allegations could just as easily be smoke and mirrors without a serious basis. I have no way of knowing for sure.
What I do know is that AOL and its Compuserve unit settled on Sept. 23 another billing complaint filed by the U.S. Federal Trade Commission. The agency says that AOL billed numerous customers for months after they tried to cancel, and failed to deliver promised $400 rebates.
Do you smell smoke in here?
Four all-new 'critical' patches released yesterday
I don’t ordinarily bore you with the details of every bulletin Microsoft puts out. But in this case, it’s important for you to know about not one, but four new security patches that Microsoft rated “critical” and released on Oct. 15.
Every recent version of the operating system from Windows NT to 2000 to Me to XP to Server 2003 needs one or more of these “critical” patches. In addition, a fifth patch is rated “important.”
- Web site or e-mail message can install malicious code. Under certain low-memory conditions, Windows’ Authenticode check can fail to prompt, so merely viewing a Web page or previewing an e-mail message can silently install an ActiveX control. The flaw is in Windows itself rather than in the browser, so it is present whether or not you use Internet Explorer, on Windows NT, 2000, XP, and Server 2003 (Me is not vulnerable). MS03-041 / 823182.
- Windows 2000 is wide open to infected HTML code. The Help Troubleshooter ActiveX control in Windows 2000 has a buffer overrun that lets a rogue program be installed when the user views an infected Web page or previews an infected e-mail message. Other versions of Windows are not vulnerable. MS03-042 / 826232.
- Microsoft recommends disabling Messenger Service. A remote attacker can send a crafted message over the NetBIOS ports (137-139), including by UDP broadcast, to the Windows network alert service known as Messenger Service (not to be confused with Windows Messenger or MSN Messenger) and run code on the machine. This weakness is present in Windows NT, 2000, XP, and Server 2003. The new patch corrects the buffer overrun, but Microsoft suggests that you also block these ports at the firewall and disable Messenger Service entirely if you don’t need it. MS03-043 / 828035.
- Help and Support Center open to attack in XP and 2003. A user clicking a URL on a Web page or in an e-mail can allow an attacker to run code on the user’s machine. Microsoft rates the threat as “critical” for Windows XP and Server 2003, and “low” for Windows NT, 2000, and Me. MS03-044 / 825119.
- Anyone who logs on to Windows 2000 can gain control. A person who can log on to a Windows 2000 machine can gain higher privileges than a normal user has, because the Utility Manager there runs with system privileges. Microsoft rates this threat “important” for Windows 2000 only, and “low” for Windows NT, XP, and Server 2003, where the Utility Manager has only the privileges of the logged-on user. MS03-045 / 824141.
Note: Starting with these five bulletins, Microsoft has begun a policy of not including any meaningful information in the Knowledge Base articles that relate to a security bulletin (such as KB 824141). The security bulletin now is the sole source for all of the known information about a problem and its patch. The related KB article will merely give a link to the security bulletin.
I’ve included in the descriptions of each security bulletin above a link to the related KB article, in case you wish to see that this is the case. Strangely, the KB number (not the MS bulletin number) will still be used in the Add/Remove Programs control panel to show whether or not a particular patch is installed. I’ll explain in the Nov. 6 paid version of Brian’s Buzz the full implications of the new Microsoft policy.
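Because Add/Remove Programs identifies installed patches by KB number rather than by bulletin number, the KB numbers listed in this issue are also what you check for on a machine. The PowerShell below is an added example, not from the original newsletter and not a Microsoft tool: it looks up each KB named above with Get-HotFix, which reads the same Win32_QuickFixEngineering data that Add/Remove Programs displayed, and then reports the state of the Messenger service that MS03-043 says to disable. The KB-to-bulletin table is taken from the text of this issue; the script assumes PowerShell 5 or later (for the service StartType property), which did not exist in 2003.

```powershell
# Added example (not from the original newsletter): verify this issue's patches by KB id,
# the way Add/Remove Programs labelled them, and check the Messenger service state.

# KB numbers and bulletins exactly as named in this issue.
$PatchesInThisIssue = [ordered]@{
    'KB828750' = 'MS03-040  Cumulative patch for Internet Explorer'
    'KB811630' = 'HTML Help update required alongside MS03-040'
    'KB828026' = 'Windows Media Player URL script command update'
    'KB824146' = 'MS03-039  RPCSS/DCOM'
    'KB823182' = 'MS03-041  Authenticode verification'
    'KB826232' = 'MS03-042  Windows 2000 Troubleshooter control'
    'KB828035' = 'MS03-043  Messenger Service'
    'KB825119' = 'MS03-044  Help and Support Center'
    'KB824141' = 'MS03-045  Utility Manager'
}

function Get-PatchStatus {
    param([System.Collections.IDictionary]$Patches)
    # Get-HotFix keys on the KB id (HotFixID), never on the MSnn-nnn bulletin number.
    $installed = @{}
    foreach ($hf in Get-HotFix -ErrorAction SilentlyContinue) {
        $installed[$hf.HotFixID] = $hf
    }
    foreach ($kb in $Patches.Keys) {
        $hf = if ($installed.ContainsKey($kb)) { $installed[$kb] } else { $null }
        [pscustomobject]@{
            KB          = $kb
            Bulletin    = $Patches[$kb]
            Installed   = [bool]$hf
            InstalledOn = $hf.InstalledOn   # $null when not installed
        }
    }
}

Get-PatchStatus -Patches $PatchesInThisIssue | Format-Table -AutoSize

# MS03-043: the patch closes the hole, but the bulletin's advice is to turn the service
# off if nothing needs it. Report its state; uncomment the two lines to enforce.
$svc = Get-Service -Name Messenger -ErrorAction SilentlyContinue
if ($svc) {
    'Messenger service: Status={0} StartType={1}' -f $svc.Status, $svc.StartType
    # Stop-Service -Name Messenger -Force
    # Set-Service -Name Messenger -StartupType Disabled
} else {
    'Messenger service is not present on this system.'
}
```

On anything newer than Windows 2003 the KB rows will all read Installed=False, since those patches do not apply; the point of the script is the method: check by KB id, not by bulletin number, and treat a missing row as “not installed” rather than assuming the cumulative patch covered it.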
Make animated demonstrations in a Wink
It’s always frustrating to try to create an on-screen demonstration that shows end users how to operate a particular piece of software. There are Windows applications that can do this, but they tend to be big and cumbersome, such as PowerPoint, and most of them are not particularly well-suited to the job even then.
Wink, shown at left, is a simple, easy-to-use, and (best of all) free program that solves most if not all of these problems. Remarkably, it allows you to make an animated demonstration in either of two ways: (1) by “recording” the actions that you take in a program – pulling down menus, clicking buttons, etc. – or (2) by sequencing a series of screen shots you may have previously saved.
You can make screen shots in BMP, JPG, PNG, TIFF, TGA, and PCX formats and use any of these formats in your animated demonstrations. Once you’ve sequenced or recorded the actions you want to present, Wink can create your presentation as a Macromedia Flash or HTML file for posting on a Web page, a stand-alone EXE file for mass distribution, a PDF file to make printable manuals, or any of the bitmap formats mentioned above.
The Flash presentations Wink creates are highly compressed and can be as small as a few kilobytes to a few hundred kilobytes, depending on the content you include. Because a Flash player is installed on more than 90% of the PCs that use the Internet, this can be a very convenient format for use on the Web.
Reader Elizabeth Swoope has tested Wink and found it to be just the ticket for the computer literacy classes she teaches. Followers of my Windows Secrets books may remember that she allowed me to include her RRKeyFonts software in several editions. Her fonts insert images of Enter, Tab, and other keys into documents.
(To see RRKeyFonts, visit FileLibrary.com, then search for filenames only that contain rr_pt2.zip in the Multi-Platform collection.)
Here’s her report on her search for demonstration software:
- “I looked at something that PC Magazine had recommended highly (CamStudio). But I didn’t like the herky-jerky way it made my cursor behave or the huge files it created. …
“I don’t know whether you have any interest in software that makes it easy to take a series of screen shots (as if you were recording on video, but not exactly) and string them together into a Flash demo. But if so, you might want to take a look at Wink. It is pretty stable even as a release 1, and the programmer is very responsive. It reminds me of the olden days, back when software developers actually knew their users.
“Wink creates a Flash demo that can be accessed from a Web site, or an EXE, or a PDF. The animation of the cursor from screen shot to screen shot is nifty. Also the fact that you can edit out any mistake screen shots (if you opened the wrong menu or had to backtrack) and Wink will just animate the cursor from its location on one screen shot to its location on the next screen shot – even if they aren’t in sequence.
“I am in no way, shape, or form affiliated with the programmer. I’ve only known about this software since Friday night. But this is the first software I’ve used in a very long time that has actually been fun to use.”
Wink was developed by Satish Kumar, who is a research engineer for Togabi Technologies (a wireless vendor in San Diego, Calif.) and the Webmaster of DebugMode.com. For more information and to download Wink free, visit http://www.debugmode.com/wink/.
Identify the junk that starts itself up automatically
Several readers have proposed that I identify by name all of the “spyware” and other programs that sneak themselves into one of the Run keys in the Registry. This makes them run automatically every time you start Windows. Sometimes they launch silently, without even an icon in the Tray to alert you to their presence. In every case, they’re irritating, since they never inform you of what their cryptic filenames mean.
Making such a list is beyond me, but someone has actually done it. “Pacman’s Portal Start-Up Tips” has the longest list I’ve seen of the filenames and descriptions of all kinds of sneakware programs. Once you know the long description for something that’s in a Registry key, you can search on that term in a search engine to discover everything that’s known about it.
The British tips site has also compiled a helpful guide to the various ways programs start up in Windows and how you can shut them down.
Reader Jeff Larsen uses the site regularly and highly recommends it. Here are some of his comments and advice:
- “While recently cleaning up our CEO’s spyware-infected laptop (why does he let his kids use it?!), I discovered a Web site that documents just about anything you will ever find in Registry keys such as
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[See the A List to sample the database, then jump to the main index, then jump to “Startup Content.”]
“It contains listings of over 3,000 programs, including the Registry value names, the executable file, and a code that describes the entry as necessary, optional, or complete garbage. It often includes instructions on how to clean up offending entries – beyond just deleting the Registry entry.
“The information is free, but the site accepts PayPal donations to help support the cause.”
In my opinion, you should frequently run Spybot-S&D, a free utility (donations gratefully accepted) that finds and removes sneakware of all kinds. But if you’re researching a problem in a PC’s startup sequence, Pacman’s Portal is an unsurpassed resource to let you know what’s what in there.
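Before you can look anything up in a list like Pacman’s Portal you need the value names and executables from the Run keys themselves, and a first pass at which ones deserve attention. The PowerShell below is an added example, not from the original newsletter, from either reader, or from the Pacman’s Portal site: it walks the machine-wide and per-user Run and RunOnce keys, resolves each command line to the program it launches, checks whether that program exists and carries a valid Authenticode signature, and flags entries that are unsigned, missing, or living in a temporary or per-user folder. The heuristics are mine and are deliberately loose; the output is a list to research, not a cleanup list. It assumes PowerShell 5 or later on Windows.

```powershell
# Added example (not from the original newsletter): enumerate autostart entries in the
# Run/RunOnce keys and produce the value name and image path you would look up.

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Resolve-AutostartImage {
    param([string]$Command)
    # Run values are command lines: quoted paths, unquoted paths followed by
    # arguments, and %ENV% references all occur. Reduce each to the executable.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    $head = ($cmd -split '\.exe\b', 2)[0]            # -split is case-insensitive
    if ($head -ne $cmd) { return "$head.exe" }
    return ($cmd -split '\s+')[0]                     # no .exe: first token
}

function Get-AutostartEntries {
    param([string[]]$Keys = $RunKeys)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            if (-not $name) { continue }              # skip the unnamed default value
            $command = [string]$item.GetValue($name)
            $image   = Resolve-AutostartImage -Command $command
            $exists  = $image -and (Test-Path -LiteralPath $image)
            $sig     = if ($exists) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'FileMissing' }
            # Triage heuristic (mine, not a rule): unsigned or missing binaries, or
            # binaries parked in Temp or AppData, are where sneakware tends to sit.
            $review  = ($sig -ne 'Valid') -or ($image -match '\\(Temp|AppData)\\')
            [pscustomobject]@{
                Key       = $key
                Name      = $name
                Image     = $image
                Signature = $sig
                Review    = $review
            }
        }
    }
}

Get-AutostartEntries | Sort-Object Review -Descending | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM keys are fully readable. Take the Name and Image columns of anything marked Review and search for them; a legitimate unsigned program from a small vendor will turn up quickly, and a cryptic name with no history is what the reader above was cleaning off that laptop.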
Here's a tip they'll never forget
With All Hallows Eve coming, it’s the perfect time for Web sites with creepy crawly things that slither in the night. Fortunately for us, scary Web sites aren’t all infested with computer viruses and worms. One of the best for Hallowe’en ghoulishness is Bloody Finger Mail (left), a unique free service that you can play with to your heart’s content.
When you visit Bloody Finger Mail, you first click “Send a Bloody Message” to start the show. After a few moments for the effect to load, you write your message in blood on an appropriately creepy wall using your mouse as a pointer. A bloody finger (what else) helps you smear your words for all to see.
When you’re finished with your last writes, click Send. You then fill in your name and e-mail address and the same information for the person you wish to send a message to. That lucky recipient doesn’t get the actual image in his or her inbox. Instead, a plain-text message invites your loved one to visit a Web page where an animation of the masterpiece you recorded (in full motion) is waiting for their viewing pleasure.
Since people are understandably freaked out about hoaxes and malware on the Internet these days, you might want to send your correspondents an ordinary e-mail message in advance (to advise them that the following message is actually from you). Even better, send the first message to yourself so you can see what people should be prepared to receive.
The Bloody Finger Mail site isn’t new, but it’s a classic waste of bandwidth that becomes all the more timely around Hallowe’en. It’s a production of Engine Digital, a design firm with offices in Vancouver, B.C., New York, and Los Angeles.
Have fun, and don’t stay out all night! BloodyFingerMail.com
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Copyright © 2025 AskWoody LLC, All rights reserved.
