Install MS’s out-of-cycle patches for IE, apps
In this issue
Last chance to get money-saving tips for free
We can offer our newest bonus for only a few more days this week. All our subscribers are eligible for a free download of Green Home Computing for Dummies by Katherine Murray and our very own contributing editor Woody Leonhard. The book is full of tips on how to reduce your PC’s power cost, optimize your system’s performance for better energy efficiency, and more! The printed volume isn’t in stores yet, but all subscribers can receive our exclusive excerpt of two full chapters now through August 5. Simply visit your preferences page, save any changes, and a download link will appear. Thanks! —Brian Livingston, editorial director
Special report: anti-malware killbits are broken
By Brian Livingston
When Microsoft makes a mistake, it’s usually a doozy.
It’s been disclosed this week that the “killbits” set by Microsoft to protect Internet Explorer against malware can be circumvented by bad guys — but we’ll tell you today about emergency patches that can defend you.
We don’t ordinarily publish new Windows Secrets content on the 5th Thursday of the month. I mean, come on, our writers deserve a break once in a while. To prove there’s no rest for the wicked, Microsoft’s release of two urgent patches this week forced us back to work. The Redmond company’s out-of-cycle fixes are actually patching other patches that were released on Patch Tuesday just 16 days ago.
Like all our news updates, today’s content includes only a single article — this time, it’s by Susan Bradley, our esteemed Patch Watch columnist — and there’s no difference between the free and paid content. All of our readers receive the same information.
Note: The next regular edition of Windows Secrets will be brought to you on Aug. 6.
Susan’s detailed reporting on what to watch out for in Microsoft patches usually appears in the paid version of our newsletter. If you’re not receiving her findings — and those of Fred Langa, Woody Leonhard, Ian “Gizmo” Richards, and our other contributors — you can get the word every week with no fixed fee. We accept any financial contribution of any amount, and you’ll receive our paid content for a full year. For more info, free subscribers should visit our upgrade page.
Thanks for your support of our research into Microsoft Windows.
We’re pulling in young energy to dig up secrets
I first learned programming some 40 years ago, and Fred, Woody, and Gizmo have had to start lying about their ages. So you might think we have nothing but “geezer geeks” here.
I’m pleased to say that we’re booting up new geeks who can keep the old guys on their toes.
Stephanie Small, photo at left, joins us in the position of research director. As the person who evaluates the torrent of tips that stream in every day from our readers, she’s critical to helping us develop new stories. (In fact, she’s rather critical in general, but I kind of like that.)
Before she came to Windows Secrets, Stephanie was a Web intern with the monthly Seattle Metropolitan magazine, where she generated scores of capsule reviews for that publication’s guide to city life.
Prior to the Met, Stephanie was a reporter for the University of Washington Daily for almost three years. She graduated from the university with a B.A. in communications/journalism in June 2009.
Stephanie has stepped into the shoes of Katy Abby, our long-time research director, who recently moved to Portland, Ore., with her husband, Jon. You used to see Katy’s byline on our Wacky Web Week column, but you’ll be seeing Steph’s name there from now on.
Allison Espiritu (pronounced “ess PEER it too”) is our new research analyst, working closely with Stephanie on a part-time basis. The rest of the week, when she’s not helping us uncover fresh secrets of Windows, Allison is a reporter for the Ballard News-Tribune, a weekly Seattle neighborhood tabloid.
Before her work with WS and the Trib, Allison was a news assistant for the metro section of the Seattle Times, a daily newspaper.
Allison graduated from the University of Washington with a B.A. in journalism in 2007.
Damian Wadley is a Web developer who’s worked with us intermittently this summer and last summer. The other three quarters of the year, he’s a computer science undergraduate at Washington State University in Pullman, Wash.
I’m pleased to report that Damian has signed up to come back to work at Windows Secrets full-time when he receives his degree in May 2010. His accomplishments for us to date include recoding our Web site to make it more reliable and easier to maintain — a code base that will go live in the next week or two.
He’s so good that most visitors won’t notice any difference in our site — and that’s a big compliment to his work. More visible design changes we’re planning will be introduced over the next several months, so stay tuned.
These individuals represent the future of journalism on the Web. I assure you that they’ll be digging up secrets to help Internet users long after I’ve enjoyed my final Blue Screen of Death.
Brian Livingston is editorial director of WindowsSecrets.com and co-author of Windows Vista Secrets and 10 other books.
Install MS's out-of-cycle patches for IE, apps
By Susan Bradley
Two emergency updates released by Microsoft this week correct flaws in Internet Explorer and potentially dozens of third-party programs. One of the patches is intended primarily for use by application developers, but how far the threat to apps extends — and how many end users will be affected — is not yet clear.
MS09-034 (972260)
Apply this Internet Explorer patch today
This week, Microsoft released security bulletin MS09-034 without waiting for the next scheduled Patch Tuesday on Aug. 11. According to the Redmond company, this patch is rated “Critical” for IE 6/7/8 on XP and IE 7/8 on Vista. (While the Windows 7 release to manufacturing (RTM) version is unaffected by the problem, the Windows 7 release candidate does require patching.)
You may already have applied “killbits” from Microsoft security bulletin MS09-032, which was released on this month’s regular Patch Tuesday, July 14. In theory, these killbits should protect you against certain ActiveX exploits already circulating on the Internet.
Microsoft’s Security Research & Defense blog recommends that you retain the killbits, if you did install them, and also apply this week’s update. The group says this will provide an added layer of “defense in depth” patches.
On the other hand, if you haven’t yet applied the MS09-032 update, installing this week’s out-of-cycle patch means you don’t have to install the previous one.
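To confirm which killbits are actually in place on a machine, the following added example (not part of the original newsletter) lists them from the registry. It relies on the documented location of the kill bit: bit 0x400 of the `Compatibility Flags` DWORD under `Internet Explorer\ActiveX Compatibility\{CLSID}`. The function name is hypothetical, and the newsletter names no specific CLSIDs, so none are hard-coded.

```powershell
# Added example: report ActiveX controls whose kill bit is set.
# Function and variable names are illustrative, not from the article.
$KillBit = 0x400
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # 32-bit view on 64-bit Windows; skipped when absent
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitClsid {
    param(
        # Optional: restrict the report to these CLSIDs, e.g. '{...}'
        [string[]]$Clsid
    )

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
            $name = $_.PSChildName
            if ($Clsid -and ($Clsid -notcontains $name)) { return }

            # Skip entries that carry no DWORD flags value.
            $flags = $_.GetValue('Compatibility Flags')
            if ($flags -isnot [int]) { return }

            [pscustomobject]@{
                Clsid  = $name
                View   = if ($root -like '*Wow6432Node*') { '32-bit' } else { 'native' }
                Flags  = '0x{0:X8}' -f $flags
                Killed = ($flags -band $KillBit) -ne 0
            }
        }
    }
}

# List every control that is currently blocked in Internet Explorer.
Get-KillBitClsid | Where-Object { $_.Killed } | Sort-Object Clsid, View | Format-Table -AutoSize
```

A control that appears in only one of the two views on 64-bit Windows is blocked for only that bitness of Internet Explorer.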
Why did Microsoft rush out an update for a problem that most admins have already patched? The reason was revealed yesterday afternoon in Las Vegas. A presentation at the Black Hat Security Conference by security researchers Ryan Smith, Mark Dowd, and David Dewey showed that the previous killbit fix could be evaded by malware.
In their blog post announcing the talk, the researchers described how they had found a vulnerability in Microsoft’s Visual Studio Active Template Library (ATL), which is used by developers to write Windows programs. In a video posted on the researchers’ site, they demonstrate how an exploit can take control of a PC, bypassing the killbit.
Microsoft’s statement that MS09-032 protected you from known attacks is technically true. New attacks, however, are likely to show up very soon, due to the release of the Las Vegas presentation. It would be wise for you to install the more-recent MS09-034 patch right away.
MS09-035 (969706)
Apps developed using ATL may be insecure
Hearing of a new patch for Internet Explorer, most of us would sigh, launch Firefox, and simply go on with our lives, thinking we are unaffected. The problem announced this week, however, involves more than just IE.
The vulnerable ActiveX control present in Visual Studio’s Active Template Library (ATL) is used in many third-party applications. So security bulletin MS09-035 may be the more important of this week’s two out-of-cycle updates.
For instance, Cisco Systems has released an alert saying the company’s Unity products are affected by the vulnerability. Other companies’ products — which you might never suspect of being the weak point in a malware attack — could easily be at risk.
Verizon Business is providing a service that checks a system for the presence of this control. As explained in a Verizon blog, the use of the file atl.dll in an application indicates that an app is susceptible.
In my research, I found on one fully patched Vista machine an old tax program that includes atl.dll. I can’t remove this file, because the old software is still needed.
To be sure, bad guys are less likely to target an obscure software program than vulnerabilities in IE. Even so, installing MS09-035 gives you additional protection, not just for Microsoft’s browser but also for some apps you may have forgotten you ever installed.
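The kind of inventory described above, finding forgotten applications that ship their own atl.dll, can be scripted. This is an added example, not code from the newsletter or from Verizon's service; it uses the article's indicator (an application directory containing atl.dll), and the function name, parameters, and default search roots are assumptions.

```powershell
# Added example: inventory copies of atl.dll shipped with installed applications.
# Follows the article's heuristic only; a hit means "review this product",
# not proof that it is exploitable.
function Find-AtlDll {
    param(
        # Directories to search; defaults to the Program Files folders.
        [string[]]$Root = @($env:ProgramFiles, ${env:ProgramFiles(x86)}),
        [string]$FileName = 'atl.dll'
    )

    # Drop empty or missing roots (e.g. no x86 folder on 32-bit Windows).
    $roots = $Root |
        Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
        Select-Object -Unique

    foreach ($r in $roots) {
        $base = (Resolve-Path -LiteralPath $r).ProviderPath.TrimEnd('\')

        Get-ChildItem -LiteralPath $r -Filter $FileName -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                # The first folder below the root is usually the product name.
                $relative = $_.FullName.Substring($base.Length).TrimStart('\')
                $info = $_.VersionInfo

                [pscustomobject]@{
                    Application = $relative.Split('\')[0]
                    Path        = $_.FullName
                    FileVersion = $info.FileVersion
                    Company     = $info.CompanyName
                    LastWrite   = $_.LastWriteTime
                }
            }
    }
}

# Report each hit with the version details needed to ask the vendor for an update.
Find-AtlDll | Sort-Object Application, Path | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so that directories readable only by administrators are included; unreadable folders are skipped silently.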
My standard admonition is more important than ever: use a third-party patching tool such as the Shavlik Patch Google Gadget or Secunia’s Online Software Inspector or Personal Software Inspector. Review your system at least monthly, after you’ve installed Microsoft’s latest patches. These tools test a wide range of software — including many browsers other than IE — and notify you when security patches are available.
See my May 28 Top Story for more on Shavlik, Secunia, and other third-party software-update services.
I’ve only heard sporadic reports of problems a few people have had with the out-of-cycle patches. These issues are described in a Microsoft forum post about a Visual Studio compiling error, and an MS MVP blog item about the Visual Studio patch being offered repeatedly. I’ll provide information in my next Windows Secrets column on any other glitches that may affect these patches.
Given the strong recommendations I’ve read by members of the security community, I believe you should install this week’s updates immediately. You can uninstall them if they act up.
Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).